The Art and Science of Phishing
Phishing, or sending out spoofed email messages in an attempt to fool the recipient and obtain personal information is a huge and growing problem. According to a recent infographic by getcybersafe.ca, the numbers break down as follows:
156 million phishing messages per DAY
16 million make it through spam detection and other security systems
8 million get opened
800,000 links are clicked
Their numbers indicate 10% of opened phishing emails get clicked. The click-through estimates vary wildly however, depending on the nature of the message, and the list of recipients that receive them. In many cases, the click rate may be much higher.
The term phishing generally refers to blanket messages sent to a bunch of recipients indiscriminately. Spear Pfishing on the other hand, involves targeting recipients that are known to have a relationship with the company or organization used as bait.
If a spammer can obtain emails for people known to have a relationship with a particular bait organization, the response numbers go up dramatically. If they can obtain names and other personal information at the same time, the messages can be personalized, thus increasing the response rate even further, and making the message look very authentic.
In the past, many malicious email messages had an attachment, usually a zip file, which made them easier to filter out. It was also possible to train employees not to open certain attachments, with reasonable compliance. Symantic reported this week however a recent uptick in the number of messages with malicious links rather than attachments. This trend does not bode well for businesses, because a link can appear to be quite legitimate, since the link label and underlying address can be completely different. It is much more difficult to train employees to look at the actual address before clicking.
So, what are the take-always for businesses from the increasing dangers of phishing?
1) Train your employees, train them again, and then refresh the training. It is a mistake to assume anyone has the common sense not to act on a suspicious message. We are all bombarded by email these days, and it is all too easy to click without thinking. I don't care how big or small your business is, regular employee security training is now essential. In a recent Carnegie Mellon Study, the likelihood of users clicking a suspicious link went down significantly with proper training.
2) Protect your customer email addresses and names as well as you do their credit card numbers. Even simple names and addresses can be used to great advantage by expert phishers.
3) Use spam filter software, which can help filter out messages with spoofed links. I use Cloudmark DesktopOne at home, which is free for non-commercial use, and can be purchased for business use. It rarely lets a phishing message show up on my inbox. There are many other products available as well.
4) Did I mention employee training?
It is sad that we now face such an increased threat from phishing, but it will not go away. The only answer is vigilance.