The Phishing Landscape


When it comes to cyber-attacks, there are many, many different forms they can take. However, one of the most common and insidious is phishing. This type of attack can lead to loss of data, compromised accounts, malware infections, and loss of profitability, and can leave a business facing serious legal charges and paying steep fines for noncompliance. Phishing attacks are not lessening, either. In fact, they are increasing.

Attack Statistics

While the actual numbers for phishing attacks in recent months are hard to nail down, simply because most attacks go unreported, a great deal of insight can be gained by considering the fact that Kaspersky Labs (the name behind one of the most popular security software suites on the market) says its anti-phishing system alerted them 30.8 million times during 2015 alone. Now, understand that this is only one software company. There are many others out there. The Ponemon Institute noted that the average company experienced 160 successful phishing attacks per week. This marks a threefold increase from the figures in 2010.

Phishing attacks cost their victims money, a lot of money. The average cost for 2015 was $1.9 million. The largest was $65 million. The cost is not tallied in dollars alone. For instance, the Beacon Health breach actually put the private information for 300,000 patients into hackers’ hands.

Phishing attacks are spread around the world, and no nation is spared. While the US might be less frequently targeted than Brazil (9.74% of all attacks) or India (8.3% of all attacks), it does see its fair share. It should also be noted that these are “rough” numbers because these statistics are only reported if the crime is discovered. In most instances, it never is. In terms of the industries attacked, there is a clear pattern. Internet service providers are the most frequently attacked, followed by financial services, payment services, multimedia companies, retail firms, social networks, the gaming industry, and government.

Each attack has the potential to bring wide-ranging fallout. Yes, there is often financial fallout. However, there are also legal repercussions. Breaches put businesses in danger of lawsuits brought by customers who’ve had their information stolen. There’s also the potential for insurance companies to be sued by businesses that have phishing coverage but have had their claims denied.

Phishing attacks do not take one single, common form, either. While phishing emails are very common, there are many other types of attacks. Phishing websites have gained prominence today, as have social media attacks, spear-phishing, fraudulent tax returns, phishing phone calls, and even charity phishing. Each type is carried out in a different manner, and it can be incredibly difficult to guard against them.

Read our complete article on phishing attacks and statistics.

Phishing Targets

Think you’re safe from phishing because you don’t fit a specific profile? Think again. Phishing scams target a broad range of businesses in many different industries. While Internet service providers might be the most common targets, no one is actually safe.

Really, anyone can be a target of phishing, whether you’re an individual, a business, a nonprofit organization, or a government agency. In addition, a number of individuals within businesses and organizations can be targeted. According to a study by Cloudmark, the most commonly targeted C-level executives are:

  • CEOs (27%)
  • CFOs (17%)

Within general staff, the most commonly targeted areas are:

  • IT staff (44%)
  • Finance staff (43%)

However, this is somewhat misleading. In many phishing attacks, the attacker is not particularly interested in one specific individual. They’re more interested in scamming as many people as possible. This is at least partially due to the nature of the information being sought when a business or organization is the target. Attackers are looking for victims with credentials that will grant them access to crucial business information, employee data, customer information, and the like.

In the Cloudmark study mentioned above, 300 companies were studied. Of those, 84% admitted to their firm being successfully attacked (primarily spear-phishing). 42% of those respondents stated that spear-phishing was among their top three security concerns and 20% stated that it was their top security concern.

Security Awareness

In another study, this one conducted by the Anti-Phishing Working Group, it was found that ecommerce was one of the most highly targeted areas, followed by the banking/financial sector, social networks, and email providers. As you can see, phishing attackers cast a very wide net, and no business or organization is safe. The same report highlighted the fact that utility providers are becoming increasingly targeted, as are toll road collection systems, insurance companies, and many others.

Size does not protect businesses, either. In the past, phishing attacks were primarily conducted against larger firms. However, in 2014, there was a serious jump in the number of attacks directed against businesses with 250 or fewer employees. In fact, 43% of the attacks in 2014 were directed against small and medium-sized businesses (SMBs).

Read our Phishing Targets article here.

Ransomware

Ransomware is not new, but it has become an increasingly serious problem for consumers as well as businesses and organizations. Essentially, ransomware is a form of malware that, once downloaded to a computer, is capable of locking it. It can only be unlocked by the creator of the software, and the system is generally held for ransom, with the victim paying the attacker sometimes thousands of dollars to unlock their computer. Believe it or not, the first instance of ransomware actually dates back to 1989 and the creation of a Trojan horse by Dr. Joseph Popp. 2009 saw the next step in the evolution of this threat, with Russian hackers taking the helm. Today, the FBI reports that the cost of ransomware attacks was over $200 million in just the first three months of 2016.

Perhaps the most frightening thing about ransomware is the shift away from targeting individuals (note that these attacks do still occur with frightening frequency) and toward other areas. Police departments are now being targeted, as are other emergency services. Even hospitals are not safe from this insidious threat. As a prime example, a police department in Massachusetts was forced to pay $500 to ransom their computer system. The Hollywood Presbyterian Hospital paid $17,000 to get their computer system back in operation and restore communication and access to patient records.

In most instances, the hacker responsible for the ransomware infection demands payment, but not in dollars. They want it in Bitcoin. Bitcoin is an electronic currency that has gained considerable popularity (as well as less savory notoriety, thanks to the Silk Road incident, and others). With that being said, Bitcoin does have its limitations and some attackers demand payment via PayPal MyCash cards.

Vigilance is the single best defense against ransomware. Avoiding unsavory sites and ensuring that your software (including your antivirus program) is up to date are critical steps. However, as many people have learned, sometimes all it takes to become infected is clicking the wrong link in a seemingly innocent email.

Read more about Phishing and ransomware.

The Evolution of Phishing Attacks

Phishing has been around for a long time. It’s at least as old as the Internet itself, and can actually be traced back to the bulletin board systems (BBSs) that proliferated before the Internet came online. In fact, it was the “warez” crowd that traded pirated software on BBSs that initially kicked off phishing when the Internet was still in its infancy. They were able to take advantage of many individuals who knew little or nothing about how the Internet worked. They stole or spoofed credit card numbers and set up fake accounts. They stole information by posing as tech support professionals from companies like AOL. As early as 1986, phishing websites that looked identical to the real thing were being created to steal money and information from consumers and businesses.

Today, phishing attacks are much more sophisticated than they once were. Information is easily found, including personal details that allow attackers to target individuals within businesses. The advent of email and other forms of communication has also made it easier to create seemingly authentic messages that have an air of authority, even urgency. Too often, victims don’t realize that an email asking for account information isn’t from their boss, but from an attacker seeking access to the system.

Phishing attackers have also adapted to and adopted new technologies. Using JavaScript, an attacker can make a link read as anything they want, while still directing the individual clicking it to a phishing destination. For instance, the link might read http://www.MySocialAccount.com, and if you were to hover the mouse cursor over it, the status text in the corner of the browser or email client would show the same address. However, clicking on that link would take you somewhere completely different. It might look like the same place (as in a spoofed website), but the hacker would then be able to gain access to any information you shared, such as your login name and password.
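As an added example (not code from the article), here is a defender-side check of the kind a mail gateway or awareness tool might run: it parses an HTML message body and flags anchors whose visible text is a URL naming a different host than the href, or whose navigation is handed to JavaScript, which is the trick described above. The sample message body is constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_TEXT = re.compile(r"^(https?://|www\.)\S+$", re.IGNORECASE)


class AnchorCollector(HTMLParser):
    """Collect (attributes, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._current = None  # [attrs dict, list of text fragments]

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs), []]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            attrs, parts = self._current
            self.anchors.append((attrs, "".join(parts).strip()))
            self._current = None


def host_of(url):
    """Lowercase host of a URL; a scheme is assumed when the text lacks one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def find_deceptive_links(html):
    """Return one finding per anchor whose displayed address cannot be trusted."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for attrs, text in parser.anchors:
        href = (attrs.get("href") or "").strip()
        if href.lower().startswith("javascript:") or "onclick" in attrs:
            # The destination is decided by script, not by the href the user sees.
            findings.append({"text": text, "href": href, "reason": "script-controlled navigation"})
        elif URL_TEXT.match(text) and host_of(text) != host_of(href):
            # The visible text is itself a URL, but it names a different host.
            findings.append({"text": text, "href": href, "reason": "displayed host differs from href host"})
    return findings


# Constructed sample: two deceptive anchors followed by two honest ones.
SAMPLE_EMAIL = """<p>Your account was frozen. Log in to fix it:</p>
<a href="http://login.example.net/reset">http://www.MySocialAccount.com</a>
<a href="#" onclick="location='http://login.example.net/x'">http://www.MySocialAccount.com</a>
<a href="https://www.mysocialaccount.com/help">Help center</a>
<a href="https://www.mysocialaccount.com/help">https://www.mysocialaccount.com/help</a>"""
```

Running `find_deceptive_links(SAMPLE_EMAIL)` reports the first two anchors and leaves the last two alone; the check is a heuristic and does not catch a look-alike host that genuinely matches its visible text.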

This type of attack is used in many ways, but one of the most alarming actually looks like an authentic site warning about an attack or a hack. For example, you might receive an email from your bank (or what you think is your bank) telling you that your account has been frozen due to a hacking incident. To clear things up, you just need to click on the handy link in the email body. Obviously, doing so won’t fix anything. There is no problem but, once you click the link and provide the information the attacker needs, there will be.

Phishing has also evolved through the development of new techniques. These include the following:

  • Spear-phishing: A targeted attack against a very specific individual.
  • Whale phishing: A targeted attack against a CEO, CFO or other high-level executive in a business.

Both of these require a significant amount of time, effort and research on the part of the attacker but, because of that, they’re highly successful. One company actually lost $100 million this way.

Read more about phishing evolution.

Phishing Publications and Resources

Phishing is big business, and a serious threat to all organizations, regardless of industry. Canada’s government reports that there are 156 million phishing emails sent daily, and that 80,000 people per day click links in those emails. Businesses suffer 160 successful online assaults each week. Obviously, it is crucial that you are armed with information. Thankfully, there are numerous resources available to help ensure business owners and decision makers, employees, and even individuals are able to learn more about the threats that face them.

These resources take many different forms, including books, online publications, forums, tests, and even phishing simulators.

In terms of books, Phishing and Countermeasures: Understanding the Increasing Problem of Electronic Identity Theft is one of the better options. Phishing Exposed is another excellent book, as is Phishing Dark Waters: The Offensive and Defensive Sides of Malicious Emails.

Of course, books are only part of the solution to the phishing education conundrum. A number of valuable online portals provide vital information and education. OnGuardOnline.gov is a prime example, but others include the United States Computer Emergency Readiness Team, the Anti-Phishing Working Group website, DMARC, and Infosec Resources.

The Google Security Blog is another online resource that offers invaluable data, as well as news related to security and Internet safety. The Avast Blog, operated by Avast, one of the world’s more popular anti-virus suites, provides news, tips and information. Brian Krebs and Bruce Schneier both operate high-profile, high-authority blogs in this area, as well.

When it comes to testing, SonicWALL is one of the better choices, as is the OpenDNS Phishing Quiz. Simulators available include SpearPhisher and SecurityIQ, both providing businesses, organizations and even individuals with the means to gain firsthand experience with phishing techniques.

When all is said and done, phishing is a clear and present danger. It is not confined to individuals. In fact, businesses, organizations, and government agencies are increasingly coming under attack as more and more attackers realize the enormous potential for profit, whether from stealing money directly or by stealing employee and consumer data and then selling it on the black market. However, despite its widespread presence, phishing attacks can be protected against. It only requires a proactive stance.

InfoSec Institute

Be Safe

Section Guide: Ryan Fahey

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.
