The steep rise in phishing attacks in recent months was reason enough for Sophos to take a closer look at this form of cybercrime. The result: sophisticated tactics combined with persistent, intrusive behavior make up the new quality of phishing emails.
Attackers have discovered the benefits of malware-as-a-service (MaaS) – a cousin of ransomware-as-a-service (RaaS), both residing on the dark web – to increase the efficiency and volume of attacks. Favorite target: employees. Current research indicates that the best defense against phishing attacks is a dual strategy:
- Deploying advanced security technologies
- Raising employee awareness of attack routes and behaviors
Daily attacks at 41 percent of companies
Traditionally, phishing is associated with online banking. But the attack technique is much more than a fake site for harvesting sensitive banking data. Cybercriminals also use phishing to obtain other valuable user information or even system access.
Given the exorbitant increase in volume, fueled by dark web offerings such as free phishing kits and PaaS (phishing-as-a-service), it can be stated: Phishing is big business and a daily part of doing business. Forty-one percent of IT professionals say their organization expects phishing attacks at least daily. More than three-quarters (77 percent) expect an attack at least monthly.
Phishing is big business
The phishing ecosystem, thanks to its service mentality, also feeds criminals without any understanding of IT. Entire campaigns and the corresponding control panels can now be purchased on the dark web. This leaves time for perfidious fine-tuning and business evaluation: the click rate of phishing emails is 14 percent – six times higher than for common marketing emails (2.4 percent).
The kits and services save a lot of time and, in turn, leave the attackers room for further ideas such as Business Email Compromise (BEC).
While we see through many “too-good-to-be-true” offers and obviously dubious ones right away, our defenses seem to pause when it comes to emails that affect daily work. The three subject-line categories with the highest phishing click-through rates are:
- Simple, task-based subject lines, such as “[JIRA] A task has been assigned to you” (click rate 38.5 percent)
- Everyday subjects, such as “Meeting next week” (29.1 percent)
- Suggestions of misconduct, such as “Harassment mindfulness training” (26.0 percent)
So it is a matter of always being on guard, because users themselves are the first line of defense against a phishing attack. Sophos offers Phish Threat, an advanced phishing attack simulator and training solution for this purpose. It enables IT managers to create authentic phishing simulations and phishing training, as well as initiate targeted behavioral remediation among employees. The simulation helps users recognize a phishing attack and learn from the mistakes made without real risk.