The Phisher Kings

No doubt you have received those alluring emails which are written to entice you to click and collect your customer reward from your local drug store. But are you sure that email is really from your drug store? The same lure is also used by phishers. Open any number of ‘global threat’ reports from within the security industry and you’ll note the prominence of phishing as a threat vector in each.

Let’s take a look at what the professionals are saying.

Global Phishing and Internet Crime: Key Takeaways

We’ll start with the Anti-Phishing Working Group (APWG), who issued their Global Phishing Survey: Trends and Domain Name Use in 2016 in late June 2017. The survey provides a look at the backbone of the phisher’s ecosystem: the domains to which they send their unsuspecting victims. Couple this with their Phishing Activity Trend Report Fourth Quarter 2016, and you have all the confirmatory evidence you need to learn that phishing is a growth industry.

The key data points provided by the APWG: “Phishing activity in early 2016 was the highest ever recorded by the APWG since it began monitoring in 2004. Phishing activity in the fourth quarter of 2016 was higher than any period in 2015. The total number of phishing attacks in 2016 was 1,220,523. This was a 65 percent increase over 2015.”

The Federal Bureau of Investigation also released their 2017 Internet Crime Report in late June 2017, which showed an increase in both the number of complaints they received (298,728) and the quantity of losses attributed ($1,450.7M) to those complaints. Keep in mind when reading these numbers that this is just “reported crime.” The Department of Justice estimates that 85 percent of fraud victims do not report their crimes to law enforcement. 

The FBI noted that phishing (which includes voice, SMS, etc.) accounted for 19,465 reported incidents in 2016, which resulted in $31,679,451 of losses to the victims. The report notes the correlation between phishing and spear-phishing emails that “are sent to end users, resulting in the rapid encryption of sensitive files on a corporate network.” While the FBI did not associate Business Email Compromises (BEC) directly to phishing, some industry reports did.

When Dtex Systems conducted a survey of their customer base, and produced their Insider Threat Intelligence Report 2017, they noted the correlation between personal email use at work and the susceptibility of an organization to phishing attacks. A highlighted example was an instance where an insider clicked on a link in a phishing email. The user accessed the malicious email via their webmail account while on the corporate network, and, as a result, the entire organization was put at risk.

Phishing: A Business Challenge

So which sites are being targeted for phishing? The APWG notes that new businesses or applications are often targeted, as their focus is more on keeping the ship afloat during a period of rapid growth, and thus they are perceived as being susceptible to having their domain hacked and used to support phishing campaigns since they are not expected to be focused on security basics.

The 2017 IXIA Security Report notes that the top phishing targets are Facebook, Adobe, Yahoo, and AOL. The report goes on to attribute 20 percent of all attacks via these sites to be associated with phishing.

Moving on, the 2017 Data Breach Investigations Report (DBIR) produced by Verizon called out phishing as being used most often for purposes of espionage or financial gain.

The DBIR point to phishing via email as being “the most prevalent variety of social attacks.” Not so startling was the observation that 7.3 percent of all users were successfully phished. And perhaps a tad startling was how “in a typical company (with 30 or more employees), about 15% of all unique users who fell victim once, also took the bait a second time. 3% of all unique users clicked more than twice, and finally less than 1% clicked more than three times.”

The NTT Security 2017 Global Threat Intelligence Report called out phishing as “business challenge.” The authors note that over 60 percent of the NTT Security incident response engagements were to “help organizations manage phishing attacks.” They also noted the “strong correlation between phishing and ransomware attacks in healthcare and retail.”

With respect to the healthcare sector, 50 percent of incidents to which NTT Security responded were related to ransomware.

Educate and Train!

It’s unanimous: the Phisher Kings are alive and well. Those industry threat and intelligence reports show that time and again, you, your employees, your customers and your friends and even family are all potential targets. As the APWG notes, “If a site takes in personal data, then there may be phishers who want to exploit it.”

The great majority of industry reports call out the need to train employees to be suspicious of emails with links and attachments, and so over time the likelihood of a user falling victim to a phishing email should be reduced. They also collectively urge every entity to have a plan in place to cover the worst-case scenario, when user training/education fails and the malware execution, ransomware attack, or data breach occurs.

The APWG highlights the need to educate your customers on how to recognize phishing emails, and provides a portal with a great many resources available, most of which are without charge.

About Christopher Burgess

About Christopher Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher served 30+ years within the Central Intelligence Agency. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, Secrets Stolen, Fortunes Lost - Preventing Intellectual Property Theft and Economic Espionage in the 21st Century (Syngress, March 2008).