Phishing has been around now for over two decades. Its longevity is a testament to the simple but highly effective way it enables hackers to trick victims into divulging their details and/or unwittingly installing malware. But why do users keep falling for these scams?

New research from Google reveals some interesting insights and reminds us that when it comes to businesses, defense-in-depth is the best way to mitigate the phishing threat. Crack this, and firms could take a giant step towards improving their cyber resilience.

A hundred million problems

The findings were presented at the Black Hat 2019 security conference in Las Vegas last week, by Google security researcher Elie Bursztein and University of Florida professor Daniela Oliveira. They explained that Google blocks 100 million phishing emails for its Gmail users every single day: an indication of the sheer scale of the problem and the popularity of phishing amongst hackers.

So why is it such an effective tactic? According to the research, 68% of phishing emails blocked by Google at any one time are new variations never before seen. “This fast pace adversarial evolution requires humans and machines to adapt very quickly to prevent them,” it argued.

This challenge is compounded by the fact that many campaigns are targeted at small groups of users: perhaps just a few dozen. Such “boutique” campaigns also last just a few minutes – meaning that they could be over before you’ve even been able to update your guidance to staff.

Experts on the prowl

The researchers were also at pains to point out that phishers have honed their tools and techniques over many years. The idea is to persuade the victim that you are who you say you are. Some of that comes from how well the sender domain can be spoofed. But a large part depends on the language and social engineering techniques chosen.

“Persuasion techniques, emotional salience and gain or loss framing” are key here, according to Google. Often, a sense of urgency is created to force the recipient to respond by clicking on the malicious link or opening an attachment without thinking things through first.

For a decade or more, the latest techniques have been passed around on the dark web, so even those with little prior knowledge can set up a highly effective phishing campaign.

Counting the cost

The odds are also stacked against the victim organization. It takes just one user to click on one phishing link to potentially land the entire company in hot water. It could result in the theft of log-ins for a key sysadmin account, or a malware download, allowing hackers to launch a multi-stage information-stealing raid. It could lead to an organization-wide ransomware infection; a banking trojan; a crypto-mining malware download; or even an email account takeover to facilitate a BEC scam.

The impact on the bottom line and corporate reputation could be severe, including:

  • Clean-up and remediation costs
  • Legal costs (if customers file a class action suit)
  • Regulatory fines
  • Customer attrition
  • Declining share price
  • Damage to the brand

The bad news is that attacks like this are on the rise. A July 2019 report claimed that 43% of organizations have been the victim of a spear-phishing attack in the past 12 months. Nearly a quarter of respondents said attacks have cost their organization $100,000 or more.

Back on the front foot

The difficulty for many organizations is in finding a way to mitigate a cyber risk intrinsically linked to user behavior. The research presented by Google and the University of Florida revealed that a worrying 45% of consumers still don’t understand what phishing is or the risks associated with it.

The fightback, therefore, needs to include improved tools to spot phishing attempts and better education efforts by corporate IT teams. Here’s a quick rundown of best practices:

Improve user awareness: invest in simulation tools that can be personalized to run different scenarios your users may encounter. Train users in 10-15 minute lessons for maximum impact, run little and often. Don’t forget to include everyone from temporary staff to senior executives.

Consider new tech: such as AI-powered tools which can baseline normal email language and sending behavior to better spot when patterns deviate from the norm – indicating suspicious activity.

Switch on two-factor authentication (2FA): so that even if a user has their password phished, it will be useless on its own.

Consider password-management tools: these will store long, complex credentials for each unique site/app/account a user is registered with. Typically, they do this by hiding the passwords from the user, who only needs to remember the master log-in. This means that when a phisher comes knocking, the employee will not be able to give them the required password even if they wanted to.
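As an added illustration (not code from the article or from Google's research) of the "baseline sending behavior and flag deviations" idea above, and of the urgency cue described earlier, here is a small triage routine that learns which sender domains each mailbox normally receives from, then flags messages from unseen domains, lookalikes of known domains, and subjects carrying urgency language. The mail log, addresses and urgency word list are all constructed sample data.

```python
"""Toy phishing triage: baseline sender domains per mailbox and flag deviations."""
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample mail log as (recipient, sender, subject); assumed format, not real traffic.
HISTORY = [
    ("alice@corp.example", "billing@examplebank.com", "Your statement is ready"),
    ("alice@corp.example", "no-reply@cloudmail.example", "Storage report"),
    ("alice@corp.example", "billing@examplebank.com", "Your statement is ready"),
    ("bob@corp.example", "hr@corp.example", "Holiday calendar"),
]

# Constructed list of urgency cues; a real deployment would tune this per organization.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify now", "final notice")


def sender_domain(address):
    """Extract the domain part of an email address, normalised to lower case."""
    return address.rsplit("@", 1)[-1].lower()


def build_baseline(history):
    """Map each mailbox to the set of sender domains it has historically received from."""
    baseline = defaultdict(set)
    for recipient, sender, _subject in history:
        baseline[recipient].add(sender_domain(sender))
    return baseline


def lookalike(domain, known):
    """Return the known domain this one most resembles without being identical, if any."""
    best = max(known, key=lambda k: SequenceMatcher(None, domain, k).ratio(), default=None)
    if best and best != domain and SequenceMatcher(None, domain, best).ratio() >= 0.8:
        return best
    return None


def triage(recipient, sender, subject, baseline):
    """Return the reasons a message deviates from the recipient's baseline (empty if none)."""
    reasons = []
    domain = sender_domain(sender)
    known = baseline.get(recipient, set())
    if domain not in known:
        reasons.append("sender domain never seen for this mailbox")
        twin = lookalike(domain, known)
        if twin:
            reasons.append(f"lookalike of known domain {twin}")
    if any(word in subject.lower() for word in URGENCY_WORDS):
        reasons.append("urgency cue in subject")
    return reasons
```

Each reason is a signal for a reviewer or a scoring rule, not a verdict on its own; a never-seen domain is common for legitimate mail, so the lookalike and urgency signals are what raise priority.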

One giant step

In most of the cases spotted in the Google research (around 50%), the phishing email was spoofed to appear as if sent by an email provider, with cloud service providers (25%) the next most popular. Financial services and e-commerce firms were also common choices. But in theory, any brand or organization could be spoofed.

The bottom line is that phishing is a major vector for data theft and covert malware delivery. With a more concerted effort to stop it in its tracks, firms could seriously reduce cyber-related risk, or at least force the hackers to rethink their approach.