Baited breadth - the rise of phishing

Reviews of organisational security can be viewed in many positive ways, but all too often with trepidation or resignation. The rise of phishing, where spoof, but increasingly credible, messages try to obtain sensitive information, is a particularly troublesome challenge. It exploits one of the weakest links in digital security, people, to get them to click on something they should not.

The latest (4th) annual State of the Phish report from Wombat Security Technologies is an interesting overview of the issue. This article quotes some of its data. It is based on feedback from infosec professionals, technology end users and Wombat’s customers. The report outlines the breadth and impact of phishing and what organisations might try to do to address it.

The scale of the challenge

The scale of the issue is staggering. Around half of organisations are seeing an increase in the rate of attacks, and the approaches are diversifying. Over half are experiencing spear fishing – targeting specific individuals, roles or organisations – and 45% are experiencing phishing by phone calls or text messages (‘vishing’ and ‘smishing’).

To combat this, companies can go beyond basic training courses and awareness campaigns, and simulate actual phishing attacks to see how employees behave and how they might respond to specific phishing styles. Those in the survey typically use four different styles of email templates to assess how end users react:

  • Cloud emails, relating to accessing documents from cloud storage or using other cloud services.
  • Commercial emails such as simulated shipping confirmations or wire transfer requests.
  • Corporate emails, which look like the sort of messages normally circulated internally such as ‘memos’ from IT or HR departments.
  • Consumer emails related to social media, retail offers or bonuses and gift cards notifications.

Although individuals are starting to get wise to the issue and average click rates have fallen from 2016 to 2017, sophisticated attacks can be very effective. Two particular simulated corporate templates had almost 100% click rate – one pretending to include an updated building evacuation plan, the other a database password reset alert. Other high deceivers were messages about corporate email improvements or corporate voicemails from an unknown caller. The only high rated consumer attack was about online shopping security updates.

The impact of phishing attacks seems to be growing, or at least is being more widely recognised as it has a strong impact on IT professionals. Almost half of organisations noted malware infection as a consequence of phishing. Compromised accounts and loss of data were the other most significant responses. It was also noted it causes a greater burden on IT in terms of, for example, helpdesk calls. So too was the potentially more far-reaching business consequences in terms of cost, time and disruption.

Addressing the issue

The key to mitigating the risk is to change end user behaviour. This is much more than simply making users aware of the consequences, although many organisations do have severe punishments. ‘Repeat offenders’ will face counselling in three quarters of organisations, removal of access to systems in around a quarter and in one in ten organisations it may result in being sacked. (The research was conducted in the US, UK and Germany, and employment regulations may differ significantly.)

As phishing seems not only to be inevitable (around three quarters of organisations say they are experiencing phishing attacks), but also very damaging, the most pragmatic approach would be to tackle the issue head on. Better to avoid any of those unfortunate consequences and address the problem at source by highly targeted training. This would benefit enormously from ongoing reinforcement since both the threats and the workforces having to deal with them will change over time.

This is where training using regular simulated attacks appears to help greatly. The majority of organisations are doing this very frequently with 40% training quarterly and 35%, monthly. Why? Well, an increasing number, now over three quarters of organisations, measure their own susceptibility to phishing attacks. Over half say they have been able to quantify a reduction based on their training activities. Given those metrics and the growing risks and potentially significant business disruption and impact, who wouldn’t do more to avoid being caught in the phishing net?