Phishing has been around for nearly as long as email has, and the perception that phishing tactics have not evolved persists. Many people believe we are still in the era of the easy-to-spot "Nigerian prince" emails, shown below. Underneath that, we see a highly creative, yet not any more technically sophisticated, "Nigerian astronaut" ruse.
But the reality is that we live in a time when well-crafted, sophisticated, and targeted phishing attacks are aimed specifically at enterprises.
Here is an example of a phishing email and phishing landing page designed to mimic Microsoft Office 365:
Now, you're probably looking at this example and thinking, "I'd spot these because I'm pretty savvy when it comes to security. I can identify a phishing email when I see one."
Sadly, not everyone is as astute as you. At the 2019 Black Hat security conference, a Google researcher reported that 45% of Internet users don't know what phishing is. That's a pretty staggering statistic given how long phishing has been around and how much time and effort has been expended in educating users about phishing.
Before looking at phishing in more detail, let's look at the current definition of phishing, as defined by the Anti-Phishing Working Group (APWG).
"A criminal mechanism employing both social engineering and technical subterfuge to steal personal identity data and financial account credentials. Social engineering schemes use spoofed emails purporting to be from legitimate businesses and agencies, designed to lead users to counterfeit Websites that trick recipients into divulging data such as usernames and passwords."
In other words, the key objective of phishing is to steal personal information, such as name, address, email, and financial details. Put into an enterprise context, attackers are trying to steal usernames and passwords linked to corporate accounts.
Notably, the APWG states that email is a phishing campaign's primary attack vector. I'd suggest the definition should be expanded -- both to reflect modern attack channels and the growing threat that phishing poses explicitly to enterprises.
There are five key reasons why phishing remains a huge problem and should be top of mind for enterprises.
- Phishing is no longer just an email problem. Social media platforms and instant messaging tools are increasingly used to launch and distribute phishing scams. And it doesn't stop there. Other attack vectors such as personal email and lateral phishing attacks from compromised email accounts are rampant.
- There's an enduring perception that phishing is just a consumer problem. In reality, Akamai's research (and other research) shows that between 30% and 40% of all phishing attacks are targeted at enterprises.
- Phishing is the attack beachhead -- as many as 93% of all corporate security breaches start with a phishing attack. Simply put, once an attacker has a domain username and password, they also have the keys to the enterprise's front door. Why bother with another approach when the phishing route is so effective?
- Phishing has been industrialized. Sophisticated attacks are templatized and can be launched by anyone, regardless of specific knowledge or expertise. Akamai threat researcher Or Katz details this trend in his recent blog post, "Phishing Factories and Economies". More importantly, such attack methodologies are forever evolving.
- Lastly, the defenses that enterprises employ against phishing are insufficient. Existing security solutions have inherent gaps. Furthermore, they can't protect against emerging attack vectors. Attackers are exploiting both of these weaknesses.
In my next blog post, I'll provide more details about the industrialization of phishing.
In the meantime, check out the Akamai white paper, "Phishing Is No Longer Just Email: It's Social".