Introduction: Understanding the Lure of Phishing Scams
Jack Danahy, co-founder and CTO at Barkly
Twenty years ago, hackers attempted to breach organizations by finding (or forcing) holes in the network perimeter, or in exposed and critical servers. In response, security became focused on locking those things down. The result: a “hard, crunchy outside” that unfortunately still left internal users, systems, and networks unprotected.
Modern attackers have long since realized the easiest way to deliver their attack tools is to focus on the “soft, chewy center” of the organization. And the very softest part is the ambulatory, 98.6-degree system: the user. By setting their sights on employees, criminals considerably increase their odds of compromising an organization. After all, why go to the trouble of trying to break through strong digital defenses when you can simply trick someone on the inside into opening the door and letting you in?
What is phishing and who does it target?
Users are susceptible to all manner of phishing scams, from free software to fake websites, from unsolicited photos to Nigerian fortunes. They unwittingly type their credentials into fraudulent screens. They click on malicious links that install system monitors, keyloggers, ransomware, backdoors, and bots.
It’s hard to blame them. Social networks, particularly LinkedIn and Facebook, serve up all the information, contacts, and backstory necessary to make a targeted spear phishing attempt or spoofed email look real. When that message appears to come from a high-level executive — a tactic referred to as a business email compromise (BEC) scam — it’s very easy for any employee at an organization to be duped.
Any organization — big or small, regardless of industry — can be the target of a phishing attack. That's because many phishing messages are delivered via mass email campaigns, with attackers understanding that even a small success rate spread out over a large number of attempts can still turn a profit.
According to Wombat Security's 2016 State of the Phish report, 4 out of 5 organizations have experienced phishing attacks, and the frequency of those attacks is increasing.
[Figure: Phishing statistics: attacks are on the rise (source: Wombat 2016 State of the Phish)]
Why learning how to protect yourself from phishing attacks is so important
According to the Verizon 2016 Data Breach Investigations Report, email attachments have become the #1 delivery vehicle for malware, with email links coming in at #3.
[Figure: Email attachments are the #1 delivery vehicle for malware (source: Verizon 2016 DBIR)]
Infecting a single user with malware can give attackers everything they need to launch a much more substantial penetration into your organization's network, stealing credentials, disrupting critical processes, or — in the case of ransomware — encrypting data and making it inaccessible until ransom demands are met.
[Figure: Nearly 97% of phishing emails delivered ransomware in Q3 2016]
The cost of phishing attacks is in the hundreds of millions of dollars and mounting. Their profitability continues to spawn new criminals and increasingly sophisticated new tools.
Preventing these losses starts and ends with supporting your organization's users: protecting them from themselves and, while they develop better habits, protecting the organization from their mistakes.
This guide will help you to develop and deliver messages that will raise the priority of security in the organizational mind. It will also give you some concrete steps to take in blunting the sharp edge of the phishing trend and its dangers. Weakness has taught attackers to phish. Now it’s time to teach our users to resist the lure.