Where are we at the moment?
Unsurprisingly, 2021 saw a significant increase in reported phishing attacks, which accounted for around 36% of reported attacks over the year. As an attack vector, phishing is a low-cost, low-risk way of launching a cyber attack with a disappointingly high success rate. It is also flexible: a phishing message can carry malware directly, guide the user to a website that infects them indirectly, or serve as the first phase of a more sophisticated attack.
Email-based threats are the most common attack, and the percentages are on the attacker's side: an email sent to ten thousand users needs only one user to click once. According to the latest Verizon Data Breach Investigations Report, the median click rate in phishing simulations is around 3%, and anecdotally the click rate for real phishing emails is higher. The ten most successful phishing attacks made public are estimated to have cost around £330 million between them.
Stemming the Tide
Organisations can implement anti-spoofing controls (SPF, DKIM and DMARC on their email domains) to stop attackers from making external emails appear to be internal communications that recipients instinctively trust. Organisations should also encourage their contacts up and down the supply chain to do the same, making it harder for attackers to disguise emails as communications from trusted third parties. While email remains the most common transport, phishing is now commonplace over messaging apps such as WhatsApp and over text messages. If you use social media, you will be familiar with the number of organisations, from trading standards bodies and charities to local councils and ISPs, warning against fake parcel-tracking text messages; that particular SMS phishing campaign has attracted significant attention.
There are limits to how effective automated content scanning of emails and web pages can be. Even machine-learning techniques for identifying suspicious links have limitations when set against the resources that organised criminal enterprises can devote to crafting enticing phishing material. Once phishing material has reached a user's screen, the user's own judgement is the only control left, so training is the only defence at that point. Unfortunately, users are fallible: they forget awareness training over time and act in haste when under perceived time pressure.
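The anti-spoofing controls mentioned above work by letting the receiving mail server check whether the domain shown in the From: header is backed by an SPF pass or a DKIM signature for an aligned domain, and by publishing a DMARC policy that says what to do when it is not. The following is an added example, not Salus Cyber's code or tooling: a minimal DMARC-style evaluator in Python that reads the Authentication-Results header a receiving server would add, checks identifier alignment against a DMARC record, and returns the resulting action. The sample messages and DMARC records are constructed, the domains are placeholders, and the organisational-domain logic is a deliberate simplification (a real evaluator uses the Public Suffix List).

```python
"""Added example: DMARC-style alignment check over a received message.

Not the article's or Salus Cyber's code. Sample messages, records and
domains below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def org_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels.

    Assumption/simplification: real evaluators use the Public Suffix List;
    without it a domain such as 'example.co.uk' would collapse to 'co.uk'.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(d1: str, d2: str, mode: str) -> bool:
    """DMARC identifier alignment: 's' = strict (exact match),
    'r' = relaxed (same organisational domain)."""
    if mode == "s":
        return d1.lower() == d2.lower()
    return org_domain(d1) == org_domain(d2)


def parse_dmarc(record: str) -> dict:
    """Parse a 'v=DMARC1; p=reject; adkim=s' style TXT record into tag -> value,
    filling in the RFC defaults (relaxed alignment, p=none) where absent."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("p", "none")
    return tags


def parse_auth_results(header: str) -> dict:
    """Pull the SPF/DKIM verdicts and the domains they were verified for
    out of an Authentication-Results header written by the receiving MTA."""
    out = {"spf": "none", "spf_domain": "", "dkim": "none", "dkim_domain": ""}
    m = re.search(r"\bspf=(\w+)(?:[^;]*?smtp\.mailfrom=([^\s;]+))?", header)
    if m:
        out["spf"] = m.group(1).lower()
        out["spf_domain"] = (m.group(2) or "").split("@")[-1]
    m = re.search(r"\bdkim=(\w+)(?:[^;]*?header\.d=([^\s;]+))?", header)
    if m:
        out["dkim"] = m.group(1).lower()
        out["dkim_domain"] = m.group(2) or ""
    return out


def evaluate(raw_message: str, dmarc_record: str) -> dict:
    """Decide whether the From: domain is backed by an aligned SPF or DKIM pass
    and, if not, what the domain owner's published policy asks us to do."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1]
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    policy = parse_dmarc(dmarc_record)

    spf_ok = auth["spf"] == "pass" and aligned(auth["spf_domain"], from_domain, policy["aspf"])
    dkim_ok = auth["dkim"] == "pass" and aligned(auth["dkim_domain"], from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok  # DMARC passes if either identifier is aligned
    if passed:
        action = "deliver"
    else:
        action = {"reject": "reject", "quarantine": "quarantine"}.get(
            policy["p"], "deliver (monitor only)")
    return {"from_domain": from_domain, "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "dmarc_pass": passed, "action": action}


# Constructed sample messages (not real traffic). The attacker can write any
# From: header but cannot pass SPF for example.com or sign with its DKIM key.
LEGIT = """From: Finance <finance@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@mail.example.com; dkim=pass header.d=example.com
Subject: Q3 invoices

Please find attached.
"""

SPOOF = """From: CEO <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=news@attacker-example.net; dkim=none
Subject: Urgent payment

Pay this now.
"""

# Constructed DMARC records as they would be published at _dmarc.example.com
RELAXED_REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
STRICT_REJECT = "v=DMARC1; p=reject; adkim=s; aspf=s"
NO_POLICY = "v=DMARC1; p=none"

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(name, evaluate(raw, RELAXED_REJECT))
```

The spoof passes SPF, but for the attacker's own bounce domain, so it is not aligned with the From: domain and is rejected under p=reject. The same message under p=none is delivered and merely reported, which is why a domain left at p=none offers recipients no protection. Strict alignment (adkim=s, aspf=s) is stricter still: the legitimate message fails SPF alignment because it bounces through mail.example.com, and is rescued only by its DKIM signature for example.com.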
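To make the limits of automated content scanning concrete, here is an added example (not code from the article or from Salus Cyber) of the kind of link heuristics a mail gateway applies: raw IP hosts, punycode, the userinfo trick, a trusted brand name embedded in an untrusted host (with common character substitutions folded), and link text that shows one host while the target is another. The trusted domain list and the sample links are assumptions constructed for the example. Most of the links trip a rule; the last one, a generic host with a plausible path, trips none, and that is exactly the message that ends up in front of a user.

```python
"""Added example: link-scanning heuristics of the kind a mail gateway applies.

Not the article's or Salus Cyber's code. The trusted domain set and the
sample links are constructed for illustration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed: the domains the organisation actually uses (a placeholder).
TRUSTED = {"example.com"}
BRANDS = {t.split(".")[0] for t in TRUSTED}  # {"example"}

# Common character substitutions seen in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def host_of(url: str) -> str:
    """Real hostname of a URL. urlsplit resolves the 'userinfo' trick:
    https://example.com@attacker.test/ has host attacker.test."""
    return (urlsplit(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED)


def normalise(host: str) -> str:
    """Fold digit/letter substitutions and 'rn'->'m', 'vv'->'w' before brand matching."""
    return host.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def scan_link(anchor_text: str, href: str) -> list:
    """Return the heuristic findings for one link (empty list = nothing suspicious)."""
    findings = []
    parts = urlsplit(href)
    host = host_of(href)

    if "@" in parts.netloc:
        findings.append("userinfo before host hides the real destination")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a raw IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (IDN) host")
    if not is_trusted(host):
        for brand in BRANDS:
            if brand in normalise(host):
                findings.append(f"brand name '{brand}' embedded in untrusted host {host}")
    # Link text that is itself a URL should point where it says it does.
    text_host = host_of(anchor_text) if re.match(r"https?://", anchor_text) else ""
    if text_host and text_host != host:
        findings.append(f"link text shows {text_host} but target is {host}")
    return findings


# Constructed links (anchor text, href) as they might appear in an email body.
SAMPLE_LINKS = [
    ("https://mail.example.com/login", "https://mail.example.com/login"),
    ("https://mail.example.com/login", "https://examp1e.com/login"),
    ("Reset your password", "https://example.com.account-verify.test/reset"),
    ("Reset your password", "http://198.51.100.7/reset"),
    ("Open invoice", "https://example.com@attacker.test/inv"),
    # Nothing here trips a rule: a generic host with a plausible path.
    # Only the user, or the page behind the link, can judge this one.
    ("View document", "https://docs-share-cloud.test/view/2f3a"),
]


def scan_all(links) -> dict:
    """Map each href to its findings."""
    return {href: scan_link(text, href) for text, href in links}


if __name__ == "__main__":
    for href, findings in scan_all(SAMPLE_LINKS).items():
        print(href, "->", findings or "clean")
```

Rules like these are cheap and worth running, because they remove the obvious cases before a user sees them. They are also easy to evade: an attacker who registers a neutral-sounding domain, or abuses a legitimate file-sharing service, produces a link that looks exactly like the last sample.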
Finding a Solution
One of the problems is that big businesses tend to look for a technological solution, making a capital investment to solve the problem, while smaller companies rely on staff awareness to spot and avoid it. The best defence is a multi-layered approach. First, technical controls weed out the obvious and flag the possibly suspicious. Then, training in phishing recognition and critical-thinking techniques, followed by refresher training and test campaigns, reinforces awareness. Finally, controls that spot, halt and reverse the effects of a successful attack limit its impact. The makeup of these layers will vary by business, so expertise and detailed case-by-case analysis need to drive the decisions, and different organisations will have different needs and strategies. For example, a user in a small, close-knit family business will be immediately suspicious of an email from Bill demanding some urgent action if nobody named Bill works at the company. That instinct is no help in a large multinational operating from offices across several continents.
Strength in Depth
Training can teach users to recognise common types of phishing content, but that is only part of what they need. More complex phishing campaigns use social engineering tactics to deceive users into acting, and general classroom training is of limited use when a user is caught off guard or under stress. Automated system monitoring can help by checking for unexpected user behaviour, but prevention is always better than remediation. Attackers exploit fear, curiosity and urgency, which are difficult to replicate in training, and because the threat landscape continuously evolves, training will always lag behind it.
The answer is strength in depth, general awareness and preparedness, realistic simulations, and a culture that positively reinforces reporting and motivates correct behaviours. Once technical controls are breached, the last line of defence is users’ attitude, behaviour, culture, and awareness.
How we can help
We at Salus Cyber are experienced in running phishing simulations against many organisations in various industries; our consultants bring both ready-made scenarios and offer brainstorming sessions to each client to identify the most effective approach for you. Our phishing approaches can be a standard exercise targeting all employees, or a more targeted approach, utilising open-source intelligence to target high-value employees with tailored spear-phishing emails.
If you would like to understand more about the use of phishing to help determine some of the associated risks across your business, we will be delighted to discuss further with you and explore how best we can help.