According to F5’s latest 2018 Phishing and Fraud Report: Attacks Peak During the Holidays, fraud incidents during the months of October, November and December jump over 50% from the annual average. Phishing, which gives cybercriminals access to one’s personal information including login credentials and credit card numbers, continues to be the number one attack vector.
Phishing tactics have moved beyond the Nigerian prince e-mail scam, becoming much more sophisticated and aggressive through increasingly using impersonation tactics and playing on people’s emotions to con them out of their money.
The increased sophistication of phishing methods have become a real threat to businesses. Over the course of 2016-17, reports to the ACSC indicated losses of over AU$20m due to Business Email Compromise (BEC), representing an increase of over 130% from 2015-2016. In addition, almost half (47%) of Aussies admit to shopping online at work. This significantly increases the threat of cybercriminals accessing company information if an employee was to fall victim to a phishing scam whilst using a company device.
The F5 research reveals insights into annual phishing and fraud trends, the top impersonated companies in phishing attacks, and how employees and businesses can defend against phishing and fraud.
Highlights from the report include:
- The most successful phishing lures play on people’s emotions (greed, concern, urgency and fear) to get them to open an email and click on something.
- Impersonation is a key tactic – 71% of phishing attacks seen from September 1 through October 31, 2018 focused on impersonating 10 top-name organisations, predominantly in the technology industry.
- Financial organisations are the fastest growing phishing targets heading into peak phishing season, however we expect to see a rise in e-commerce and shipping starting in December due to holiday shopping
- Training employees to recognise phishing attempts can reduce their click-through rate on malicious emails, links, and attachments from 33% to 13%.
Defending Against Phishing and Fraud
Tips to share with employees:
- Shortened URLS from services like bit.ly and others can be malicious. Always open a new browser tab and search for the content or website that’s referenced.
- Certificate warnings are displayed by in the browser when the security certificate of the website requested is invalid, not current, or has not been issued by a trusted certificate authority. Rather than ignore the warning, if you think the site is legitimate, it’s best to search for the site in a separate browser window.
- Fake phishing websites can be extremely well crafted and look surprisingly legitimate. Always make a habit of checking the URL in the address bar before providing any personal information such as login credentials or account information. Alternatively, try reaching the site directly in a separate browser session.
Tips for the business:
- User awareness training is essential to protecting organisations and users from phishing attempts
- Raising user awareness and reducing the amount of phishing emails that creep into employee mailboxes is key, but businesses also need to accept the fact that it’s inevitable employees will fall victim to a phishing attack. To reduce risk, it’s important to take proactive steps to protect the organisation through containment controls including email labelling, anti-virus (AV) software, web filtering and multi-factor authentication at a minimum.
- Ultimately, there is no one-stop-shop security control for phishing and fraud. A comprehensive control framework that includes people, process, and technology is a requirement to reduce the risk of a phishing attacks becoming a major risk to your business.
Read the full report to explore the core threat areas, understand the impact of phishing in detail, and obtain an extensive list of recommendations to defend your business against phishing and fraud.
