I continue to be surprised by the number of organizations that seem to think they are doing everything they can to protect themselves, their employees and their customers from phishing attacks. By and large, the thinking I come across falls into one or both of the following categories:
(1) "We have one of the best antispam/antivirus filters."
(2) "We have tried to educate our users to not fall for phishing attacks, but it is pretty hopeless."
As it turns out, both lines of reasoning are severely flawed. In my recent Journal article, I provide an assessment of the state of the art in this area and also offer practical tips on how organizations can better defend themselves.
In particular, I show how organizations are often misled into assuming that, because their filtering installation is good at catching regular spam and viruses, it is also good at catching phish. Our recent work with Virus Bulletin, one of the premier independent organizations in evaluating email filtering solutions, shows that there is very little correlation between performance on regular spam and performance on phish. Even on run-of-the-mill phishing emails, such as those commonly sent to hundreds of thousands of consumers at a time, some of the best-known email filters miss as many as one in four phishing emails. When it comes to more targeted phishing emails, namely those behind many of the more severe security breaches reported over the past few years, performance is even worse.
Because many organizations are reluctant to replace their existing filtering solutions, a more effective approach is to purchase a dedicated antiphishing filter intended to complement an organization's existing solution. But, as I also point out in my article, there is no silver bullet in this space, and organizations would be well served to take a look at some of the most recent simulation-based training solutions developed to teach employees and customers not to fall for phishing attacks. They can really make a difference!
Read Norman Sadeh's recent JOnline article:
"Phishing Should Not be Treated the Same as Common Spam," ISACA Journal, volume 3, 2013.