Phishing is an international problem that continues to grow rapidly. In a “phishing” attempt, a hacker or criminal sends an email, text message, or voice communication while pretending to be someone they are not. The communication contains a link or attachment that, when clicked, takes the unsuspecting victim to a phony website or downloads malware to their computer.

The phony website can then collect information, for example, bank passwords, which the attacker can then use on the real site; the malware can infect a computer network, steal information, or use it to send more phishing emails.

Kaspersky Lab, maker of popular anti-phishing software, states in its Q3 2016 report that its system was triggered 37,515,531 times, an increase of 5.2 million over the previous quarter. And the attackers are not just targeting people and companies in the U.S.; Kaspersky notes that the top three countries with the most users affected by phishing are China, Brazil, and UAE.

To combat this continually expanding threat, both global and national organizations and initiatives have formed, often combining forces between public and private sectors. Here is a list of some of the most notable anti-phishing organizations and the latest developments in the war against cybercriminals.

List of Resources

APWG – (Anti-Phishing Work Group): http://www.antiphishing.org/
(EU version: https://apwg.eu/)

The APWG is one of the largest global anti-phishing collectives, with over 1800 organizations as members. It also advises top-level government entities, such as the Commonwealth Parliamentary Association, ICANN, OAS, and the G-8. APWG was founded in the U.S. but now has a chapter in the EU; its goal is to tackle cybercrime worldwide. Every month it sends upwards of a billion records to its members, outlining current threats along with the latest research. It has a branch called STOP.THINK.CONNECT., which is designed to help governments pass cyber security information on to their populace.

In January of 2017, APWG announced it was expanding its board from two to five, adding members with specialized experience in fighting cyber crime. APWG noted that 2016 saw an unprecedented increase in the sophistication of phishing attempts, particularly those targeting CEOs.

US-CERT: https://www.us-cert.gov

Originally called FedCIRC, the department was created in 2000 to combat the rising threat of cyber attacks against the U.S. Government. Since 2003, it has been a part of the Department of Homeland Security, and its mission has expanded to include protection for individuals, private industry, and international organizations. As part of its job, US-CERT collects phishing email messages and website locations and helps prevent others from getting scammed. You can forward any phishing emails to phishing-report@us-cert.gov or report them at https://www.us-cert.gov/forms/report

ScamWatch: https://www.scamwatch.gov.au

Run by the Australian Competition and Consumer Commission (ACCC), its role is to educate consumers and small businesses about the dangers of all kinds of internet fraud, including phishing. The ACCC is working with the Australasian Consumer Fraud Taskforce (ACFT) on what they call the Scam Disruption Project. Since some phishing scams involve the transfer of large amounts of money, they work with the country’s financial institutions to spot scams when they notice large amounts of unusual financial activity. They then reach out to the individual or business to warn them they may be the victim of a scam.

Get Cyber Safe: https://www.getcybersafe.gc.ca/index-en.aspx

Canada’s Get Cyber Safe initiative has a portal for small businesses as well as consumers to help them steer clear of internet fraud. It gives suggestions on how to educate employees as well as how to create policies designed to protect your infrastructure.

Computer Incident Response Center Luxembourg (CIRCL): http://www.circl.lu

In spite of being one of the smallest countries in the world (179th out of 194), Luxembourg is the best connected country in Europe and, due to its central location, the home of many data centers. As such, it has a heightened mission to protect its infrastructure from phishing attacks and other security threats. To do this, it created CIRCL. CIRCL also has a URL abuse testing form, where one can copy and paste a suspicious URL and get a report back on its safety without having to visit the site: https://www.circl.lu/urlabuse/

Get Involved, Stay Informed, Raise Awareness

If you are in one of the countries listed above, we encourage you to visit the websites above for further information, as well as subscribe to their newsletters or alerts. If not, check with your local government to see if they have any initiatives or organizations that can help keep you up to date.

We also suggest you join InfoSec Institute’s SecurityIQ program. Members can use PhishSIM to create and send a battery of phony phishing emails to test vigilance within your organization. The accompanying AwareED platform allows you to enroll learners in a customizable education program, where they can learn more anti-phishing techniques.

You can join SecurityIQ for free, which gives you a limited number of campaigns and learners. Or, sign up for our premium service with unlimited everything and get 30 days free.


Be Safe


Stephen Moramarco


SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.
