Phishing is thought to have started roughly 25 years ago. What makes this age-old method so continually valuable as a tool for cybercriminals and scammers?
When you think “phishing”, you might think only of the initial email sent to a potential victim. But phishing today is far more than that: it is the domain registrations, the fake logon pages built for credential theft, and the pre-campaign reconnaissance done on potential victim organizations to find just the right person to target.
In short, phishing is a multi-faceted creation. And yet, it somehow finds success even when it’s poorly executed.
Why is that?
I see two simple reasons why phishing continues to grow, evolve, expand and succeed:
- The cyber criminals see the opportunity… and are reaching for it – The “as a Service” market within the cybercriminal ecosystem seems to be expanding faster than the universe. It used to be a matter of simply renting an email list of millions of addresses from the dark web, but today there is dark infrastructure, credential-theft phishing site kits, and just about any other component of a phishing attack offered as a service. So the “opportunity” I mentioned isn’t necessarily just taking some company for its money; the opportunity for a web developer may be building lots of those phishing kits instead of working a 9-to-5 job. Everybody’s getting in on the game.
- The potential victim doesn’t see it when it hits them – This is something I preach here every single day. Users are busy doing their jobs, and when a well-written, well-thought-out, well-presented, properly branded, contextually appropriate email comes in, they have their work hat on and just, well, click the link or open the attachment. Users simply aren’t prepared for the attack they will someday face (if they haven’t already).
Since there is little we can do to stop the bad-guy economy from growing, we need to focus on the one part we can control: the user. By teaching them to “default to ‘skeptical’”, as former CISSP Mark Stone puts it, users can be taught to be critical of any email that ends up asking for credentials, a transfer of funds, or any other action that a cybercriminal could misuse.
It is only through continual Security Awareness Training that organizations can get users to ‘skeptical’; users need constant reinforcement so they know the danger is always present and keep their defenses up when interacting with email or the web.
I think it’s evident that phishing isn’t going anywhere. And because it will probably continue to grow, now is the time to get to ‘skeptical’.