92% Of Malware Attacks Result Of Email Phishing
By: Jim Stickley and Tina Davis
August 28, 2019
It’s no secret that as email phishing attacks get more sophisticated, they get more successful. The latest statistics show some alarming results, with Proofpoint Inc. reporting that email phishing accounts for 92% of all malware and ransomware attacks. And there’s more: Verizon estimates phishing campaigns lure 4% of all recipients, and that rate rises to 30% at business organizations. Further, F5 Networks finds these emails responsible for 48% of the data breach cases it investigated.
Researchers agree that phishing attacks are sharply on the rise, with Microsoft reporting phishing attacks grew by 250% in 2018. All these numbers point to one thing: hackers learn as they go, polishing what works and tossing out what doesn’t. They continue trying new tactics in their ongoing efforts to steal data, infect systems with malware, and make those who fall for their tricks very sorry they didn’t see it coming.
A recent scheme involves a phishing tactic called URL obfuscation, a way to literally hide malicious content in emails. Almost all emails are now in HTML format, allowing hackers to plant characters in the email that can’t be seen by the human eye because they are set to a font size of “0.” Those invisible characters spell trouble and can’t be detected by a browser when a hyperlink in the email is activated. Other obfuscation tricks with URLs are also very difficult to detect. In other words, what you can’t see can hurt you. It makes spotting phishing emails before they harm you or your place of work even more important than it already is.
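One way a mail filter can surface the zero-font trick described above is to separate the text a reader sees from text placed inside elements whose inline style sets the font size to zero. The Python below is an added example, not code from the original article; the function and class names and the sample message are constructed for illustration, and it assumes the hiding is done with inline `style` attributes only.

```python
import re
from html.parser import HTMLParser

FONT_SIZE = re.compile(r"font-size\s*:\s*([^;!\s]+)", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "input", "link", "wbr"}

def declares_zero_font(style):
    """True/False if the inline style sets font-size to zero/non-zero, else None."""
    match = FONT_SIZE.search(style or "")
    if not match:
        return None
    number = re.match(r"[0-9]*\.?[0-9]+", match.group(1))
    return bool(number) and float(number.group()) == 0

class ZeroFontScanner(HTMLParser):
    """Separates text the reader sees from text hidden with font-size: 0."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []     # (tag, font-size state) for each open element
        self.rendered = []  # text nodes shown to the reader
        self.hidden = []    # text nodes inside a zero-font element

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            self.stack.append((tag, declares_zero_font(dict(attrs).get("style"))))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unbalanced markup.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        # font-size is inherited, so the nearest explicit declaration wins.
        states = [state for _, state in self.stack if state is not None]
        (self.hidden if states and states[-1] else self.rendered).append(data)

def scan_email_html(html):
    """Return (text as rendered, list of zero-font text runs)."""
    scanner = ZeroFontScanner()
    scanner.feed(html)
    scanner.close()
    return "".join(scanner.rendered), [h for h in scanner.hidden if h.strip()]

# Constructed sample body; the domain and brand name are placeholders.
SAMPLE = ('<p>Sign in to <a href="https://login.example.test/">Exam'
          '<span style="font-size:0px">zzqq</span>pleBank</a> today.</p>')
```

Any non-empty list of hidden runs in a message body is worth flagging for review, since legitimate mail has little reason to carry text at font size zero inside a sentence or link.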
Business URLs are also vulnerable to typosquatting attacks. Typosquatting, also called URL hijacking or domain jacking, happens when hackers create and purchase URLs that are very similar to a company website name. An employee who accidentally types an incorrect character into the domain name could easily end up at a typosquatting website, one created and owned by hackers to steal employee and company data and launch malware attacks. Something as simple as “yuutube.com” could work. Typosquatting is known as a form of cybersquatting, and businesses are now seeing the value in purchasing similar URLs before hackers do. It’s a way of cutting typosquatters off at the pass, before they are able to own the fake URLs themselves.
As the statistics show, it’s necessary to ratchet up protection against new phishing attacks, as well as against older attacks that have been improved. Even with statistics showing scary email phishing numbers, it’s important for users not to be discouraged. They are still the best defense against hacker trickery, and increasing numbers of organizations understand that employees are a vitally important tool for combatting these attacks. Ongoing employee cybersafe education and secure systems support are keys to staying safer online, including spotting phishing emails.
Always remind employees and anyone connecting to your network not to click on links from unknown persons, on links or attachments that are unexpected, or on anything that just doesn’t seem right. They all need to be 100% certain that what they click with the mouse is not going to harm them. If they can’t be, they should not do it. Instead, they should contact someone from the IT department to check it out. It’s also wise to confirm with the sender by paying a personal visit to his or her desk, placing a quick phone call using a phone number that is confirmed as a good one, or even starting a brand new email using the sender’s email address that is already known to be legitimate.
Spending the time on education and awareness is an investment in the future of online safety and success of any company. It’s also well worth the effort to change the statistics in their favor.