A lack of security common sense still plagues businesses with 30 percent of phishing emails opened by campaign targets. Worse, 12 percent click on the attachments inside those phishing attacks, giving crooks easy access to systems to snarf up credentials that are later used to pull off financially or espionage motivated crimes.
According to the 2016 Verizon Data Breach Report (DBIR), when it comes to gaining a foothold in a target organization, phishing is still the king. More concerning though is that the numbers aren’t getting better. Based on the the 2015 DBIR, 23% of users opened phishing emails, 7% lower than then 30% reported in 2016.
What does this mean in plain English? (1) Attackers (malicious hackers) are using phishing emails to gain a foothold into organizations. (2) Phishing attacks are working more often in the past year than they did in the previous year. (3) They are using these footholds to steal credentials (usernames, passwords, etc.), spread malware and gain access to sensitive financial data, POS systems, etc.
Phishing exploits one of the few vulnerabilities that we can’t solve with shiny boxes with blinky lights, it exploits the human behind the keyboard (or touchscreen). The good news though is that it’s not an impossible problem to fix. Through user education (an internal phishing campaign to simulate an actual attack) and innovative processes (i.e., before your HR person sends sensitive information via reply email, they get verbal authorization from the supposed requester).