Whether the subject line was “You’re account will be closed!” or the email address was firstname.lastname@example.org, we have all received and rolled our eyes at a poorly disguised phishing attempt. While many view phishing as a small annoyance, this attack method has maintained longevity for a reason and is still the number one cause of data breaches. Phishing ranges from the painfully obvious to the nearly impossible to detect, and remains a huge challenge for organizations to address and keep under control. Read on to find out what attackers are trying to achieve with phishing, why it continues to be such a large problem, and if there’s anything that can be done to reduce the risk.
How Does Phishing Work?
Phishing is typically used to gain credentials so attackers have access to an organization’s systems, or as a way to deploy malware directly. The more obvious emails, which are generic, come from unrecognizable addresses, and are often riddled with spelling errors, are sent in bulk to hundreds or thousands of users. By casting a wide net, attackers hope to catch someone off guard who isn’t paying careful attention or someone who is a relative novice with technology.
These days, attackers are often more discerning and turn to spear phishing, a tactic where they tailor phish to target specific groups or individuals. These emails can look very authentic, appearing to come from a known contact or leading the recipient to a false website that looks identical to one they regularly visit or use. Creating these phish requires an attacker to research the target beforehand, learning as much information as possible to create an email the target would be likely to open. Even the most perceptive users can fall victim to one of these highly sophisticated phishes.
One of the key reasons phishing is so successful is how easy it is to execute, and how many ways it can be used. The skills needed to create and deploy a campaign are not overly complicated, and detailed instructions are available online. Even the more complex phish isn’t as difficult as you would think, with so much information about people being available on social media or with a simple Google search. Additionally, with the advent of the dark web, nearly anyone can purchase a turnkey phishing kit, and be well on their way to launching their first attack within minutes.
Why is Phishing So Hard to Avoid?
While spam filters do catch a good deal of the more simplistic phish, attackers have come up with many evasive techniques, like encryption or scan blockers, to make sure they land in your inbox. Once there, the only barrier is how careful the user is. There is no tool to prevent a user from opening an email or downloading an attachment that has not been flagged as dangerous. At organizations with multiple users, sometimes numbering in the thousands, it only takes one careless employee to trigger a breach that may lead to long-term damage. The true strength of phishing is its reliance on human error.
How Can Phishing Simulations Help?
While human error cannot be eradicated, it can certainly be managed. Spotting phish is a skill that can be taught; all it requires is a bit of practice. Those who have accidentally fallen victim to a phishing attack may not even be aware that they did anything wrong, and will never learn from their mistake, making them more susceptible to another attack. Phishing simulations allow organizations to find out who is vulnerable by launching a safe phishing campaign, deploying emails of varying degrees of difficulty. The only consequence of clicking on one of these emails is being flagged as someone in need of additional training to learn what to look out for. By regularly running this type of pen test, organizations remind users to remain continuously vigilant and to make healthy suspicion of their inbox contents second nature.
But how do you get started with a social engineering pen test? Just as threat actors can find instructions to launch a phishing attack online, there are luckily plenty of resources for those looking to learn how to successfully create and execute their own ethical campaign, like the Best Practices for Effective Phishing Simulations eCourse.