emPower

Spear Phishing?

In today’s news, phishing is still on the rise. The trends are inexorable and disturbing – shown here are figures from the Anti-Phishing Working Group’s most recent Phishing Activities Trends Report.

And the report from Gartner in November 2006 notes the following figures:

                                              2005          2006
US adults receiving phishing emails           57 million    109 million
Recipients who click on phishing emails       12 million    24 million
Recipients who gave sensitive information     1.9 million   3.5 million
Average loss per victim                       $257          $1,244
Percentage of cash recovered                  80%           54%

But there’s some positive news … 85% of the people who were interviewed say that they don’t open or respond to unsolicited emails, so awareness of the problem is clearly increasing.

However, that’s not what worries me most. Recently, I was talking to the security officer from a reasonably large organization. They’re very aware of phishing as a threat, so they took some time to teach their staff about phishing attacks, and what to do. Then, a couple of days later, they sent out an email crafted to look like their own website but directed users to a dummy site where they asked for usernames and passwords. About 40% of their staff went to the site and entered their network credentials!

Why is this so worrying? Normal phishing spreads a wide net and relies on a small fraction of recipients to provide critical information. But most of the messages can be spotted fairly easily (especially when you don’t have an account with the organization being impersonated), and awareness of the attacks is rising fast to the extent that I would expect to see an improvement in some of these statistics in the next year or so.

But “spear phishing” – where an attacker targets one specific organization and develops an email that closely resembles an official communication from (say) the IT department or HR – represents a huge threat to any organization that relies on email as a key communication mechanism. And – today – that’s most organizations. Since the recipients may well be used to receiving official communications like this, they’re particularly vulnerable.

What’s to be done? As of today, there are some technical solutions that help to protect against phishing attacks. But they’re far from foolproof and user vigilance is critical (it reminds me of the early days of anti-virus defences). So, if you’re responsible for protecting against this kind of threat, get in front of your users as often as possible to drum in the message.
