Although organizations face a wide variety of cyber security issues today, phishing surprisingly remains a popular attack vector. Over the course of Q2 2019, Kaspersky’s anti-phishing tool alone raised nearly 44 million red flags.
These constant attacks have a real impact. The FBI’s 2018 Internet Crime Report showed that phishing and other email account compromise attacks cost US businesses some $1.2 billion, with phishing alone accounting for over $48 million.
The rising volume and sophistication of phishing attacks and identity theft attempts is particularly concerning for larger companies, where every employee and their technology represents a potential weak link that threatens the whole network. However, cyber security firms have not sat idly by while hackers and attackers get smarter. The industry has evolved too.
Today’s security experts recommend turning to the following three tactics to help companies prevent attacks.
Training Has Become a Priority
Perhaps the biggest vulnerability when it comes to phishing attacks is users themselves. Even with the best technology and standards in place, a careless user, or even one who simply doesn’t recognize an attack, can cause chaos.
One 2017 study found that 66% of malware is installed via malicious email attachments, while 93% of all social attacks were phishing related. Many of these incidents stem not from faulty security, but from users who simply don’t know how to recognize the signs of a potential phishing attack. Training employees is a good way to mitigate these incidents and can help inform every user about well-known techniques and red flags to look for. This doesn’t mean only a course taught once a year, although that certainly helps.
Today, training tools offer more customized systems that can constantly test users and adapt to their level of sophistication. Hoxhunt, for one, offers tailor-made training programs that incrementally educate users and add complexity to tests to continuously improve their ability to react. By testing your team with simulated phishing messages, it exposes people to the different phishing tactics they are likely to encounter and tailors training to help them spot and avoid them. Hoxhunt’s gamified training can make a significant dent in the number of successful attacks a company faces.
While education is not the silver bullet to stop phishing attacks, it does significantly reduce the number of attacks that succeed, and it can help fill in the gaps where tech-based protection falls short.
Machine Learning and AI Deployed Proactively
Machine learning and artificial intelligence (AI) have become mainstays in the tech industry, and the cyber security sector has capitalized on the technologies. When it comes to phishing attacks, this is undoubtedly a boon, as the volume of attempts and vulnerabilities continues to expand.
A study by security firm GreatHorn found that between 2018 and 2019 there was a 25% increase in the number of phishing attacks that evade standard security defenses, and over half of the companies it surveyed reported seeing threats at least weekly. With the number of attempts on the rise, it’s difficult for humans to keep track of and identify new attacks as they emerge. Especially as hackers also increase their sophistication to perform more dangerous phishing attacks, security tools require fast thinking and reaction times measured in milliseconds, not minutes.
Machine learning is nothing new for the sector, as Gmail’s spam filter proves. The company’s system delays delivery of roughly 0.05% of all email traffic to scan for phishing attempts, and it blocks 99.9% of spam. However, for companies without the massive resources of Google, AI still offers a great way to scan incoming emails and communications more quickly and effectively.
By scanning and learning about new vulnerabilities as it monitors communications, machine learning and AI powered cybersecurity can always be on top of new attack vectors and recognize red flags more quickly than the human eye can.
Improving Access Control
Some innovations don’t have to reinvent the wheel to make an impact. Indeed, one of the most useful tools organizations and cyber security firms have found is one of the simplest: better and more consistently enforced implementation of two-factor authentication (2FA).
Many phishing attacks begin by harvesting a user’s access credentials through a fake site masquerading as a legitimate one. When users input their password, it’s immediately stolen. However, 2FA can significantly reduce this risk by requiring an added layer of security that isn’t tied to user passwords. In many cases, the second-layer credential is a code sent via SMS or encrypted messaging, which the user then types into the login screen.
These types of 2FA can be bypassed, though they remain a valuable tool. On the other hand, many companies (Google, for instance) use physical security keys that generate randomized codes that can’t be easily cracked.
While a return to physical security sounds sub-optimal for many companies, it also offers a more fool-proof security measure. Token and random key generators are relatively easy to implement, and they have the added benefit of not requiring passwords to be transmitted over vulnerable communications before they’re used for logins.
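The difference between the two second factors described above, as an added example that is not part of the original article: a one-time code is valid wherever it is typed, whereas a hardware key's response covers the origin the browser actually saw, so a look-alike site cannot pass it on to the real one. The model is simplified (HMAC stands in for the key's real public-key signature), and the names `totp`, `OriginBoundKey` and `verify_assertion` are this example's own.

```python
import hashlib
import hmac
import os
import struct

# Added example, not from the article. Simplified model: the "key" answers with
# an HMAC rather than a real public-key signature; the origin-binding logic is
# the point. All names and values below are constructed for the demo.


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1, RFC 4226 truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    """A code is valid wherever it was typed; nothing ties it to a site."""
    return hmac.compare_digest(totp(secret, unix_time), code)


class OriginBoundKey:
    """Models a hardware key: its response covers the origin the browser saw."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret

    def respond(self, origin_seen_by_browser: str, challenge: bytes) -> bytes:
        data = origin_seen_by_browser.encode() + b"\0" + challenge
        return hmac.new(self.secret, data, hashlib.sha256).digest()


def verify_assertion(secret: bytes, expected_origin: str,
                     challenge: bytes, response: bytes) -> bool:
    """The real site checks against its own origin, not the one the user visited."""
    data = expected_origin.encode() + b"\0" + challenge
    expected = hmac.new(secret, data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> tuple:
    """(code_accepted, key_response_accepted) when a user completes the second
    factor on a look-alike site that forwards what it receives to the real site."""
    secret, t = b"constructed-demo-secret", 1_700_000_000
    code_accepted = verify_totp(secret, totp(secret, t), t)   # six digits pass through
    challenge = os.urandom(32)                                # issued by the real site
    response = OriginBoundKey(secret).respond("https://login.example-bank.co", challenge)
    key_accepted = verify_assertion(secret, "https://login.example-bank.com",
                                    challenge, response)      # origin mismatch
    return code_accepted, key_accepted
```

The 8-digit variant of `totp` reproduces the RFC 6238 SHA-1 test vector (secret `12345678901234567890`, time 59 gives `94287082`), which is a quick way to check the code-generation half against a real authenticator.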
A Constant Battle
Regardless of the innovations cyber security firms make, the battle against phishing is constantly being waged. Hackers continue to evolve their tactics to bypass even the most advanced tools, but the industry has not sat idly by. Instead, the technology and methods we use to protect our businesses against phishing continue to improve as well.