Phishing is a top threat to information security for organizations, according to 72% of security professionals in SANS 2017 Threat Landscape Survey. The SANS survey also mentions spearphishing and whaling, and articles about information security often mentions phishing websites, “vishing” and “smishing.” With all this jargon and ambiguity, it’s easy to see why understanding phishing attacks–what they are and how to stop them–can be a challenge. First off, what exactly is phishing?
Phishing attacks deceive people using technology.
Although phishing attacks come in many forms, the following components are always present:
Probably the most common example of a phishing attack is an email sent to someone under false pretense. For example, the Nigerian Prince scams (also called “Nigerian Letter” and “Nigerian 419” fraud) were typically emails from someone who claimed to need to move a large sum of money and would be willing to share it in return for help. The scam usually involved the victim sending money to the fraudster in order to get the process started–perhaps to pay wire transfer fees–and then the victim was convinced to send more and more money for various reasons. Ultimately the victim was defrauded and was never paid the promised money.
Phishing emails have come a long way since then. Trends in phishing attacks change often and vary widely in complexity. In some cases they involve the use of faxes, emails, websites, flash drives, text messages (“smishing” because of SMS text messaging protocols), and telephone calls (“vishing” because of the “v” in voice)–either alone or in combination. Sometimes they exploit vulnerabilities in operating systems, applications, or firmware. They often use social engineering techniques, which involve taking advantage of human behavior. Regardless of the attack vector, they always involve people, technology, and deception.
There are many reasons that phishing remains a top threat for most organizations. The attacks are cheap, fast, and effective. That’s why most cyber attacks (91% according to this study) start with a phishing email. Even advanced persistent threats often begin by spearphishing (sending a very targeted phishing attack to individuals at an organization). From the attacker’s perspective, there’s no need to change what’s already working.
And why are phishing attacks so effective? That’s a little more complicated. But one of the reasons may be because the attack involves both people and technology. From the defense side, the people who are very good at addressing the technology vulnerabilities aren’t necessarily cross-trained in the skills to address people’s vulnerabilities, and vice-versa.
Because the attack involves people and technology, a comprehensive response to phishing risks often considers an organization’s people and technology as well. An approach to managing phishing risks that addresses both people and technology will likely involve very different skill sets and perhaps different functional teams and disciplines within an organization. Managing a defense program that involves those different people and skill sets presents unique challenges, but there are resources to support exactly those efforts here at PhishFramework.org.