Why Phishing Attacks Are So Easy, Successful and Profitable – and What to do About It

Phishing Attacks are ProfitableWith phishing attacks being thought to have started literally 25 years ago, what makes this age-old method so continually valuable as a tool for cybercriminals and scammers?

When you think “phishing”, you might just think about the initial email sent to a potential victim recipient. But phishing today is far more than that; it’s about the domain registrations needed, the fake logon sites needed for credential theft scams; the pre-campaign diligence that’s done on potential victim organizations to find just the right person.

In short, phishing is a multi-faceted creation. And yet, it somehow finds success even when it’s poorly executed.

Why is that?

I see two simple reasons why phishing continues to grow, evolve, expand and succeed:

  • The cyber criminals see the opportunity… and are reaching for it – the “as a Service” market within the cyber criminal ecosystem feels like it’s expanding faster than the universe. It used to be simply rent an email list of millions from the dark web, but today there’s dark infrastructure, credential theft phishing site kits, and just about any other part of a phishing attack that can be offered as a service. So, the “opportunity” I previously mentioned isn’t even necessarily just the taking some company for its’ money; the opportunity for a web developer may be building lots of those phishing kits instead of working their 9-5 job. Everybody’s getting in on the game.
  • The potential victim doesn’t see it when it hits them – This is something I preach here every single day. Users are busy working their job and when a well-written, thought out, well-presented, properly-branded, contextually-appropriate email comes in, they’ve got their work hat on and just, well – click the link or open the attachment. Users simply aren’t prepared for the attack they someday will face (if they haven’t already).

Since there’s little we can do to stop the bad guy economy from growing, we need to focus on the one part we can – the user. By teaching them to “default to ‘skeptical’”, according to former CISSP Mark Stone, users can be taught to be critical of any email that results in asking for credentials, the transfer of funds, or any other kind of action that can be misused by a cybercriminal.

It’s only through continual Security Awareness Training that organizations can achieve ‘skeptical’; users must receive constant reinforcement to ensure they know the danger is always present and must keep their defenses up when interacting with email or the web.

I think it’s evident, phishing isn’t going anywhere. And because it looks like it’s probably going to continue to grow, now is the time to get to ‘skeptical’.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:


Topics: Phishing

Subscribe To Our Blog

Cybersecurity Awareness Month Resource Kit

Get the latest about social engineering

Subscribe to CyberheistNews