Phishing is one of those attack vectors that keep evolving and multiplying. Because it’s been around for so long, many security and privacy professionals underestimate how effective it can be. “How can people still be falling for that?” one might wonder.
But despite the security community’s ongoing efforts to clamp down on this nefarious activity, phishing incidents are on the rise. The Anti-Phishing Working Group noted in its Q3 activity report that from July through September 2019, phishing reached its highest level in three years. Phishing is also on the rise in emerging regions such as Brazil and other parts of South America, where internet penetration is increasing and e-commerce websites are entering new markets.
The problem is getting worse. Adversaries are evading detection of their phishing campaigns in increasingly stealthy and remarkably sophisticated ways, as reported by Microsoft.
Why phishing is proliferating
There are several reasons why phishing campaigns still work. First, executing them is becoming more automated. Attackers don’t even need to be all that tech-savvy to make phishing schemes look convincing and achieve their goals. There are plenty of tools available to help them scrape legitimate content, including web copy and images, from the websites they’re attempting to target. Some tools available on the Dark Web even enable adversaries to bypass the two-factor authentication (2FA) process that many websites rely on to protect their users’ credentials. We’ve now reached a point where even the trained eye has trouble identifying the difference between a real URL and a spoof.
The relative ease and cost-effectiveness of phishing could explain the recent uptick in website spoofing activity. Google reported that the number of unsafe sites associated with phishing rose from just under 690,000 in January 2018 to 1.2 million in January 2019 – almost double the number in one year. And that number has continued to escalate all year long, with no signs of slowing down in 2020.
Preying on customers’ trust
According to a recent report, the brands most frequently targeted by phishing campaigns are Microsoft, PayPal, Facebook, Netflix, Bank of America, and Apple. Think for a moment about the millions of customers each of these brands has across the globe. The attack surface for this handful of companies is enormous. Attackers specifically target well-known brands with their schemes, because they can capitalize on customers’ trust in those brands. If a highly convincing spoof website and a corresponding email to a customer carry the brand name of a company they trust, they’re more likely to click on a link and take an action. The customer’s trust in the brand is part of the adversary’s strategy.
As more customer transactions move online, attackers, in turn, are branching out and diversifying. Not only are they launching more spoof websites, but they’re targeting more brands. The APWG report notes that more than 400 different U.S. brands were targeted with website spoofing attacks each month in Q3 of 2019. Phishing was once aimed mostly at banks and financial institutions, but clearly, that is changing. If a company has a website requiring customers to log in, it is at risk. And so is its brand’s reputation.
Protecting customer data protects your reputation
All the brand equity that companies work so hard to build can turn into a double-edged sword when there is a breach impacting customer data. The trust customers have in a company is used against them – and the brand – when a phishing attack is successful. And ultimately, it’s the brand that pays the price, both literally through regulatory fines and the loss of customer revenue, and figuratively when its reputation is tarnished. Research shows that when a customer is the victim of data loss through a corporate breach, they blame the company, not the hacker. In the minds of the customer and the regulatory bodies who assess violations of data privacy laws, it’s the company that must be held responsible for these incidents, even when the consumers themselves are creating risk by responding to phishing attacks.
Preserving brand reputation is about more than trying to stay out of the headlines. It requires a better approach to protecting customer data from one of the biggest threats out there: orchestrated phishing schemes. This new approach needs to extend beyond current controls, such as domain monitoring, 2FA or email filtering, because each of these has limitations and is subject to human error. It must also do more to protect customers, instead of just company employees. Customers are at far greater risk. And remember, some of these security mechanisms, such as 2FA, can be bypassed through tools that are all too easy for hackers to deploy.
Brands need an intelligent, multipronged anti-phishing strategy that addresses the shortcomings of current market offerings. Each of these shortcomings puts customer data at risk. A robust anti-phishing detection and response strategy considers the tactics used in today’s sophisticated phishing schemes, such as social engineering, email, and the fundamental building block of this attack vector: the spoof website.
Demonstrating that you take your customers’ privacy seriously will retain their trust and positively impact your brand’s bottom line. A new report from Cisco signals that consumers are more willing to “vote with their feet” and take their business elsewhere if a company doesn’t protect their data. This is especially true for younger consumers. Taking a stronger stance on protecting your customers from phishing attacks will address their fears about transacting with you online. A new study of 1,500 U.S. consumers reveals that the privacy and security of their personal data is one of the top concerns – second only to healthcare. Think about the burden you can remove from their minds by taking the right actions to eliminate risk.
As we enter a new decade, companies that are all-in on data protection and privacy will dominate the market and enjoy little attrition of their customer base.