Phishing Affects Everyone
We’ve all seen the emails: someone shared a Google Doc with us, our bank wants to verify our password, we’ve received an “important” attachment, you name it. Phishing is common, and it is common because it is easy. It is also getting worse. In Q2 of 2016, the Anti-Phishing Working Group (APWG) observed well over 460,000 unique phishing sites, the most it had ever seen in a single quarter. That works out to more than 5,000 new phishing sites every day.
Phishing doesn’t target everyone equally. APWG’s report found that retail/service was the industry most frequently targeted, accounting for 43 percent of all attacks, far ahead of any other sector. The financial industry followed at 16 percent.
How Does Phishing Actually Work?
In a nutshell, phishing works because email, like physical mail, was built to assume that the sender is who they claim to be: SMTP itself does nothing to verify the address in the From: line. Unless the sending domain and the receiving server both deploy the sender-authentication protections that were bolted on later (SPF, DKIM and DMARC), which is still the exception rather than the rule, a forged message can look entirely legitimate.
To detect and prevent spoofing, both the receiving mail servers and the sending domains need to be configured properly. Most of the time they aren’t, which is what makes email spoofing possible. It’s also important to note that attackers don’t always spoof the sender address. They don’t have to.
Attackers can be tricky and do things like:
• Register a similar domain name (example: account-google.com as opposed to google.com)
• Use a domain that simply doesn’t exist. (These are almost always delivered just fine.)
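The checks a receiving side can make against the three cases above (a forged From: address, a lookalike domain, and a domain nobody authenticated) can be shown in a few lines. The script below is an added example for this article, not code from the original post or from any mail product: it reads the Authentication-Results header a receiving server stamps on a message (RFC 8601), compares the domains SPF or DKIM actually authenticated against the domain shown in From: (a simplified form of DMARC’s relaxed alignment), and flags From: domains that imitate a protected brand. The protected-brand list, the homoglyph table and the four sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the brand domains this organization wants to watch for impersonation.
PROTECTED_DOMAINS = ("google.com", "paypal.com")

# Small homoglyph table used to normalize a domain label before comparing it with a
# protected brand (g00gle -> google, paypa1 -> paypal, rnicrosoft -> microsoft).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def _domain_of(addr: str) -> str:
    """Lower-cased domain part of an RFC 5322 address or bare domain, or ''."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()

def authenticated_domains(msg) -> set:
    """Domains that SPF or DKIM actually authenticated, read from the receiving
    server's Authentication-Results header (RFC 8601). Only 'pass' results count."""
    found = set()
    for hdr in msg.get_all("Authentication-Results", []):
        flat = " ".join(hdr.split())          # unfold the header
        for m in re.finditer(r"spf=pass\b[^;]*smtp\.mailfrom=([^\s;]+)", flat):
            found.add(_domain_of(m.group(1)))
        for m in re.finditer(r"dkim=pass\b[^;]*header\.d=([^\s;]+)", flat):
            found.add(m.group(1).lower())
    return found

def is_aligned(from_domain: str, auth_domains: set) -> bool:
    """Simplified DMARC 'relaxed' alignment: the visible From: domain must equal an
    authenticated domain or share a parent with it. Real DMARC compares organizational
    domains via the Public Suffix List; this approximation suffices for the samples."""
    return any(from_domain == d or from_domain.endswith("." + d) or d.endswith("." + from_domain)
               for d in auth_domains)

def normalize_label(label: str) -> str:
    """Fold common homoglyphs and drop hyphens so 'acc0unt-g00gle' becomes 'accountgoogle'."""
    label = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label.replace("-", "")

def lookalike_of(domain: str, protected=PROTECTED_DOMAINS):
    """Return the protected domain that `domain` imitates, or None if it is the brand
    itself, one of its subdomains, or resembles no protected brand."""
    domain = domain.lower()
    if any(domain == b or domain.endswith("." + b) for b in protected):
        return None
    labels = domain.split(".")
    registrable = normalize_label(labels[-2] if len(labels) >= 2 else domain)
    for brand in protected:
        if brand.split(".")[0] in registrable:
            return brand
    return None

def check_message(raw: str) -> dict:
    """Who the message claims to be from, who was actually authenticated, whether the
    two align, and whether the claimed domain is a lookalike of a protected brand."""
    msg = message_from_string(raw)
    from_domain = _domain_of(msg.get("From", ""))
    auth = authenticated_domains(msg)
    aligned = is_aligned(from_domain, auth)
    lookalike = lookalike_of(from_domain)
    return {"from_domain": from_domain, "authenticated": sorted(auth), "aligned": aligned,
            "lookalike_of": lookalike, "suspicious": (not aligned) or lookalike is not None}

# Constructed sample headers (not real mail). Bodies are omitted; only headers matter here.
SPOOFED_FROM = """\
From: "Google Drive" <drive-shares-noreply@google.com>
Return-Path: <bounce@account-google.com>
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounce@account-google.com;
 dkim=pass header.d=account-google.com;
 dmarc=fail header.from=google.com
"""
LOOKALIKE_DOMAIN = """\
From: "Google Security" <no-reply@account-google.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=account-google.com;
 dkim=pass header.d=account-google.com
"""
NONEXISTENT_DOMAIN = """\
From: alerts@no-such-sender-xyz.example
Authentication-Results: mx.example.net; spf=none; dkim=none
"""
LEGITIMATE = """\
From: "Google Drive" <drive-shares-noreply@google.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=google.com;
 dkim=pass header.d=google.com; dmarc=pass header.from=google.com
"""

if __name__ == "__main__":
    for name in ("SPOOFED_FROM", "LOOKALIKE_DOMAIN", "NONEXISTENT_DOMAIN", "LEGITIMATE"):
        print(name, check_message(globals()[name]))
```

Two things worth noticing in the output. The lookalike message passes SPF and DKIM and is perfectly “aligned”, because the attacker owns account-google.com and can authenticate it; only the brand comparison catches it, which is why sender authentication alone does not stop phishing. The message from the non-existent domain is flagged simply because nobody authenticated it, yet, as noted above, most receivers will still deliver it.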
The Real Problem with Phishing
Many people think phishing is a credential problem: they believe they’re safe as long as they didn’t enter their credentials after clicking the phishing link. That isn’t true. Phishing is just as much a device problem as it is a credential problem, because the page behind the link can attack the browser and its plugins without asking the visitor for anything at all.
In addition to being easy, phishing is incredibly effective. Research shows that 31% of people click the phishing link. We also saw that 17% of users go on to enter their credentials into the phishing site. On top of that, as many as 72% of users are running an out-of-date browser plugin such as Java, which leaves them vulnerable to the exploit kits that phishing pages routinely serve.
How Do We Fix It?
Phishing is effective, so how do we fix it? Traditionally, the favored answer has been user awareness training. Training can reduce the impact of a phishing campaign, but it doesn’t solve the problem on its own: in any organization of reasonable size there will always be someone who clicks the link or gives up their credentials.
If credentials are stolen, attackers will try to re-use them to take over the account. The answer is to deploy two-factor authentication, so that a stolen password on its own is not enough to access critical applications.
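To make the “credentials can’t be re-used” claim concrete, here is a minimal two-factor login check written for this article (an added example, not code from the original post or from any particular product). It implements the standard time-based one-time password algorithm (TOTP, RFC 6238, built on HOTP, RFC 4226) and requires the password and a fresh code together; a code that has already been accepted is rejected if it is replayed. The user store, the salt and the password are constructed; the TOTP secret is the RFC 6238 test-vector key, so the codes it produces can be checked against the values published in the RFC.

```python
import hashlib
import hmac
import struct
import time

STEP = 30            # TOTP time step in seconds (RFC 6238 default)
WINDOW = 1           # accept one step of clock skew on either side
PBKDF2_ROUNDS = 100_000

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

# Constructed user store. The TOTP secret is the RFC 6238 test-vector key, so the codes
# can be checked against the values published in the RFC (e.g. 287082 at t=59).
USERS = {
    "alice": {
        "salt": b"constructed-salt",
        "pw_hash": _hash_password("correct horse battery staple", b"constructed-salt"),
        "totp_secret": b"12345678901234567890",
        "last_counter": -1,   # highest time step whose code has already been accepted
    }
}

def login(username: str, password: str, otp_code: str, now=None) -> bool:
    """Two-factor login: the password AND a fresh TOTP code are both required.
    A password harvested by a phishing page is useless on its own, and a code that has
    already been accepted cannot be replayed (RFC 6238 section 5.2)."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None or not otp_code.isascii():
        return False
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    current = now // STEP
    for counter in range(current - WINDOW, current + WINDOW + 1):
        if counter <= user["last_counter"]:
            continue                     # already consumed: reject replays
        if hmac.compare_digest(hotp(user["totp_secret"], counter), otp_code):
            user["last_counter"] = counter
            return True
    return False

if __name__ == "__main__":
    pw, secret = "correct horse battery staple", USERS["alice"]["totp_secret"]
    print(login("alice", pw, "000000", now=59))            # False: stolen password, no valid code
    print(login("alice", pw, totp(secret, 59), now=59))    # True: password plus fresh code
    print(login("alice", pw, totp(secret, 59), now=70))    # False: the same code replayed
```

The phishing scenario is the first call: the attacker has the correct password but no second factor, and the login fails. The third call shows why one-time codes must be consumed after use; without the last_counter check, a code captured from the victim could be replayed inside the skew window.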
Two-factor authentication does nothing to protect the device itself against exploit kits, so deploying two-factor alone isn’t enough to stop phishing. Keep devices, including the browser and its plugins, up to date so that exploit kits relying on old, known vulnerabilities fail.
Disabling macro execution via Group Policy is the recommended way to protect against malicious Office macros, but macros are only one kind of malicious attachment, so you still need further lines of defense. Together these controls limit the damage: even if account credentials are harvested from a compromised device, two-factor authentication keeps the attacker out of those accounts, and while an up-to-date device can still run a malware attachment the user opens, the malware is far less likely to be able to use known vulnerabilities to do things like escalate its privileges.