State of the Phish: Protecting Against Increasing Phishing Attacks
The 2016 State of the Phish Report from Wombat Security found that 85 percent of respondents reported being the victim of a phishing attack in 2015, a 13 percent increase from 2014.
The top ten industries in the report hailed from finance, manufacturing, healthcare, technology, education, government, energy, transportation, professional services and retail, showing how phishing attacks can strike every industry.
Phishing attacks can target any organization or individual with an online account or application login that requires a set of credentials, making them a fast, easy, low-tech and effective way to gain legitimate access to sensitive information. Phishing emails will direct users to a credible-looking website to enter their credentials or other sensitive information, sending the data to online criminals.
However, the report also warns that phishing attacks aren’t only email-based, but can often be preceded by social engineering phone calls. Fifty-five percent of companies have experienced phishing through phone calls and SMS messaging.
Of course, it’s not just the phish that matters, but what happens as a result. Organizations report that they suffered from malware infection as a direct result of phishing (42 percent). Another 22 percent report that they experienced compromised accounts as a direct result of phishing.
How does this happen?
- An attacker may send a phishing email to a targeted user with a malicious attachment. When the user clicks on the attachment, they download a malware executable that infects their machine and attempts to exploit any known vulnerabilities in order to gain access to their organization’s network.
- Or, the user clicks on a link in the email that directs them to a malicious website that delivers a malware payload.
- Or, worse yet, the user clicks on a link, directing them to a spoofed website that appears to be a login page, and then enters their credentials. Their username and password are sent to an attacker’s command and control server, which are then used to log into the user’s company email or applications.
The cost of a phishing incident to a business includes lost productivity for employees (44 percent), the impact of the loss of proprietary business information (36 percent), and the damage to a company’s reputation (20 percent).
The actual estimated cost of phishing for a 10k-employee company is $3.8 million, with expenses related to malware, productivity hits and credential compromises.
Quick Phish-Free Tips
Here’s a few quick tips from the report and Duo for end users on how to avoid becoming the victim of a phishing email attack:
- Never give out your password or username via email
- Don’t log into websites via links sent to you in an email
- Pay attention to the sender of the mail - do you recognize their name and email address?
- Question if the tone is consistent with what you’d expect from the sender, and if the email conveys a sense of urgency or contains a call-to-action
- Be cautious whenever an email asks you to open an attachment or access a website
- Verify the authenticity of the email by contacting the sender in a way other than email - call, or, better yet, talk to them in person or over video conferencing
Another aspect of risk evaluation is which plugins are most vulnerable, that is, which ones are typically out of date. This can give organizations insight into their susceptibility to an attack. The report found that Adobe PDF Reader was outdated 61 percent of the time, while Adobe Flash followed at 46 percent. Microsoft Silverlight was next at 27 percent, and Java last at 25 percent.
Tax Records Exposed in Phishing Email Scam
The tax season is a prime time for phishing attacks. Just a few weeks ago, nearly 500 Wisconsin state employees fell for a phishing email scam that resulted in compromised tax records for 50 employees.
The email linked to a spoofed landing page, a replication of the Department of Human Resources website. The website urged employees to click on link to give them access to W-2 information, exposing names, addresses, Social Security numbers and bank account numbers to the attacker.
Below is an example of the email:
From: ESSW2@vermont [mailto:email@example.com]
Sent: Thursday, January 21, 2016 10:58 AM
Subject: IMPORTANT TAX RETURN DOCUMENT AVAILABLE
Dear Account Owner,
Our records indicate that you are enrolled in the Vermont State paperless W2 Program. As a result, you do not receive a paper W2 but instead receive e-mail notification that your online W2 (i.e. “paperless W2”) is prepared and ready for viewing. Your 2015 W2 corrected statement is ready for viewing, follow the link below
Click Here to Login
To opt out of the Paperless W2 Program, please login to Employee Self Service at the link above and go to the W2 Delivery Choice webpage and follow the instructions.
Vermont State’s Human Resource Management Systems
Unfortunately, employees clicked on the link and exposed sensitive tax record information. To avoid falling for similar emails, don’t click on the link and ask your HR dept. if they really did send you important tax returns.
Log into your HR portal by typing the URL directly into the address bar of your browser and protect your account with two-factor authentication. That way, you can ensure malicious hackers can’t log into your accounts without possessing your physical authentication device - a smartphone. Learn more about Duo’s two-factor authentication mobile app, Duo Mobile.
Organizations can further protect their business-critical applications by enabling Duo Access, which combines two-factor authentication with endpoint analysis. That means, administrators can collect, analyze and export reports on your users’ devices, including which ones are running outdated browsers or plugins like Flash - all without the use of agents.
Use the data to enable a policy to allow your users to update their own devices, or create a policy to block all outdated devices from accessing your network, protecting from malware and associated vulnerabilities. Learn more in our Two-Factor Authentication Evaluation Guide.