Phishing is on the rise – how to ensure your company isn’t the catch of the day
Each quarter, the Anti-Phishing Working Group (APWG) – a coalition unifying the global response to cybercrime across industry, government, law-enforcement and NGO communities with a membership of more than 1800 institutions worldwide – releases a report detailing global phishing activities over that three-month period.
The APWG just released their Phishing Activity Trends Report for Q4 2015 at the end of March, and the numbers aren’t good for organizations that think they’re immune to phishing, spear-phishing, malware and other attacks, especially for enterprises in the two most frequently targeted industries during that period – retail and financial services.
According to the report, the retail/service sector was targeted with 24.03 percent of all phishing attacks in Q4 2015; a nice present for those companies to receive during their busiest time – the holiday shopping season. But the financial services industry was close behind, accounting for 20.47 percent of all phishing attacks during that quarter.
And, although the report is global in nature, it’s abundantly clear that American companies are top targets. The U.S. was second only to Belize in the list of countries that are hosting phishing sites, and was the top country hosting phishing-based Trojans and downloaders for that quarter.
According to the report, many of these American phishing sites are fake tech support and anti-virus scams. The report also found that there was a notable increase in software bundlers – which install unwanted programs without the user’s consent – during those three months. Overall, the report claims that 14 million new malware samples were captured during the fourth quarter of 2015.
What does this mean for your company? Especially if your company is in one of the most frequently targeted markets? It means that you need to protect your networks from this ever-expanding and increasingly dangerous ecosystem of malicious actors and phishing attacks.
Regardless of how intelligent and well-trained your employees are, some will invariably click on something they shouldn’t click on, stumble on a Website or fall victim to one of the 173,262 different phishing attempts reported to the APWG in Q4 2015 alone. Although training and reporting phishing attempts can help curb phishing attacks – especially those perpetrated via email – it’s not wise to assume that your company will avoid them forever.
In fact, phishing is successful more often than many think, and this can be particularly dangerous when phishing targets top executives – an attack that’s becoming affectionately known as “whaling.” One such attack was recently perpetrated against the grocery chain Sprouts, which has more than 200 stores and employs more than 21,000 people. In that phishing – or “whaling” – situation, an HR executive was targeted, and the attack resulted in the delivery of employee W2 forms to the attacker. These forms contain much of the information necessary to conduct identity theft on the company’s employees.
If a phishing attempt is successful, the end result can vary widely. In some cases, a phishing attack can be a direct communication to an individual within the organization asking for a specific action – like a wire transfer, one-time payment, or the previously mentioned W2 forms. But some phishing attacks can install unwanted software – such as key-loggers and other malware – that can begin to aggregate credentials for an enterprise’s more essential systems and applications. This is where things can get hairy – especially in today’s world of single sign-on authentication, where one authentication process grants access to many accounts, profiles and applications.
This is where today’s advanced technologies can help. Falling victim to a phishing attack doesn’t have to result in handing the keys to the kingdom over to malicious actors anymore. Today’s advanced, next-generation authentication solutions can ensure that, even if key-loggers and other forms of malware compromise credentials, attackers don’t have everything they need to successfully access company networks, applications and information.
Today’s advanced authentication solutions utilize out-of-band authentication processes to keep the credentials away from the malicious actor, even if the user’s device has been compromised. They also require authentication by more factors than a simple log-in and password. These factors can even be as advanced and difficult to fake as location and intent of the individual authenticating.
The problem with traditional authentication systems and processes was that they could only tell if the credentials being provided were correct. They couldn’t gauge if the person requesting access was who they said they were. But that’s changing. Today’s authentication solutions do more than check credentials; they require that the person requesting access actually be the person who has been given permission to access certain company networks and applications. The new generation of authentication solutions also analyzes data and available information about the individual requesting access, making them more contextually aware, less static, and more capable of determining an individual’s identity.
In today’s dangerous cybersecurity landscape, where more than 1,700 phishing attacks are reported to the APWG over a three-month period – and that’s not counting spear phishing attempts or those that weren’t reported – it’s important that enterprises protect themselves against what really has become the inevitable. People make mistakes. Phishing attacks can succeed. It’s important that companies implement the technologies that ensure that a successful phishing attempt doesn’t become a catastrophe.
To learn more about the security challenges facing enterprises today – including whaling and phishing – download our recent Webinar with Mattel CISO, Jill Knesek, entitled, “Ending the Game of Enterprise Security Whack-A-Mole.”