The Rise of Phishing Attacks

By Eric Noonan • May 9, 2016

Recently, Verizon released its 2016 Data Breach Report, which has served to assist the security community in managing risk and avoiding security incidents since 2008. In the report, one can find data on almost all aspects of the current cybersecurity risk landscape. With that being said, I was most intrigued by the findings related to phishing attacks, a form of social engineering that seeks to exploit an organization’s greatest risk – humans.

The motivation behind phishing attacks is no different than any other information security incident. Generally, attackers will be looking to trick the target user into divulging credentials on a pharming website. These sites look and feel like they are genuine websites for banks, enterprise applications, etc. Another common tactic in phishing attacks is having the targeted user click an attached file containing some sort of malware, thus granting the attacker access to the machine and by association, whatever network it connects to. These attacks are troubling because they allow an attacker to simply avoid many of the technical controls an organization may have in place.

The Data Breach Report has included metrics on phishing cases for years, this year the report stated that 30% of users open phishing emails. While this may not be harmful in itself, 13% of users will go on to click on the malicious attachment or navigate to the phony website where credentials are collected. These numbers are somewhat higher than last year, which reported a 23% open rate and an 11% click-through on the attachments. Another important thing to note is how quickly this all happens, the report states that it often takes less than five minutes to see a targeted user click on the attachment or link.

Social Engineering attacks, phishing specifically, are on the rise because the attacks are much easier to execute than technical attacks targeting an organization’s vulnerable assets. It enables an attacker to compromise a network with much less effort than would normally be required, and often times in much less time.

The good news is that phishing attacks can be defeated in multiple ways.  First, two-factor authentication would nearly eliminate all the risk associated with credential-stealing activities. Even if an attacker did acquire the main credentials for an employee, they would still lack the secondary credentials that are required.  Second, and probably the most direct way to decrease human risk, is through a mature security awareness program. While awareness and training programs have been given more attention as of late, several organizations still do not take them seriously. Without training your employees on simple, human targeted attacks like phishing, they cannot be expected to protect your critical assets and data when they become the targets.

Curious how your organization stacks up?  CyberSheath can help, contact us today.

CyberSheath Blog

How to Safeguard Your Company from Phishing

Email is so ubiquitous in our everyday lives that it can be a challenge to always be on guard when receiving messages. Each day it’s not unheard of for each member of your team to have hundreds of messages land in their inbox. How do you make sure that none…

3 Tools to Help Defend Your IT Infrastructure from Threats

With the continually evolving threat landscape and the prevalence of team members working from home, it is more important than ever to be proactive with how your company is protecting itself from cyberattacks.  CyberSheath can help. We offer services to build on all the great work you have already done…

DNS Filtering for Additional Protection of IT Systems

Phase one of securing your IT infrastructure should include protecting your endpoints and safeguarding your employees from phishing attempts. After you have implemented these controls, the next logical step is to launch a DNS filtering solution.   What is DNS filtering and why do you need it? Domain name server…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO