The Phish Are Still Biting
Despite a decade of terrifying headlines, education programs, employment and school policies, and other efforts to enlighten the masses, the odds are one in four that a phish will get a bite, according a recent report. Why is phishing still such a big problem? Read on...
Phishing is Still Big Business
It’s enough to make a security evangelist cry; I know I cringed when I learned how many people still fall for phishing campaigns. Now in its eighth year, Verizon's Data Breach Investigations Report (DBIR) has analyzed nearly 8,000 “data breaches” in which data was stolen or destroyed and nearly 195,000 “security incidents” in which hackers attacked systems but either failed to gain access or entered and didn’t steal or damage any data.
Denial-of-service attacks would be an example of a security incident. The 2015 DBIR alone covers 2,100 data breaches 80,000 reported security incidents in 61 countries during 2014. The DBIR team consists of dozens of tech companies led by Verizon. In 2011, only two percent of data breaches were traced back to phishing emails; by 2014, that figure had mushroomed to 23 percent. Phishing’s gain has come at the expense of spyware and keyloggers, which dwindled to five percent of data breach sources.
The objectives of phishing campaigns have changed in the past five years. Early phish typically focused on duping victims into providing their login credentials, credit card numbers, bank accounts, and similar information to the bad guys. I'm sure you've seen those emails purporting to be from your bank, Paypal or eBay. "There's a problem… click here to login and verify your account details." Doing so lands the victim on a rogue look-a-like website, which happily accepts their username, password, account number, etc.
The criminals would then use that information to commit fraud and ID theft or sell large batches of personal credentials. Now the goal of a phish is more often to install malware on a victim’s system. Malware can further the infiltration of a business network; enslave its host in a botnet used for spamming or denial-of-service attacks; or hold a computer hostage for ransom by encrypting its stored data.
Malware typically gets installed when a victim opens a file attached to a phishing email or clicks on a link embedded in it. The 2015 DBIR finds that 11 percent of people who receive phishing emails open the attachments.
Ups and Downs
On the brighter (or “less dismal”) side, there has been “slight decline” in users actually going to phishing sites and giving up their passwords to bank accounts and such. At least that part of the oft-repeated message has gotten through to a few people.
Just as an angler seldom casts his lure only once before moving on to a new spot, phishers generally send more than one phishing email to a given target address. The DBIR found that a phish campaign of ten emails has a 90 percent chance of getting at least one bite.
The bites come quickly, too. Two of the security firms that contribute to the DBIR sent out 150,000 simulated phish emails in a test sanctioned by their corporate clients, then measured the campaign’s effectiveness. Nearly 50 percent of users opened the phish email and clicked on its poisoned link within an hour of receiving it. That's stunning! (We should be happy these guys wear white hats.) The DBIR also reports that the median time-to-first-click in the real phishing campaigns it analyzed was only 1 minute, 22 seconds.
Phishers process their prey quickly, too. As I wrote in Surprising Stats On Phishing, “About 20% of victims had their accounts raided within 30 minutes of giving a rogue site the keys. Once hackers get into an account they spend about 20 minutes, on average, rooting around for more sensitive info and blasting out more phishing messages to a victim’s contacts, if they’re available.”
The rapidity of the phishing cycle gives corporate security administrators too little time to detect and counter phishing campaigns, according to the DBIR. The same is doubly true for home users, who aren’t paid to be constantly vigilant.
Workers in Communications, Legal, and Customer Service departments are the most likely to open phishing emails, the DBIR reports. Email volume is generally high in these departments, leading me to surmise that users don’t have much time to think before taking action on a given email. That’s just what a phisher needs.
It’s getting harder to detect phishing emails. Their designers have learned to mimic the emails of legitimate large companies pretty closely, and a phish email may well come from the compromised email account of a trusted contact. But at work or at home, it’s vital to think before you click, and err on the side of caution if you get the slightest whiff of anything “phishy” about an email.
Web browsers and anti-malware suites offer some protection from phishing emails and rogue websites, but you can't rely on them alone. I recommend that you use a bookmark when visiting sites that require a login. And it's always a good idea to call the sender when in doubt.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 24 Apr 2015
|For Fun: Buy Bob a Snickers.|
7 Reasons to Use Google Calendar
The Top Twenty
Project Fi - This is BIG!
There's more reader feedback... See all 24 comments for this article.
Post your Comments, Questions or Suggestions
Free Tech Support -- Ask Bob Rankin
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- The Phish Are Still Biting (Posted: 24 Apr 2015)
Copyright © 2005 - Bob Rankin - All Rights Reserved