-[ PHISHING NEWS ]-

3 Reasons It’s Time for Change

In the Information Technology world, the term “Phishing” is well known, and for good reason.  Phishing attacks have duped unsuspecting users into divulging credentials, credit card numbers, and other personal or corporate information.

April 27, 2022

---

This often makes headlines when the attack delivers ransomware that cripple’s production and costs millions of dollars.  It’s no wonder that phishing is the number 1 threat to businesses today.  In 2020, during the height of Covid-19, phishing incidents rose 220%.  In Q1 of 2021, phishing attacks rose another 41% as the number of attack vectors and the complexity of attack methods continued to increase.  Ransomware attacks, most commonly proliferated via phishing, increased 105% in 2021.  Companies experienced on average 9.7 attacks per day, resulting in an average of $5.1 million in costs per successful attack.   

Despite the plethora of email anti-phishing solutions – as well as security awareness training and simulation providers, companies are still reeling from the growing onslaught of attacks.  Unfortunately, 74 percent of phishing attacks in the US are successful, primarily because 97 percent of users are unable to recognize a phishing email. 

Clearly, the current solutions can’t successfully address the problem. Yet the market keeps pushing out more of the same solutions, fueled by “Sand Hill Road” investors looking to cash in on yet another cyber security startup.  While the threat has changed, both in volume and complexity, the market has not kept pace, leaving corporate IT and Security administrators with a significant weakness in their security architecture. 

It’s time for change!   

Let’s look at 3 reasons IT must change they way they approach phishing protection today. 

1. Phishing is NOT just an email problem! 

Most companies focus only on email protection with no visibility into the risk associated with phishing attacks in social media, web browsers and search engines, and corporate messaging applications.  Focusing on email only creates a significant gap in your defense-in-depth security architecture and leaves your company at risk. 

Today there are 75 times as many phishing sites as there are malware sites on the internet – let that number sink in!  Compromised email, web pages and social media accounts can mimic safe links or files.  URL redirection and even SSL encryption are luring employees to phishing sites and successfully getting their credentials.   Social Media attacks are now 23.6 percent of all attacks, up from 11.8 percent inQ4 of 2020.  According to Google, there were 40 billion pages of spam detected every day in 2020, a 60% increase from the previous year.  These 40 billion pages included hacked sites, deceptively created sites, and other forms of web spam, scams and fraud.  It’s clear that providing email phishing protection is NOT enough!  Your company needs a more comprehensive solution to stop phishing attacks from all threat vectors. 

2. IT has no visibility into what their users click on! 

Phishing has been a top security concern for one primary reason:  it targets the weakest link in the security chain – PEOPLE!  And phishing is a top concern for good reason:  97 percent of users are unable to recognize a sophisticated phishing email.  Regardless of how robust your security training program is, 25% of all employees are likely to click on phishing links, and 67.5 percent go on to enter their credentials or other data requested.   Clicking on links has become second nature, thanks to social media, and threat actors are continuously looking for ways to fool users into a response.   

While more than 80 percent of companies have a process for employees to report phishing emails, less than 25 percent of malicious or suspicious emails are actually reported.  Some tools make it easy for users by providing a button to report suspicious activity, but this approach still relies on the knowledge of the user, something we’ll address in the 3rd reason it’s time for change!.   

IT has no visibility into what their users are seeing and/or clicking on, and by the time it is reported, if it is, the damage is done.  This lack of visibility is compounded by phishing attacks in social media, web browsing and search engines, and corporate messaging applications.  IT needs the ability to see what malicious or suspicious links their users encounter, across all digital platforms, so that they can take action to mitigate risk. 

3. Training and Simulations aren’t working! 

Despite the awareness training and simulations that companies employ, 97% of users are unable to recognize a phishing email, especially as those attacks become more sophisticated.  20% of employees will click on phishing links and two thirds of those will enter credentials and other data into fraudulent web sites.  This is a direct result of the fact that only 10% of companies spend more than 3 hours in cyber security training per year, and that training is typically high level.  And only 60% of companies provide formal education.  The remainder rely on newsletters, bulletins, videos, and user reporting to make their employees “aware.”  Unfortunately, this awareness does NOT arm employees with the ability to spot and avoid phishing attacks. 

Though well intentioned, phishing simulations can often have a negative effect on employee morale, especially when not paired with effective, reality-based training.  Many companies today are using the “name and shame” approach to force compliance in their user base.  The Consequence Training Model is gaining traction as companies look to punish users who regularly fall for phishing attacks.  Consequences can range from additional in-person training to monetary penalties to termination.  These measures, however, can be counterproductive.  According to John LaCour, founder and CTO of PhishLabs, “It (simulations) really demotivates people, and it doesn’t really teach them anything about how to be more diligent about phishing attacks.  He further explained, “each phishing simulation program needs to be accompanied by a robust training program, where you teach employees what to do when they see something “phishy.”  Otherwise, it just creates resentment among employees.”   

So what changes are needed? 

You need a phishing solution that clearly identifies malicious, suspicious, or safe content, in email, web browser, social media and messaging apps, so you can block a threat before it’s clicked.  You need a phishing solution that gives you and your customer real time visibility into malicious content that is being viewed or activated so you can respond in real time and focus on only the most critical events.  And you need a phishing solution that delivers real-time training based on what malicious content is being viewed by your users, making sure they are properly trained to spot the threats before they sink you. 

What if employee visibility were a simple as a traffic light – green for safe, yellow for suspicious, and red for malicious content – so that your users could be a step ahead to make the right decisions and avoid malicious content? 

What if you could deliver complete visibility into suspicious or malicious activity so that you could automatically block bad links from being clicked, and full attribution of phishing clicks within minutes, so you know who, what machine, when, etc.? 

And what if you could deliver reality-based training to your users based on the type of malicious activity, they see so that training is specific and real time?   

Now you can empower both your employees and your IT and Security teams to: 

• Avoid risky clicks with intelligent, traffic-light-style visual indicators that clearly identify safe, suspicious, or malicious content in email, web browsers, social media and messaging apps. 
• Automatically block malicious content before it can do damage. 

• Significantly reduce the time to risk prediction, incident prediction, and incident response with real-time attribution reporting 
• Take advantage of machine learning and AI technology that protects your users from threats seen across the globe 
• Integrate data streams with your existing tools and workflows, including SIEM platforms. 
• Reduce risk across multiple email, browser, social media and messaging app platforms. 
• Deliver targeted, reality-based training to employees, in real-time, based on malicious content seen, so that they are trained to spot malicious content. 

The only way to accomplish this is with PhishCloud.  PhishCloud provides the most comprehensive phishing protection and reality-based training available in the market today, all in one, easy-to-manage platform.  Learn more at www.phishcloud.com. 

About PhishCloud 

PhishCloud, an IT Security Services company, makes people a key ingredient of your security architecture, not the weakest link, giving IT both visibility and confidence in how their people work every day.  PhishCloud provides tools that empower people to make intelligent decisions on digital phishing threats, fortifies IT visibility so they can quickly respond to that threat, and delivers targeted education to reduce the risk of phishing attacks. 

Founded in 2018 and headquartered in Seattle, WA, PhishCloud delivers comprehensive visibility into phishing attacks across all digital threat vectors, including email, web, social media, and messaging apps – not just email – so that IT can respond to and block phishing threats that people see in real time.   PhishCloud then delivers training based on what your people see so that training is targeted, meaningful and teaches your people their role in your security architecture. 

PhishCloud.  Empowering People.  Fortifying IT. 

For more information, visit http://www.phishcloud.com/. 

 

Disclaimer.   © Copyright 2021 by PhishCloud, Inc. All Rights Reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document is provided for informational purposes only and is provided “as is” without any warranty, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. PhishCloud is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, PhishCloud makes no claim, promise or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. PhishCloud makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as possible.

Reproducing, copying, or making adaptations, or compilation works based on this content without prior written authorization from PhishCloud, Inc., is prohibited by law.