Cybercriminals Double-Down on What Works, Nearly Doubling the Number of Phishing Attacks in 2018

Written by Stu Sjouwerman

Using a combination of old and new phishing tactics and distribution channels, cybercriminals continue to seek to compromise endpoints and obtain online credentials.

Source: Kaspersky-phishing


Doubled Efforts

The targets haven’t changed. And, in some cases, the tactics haven’t either. But, one thing’s for sure – according to the latest data from Kaspersky, phishing enjoyed a massive uptick in 2018. Counts of Kaspersky detections of phishing emails nearly doubled from 263M in 2017 to 482M in 2018.

Campaigns revolved around high-profile events and interests, such as GDPR, the FIFA World Cup, iPhone launches, lotteries, and surveys. Additional campaigns, focused on obtaining credentials and personal information, faked the login pages of cryptocurrency sites, tax authorities, online stores, and more. Campaigns that leveraged malicious attachments primarily used trojans and backdoors in an attempt to gain control of endpoints.

In each of these cases, researchers at Kaspersky make it clear in the report that the content being sent is improving in quality, elevating the credibility of these emails.

Greatest Weakness – The User

It’s evident from the reported data that the bad guys are leveraging their greatest ally – the unwitting user. Phishing emails designed to lower users’ defenses, gain their interest, and establish urgency are all part of a recipe for falling victim to these crafty scams.

Organizations need to enhance their security around the user in the same way other parts of the layered security strategy are being beefed up. A proper strategy needs to assume that some percentage of phishing emails will get through to the user. That puts the onus on the user to stop the attack effort by not falling for the phish.

Train, Train, Train

Putting users through continual Security Awareness Training changes them from being a security liability to becoming an asset – users become a part of the security strategy, spotting and reporting phishing emails, rather than falling for them.

It’s likely 2019 is going to be more of what’s being reported in 2018. Phishing is your biggest problem, and untrained users are hurting more than helping.