Let’s face it, phishing is not new and forms of social engineering have been around for as long as we’ve been trying to protect information on the internet. Anyone who’s responsible for protecting their organization’s users from unsolicited spam or social engineering can tell you that phishing is definitely still occurring on a regular basis. What many organizations today don’t realize, is that not only is phishing still occurring, it’s becoming more complex, occurrences are increasing at an alarming rate, and users’ behavior is not changing at the same pace.
People Click Links
I had a great opportunity to hear a couple of my peers speak recently and they referenced Verizon’s Data Breach Investigations Report (DBIR) from 2018 and pointed out a few alarming trends.
First, let’s start with the scary one; sanctioned phishing campaigns uncovered that a small subset of individuals click on literally every link they get in their inbox:
“Unfortunately, on average 4% of people in any given phishing campaign will click it”
Ok, so it’s only 4%. That’s not that bad, right? Well, consider a couple things; first, that individuals who have clicked on links in the past are far more likely to continue that trend, and that 4% of some of the largest organizations turns out to not be a trivial number at all. Walmart? 2.3M employees. JPMorgan? 256k employees. I wrote recently that a single compromised user gives an attacker a foothold in your organization and is often the start of most major data breaches.
So now that we know some individuals are susceptible, let’s take a look at the brighter side of that number; almost 80% of all users never click on a single link at all.
It’s not a huge secret that today vendors rely heavily on samples being reported in order to improve detection rates. What is pretty interesting is that a vast majority of phishing campaigns go unreported, with only 17% being reported at all. This means that you have no idea how effective you are at blocking those messages inbound and that there are plenty of instances where potentially malicious content has been viewed inside your organization and you have no idea.
Bringing it All Together
Now that we’ve got a little transparency into some raw numbers, let’s spend a minute on a more positive note and outline some great features available to help combat the knowledge gap in end users and the drastic increase in inbound phish attempts.
Microsoft’s Security Intelligence Report outlines the increase in phishing messages their service identifies. They handle over 470 billion messages per month and saw a 250% increase over the span of 2018.
As phishing campaigns become more and more complex, so has the way service providers protect their end users from 0 day threats. Microsoft leverages the sender side signals of those 470 billion messages to develop a user first contact graph to leverage machine learning for impersonation protection. On top of that, ATP adds SafeLinks and Safe Attachment protection for Office. The technology proxies every single end user click through a Microsoft server to validate the target URL before directing the user there. The cool thing about that statement? SafeLinks works in Office, including Office Mobile for your remote users. URLs embedded in attachments are equally protected.
Microsoft certainly isn’t the only provider who’s making great strides on the email front; vendors like ProofPoint, FireEye, Palo Alto, Menlo, etc. have all innovated in their own right as well. The thing that sets Microsoft apart is that they handle exponentially more mail than all other vendors and leverage machine learning and artificial intelligence to make use of that data to exponentially improve protection for their users.
Keep up the Good Fight
Unfortunately the world isn’t going to become a peaceful place overnight and people aren’t going to suddenly become benevolent to their neighbors. While I’ll keep waiting for that day to come and doing my part to see it to fruition, I’ll also work just as hard to stay on top of emerging trends to make the internet a safer place for everyone to learn, collaborate, and enjoy a bottomless sea of cat memes.
Big thanks to Cam and Daniel for sharing sources for data.