In today’s news, phishing is still on the rise. The trends are inexorable and disturbing – shown here are figures from the Anti Phishing Working Group’s most recent Phishing Activities Trends Report.
And the report from Gartner in November 2006 notes the following figures:
| | 2005 | 2006 |
|---|---|---|
| US adults receiving phishing emails | 57 million | 109 million |
| Recipients who click on phishing emails | 12 million | 24 million |
| Recipients who gave sensitive information | 1.9 million | 3.5 million |
| Average loss per victim | $257 | $1,244 |
| Percentage of cash recovered | 80% | 54% |
But there’s some positive news … 85% of the people who were interviewed say that they don’t open or respond to unsolicited emails, so awareness of the problem is clearly increasing.
However, that’s not what worries me most. Recently, I was talking to the security officer from a reasonably large organization. They’re very aware of phishing as a threat, so they took some time to teach their staff about phishing attacks, and what to do. Then, a couple of days later, they sent out an email crafted to look like their own website but directed users to a dummy site where they asked for usernames and passwords. About 40% of their staff went to the site and entered their network credentials!
Why is this so worrying? Normal phishing casts a wide net and relies on a small fraction of recipients to provide critical information. But most of the messages can be spotted fairly easily (especially when you don’t have an account with the organization being impersonated), and awareness of the attacks is rising fast, to the extent that I would expect to see an improvement in some of these statistics in the next year or so.
But “spear phishing” – where an attacker targets one specific organization and develops an email that closely resembles an official communication from (say) the IT department or HR – represents a huge threat to any organization that relies on email as a key communication mechanism. And – today – that’s most organizations. Since the recipients may well be used to receiving official communications like this, they’re particularly vulnerable.
What’s to be done? As of today, there are some technical solutions that help to protect against phishing attacks. But they’re far from foolproof and user vigilance is critical (it reminds me of the early days of anti-virus defences). So, if you’re responsible for protecting against this kind of threat, get in front of your users as often as possible to drum in the message.