Wombat Security Technologies recently announced its latest report on phishing attacks, State of the Phish 2016. Among the key results in the report was that these attacks are becoming more sophisticated and personalized in an effort to induce unwary users to click on malicious links and attachments.
Eighty-five percent of respondents stated that they had been the victim of a phishing attack, a 13 percent increase from 2014. Three out of five also reported that the rate of attacks has increased.
The report advises that it is no longer enough to be on the lookout for attacks in emails. The growing sophistication of attacks in 2015 indicates that phishers are using social engineering tactics by phone and text messaging too.
This is supported by the finding that two-thirds of respondents stated that they have been subject to targeted attacks known as ‘spear phishing’, a 22 percent increase from 2014. In a spear phishing attack, the victim is addressed specifically by name and therefore more likely to click on a rogue email. Such an attack would not be possible without the phishers doing some extra preparation in advance.
The impact of these attacks can hit companies hard financially. In its report,The Cost of Phishing and the Value of Employee Training, the Ponemon Institute (News - Alert) found that the cost of phishing for a 10,000 employee company was about $3.8 million.
To address the growing complexity of these cyberattacks, Wombat has developed a training methodology it calls Assess, Educate, Reinforce and Measure (AERM). The company claims that customers that have adopted this approach have reduced successful phishing attacks and malware by 90 percent.
One example of how Wombat’s methodology reduced attacks comes from a university in the northeastern U.S. According to a company case study, an unnamed university experienced five to six successful phishing attacks monthly.
One particular attack came from an official-looking email that appeared to have been sent from a dean at the school. The content of the email discussed new policies and other changes and asked recipients to change personal information.
The university implemented the AERM education program, which included emails that simulated phishing attacks. Through these simulations, administrators were able to track the effectiveness of phishing awareness programs. As a result of using Wombat’s platform, successful phishing attacks were reduced to about three every six months, a 90 percent reduction.
AERM is a system that makes sense as long as users don’t learn it once and then forget about it. Phishing attacks always change in terms of how they get distributed and the social engineering tactics the phishers are willing to resort to. This is one subject where there can never be too much awareness.