What is it?
An exploit in which an attacker, typically using email, attempts to trick a computer user into opening web links, entering personal information into a web form or fake website, or taking an action that allows the attacker to obtain sensitive information. Spear phishing targets a specific individual or group of individuals using personal information.
Why is it important?
Phishing and spear phishing are the most common attack methods for attackers to gain an initial foothold in an organization or obtain sensitive data.
Why does a business professional need to know this?
Email phishing is one of the most popular methods used by cybercriminals to trick users into taking actions that install ransomware on their computing devices. In the first quarter of 2016, the cybersecurity researchers at PhishMe Research determined that ransomware accounts for 50% of all phishing email messages.
As of the end of March 2015, 93% of all phishing emails analyzed contained ransomware. In the first quarter of 2016, the number of phishing emails hit 6.3 million, a 789% increase over the last quarter of 2015. Subsequent studies from PhishMe and other researchers continue to show the same trends.
With all the technical and administrative controls in place today, our cyberattacks are still growing at an alarming rate:
- 91% of breaches start with spear phishing
- Average time to identify a breach, 146 days
- Average time to contain a breach, 82 days
- The global average cost of a data breach, $4 Million
Business professionals looking for a defense must familiarize themselves with the emotional triggers that persuade and convince users to interact with phishing messages.
These emotional triggers can be:
- The promise of a reward for interacting
- The appearance that the message comes from a respected person, such as a family member or a boss
- An appeal to curiosity
Phishing email attacks usually ask the recipient to click a link, enter data in a form, or open an attachment.
Because humans are the first line of defense against cybercriminals, we must educate our customers and co-workers so they can recognize malicious phishing attempts and report them to the appropriate authority.