
Recognizing Phishing Risk – 3 Phallacies About Phishing

Every week, it seems, there are new stories of phishing attacks that result in substantial economic impact, sometimes to companies, sometimes to nations and states. Phishing has become a very popular attack vector for cyber criminals because it is much easier to get an unsuspecting user to click on a link that appears to be legitimate than it is to hack into a network or a computer.

April 4, 2022


Attackers use malicious links or attachments that can perform a variety of functions, from extracting login credentials or account information to installing malware or gaining access to financial information that allows the attacker to steal money.

Companies have spent millions on software and services to combat phishing. Yet phishing attacks are not only on the rise, but are still highly successful. Phishing is now used as a primary attack vector for ransomware as well. The continued success of phishing attacks is due to the weakest link in your security architecture: PEOPLE. Unfortunately, it is the people level that companies largely ignore, thinking that they are protected because of an email gateway and an hour of security awareness training each year.

This corporate mindset is putting employees, corporate data, and corporate finances at risk. Let’s look at 3 fallacies about phishing that are fueling this mindset.

Fallacy #1:  Email is the only attack vector. 

Most companies today have a robust solution in place to protect against email phishing attacks, and with good reason: over 95% of cyber attacks start with an email! Companies are spending hundreds of thousands on tools and services. Despite secure email gateways and services that block 98% of bad email (1.2 trillion phishing emails per year), 50 million bad emails get through every day. Of those that get through, 5 to 15 percent are opened, and the malicious links in them are clicked. Hard-working employees with no ill intent are putting your company at risk because, through lack of training, lack of focus, or lack of concern, they do not know how to spot a phishing attack.

To make matters worse, email phishing remains the number one attack vector for ransomware, the most prominent malware threat. There are over 4000 ransomware attacks daily in the U.S., resulting in significant losses for the organizations affected.

Email, however, is no longer the ONLY attack vector for phishing. Phishing attacks are now invading all forms of digital communication, from web browsers and search engines to social media, even corporate messaging applications. Any digital platform that can present a URL to an unsuspecting user can be used for phishing attacks. Today there are 75 times as many phishing sites as there are malware sites on the internet – let that number sink in! Compromised email, web pages and social media accounts can mimic safe links or files. URL redirection and even SSL encryption are luring employees to phishing sites and successfully harvesting their credentials. Social media attacks are now 23.6 percent of all attacks, up from 11.8 percent in Q4 of 2020. According to Google, there were 40 billion pages of spam detected every day in 2020, a 60% increase from the previous year. These 40 billion pages included hacked sites, deceptively created sites, and other forms of web spam, scams and fraud. It’s clear that providing email phishing protection is NOT enough! Your customers need a more comprehensive solution to stop phishing attacks from all threat vectors.

Fallacy #2:  People can detect phishing. 

Phishing attacks have been around since the mid-1990s – in fact, this year marks the 25th anniversary of phishing attacks. One would think that everyone would be well acquainted with phishing and how to spot an attack. Despite the awareness training and simulations that companies employ, 97% of users are unable to recognize a phishing email, especially as those attacks become more sophisticated. 20% of employees will click on phishing links, and two thirds of those will enter credentials and other data into fraudulent web sites. This is a direct result of the fact that only 10% of companies spend more than 3 hours per year on cyber security training, and that training is typically high level. And only 60% of companies provide formal education. The remainder rely on newsletters, bulletins, videos, and user reporting to make their employees “aware.”

Let’s face it: regardless of how robust your security architecture is, it is the employees in your organization that are the weakest link. IT security staff work inside the information security “bubble” every day, where the common vernacular is security buzzwords and acronyms. But the employees they support have little to no understanding of even the basic terminology, particularly when it comes to the many types of phishing.

As evidenced in Proofpoint’s State of the Phish Report 2020, only 61% of employees understood the term phishing. Only 31% were familiar with ransomware. The numbers continue to go down when you ask about more modern threats like smishing and vishing. And the numbers decrease in the younger generation, as those under 40 are less informed about basic security threats.

Phishing simulations have become a very popular component of corporate security awareness training programs. They are intended to teach employees how to detect and avoid phishing attacks in a safe environment. But is this approach working? The numbers above suggest that there is an overwhelming lack of awareness AND knowledge when it comes to basic cyber security. Is it because employees lack concern? Are the training methods ineffective?

Regardless, 74% of phishing attacks in the US last year were successful. Phishing attacks increased 47% in Q1 of 2021 and are now the primary attack vector in 80% of security incidents, resulting in an average breach cost of $4m. It is clear that the current approach of simulations and training is not working, and that change is needed.

Fallacy #3:  Employees will report phishing attacks. 

While more than 80 percent of companies have a process for employees to report phishing emails, less than 25 percent of malicious or suspicious emails are actually reported. Some tools make it easy for users by providing a button to report suspicious activity, but this approach still relies on the knowledge of the user. Training employees to spot phishing emails is more important now than ever.

From the moment the first email was sent, phishing has been a top security concern for one primary reason: it targets the weakest link in the security chain – PEOPLE! Clicking on links has become second nature, thanks to social media, and threat actors are continuously looking for ways to fool users into a response. Employee training, though not a silver bullet (which does not exist), is an important part of your overall security architecture. In fact, when properly trained,

Unfortunately, most training is high-level awareness training and does not delve deeply into the myriad ways one can spot a phishing attack, making your training program ineffective. And only 10% of companies spend more than 3 hours per year on this vital training. With the stakes this high, those on the front line should not be so ill-prepared.

According to the World Economic Forum, $5.2tn in global value will be at risk from cyber attacks. With only 3 hours per year in training, the front lines, your employees, are ill-prepared. And only 60% of companies provide formal education. The remainder rely on newsletters, bulletins, videos and user reporting to make their employees “aware.” Unfortunately, this awareness does NOT arm employees with the ability to spot and avoid phishing attacks.

A Human Approach to Anti-Phishing 

Tools that focus on email alone are creating a blind spot for your customer’s IT security administrators, who have no visibility into emails that make it through gateways and filters, or into malicious links that are clicked in web browsers, social media posts and messaging apps. With no visibility, they cannot block an attack, properly triage an attack, or understand what kind of malicious content your users are encountering daily.

You need to take a different approach – a human approach. You need a solution that clearly identifies malicious, suspicious, or safe content – like a traffic light – in email, web browsers, social media and messaging apps, so your customers know what they can and cannot click on, and so they can block a threat before it’s clicked. You need a solution that gives your customer real-time visibility into malicious content that is being viewed or activated, so you can respond in real time and focus only on the most critical events. And you need a solution that delivers real-time training based on what malicious content is being viewed by your users, making sure they are properly trained to spot the threats before they put their company at risk.

What if you could offer a cloud-based service to your customers that delivers employee visibility as simple as a traffic light – green for safe, yellow for suspicious, and red for malicious content – so that your customers could make the right decisions and avoid malicious content? 

What if you could offer your customers complete visibility into suspicious or malicious activity so that their IT security administrators could automatically block bad links from being clicked, with proactive threat attribution and contextual event data, so you know who, what machine, when etc.? 

And what if you could deliver this multi-tenant, 24/7 security service without any capital outlay, without the need for additional resources, and without having to acquire high-end security intelligence, all the while preventing phishing risk for your customers and closing yet another gap in their security posture?

Now you can empower both your customer and their IT and Security teams to: 

So, if you want to provide the most comprehensive phishing protection on the market today, there’s only one way to add this capability to your existing portfolio: PhishCloud!


About PhishCloud 

PhishCloud, an IT security services company, makes people a key ingredient of your security architecture, not the weakest link, giving IT both visibility and confidence in how their people work every day. PhishCloud provides tools that empower people to make intelligent decisions on digital phishing threats, fortifies IT visibility so they can quickly respond to those threats, and delivers targeted education to reduce the risk of phishing attacks.

Founded in 2018 and headquartered in Seattle, WA, PhishCloud delivers comprehensive visibility into phishing attacks across all digital threat vectors, including email, web, social media, and messaging apps – not just email – so that IT can respond to and block the phishing threats that people see in real time. PhishCloud then delivers training based on what your people see, so that training is targeted, meaningful and teaches your people their role in your security architecture.

PhishCloud.  Empowering People.  Fortifying IT. 

For more information, visit http://www.phishcloud.com/. 


Disclaimer. © Copyright 2021 by PhishCloud, Inc. All Rights Reserved. All product and company names herein may be trademarks of their respective owners. The information and content in this document is provided for informational purposes only and is provided “as is” without any warranty, either express or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. PhishCloud is not liable for any damages, including any consequential damages, of any kind that may result from the use of this document. The information is obtained from publicly available sources. Though reasonable effort has been made to ensure the accuracy of the data provided, PhishCloud makes no claim, promise, or guarantee about the completeness, accuracy, recency or adequacy of information and is not responsible for misprints, out-of-date information, or errors. PhishCloud makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy or completeness of any information contained in this document. If you believe there are any factual errors in this document, please contact us and we will review your concerns as soon as possible.

Reproducing, copying, or making adaptations, or compilation works based on this content without prior written authorization from PhishCloud, Inc., is prohibited by law.
