Why Are Phishing Attacks Still So Effective?
Updated: Feb 28, 2019
The more the threat landscape diversifies and changes, the more it stays the same. Some of the oldest tactics in cybercriminals’ playbooks remain the most prevalent and successful. In 2018, as in years past, most data breaches were carried out by criminal actors external to the targeted organization, yet the majority of those incidents were made possible by an action taken by an employee inside it. Whether through a careless mistake or by being taken in by a convincing con, humans continue to fall victim to phishing attacks and social engineering schemes at an alarming rate.
Even as information security awareness grows, your employees are continuing—albeit inadvertently—to help attackers find a way onto your system: humans remain the weakest link in every organization’s security infrastructure.
According to the 2018 Verizon Data Breach Investigations Report, the most commonly employed activity in successful data breaches was the use of stolen credentials. Compromised or stolen passwords were to blame for 81% of hacking-related data breaches in another recent industry-wide cybercrime survey. And the majority of these credentials were obtained through phishing attacks, or in cases where users unintentionally downloaded keyloggers or other forms of malware when visiting fraudulent websites.
Although it’s possible to prevent some—perhaps even the majority—of these incidents through increased awareness and improved employee training, it’s not possible to eliminate the threat. Today’s reality is that someone, somewhere within your organization will inevitably make an IT security mistake at some point in time.
At least in part, this ongoing vulnerability can be attributed to the increasing sophistication of attackers’ techniques and methods. In the past, phishing emails were relatively easy to spot: they contained misspellings, obviously incorrect URLs, odd-looking graphics or improbable alerts. They were designed predominantly to target users who were careless, harried or distracted—users too busy to pause and consider the consequences before opening an attachment or clicking a link.
Today’s most advanced phishing attempts rely on far more sophisticated tactics. The ready availability of large volumes of highly personal information on social media networks enables attackers to craft messages tailored to each recipient: the right colleague’s name, the right project, the right invoice amount. Text and graphics may be copied perfectly from authentic alert messages sent out by the companies being spoofed, and links may point at look-alike domains that differ from the real one by a single character. Some messages also carry active content, such as HTML or a scripted attachment, that exploits a flaw in the mail client and runs as soon as the message is opened or previewed, with no further click required.
But organizations also remain vulnerable because all too often they fail to take necessary steps to improve their employees’ security. Though research has proven security awareness training an effective means of reducing organizations’ overall susceptibility to these sorts of attacks, many businesses don’t budget adequately for this type of education. Or they choose programs that are too short or too shallow, or that fail to engage employees or impress them with the seriousness of the issue.
It’s even more worrisome that many businesses neglect to implement even the simplest of technical measures to protect themselves from attackers seeking to exploit their employees’ human weaknesses. Far too often, decision-makers don’t install the most effective tools or institute the strongest security policies because they fear these measures will make their network’s resources less accessible. The common belief is that there’s a tradeoff between security and usability: what makes employees safer online may also make it more difficult for them to do their jobs.
In most cases, this perception is far from accurate. Even when extra steps are added (to login procedures, for instance), they seldom take more than a few seconds to complete, and the time spent is a worthwhile investment when compared to the probable costs of a data breach.
Time and time again, post-breach investigations show that the attacks succeeded because known security policy best practices were not followed, or readily available tools were not deployed.
Here are the most important—and most frequently neglected—steps you can take to protect your network from phishing and other social engineering-based threats:
1. Implement Two-Factor or Multi-Factor Authentication
Multi-factor authentication is one of the best ways to safeguard network assets against attacks involving compromised credentials. When multi-factor authentication is in place, users must present two or more independent factors, such as a password (something they know), a one-time code generated on or sent to a separate device (something they have), or a physical security key, in order to access the network. A phished password on its own is then not enough to log in.
Not only does multi-factor authentication add a much-needed extra layer of protection for administrative and privileged accounts as well as business email and other applications, but it also sends an alert, in the form of the request for the second factor, to any employee whose account has been targeted by an attacker. Well-trained employees will recognize that an unexpected prompt signals that their password is already in someone else’s hands, will refuse to approve it, and will report it promptly to the security team for investigation. Two caveats apply: a one-time code typed into a convincing fake login page can be relayed to the real site by the attacker within its validity window, so codes must be accepted only once and only against the genuine service, and hardware security keys that bind the login to the site’s origin (FIDO U2F/FIDO2) resist that relay in a way that codes do not.
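The following is an added example, not code from the original post or from Netswitch: a minimal time-based one-time-password (TOTP, RFC 6238) second factor, to make concrete why a stolen password alone no longer opens the account and why a code must be accepted only once. The `User` record, `login` function and the constructed salt are illustrative; a real deployment would use a vetted authentication library rather than this snippet.

```python
"""Added example (not from the original post): a minimal TOTP second factor per RFC 6238.

The service holds a password hash plus a per-user TOTP secret. A stolen password alone
cannot log in: the caller must also present a code derived from the secret and the current
time. Counters that have already been used are remembered so a code phished in real time
cannot be replayed within its validity window. `User`, `login` and the salt are illustrative.
"""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field
from typing import Optional, Set

STEP = 30      # RFC 6238 default time step in seconds
DIGITS = 6
WINDOW = 1     # accept one step of clock skew on either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def pw_hash(password: str, salt: bytes = b"constructed-salt") -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    password_hash: bytes
    totp_secret: bytes
    used_counters: Set[int] = field(default_factory=set)  # replay protection


def login(user: User, password: str, code: str, now: Optional[int] = None) -> str:
    """Both factors must verify; a correct code is honoured only once per time step."""
    now = int(time.time()) if now is None else now
    if not hmac.compare_digest(pw_hash(password), user.password_hash):
        return "denied: bad password"
    current = now // STEP
    for counter in range(current - WINDOW, current + WINDOW + 1):
        if hmac.compare_digest(hotp(user.totp_secret, counter), code):
            if counter in user.used_counters:
                return "denied: code already used (possible replay)"
            user.used_counters.add(counter)
            return "ok"
    return "denied: bad or expired code"


if __name__ == "__main__":
    # Secret from the RFC 6238 test vectors; time 59 falls in counter 1 -> code 287082.
    secret = b"12345678901234567890"
    alice = User(password_hash=pw_hash("hunter2"), totp_secret=secret)
    print(login(alice, "hunter2", "000000", now=59))   # phished password, no valid code
    print(login(alice, "hunter2", totp(secret, 59), now=59))
    print(login(alice, "hunter2", totp(secret, 59), now=70))  # same code replayed
```

The check at `now=70` is the part a practitioner should notice: the code is still mathematically valid (counter 1 is inside the skew window), but because it has already been consumed the relayed copy is refused. What this does not defend against is an attacker who forwards the victim’s fresh code to the real site first; only an origin-bound factor such as a hardware key closes that gap.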
2. Restrict Access to Domains with a History of Hosting Malware or Other Harmful Activities
Outbound web traffic can be regulated on individual endpoints by installing browser-based web filters that prevent users from following links to known malicious addresses. It can also be regulated at the network level, where a DNS filter or secure web gateway refuses connections to domains and IP addresses with a history of hosting malware or credential-harvesting pages. Data loss prevention (DLP) controls complement this by watching the other direction: DLP tools inspect outbound traffic for data that matches a sensitive pattern, such as payment card numbers or protected customer information, and block the transfer, so that even when a user has been lured to a fraudulent site, the data they are tricked into entering does not leave the network.
Proactively designed network-based defenses are usually the most effective means of blocking malicious IP addresses and domains without subjecting end users to unnecessary restrictions. Tools that employ contextual or behavioral analytics (domain age, look-alike names, reputation of the hosting network) can protect business networks even from newly established dangerous URLs that haven’t yet been blacklisted.
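As an added example, not code from the original post or from the Secureli platform, here are the two egress checks just described in the form a gateway or proxy hook would apply them: a domain blocklist match that also covers subdomains and IP literals, and a DLP pattern for payment card numbers validated with the Luhn check so that ordinary order numbers are not blocked. The blocklist entries, the TEST-NET address and the sample requests are constructed for illustration.

```python
"""Added example (not part of the original post): two egress checks of the kind described
above, as a gateway or proxy would run them on each outbound request. The blocklist,
the TEST-NET-3 address and the sample request bodies are constructed for illustration.
"""
import re
from ipaddress import ip_address
from typing import List
from urllib.parse import urlsplit

# Constructed blocklist. A domain entry also covers every subdomain beneath it.
BLOCKED_DOMAINS = {"malware-host.example", "phish-login.example"}
BLOCKED_IPS = {"203.0.113.7"}


def normalize_host(host: str) -> str:
    """Lowercase, drop a trailing dot, and convert IDN labels to punycode so that
    a Unicode look-alike is compared in the form the resolver actually sees."""
    host = host.rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def domain_blocked(host: str) -> bool:
    """True if the host, or any parent domain of it, or its IP literal is blocklisted."""
    host = normalize_host(host)
    try:
        return str(ip_address(host)) in BLOCKED_IPS   # direct-to-IP requests
    except ValueError:
        pass
    labels = host.split(".")
    # cdn.malware-host.example -> malware-host.example -> example
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


# 13-19 digits, optionally separated by single spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; filters out random digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Candidate PANs in the text that pass the Luhn check, with separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def decide(url: str, body: str = "") -> str:
    """Gateway decision for one outbound request: destination check, then DLP on the body."""
    host = urlsplit(url).hostname or ""
    if domain_blocked(host):
        return "block: destination on blocklist"
    pans = find_card_numbers(body)
    if pans:
        return f"block: {len(pans)} payment card number(s) in outbound body"
    return "allow"


if __name__ == "__main__":
    print(decide("http://cdn.malware-host.example/login"))
    print(decide("http://203.0.113.7/drop"))
    # Constructed form post to an unlisted site: the card number is what gets it blocked.
    print(decide("https://secure-verify.example/pay", "card 4111 1111 1111 1111 exp 12/25"))
    print(decide("https://www.example.com/", "order 1234567890123 shipped"))
```

The last two calls show why the DLP side matters for phishing specifically: a freshly registered site is not on any blocklist yet, but the payment card data a victim types into it still has to cross the gateway, and the Luhn check keeps the 13-digit order number in the final request from tripping the rule.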
3. Employ Email and Spam Filters
Inbound message filtering is the most commonly used tool to prevent social engineering attacks, but it’s less likely to be effective when employed in isolation instead of as part of a comprehensive multilayered approach. Although spam filters will detect most if not all of the least sophisticated phishing attempts, messages that have been carefully crafted to resemble genuine correspondence and sent to a single, unique recipient are unlikely to be flagged as dangerous. Sender authentication (SPF, DKIM and an enforcing DMARC policy) stops outsiders from putting your own domain in the From header, but it does nothing against a look-alike domain the attacker legitimately controls. Malicious emails sent from a compromised account within an organization, from a well-established and trusted sending address, are also unlikely to be detected, because to the filter they are indistinguishable from that user’s normal mail.
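To make the limits described above concrete, the following is an added example, not code from the original post or from any filtering product: a handful of header heuristics of the kind an inbound filter applies, run over three constructed messages. The domain names, the simplified Authentication-Results header and the scoring are illustrative. The point is the third message, sent from a compromised internal account, which passes every check.

```python
"""Added example (not from the original post): inbound header heuristics run over
constructed sample messages. OUR_DOMAIN, the sample headers and the scoring are
illustrative; a real filter would weigh many more signals."""
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Tuple

OUR_DOMAIN = "corp.example"   # constructed

# Fold common look-alike substitutions so c0rp.example compares equal to corp.example.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(domain: str) -> str:
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg) -> Dict[str, str]:
    """Parse a simplified Authentication-Results header into {method: result}."""
    out: Dict[str, str] = {}
    for part in msg.get("Authentication-Results", "").split(";")[1:]:  # [0] is authserv-id
        part = part.strip()
        if "=" in part:
            method, result = part.split("=", 1)
            out[method.strip()] = result.split()[0].lower()
    return out


def score_message(raw: str) -> Tuple[int, List[str]]:
    """Return (number of suspicious signals, reasons) for one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    reasons: List[str] = []
    if auth_results(msg).get("dmarc") == "fail":
        reasons.append("DMARC failed for From domain")
    if from_dom != OUR_DOMAIN and skeleton(from_dom) == skeleton(OUR_DOMAIN):
        reasons.append(f"look-alike of {OUR_DOMAIN}: {from_dom}")
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From")
    if from_dom != OUR_DOMAIN and any(t in name.lower() for t in ("helpdesk", "it support")):
        reasons.append("internal-sounding display name from an external domain")
    return len(reasons), reasons


# Constructed sample messages.
SAMPLES = {
    "direct_spoof": "\n".join([
        "From: IT Helpdesk <helpdesk@corp.example>",
        "Reply-To: support@mail-reset.example",
        "Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=corp.example;"
        " dkim=none; dmarc=fail header.from=corp.example",
        "Subject: Your password expires today",
        "",
        "Reset it here before 5pm.",
    ]),
    "lookalike": "\n".join([
        "From: IT Helpdesk <helpdesk@c0rp.example>",
        "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=c0rp.example;"
        " dkim=pass header.d=c0rp.example; dmarc=pass header.from=c0rp.example",
        "Subject: Your password expires today",
        "",
        "Reset it here before 5pm.",
    ]),
    "compromised_insider": "\n".join([
        "From: Alice <alice@corp.example>",
        "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example;"
        " dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example",
        "Subject: Updated invoice",
        "",
        "Please review the attached invoice and approve today.",
    ]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, score_message(raw))
```

The look-alike message passes SPF, DKIM and DMARC, because the attacker owns `c0rp.example` and has set those records up correctly; only the confusable-domain and display-name heuristics catch it. The insider message passes everything and scores zero, which is exactly the gap that makes the monitoring-and-detection posture argued for below necessary.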
Even the best-trained and most technically savvy employees can fall prey to socially-engineered attacks. It’s human nature: when we’re stressed, busy or tired, we can momentarily succumb to carelessness. And a single click is all it takes.
For this reason, the wisest approaches to phishing prevention are those that emphasize ongoing monitoring and detection. Once we accept that it’s impossible to prevent every user from clicking every link, every time, and instead adopt an “assume breach” mentality, we can begin to implement the most effective defenses. Contact Netswitch if you’d like to learn more about how the Secureli platform incorporates the most effective anti-phishing tools available today, including data loss prevention, real-time network monitoring and intelligent malicious domain blocking.