Why phishing is a growing business for cyber-criminals

Stuart Fuller

According to a new report from PhishMe, one of the global leaders in threat management solutions, 91% of all cyber-attacks start with a phishing email. One click from a single unsuspecting user and the results can be devastating for a business.

The report goes into some of the motivations for people being fooled by phishing emails, stating that the biggest reason why we fall for them is curiosity. We are naturally suspicious in the real world, but put us in front of a computer or a smart device and that barrier falls; we seem to believe that because we can’t see anyone doing anything wrong, it is all fine.

Some people are motivated by reward or even the opportunity to see something salacious, whilst others are driven to act by the fear of not completing a particular task – especially when the phishing email is targeted at certain employees in instances of CEO fraud (an email sent to an employee, purportedly from the CEO or another high-ranking official of the company, instructing them to make an unauthorized external payment).

“Fear and urgency are a normal part of everyday work for many users”, says Aaron Higbee, co-founder and CTO of PhishMe. “Most employees are conscientious about losing their jobs due to poor performance and are often driven by deadlines, which leads them to be more susceptible to phishing.”

The PhishMe study took place from January 2015 to July 2016, and was based on more than 40 million simulation emails by about 1,000 of its customers around the world. Its findings also showed that the average time to identify a security breach following a phishing email was 46 days, with a further 82 days to contain it.

In its 2016 Q3 Malware Review, PhishMe also revealed that more than 97% of phishing emails delivered in that period contained malware, which is a significant risk to any business – especially if it includes encryption software that can in turn lead to a ransomware demand.

Whilst we are used to seeing poorly written emails with very unlikely stories about millions of dollars in foreign bank accounts, cybercrime has moved on. Today’s most successful phishing attacks are very carefully planned, look the real deal and are often targeted at perceived weak points in an organization.

The economic and reputational damage to victims of ‘successful’ phishing attacks can be huge. PhishMe estimates the average value is $4m, but that number does not include the damage to a firm’s reputation and the cost to repair it. The growing threat of ransomware is now firmly on the radar of all security services, including the FBI, which produced a briefing and avoidance statement earlier this year. CEO fraud has cost US organizations north of $2 billion in the past three years.

So how can everyone be part of the solution and not the catalyst for major problems? One of the oldest sayings is still the best – if it looks too good to be true, it almost certainly is. Some very simple checks can ensure the risks of falling victim to a phishing attack are significantly mitigated. First, check the domain name used in the email address. Whilst email addresses can be spoofed, many attacks rely on cyber- or typo-squatted domain names. Also check the Whois record – if the address details are masked, or the domain was registered in the past few days, warning signals should be flashing in your mind. Finally, the use of an email authentication service will significantly reduce exposure to phishing emails, but is not always a panacea. A large dollop of common sense and education is the fastest, cheapest and most effective solution for all employees.