Phishing attacks are increasing in number and evolving in variety (newer methods include spear phishing and CEO fraud), putting at risk millions of users worldwide – actually, everyone with an email account. Why are they so popular among fraudsters and why are they so successful? A new report from Osterman Research sponsored by Forcepoint sheds some light on the matter:
1. Users are the weak link in the chain
Lack of training and awareness about phishing and ransomware is the number one reason these attacks are so successful. According to the research, 6% of users have never received security awareness training, which undermines confidence in staff’s ability to recognise threats and respond appropriately. Users should be trained to treat any unexpected incoming email with scepticism, along with any other scam they might encounter on social media.
2. Organisations are not performing sufficient due diligence
Companies are not doing enough to reduce the risks associated with phishing and ransomware: they do not have adequate backup processes in place, do not identify the weakest users who need further training, and do not have strong internal control processes to prevent CEO fraud (such as requiring a second, independent confirmation for any bank transfer request).
3. Criminal organisations are well funded
Access to funds has widened criminals’ ability to develop their technical skills and has enabled more sophisticated attacks.
4. Cyber criminals are shifting their focus
The abundance of stolen data on the Dark Web has reduced its commercial value – the price of a payment card record dropped from $25 in 2011 to $6 in 2016 – so cyber criminals have had to find new ways to earn as much as they did in the past. Consequently, they found a fruitful source of funds in information-holders, whom they target through phishing and ransomware attacks. Afraid of losing their data, information-holders wouldn’t think twice before paying what criminals demand.
5. Widespread availability of low-cost phishing and ransomware tools
The availability of phishing kits and the rise of ransomware-as-a-service (RaaS) have allowed wannabe hackers to enter the market and compete with sophisticated criminal organisations.
6. Malware is becoming more sophisticated
Criminals’ skills have improved considerably since the first attempts at luring users into clicking malicious links, as the latest CEO frauds show. Jonathan Whitley of WatchGuard Technologies predicted that new threats such as “ransomworms” (self-replicating ransomware) will emerge this year.
Fight phishing and ransomware attacks with a cohesive approach
The key to preventing these attacks or mitigating their magnitude lies in the development of a cohesive strategy that encompasses people, processes and technology:
- Raise awareness of these threats among staff through awareness programmes or dedicated e-learning courses;
- Develop processes that help staff take the best course of action in the event of an attack;
- Implement technology that can prevent these attacks from striking in the first place.