Fewer Phishing Websites Doesn’t Mean Lower Risk
While the number of unique phishing websites may be down, that doesn’t mean lower risk for organizations. It may simply mean that cybercriminals are becoming more sophisticated about phishing, and using fewer, more targeted websites as attack vectors.
The APWG report notes that free hosting providers or website builders are increasingly used to carry out phishing attacks. Free hosting providers allow attackers to work with greater anonymity, and to create subdomains that spoof brands and make phishing sites appear more legitimate.
Phishing Emails Still Get Through Filters – and End Users Need to Be Prepared
As the APWG statistics show, the number of unique phishing reports may be lower now than at its peak in early 2016, but the numbers are still high. And that means plenty of phishing emails are still getting through to employees’ inboxes.
According to a recent Dark Reading article, nearly 9.3% of emails delivered to Office 365 inboxes last month were phishing messages, spam, and known or zero-day malware. The article drew upon research from threat intelligence firm Cyren, which analyzed 10.7 million messages delivered to Office 365 users. Out of those 10.7 million delivered emails, 34,077 were phishing messages.
Unfortunately, the end users who receive phishing messages that slip through often lack the anti-phishing training they need to avoid clicking on dangerous links. In our 2017 User Risk Report, we surveyed more than 2,000 working adults in the US and UK, and learned that 30% still do not know what phishing is; more than 10% of respondents wouldn’t even hazard a guess. The very real threat of phishing — and the equally real lack of awareness on the part of end users — underscores the need for regular assessments and phishing awareness training.
Get a Better Understanding of Risk by Combining Phishing Tests and Knowledge Assessments
Many organizations rely on simulated phishing attacks to determine how vulnerable their end users are to real attacks. While these phishing tests are valuable, you can only learn so much about why a user did or did not click, as we noted in our 2017 Beyond the Phish™ Report. Combining simulated attacks with question-based knowledge assessments, such as those available in our CyberStrength® tool, may reveal a more accurate picture of your end users’ vulnerabilities — and a greater need for phishing awareness training.
We found that employees in the healthcare industry, for example, showed a significant difference in how they responded to simulated attacks vs. question-based assessments. They had an 18% click rate on simulated phishing attacks, but answered 26% of phishing questions incorrectly in knowledge assessments. This difference points to a need for more in-depth security awareness training that may not have been apparent from the simulated attacks alone.
Given that the APWG’s phishing statistics show the number of reported attacks was on the rise in the first part of 2017, there’s no reason to think the end is in sight. Some percentage of those phishing emails will make it through your company’s email filters and other technological safeguards and land in employees’ inboxes. What those employees do next depends on their level of phishing awareness — and could have serious implications for your company.