Are you finding that your anti-phishing strategy is failing, despite your best efforts?
If so, you’re far from alone: despite employing anti-phishing strategies, organizations saw direct financial losses from successful phishing attacks increase by a staggering 76% in 2022, and those losses are only continuing to climb.
Today, our team of ethical hackers explains why many common strategies have not kept pace with how phishing is evolving, and offers recommendations for how to counter these spikes in security incidents.
An Overview of Phishing and Anti-Phishing Strategies
Firstly, what is phishing?
Phishing is defined as a social engineering attack in which the attacker masquerades as a legitimate person to target the victim through email, SMS, social media inbox messages, and other means. Attackers use these various vectors to lure victims into revealing sensitive information.
As such, anti-phishing strategies employ tools and techniques to prevent these attacks. This is commonly done by monitoring application traffic to detect attempts to harvest private information, by applying identity theft prevention techniques, and by following best practices such as Multi-Factor Authentication (MFA) to ensure that an organization’s accounts can only be accessed by authorized individuals. Having these strategies in place is essential for organizations to avoid both financial and reputational damage.
Why Anti-Phishing Strategies Fall Short
There are several reasons why some common anti-phishing techniques fail.
Six of the most common of these reasons are as follows:
1. Not Having Dedicated Employee Awareness Training
So you’ve invested in comprehensive anti-phishing tools and techniques, and feel confident in their efficacy. Done and dusted, right?
Over time, employees, staff, contractors, and other key stakeholders may still be falling prey to common social engineering tactics. As just one example of this, in the healthcare industry doctors are ranked as significantly more likely than all other hospital members to fall victim to phishing!
Organizations should invest periodically in practical drills and simulated phishing attempts as a way to avoid these common pitfalls. As Jim Russell, Chief Information Officer (CIO) at Manhattanville College in Harrison, explains about his Employee Awareness Training methodology: "One of the things we talk about in our training is an authentic voice, which is one of the most important elements in recognizing a fraudulent email."
2. Not Acknowledging the Sophistication of Phishing
Cybercriminals use advanced tools and techniques to deceive people; in fact, most subscribe to PhaaS (Phishing-as-a-Service) offerings and buy pre-existing online templates on various hacking forums and the dark web to deploy top-of-the-line phishing attacks.
Some of the most common types of phishing to look out for are:
Spear phishing, which involves targeting a specific individual in an organization to attempt to steal their login credentials
Vishing (short for “voice phishing”), which is when a threat actor fabricates an individual's voice online or over the phone to try to steal information
Email phishing, which involves fishing for information or account details via a fraudulent email message or harmful links submitted via email
HTTPS phishing, which is executed by sending the victim an email with a link to a fake website
Pharming, which is when the victim gets malicious code installed on their device
Pop-up phishing, which involves using malware to trick an individual into clicking on a pop-up on their device that contains information-stealing malware
Evil twin phishing, which is where a threat actor sets up a false Wi-Fi network that looks real in order to steal information once the user logs into it
Watering hole phishing, wherein a threat actor determines a website a group of users tends to visit and infects said website with information-stealing malware
Whaling, which is any phishing that specifically targets a high-ranking stakeholder
Clone phishing, which involves a hacker making an identical copy of a message the recipient already received to bolster the likelihood of it being opened over text or email
And smishing, which is phishing done over SMS
Each of these attempts, when successful, could create access to an organization's financial accounts, account passwords, internal messaging channels, customer or client information, and so much more.
3. Not Investing in In-Depth Anti-Phishing Strategies
Another reason anti-phishing strategies fail is that organizations lack holistic, in-depth defence mechanisms.
Focusing only on anti-phishing tools, or only on training employees to identify phishing emails, is insufficient. Instead, organizations should take an all-in-one approach.
One such way to accomplish this is to invest in various cybersecurity services. Compromise assessments, infrastructure penetration testing, and cyber maturity assessments are just some of the services that can work in tandem to reveal the top risks to your organization's security... as well as how to remediate them.
4. Lacking Internal Communication
Communication gaps are among the most apparent reasons for the failure of anti-phishing strategies.
Many new employees, for example, may not know to whom they should report phishing attempts; and if key stakeholders are being targeted but are not reporting those attacks, an organization may not realize the importance of investing in cybersecurity until it's too late.
As such, professionals should create a clear communication channel as a part of the anti-phishing campaign.
5. Not Enforcing Security Policies
Most security-driven enterprises have robust training programs and security policies. Still, they lack an effective anti-phishing strategy. This is because there are no consequences for employees who violate the policy. Many enterprise professionals know the benefit of 2FA but do not implement it. All of these gaps lead to anti-phishing strategy failure.
6. A Reliance on Outdated Technology
Last but certainly not least when it comes to the pitfalls of combating phishing is relying too heavily on outdated technology.
Having antivirus software and multi-factor authentication are both baseline ways to protect your organization's systems and devices, yes, but businesses that do not regularly audit their internal tools and services inevitably leave room for successful phishing attempts. This is because sophisticated phishing software can bypass these common tools.
Anti-phishing strategies and solutions fail because the people who rely on them are fallible. Attention to these six reasons can help resolve those issues and increase the chances that your anti-phishing strategy succeeds.
Looking for more information on phishing regarding your organization's security, or seeking cybersecurity? Download our free Phishing for Initial Access webinar recording to further strengthen your team's cybersecurity training arsenal.
Download our Free Buyer's Guide
Whether you are looking to complete Penetration Testing to manage risk, protect your data, comply with regulatory standards, or meet a requirement for cyber insurance, selecting the right company is crucial. Download our buyer’s guide to learn everything you need to know to successfully plan, scope and execute your penetration testing projects.