Phishing - and by extension email-based attacks - remain the number one online threat, with 92% of malware being delivered by email. Sure, ransomware is bad and more targeted attacks can cause havoc, but phishing is cheap, easy and can be used to target a large number of people.
1. The Human condition
The biggest threat (and weakness) of phishing is that it requires some level of human interaction: clicking on a link, or downloading an attachment, for example. Without adequate protection in place, every person on your network is a big potential security risk. This is compounded by the fact that the average user received 16 phishing emails per month in 2017. Multiply that by 100 employees and that’s 1600 phishing emails your staff must avoid every month.
2. Timing is everything
For more targeted phishing attacks – commonly known as “spear-phishing” – timing can play an important role. More general, untargeted phishing has a very low chance of succeeding, which is why it gets sent in large volumes – spam makes up 45% of all email. Targeted phishing may make use of an event to tug on the heart strings – like a charity collection following a natural disaster – or something which affects everyone – no doubt you’ve received emails purporting to be from “HMRC” regarding a tax rebate. Just a small amount of psychological manipulation can go a long way.
3. Getting to the point
To increase the chance of phishing being effective, it will often use scare tactics – claiming that something is time sensitive, or invoking sensitive information – to force an emotional snap decision. This can be reinforced by spoofing the email address of a close friend, co-worker, or even a superior. This added element contributes to the fact that 97% of people are unable to identify a more sophisticated phishing attack.
4. What’s the Password?
Phishing attacks which target specific services are on the up. For example, a Gmail phishing scam targeted nearly 1 billion users in 2017, and phishing campaigns targeting Dropbox have the highest click-through rate, at 13.6%. Campaigns like this are often intended to steal the user’s credentials to reuse in other attacks, or to take control of the service itself. This could then result in a higher success rate in future campaigns, or even blackmail.
5. Throw enough at the wall
Although not a sophisticated method of attack, sheer quantity is a cheap and effective way of launching a “successful” phishing attack. Although the click-through rate may not be very high on a phishing campaign of this nature, even a few hits could easily net the perpetrators a good return on investment. With 14.5 billion spam emails sent every day, costing businesses a massive $20.5 billion, there’s a huge number of potential pitfalls to dodge daily.
Phishing is still a significant threat, for the reasons above as well as a host of others, but with the right software protection and know-how you can significantly increase your chances of avoiding this insidious practice. Thank you to hostingtribunal.com for compiling the stats used above.
How do you spot a phishing email? Have you ever received training or advice on identifying and dealing with phishing? Let us know on Twitter or LinkedIn.