Phishing will remain the primary email attack vector through 2020.
A new report from Comodo Security Threat Lab's VP, Fatih Orhan, brings up an interesting statistic from Friedrich Alexander University in Germany that you can use for a budget request to get approval for security awareness training:
- One in two University computer users will click on a link from an unknown sender — Friedrich Alexander University
- It's time to shift the security emphasis and burden of responsibility for phishing attacks away from companies and onto their employees. — TechRepublic
Now, in a business environment the rate is markedly lower: KnowBe4 research shows an average of 16% of employees clicking, but that is still 16% too many.
The Comodo report doesn't end there, though: It reveals the alarming simplicity of putting a phishing campaign together in 2018.
All it takes is some startup money to buy the right software and basic user-level skill to operate it and gather the information needed to launch a campaign. From there it's as easy as letting 50% of users click on the phishing links and watching the data roll in.
The anatomy of the modern phishing campaign
The bulk of the report focuses on a hypothetical phishing scenario that walks you through how simple phishing-as-a-service has become.
A hypothetical hacker who plans to launch a spear-phishing campaign against a specific company only needs to buy some software from the Dark Web. The example the report uses, however, relies on legitimate security testing tools such as The Harvester or Maltego.
After doing some initial homework into a company's org chart, the attacker uses The Harvester to search public records for more specific info. It can find emails, subdomains, hosts, employee names, open ports, banners, and the like from search engines, PGP key servers, and SHODAN.
Maltego can then be used to gather specific info on mail servers and usernames, which makes spoofing an email simple.
Next, the attacker registers a fake domain that's visually similar to a legitimate one and uses the Social-Engineer Toolkit to scrape a full copy of the target website and build a fake one.
After that, the attacker simply creates a phishing message with a link to the fake domain and waits for half of their targets to click on the bad link and give out their credentials.
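The look-alike domain step is the one a mail gateway or SOC can actually catch before a user ever sees the message. The following Python script is an added example (not from the Comodo report or KnowBe4) that checks the domain of a sender address against a list of an organisation's legitimate domains and flags digit-for-letter substitutions (examp1e.com), letter-pair homoglyphs (exarnple.com), Unicode confusables and near-miss spellings (example.co). The legitimate domains and sample sender addresses are constructed for the demonstration; the similarity threshold and the naive two-label "registrable domain" logic are assumptions to tune for a real deployment.

```python
"""Flag sender domains that look like, but are not, a legitimate domain."""
from difflib import SequenceMatcher
import unicodedata

# Constructed list of domains the organisation actually sends mail from (assumption).
LEGIT_DOMAINS = ["example.com", "example-corp.com"]

# Common ASCII look-alike substitutions used in fake domain registrations.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "3": "e", "5": "s"}


def normalize(domain: str) -> str:
    """Lower-case, strip combining marks via NFKD, collapse common homoglyph pairs."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def registrable(domain: str) -> str:
    """Return the last two labels (naive; ignores multi-part public suffixes like co.uk)."""
    labels = domain.rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(address: str, legit=LEGIT_DOMAINS, threshold: float = 0.8) -> str:
    """Classify the domain part of an address as legit, lookalike, unrelated or invalid."""
    if "@" not in address:
        return "invalid"
    domain = registrable(address.rsplit("@", 1)[1].lower())
    if domain in legit:
        return "legit"
    norm = normalize(domain)
    for good in legit:
        if norm == good:
            return "lookalike"  # differs only by homoglyph substitutions
        # Near-miss spellings and Unicode confusables (which NFKD does not map to
        # Latin) still score very close to the real domain on sequence similarity.
        if SequenceMatcher(None, norm, good).ratio() >= threshold:
            return "lookalike"
    return "unrelated"


# Constructed sample "From:" addresses for the demonstration (assumption: not real mail).
SAMPLE_SENDERS = [
    "payroll@example.com",
    "it-helpdesk@examp1e.com",
    "ceo@exarnple.com",
    "newsletter@unrelated.org",
]


def flag_lookalikes(senders, legit=LEGIT_DOMAINS):
    """Return the sender addresses whose domain is a look-alike of a legitimate one."""
    return [s for s in senders if classify_sender(s, legit) == "lookalike"]


if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:28s} -> {classify_sender(sender)}")
```

Run it over the `From:` addresses (or the `Return-Path`) of inbound mail and route anything classified as `lookalike` to quarantine or a banner. The threshold trades false positives against misses: 0.8 catches single-character edits to short domains, but a legitimate partner whose domain genuinely resembles yours must be added to the allow list rather than left to the heuristic.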
Rethinking phishing prevention
With phishing accessible to criminals less and less skilled in hacking, it's time to realize that relying on only software layers to block the attacks may be the wrong approach.
In light of the phishing statistic mentioned in the report, new-school security awareness training clearly needs to become a priority, especially at universities, but also as a standard part of any organization's onboarding and recurring training.
It's also important to bring the threat of phishing front and center to the average user, and there's no better way to do that than by phishing your own employees.
Free Phishing Security Test
Did you know that 91% of successful data breaches started with a spear-phishing attack?
Cyber-attacks are rapidly getting more sophisticated. We help you train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now. Find out what percentage of your employees are Phish-prone™ with our free test. Did you know that KnowBe4 also supports "Vishing" where you can actually send your users simulated voice mail attacks?