The Real Reason Why Phishing Attacks Are So Successful
10 August 2017 08:59
Successful phishing attacks are increasing at a rapid rate, and so too are the variety of forms they come in. Millions of users worldwide are put at risk every single day (well, every 30 seconds to be exact). Simply put - cyber criminals are evolving, and so are their techniques.
But it isn't just your traditional phishing scam that's taking its toll on a range of businesses - spear phishing and CEO fraud now offer a much more damaging scope of an attack. Without a doubt, IT decision makers are squirming at the possibility of becoming yet another story in the never-ending book of breaches.
But what makes these phishing attacks so successful? Well according to a report by Osterman Research, there are 6 main factors to blame...
#1 Your Users Are Lacking Security Knowledge
The largest door being opened for cyber criminals is, without doubt, the one labelled with "security awareness". More specifically, a lack of employee training focusing on issues such as phishing and ransomware is the main reason for these attacks being so successful.
In fact, Osterman claim that 6% of users have never received security awareness training. This is pretty damning when it comes to an employee's confidence and ability to recognise phishing attacks and act appropriately. Users should be trained to be cautious of any unexpected emails and any the scams that they could face on various platforms.
#2 Criminals Are (unsurprisingly) Following The Money
The use and notoriety of the Dark Web has lowered the commercial value of stolen data. The price of a payment card record dropped from $25 in 2011 to $6 in 2016, meaning that cyber criminals have had to adapt their focus to new ways of earning the kind of money they did in the past.
Consequently, the fruitful nature of information-holders is the area they're now turning to. Attacks such as ransomware, where information-holders are afraid of losing their data, means that victims wouldn’t think twice before paying the demands of the criminal.
#3 You're Not Performing Sufficient Due Diligence
Companies are simply not doing enough to reduce the risks associated with phishing and malicious software. There's a lack of adequate backup processes in place, as well as an inability to identify the weakest users that need further training.
Also, strong internal control processes are often missing, such as a double confirmation for any bank transfer request (which can be key to preventing CEO fraud). Neglecting these processes is playing directly into the hands of some of the most common fraudulent techniques.
Similar read: 3 reasons why you should phish your own employees
#4 Criminal Organisations Are Sitting On A Mountain Of Funds
Many cyber criminals have access large funds, widening their ability to hone their technical skills and allow for more sophisticated phishing attacks.
#5 Low-cost Phishing and Ransomware Tools Are Easy To Get Hold Of
The availability of phishing kits and the rise of ransomware-as-a-service (RaaS) has given wannabe hackers an easy opportunity to enter the market and compete with sophisticated criminal organisations.
The most worrying part of this growing trend is that even people with little or no IT experience are reaping the rewards of these easy to get hold of tools. With that sort of earning potential, it's not hard to see why criminals are drawn into the lucrative business.
#6 Malware Is Becoming More Sophisticated
The old (but still very effective) technique of luring users into clicking malicious links will soon be overshadowed by much more cunning and hard to avoid tactics.
There's certainly no major rush to branch out from the current malware techniques, although many have predicted that this year will see the development of new threats, such as “ransomworms” (self-replicating ransomware).
Now is the time to fight phishing and ransomware attacks with a cohesive approach:
The key to preventing these attacks, or mitigating their magnitude, is found in the development of a cohesive strategy that encompasses people, processes and technology: