Verizon’s latest annual security report, released late last year, covers almost 100,000 security incidents and over 3,000 serious breaches. In 2016, as in previous years, social engineering — including phishing — was the primary means of initiating an attack.
What that means is that phishing emails are not merely an inconvenience: They are a real threat. In its survey, Verizon’s Data Breach Investigations Report (DBIR) found 9,576 phishing incidents, of which 916 resulted in confirmed data disclosure.
Of course, the phish is just the first step. “The majority of phishing cases feature phishing as a means to install persistent malware,” Verizon wrote. Once that malware has been installed, the trouble really starts.
Phishing is a subset of a broader category of attacks known as social engineering. As the authors of the Verizon report put it:
“Social engineering in its basic form is simply to dupe or trick someone into doing something they would not otherwise do…. Social tactics can take many forms such as pretexting, elicitation (the subtle art of extracting information from a subject via conversation), baiting (planting infected media in victim areas), and a myriad of other lowdown and dirty tricks. However, by far its most successful variety is phishing.”
These aren’t just script kiddies we’re talking about. In fact, phishing emails are the major vector through which serious hackers — including organized crime and state actors — start their attacks. These phish emails lead to immediate data leaks (as when someone replies with the W-2 tax forms for hundreds of employees), loss of cash (as when an executive mistakenly wires millions of dollars to the hackers’ account), or the installation of persistent malware that gives the hackers increased access to the corporate network (as when Democratic strategist John Podesta clicked on a malicious link and opened up the DNC email servers to Russian hackers).
Verizon’s take on phishing reflects what others are saying. RSA noted a 308% year-over-year increase in phishing attacks in Q2 of last year. And attendees at the Black Hat conference last year overwhelmingly indicated that phishing was their #1 security concern.
Why does this keep happening? Because, despite education, people can’t resist clicking on links in emails from what appear to be familiar senders. After analyzing eight different tests of phishing effectiveness, Verizon concludes that 13 percent of people will click on a link in phishing email — many of them within hours of the email being sent.
But the root of the problem is that the senders of phish find it too easy to simulate the return addresses of legitimate senders. Despite the widespread adoption of email authentication standards by the big consumer providers of email inboxes (Google, Microsoft, AOL, and Yahoo), too many smaller companies have not yet implemented email authentication on the sending side.
That leaves their emails vulnerable to impersonation, because the Internet’s basic email standards have no tools for authentication of senders whatsoever. It’s such a big problem we’ve called it “email’s original sin.”
Fortunately, given that authentication is so widely used on the recipient side, the solution for security-conscious companies is fairly straightforward: Implement email authentication, preferably by creating a DMARC record and setting it to enforcement mode (so non-authenticating messages get quarantined or rejected). That will prevent everyone except whitelisted email servers from sending messages using the corporation’s domain name in the From: field or the email return address. Any DMARC-compliant inbox that receives a message coming from a non-whitelisted server will flag it or reject it — and what’s more, it will deliver a report to the domain owners that will alert them to an attempting phishing attack in progress.
Sure, social engineering will still happen. Hackers will still use pyschological skills or social media to try and trick their targets into revealing information, giving up passwords, downloading malware, or otherwise providing entry into the target’s network.
But by shutting down phishing, companies will reduce their attack surface markedly. Given that it’s as simple as publishing a DMARC record, why wouldn’t you take this simple step right away?
Is your domain protected by DMARC? Use our free DMARC domain checker to find out, and request a demo to find out how easy it can be to implement email authentication for your company.
Everything you ever wanted to know (but were afraid to ask) about email authentication DMARC, SPF, DKIM, and how they can stop fraud and phishing.