Phishing has been around a long time because it still works.
No matter what companies do in terms of technology and security improvements, employees will always be the weakest link that hackers can exploit. And it only takes one.
Companies are putting more defenses in place to overcome phishing:
- Anti-virus programs that blacklist known phishing URLs
These are of limited use because many phishing websites exist for only four or five hours, so anti-virus black lists are always outdated.
A simple workaround is to hide the phishing link n attached documents or inside Google documents that are linked to in the email.
- Staff training
Some phishing attempts are easy to spot because of poor spelling and English. But it only takes oneemployee to open one phishing link, and the entire company network is exposed.
Phishing is a numbers game. No training will ever be 100% effective,so there will always be a small percentage of phishing targets who will click on the link.
- Penetration Testing
Some SMEs are asking cyber-security companies to conduct a penetration test on their systems. This is not a cheap service so many small businesses are reluctant to spend what it takes.
Penetration testing will include trying to get into a company’s network over the internet using the same techniques hackers use, including sending phishing emails to employees.
The graphic below is from the annual report from pen testing company Bulletproof.
Bulletproof found that 7% of employees opened the mock phishing email, clicked the link and sent their new passwords. Enough said.
Penetration testing followed by staff training would be an effective anti-phishing defense, but some people will forget or ignore any training and will always click on phishing links.
Recent Phishing Exploits
This slideshow demonstrates many of the most popular types of phishing attacks.
Big companies, universities, and government departments are all targeted by hackers’ phishing attacks.
Graceland Universityand Oregon State Universityhave both suffered data breaches as a result of phishing attacks this year.
Free HTTPS services from many web hosts mean that this can no longer be seen as a mark of trustworthiness in a website. Phishing sites are more likely to use the HTTPS protocol in 2019 and the trend is likely to continue.
Two-factor authentication (2FA) is no longer the guarantee it is commonly perceived as.
This Youtube presentationdemonstrates how hackers can intercept 2FA codes and go on to steal login data.
2FA is still a sensible precaution, but users need to still use caution.
Hackers are increasingly sending phishing links using Slack or Facebook Messenger. Recipients who might be suspicious of email links are more likely to click on a link in these apps.
Malicious browser extensions
SingleFile is a browser extension tool for Chrome and Firefox that hackers can use to create spoof login pages that will defeat most phishing detection software.
TrendMicro found the above spoof of the Stripe login page. If someone enters their login, it goes straight to the hacker, who will then be able to empty the account. The only apparent difference between this and the genuine Stripe login page is the URL.
Even a novice hacker can create a convincing phishing site if they use a phishing kit. The kit will include everything the hacker needs from email spamming software to graphics and shopping cart pages & product pages that are identical to those of the target site.
This Checkpoint.com article demonstrates just how convincing these phishing kits can be. The only difference will be a slightly different URL and lower prices.
Generic Email Addresses
Generic email addresses like [email protected] are popular targets for phishing attempts. They may be accessed by more than one employee, giving the hacker multiple chances of tempting someone to click a link.
The Short Version
Phishing still works and always will work because prevention techniques can never be 100% effective.
Technology solutions don’t work. Training solutions don’t work.
There will always be some people who ignore training and warnings issued by management and IT departments, so hackers will always be able to use phishing as a way to break into company systems.