Phishing continues to be a top attack vector, and in many cases, it is the initial, tried-and-true method in a multivector attack. That’s no surprise to security pros. What is surprising, though, is that phishing is still on the rise, and incidents will start to peak as we approach the holiday season, which generally gets started in October and continues through January. Is your organization doing enough to thwart them?
Our company has been monitoring breaches for years, and in October 2018, phishing incidents jumped over 50 percent from the annual average. In 2019, we expect phishing attacks to surpass web application attacks to become the No. 1 attack vector leading to a breach.
Attackers use a variety of phishing ploys — everything from fraudulent fundraisers to fake job opportunities — and scammers use phishing emails to get access to anything they can: login credentials, account numbers, Social Security numbers, email addresses, phone numbers, credit card numbers and any other information that will give them access to accounts.
Beware of scams that appear legitimate
Many of the scams appear to come from legitimate businesses. In fact, in our 2018 report, we found that 71 percent of phishing attacks seen from September 1 through October 31, 2018, focused on impersonating 10 top-name organizations. With the cloning of legitimate emails from well-known companies, the quality of phishing emails is improving and fooling more unsuspecting victims.
Attackers also hide the malware installed during phishing attacks from traditional traffic inspection devices by having it phone home to encrypted sites. Sixty-eight percent of the malware sites active in September and October leveraged encryption certificates, according to our report.
Be on the lookout now
The best time to begin preparing for the onslaught of multivector attacks this fall is now: be on the lookout, and start warning your employees to do the same. As with most threats, phishing woes can be solved with people, processes and technology. Training employees to recognize phishing attempts can reduce their click-through rate on malicious emails, links and attachments from 33 to 13 percent.
Here are more tips to prepare for phishing season during the holidays:
- The best first line of defense against phishing is to create a culture of curiosity. Teach your users to ask questions first and click second.
- The more security awareness training is conducted, the better employees are at spotting and avoiding risks.
- Regularly run training campaigns and phishing simulations for your employees, and be sure to keep content current and relevant.
- Teach employees to be wary of PDF and zip file attachments, shortened URLs, certificate warnings, security alert emails marked urgent, and even unexpected emails.
- Clearly label all mail from external sources to prevent spoofing.
- Accept that employees will fall victim to phishing attacks, and prepare your organization with containment controls that include web filtering, antivirus software and multifactor authentication.
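To make the labelling and "be wary of" tips above concrete, here is an added example (not from the report or from any F5 product) of a mail-triage function that prefixes external mail with `[EXTERNAL]` and records the indicators the list names. The domain `example.com`, the shortener list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.com"   # assumption: your organization's mail domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # assumption: partial, illustrative list
RISKY_EXT = (".pdf", ".zip")      # attachment types the tips above single out
URL_HOST = re.compile(r"https?://([^/\s\"'>]+)", re.I)

def triage(raw, internal_domain=INTERNAL_DOMAIN):
    """Return (is_external, reasons, message) with the subject labelled if external."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"]
    # Assumption: header From decides "external"; a real gateway would also
    # use the connecting source and SPF/DKIM/DMARC results.
    domain = sender.addresses[0].domain.lower() if sender and sender.addresses else ""
    internal = domain == internal_domain or domain.endswith("." + internal_domain)
    reasons = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            reasons.append("attachment:" + name)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for host in URL_HOST.findall(text):
        if host.lower() in SHORTENERS:
            reasons.append("short-url:" + host.lower())
    subject = str(msg["Subject"] or "")
    if re.search(r"\burgent\b", subject, re.I):
        reasons.append("urgent-subject")
    if not internal and not subject.startswith("[EXTERNAL]"):
        del msg["Subject"]
        msg["Subject"] = "[EXTERNAL] " + subject
    return (not internal), reasons, msg

def constructed_sample():
    """Constructed test message, not real traffic."""
    m = EmailMessage()
    m["From"] = "IT Support <helpdesk@mail.example.net>"
    m["To"] = "user@example.com"
    m["Subject"] = "URGENT: security alert"
    m.set_content("Verify your account: https://bit.ly/abc123")
    m.add_attachment(b"PK\x03\x04", maintype="application",
                     subtype="zip", filename="Invoice.ZIP")
    return m.as_string()

if __name__ == "__main__":
    external, reasons, labelled = triage(constructed_sample())
    print(external, reasons, labelled["Subject"])
```

The reasons list is meant to feed a warning banner or a review queue; none of these indicators is proof of phishing on its own.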
For more details on these tips, read the report, “2018 Phishing and Fraud Report: Attacks Peak During the Holidays.” Our report is based on data from a variety of sources, including F5’s Security Operations Center for Websafe and our data partner Webroot. The report looks at phishing and fraud trends over a year, the top impersonated companies in phishing attacks by name and industry, the growth rate in phishing attacks, and the fastest growing targets. It also details how phishing works, the most common and successful phishing lures, what happens when a phishing attack is successful, and what types of malware can be installed.