Defending against one of the most common cyberattacks is sort of like Whack-a-Mole on steroids.
A variety of statistics are available from cybersecurity and non-cybersecurity firms about spam, phishing and malware. It really doesn’t matter which vendor’s numbers you look at; everyone will tell you that more than half of all email sent is, at best, just spam and, at worst, a malicious attack carrying malware or ransomware. The problem with statistics, however, is that the numbers depend heavily on who is reporting the attack, to whom they report it, and how the report is classified and analyzed. To learn more about phishing statistics, check out Cofense’s blog post about phishing stats.
Cofense’s own research shows that 1 in 7 emails carries some sort of malware (that figure does not include the ordinary spam that stuffs your daily inbox). While statistics will vary, the Barkly Blog collects stats from a variety of sources and some are eye-opening. Here are some examples:
- The average user will receive 16 malicious emails per month.
- 92.4 percent of malware is delivered by email.
- Fake invoices are the top choice for delivering malware.
- The most common file extension for delivering malware is a Microsoft Office file extension.
- The most effective lure for delivering malware is a fake DocuSign document.
- The FBI reports that business email compromise attacks cost companies $676 million in 2017.
In December the Anti-Phishing Working Group (APWG) released its Q3 2018 report. Among the highlights of the report were:
- Phishing that targeted cloud storage and file hosting sites fell, while phishing against payment processors and banks remained high.
- Phishing remains most prevalent in the old, large gTLD .COM, but phishing is higher than normal in the new gTLDs and in repurposed ccTLDs.
- Phishers are increasingly using web page redirects as a way of hiding their phishing sites from detection.
- Half of all phishing attacks are now hosted on websites that have HTTPS and SSL certificates.
So what does all this mean? It means phishing is just as bad as it’s ever been, and an HTTPS connection or a valid SSL certificate means less than ever as a sign that a site is legitimate. The phishing industry is getting smarter, so defenses need to up their game as well. Simply educating users is not sufficient. Even the most sophisticated user can be snared by a legitimate-looking email from a known source sending an expected attachment.
So what can you do? Certainly one option, albeit perhaps overkill, is to send every attachment through analysis to ensure it carries no malicious payload. That’s cranking part of your email analysis up to 11, but what about fileless attacks, where the email carries only a link? You need to scan those as well.
Ultimately it comes down to a balance of performance, productivity and security. Email with unanticipated attachments or the telltale signs of spam should be analyzed before being opened, and certainly before attachments or links are clicked. Automated systems can perform those tasks well. Other emails that don’t scream “I’m spam” need a deeper analysis, perhaps by automated systems or by human analysts.
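As an added example of the automated first pass described above (this is not Cofense’s or the post’s own code), here is a small triage function that scores a raw message on the lures this post lists: Office attachments, invoice and DocuSign subjects, and links that must be checked before anyone clicks, with no credit given for an HTTPS link. The sample message and every address in it are constructed, using the reserved .invalid domain.

```python
import email
import re
from email import policy

# Signals taken from the statistics above: Office extensions carry most malware,
# fake invoices and DocuSign notices are the top lures, links need checking first.
OFFICE_EXT = {".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".rtf"}
LURE_WORDS = ("invoice", "docusign", "remittance", "payment")

def triage(raw_bytes):
    """Score one raw RFC 5322 message; higher means analyze before release."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    score, reasons = 0, []
    subject = (msg["subject"] or "").lower()
    if any(word in subject for word in LURE_WORDS):
        score += 2
        reasons.append("lure keyword in subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in OFFICE_EXT:
            score += 3
            reasons.append(f"office attachment {name}")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        # An https:// link earns no credit: half of phishing sites now have certificates.
        score += 1
        reasons.append(f"link {url}")
    return score, reasons

# Constructed sample message (hypothetical addresses on the reserved .invalid TLD).
SAMPLE = b"""From: accounts@example.invalid
Subject: Invoice 4471 ready for review
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review your invoice at https://login.example.invalid/docs
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="invoice.doc"

AAAA
--b1--
"""
```

A mail gateway would run `triage` on each message and hold anything above a chosen threshold for sandbox or analyst review.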
Technology is good today, but sometimes the proverbial shoe leather used by a human investigator who can make analytical decisions based on personal experience and instinct makes the difference between a safe email and a successful spear phishing attack.
The bottom line is just this simple: Phishing attacks are effective because they are compelling.
How will you defend against these attacks against your users? We will give you some actionable recommendations right here at Sharpening Your Defenses. Come back frequently to catch up on our new content.