Phishing E-Mails are Behind Cyberattacks


A company called “PhishMe”, based in Leesburg, VA, says that more than 90% of cyberattacks start with a Phishing email.

First, let’s define “phishing” and “spear-phishing”. Phishing is the use of email to defraud individuals of personal or corporate information. Phishing emails are generally less personal than Spear Phishing emails. Spear Phishing is a targeted Phishing attempt: the email appears to come from a trusted sender, or contains more personal information, in order to induce the targeted recipient to reveal confidential information. In both cases, the black hat hacker fraudulently seeks information including passwords, bank account information, credit cards and more. Phishing is also the leading cause of ransomware. For the purposes of this article, we will refer to both Phishing and Spear Phishing as Phishing.

Phishing, and its more sophisticated brother Spear Phishing, are a significant problem. Phishing works when email users are enticed to open an email from a scammer who is seeking profit by obtaining personal or corporate information. Phishing is also the most common way companies and individuals are infected with Ransomware. It used to be that users were enticed to open an email that indicated they had "won a million dollars". However, users are certainly becoming more educated while hackers are becoming more sophisticated.

Unfortunately, Phishing remains the number one way attackers gain entry into computer systems. PhishMe recently conducted a study to analyze users who fall for these Phishing lures.

PhishMe, Incorporated studied email recipients' reactions to more than 40 million simulated Phishing emails. The simulated attacks were sent to employees of about 1,000 of the company’s customers around the world. The study took place over an 18-month period from January 2015 through July 2016.

The report indicates that over 90% of computer system hacks begin when a user opens a Phishing email. What is interesting is why users are duped into clicking on links in these dastardly emails. What the study found is that end-users open and click a link in a phishing email almost 14% of the time because they are curious, while “fear” and “urgency” each enticed the user to open and click a link just over 13% of the time. A smaller percentage of the phishing email links were clicked for reward/recognition, social reasons, entertainment and opportunity.

Fear, such as concern about job performance or deadlines, makes employees susceptible to such attacks. "Fear and urgency are a normal part of everyday work for many users," says Aaron Higbee, co-founder and CTO of PhishMe. "Most employees are conscientious about losing their jobs due to poor performance and are often driven by deadlines, which leads them to be more susceptible to phishing."

Scan Attached:

The study found that business-related phishing attacks are the most difficult for employees to recognize. Users are more likely to be fooled by scans attached to an email, office communications, finances & contracts, retail & shopping and Information Technology (IT) communications. Subject lines such as “Scan attached”, with an email body that says something along the lines of “Please open the attached PDF document.”, cause users not only to open the email but also to click on a dangerous link or open the hazardous attachment. The larger threat can be that the document is not a PDF document at all, but rather ransomware that gets installed on the local computer.

The “File from scanner” phishing attacks affected the Transportation industry approximately 49% of the time, the healthcare industry 31% of the time and the Insurance and Pharma / Biotech industries around 30% of the time.

Locky Ransomware:

In early 2016 a new form of ransomware emerged. Locky ransomware can be delivered via a Microsoft Office Document. This Phishing attack email message will contain a subject similar to “ATTN: Invoice 20160146” and the body of the email may say “Please see the attached invoice (Microsoft Word Document) and remit payment according to the terms listed at the bottom of the invoice”.

This type of Phishing attack is especially disturbing as users frequently believe that Office documents are safe. It is also very common for Word, and other Office documents, to be exchanged via email. As a result, users open these types of Phishing emails over 21% of the time. Upon opening the document the user is usually presented with gibberish and an Office message indicating that the document contains a macro. Office asks if the user wishes to “Enable Editing”. All too frequently, the users confirm and the embedded macro goes to work causing havoc.
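Both lures described above, the "PDF" that is not a PDF and the Office document that carries a macro, can be caught by inspecting attachment content rather than trusting the file name. The following is an added example, not code from the article or from PhishMe; the function names are hypothetical, the sample message is constructed with benign placeholder bytes, and only ZIP-based Office formats (.docx/.docm/.xlsm) are checked for macros, not legacy .doc files.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def classify_attachment(filename, data):
    """Return findings based on content, not on the name the sender chose."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext == "pdf" and not data.startswith(b"%PDF-"):
        findings.append("named .pdf but content is not a PDF")
    if data.startswith(b"MZ"):
        findings.append("Windows executable header")
    if data.startswith(b"PK\x03\x04"):  # OOXML Office files are ZIP archives
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            names = []
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("Office document contains a VBA macro project")
    return findings

def scan_message(raw):
    """Map attachment filename -> findings for every flagged attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    flagged = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings = classify_attachment(name, part.get_payload(decode=True) or b"")
        if findings:
            flagged[name] = findings
    return flagged

def build_sample():
    """Constructed message; attachments hold benign placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"placeholder")
    msg = EmailMessage()
    msg["Subject"] = "ATTN: Invoice 20160146"  # subject quoted in the article
    msg.set_content("Please see the attached invoice.")
    for name, data in [("invoice.docm", buf.getvalue()),
                       ("scan.pdf", b"MZ\x90\x00placeholder"),
                       ("real.pdf", b"%PDF-1.4\n%%EOF\n")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `scan_message(build_sample())` flags `invoice.docm` and `scan.pdf` and leaves `real.pdf` alone; a mail gateway would typically quarantine flagged messages for review.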

The Locky attack authors are very sophisticated. Generally, the email received by the end-user has no grammatical or spelling errors and frequently looks as though it is from a fellow employee or someone that the user knows. In addition, the Locky attack appears to the end-user as if it is part of the organization's existing invoice process.

PhishMe found that Locky phishing emails were opened by the Insurance industry almost 35% of the time. Energy, at just under 32%, and healthcare, at almost 25%, round out the top three industries affected by Locky.

Prevention:

When employees actively report Phishing threats the time for detection of a data breach is reduced to just over an hour. In contrast, the industry average detection for a data breach is 146 days. This is likely due to the fact that once reported, Information Technology personnel know what to look for.

According to the study, employee education is likely the most effective method of increasing security and reducing vulnerability. The study found that if a company runs through just one simulation, the risk users pose drops by almost 20%. This means that users are trainable and can learn, which increases a firm’s security.

According to its website, PhishMe, Incorporated says: “PhishMe believes employees – humans – should be empowered as part of the solution to help strengthen defenses and gather real-time attack intelligence to stop attacks in progress.”

Evidence Solutions agrees education is key in preventing a data loss or a virus infection. Please share this newsletter.

PhishMe, Incorporated’s headquarters are in Leesburg, VA; the company also has U.S. offices in New York, NY, San Francisco, CA, and Birmingham, AL. The full report is available at https://cofense.com/project/2016-phishing-susceptibility-report/


Experts on this topic...

Digital Evidence

Digital Evidence Scott Greene
