Late last year, Dr Zinaida Benenson from the University of Erlangen-Nuremberg conducted two separate studies on university students. These studies involved simulated phishing attacks over email and Facebook. The first study included phishing emails with the student's name in the message; 45% of students clicked on the phishing link. The second study did not include the student's name in the phishing email, and the click rate dropped to 25%. In both studies, the click rates were higher than the students admitted: 20% of students admitted to opening the first round of emails, and 16% admitted to opening the second.
78% of the participants of this study said that they were aware of the risks of unknown links, prior to receiving the emails. After the study, most of those who clicked on the links said they did so out of curiosity. A majority also said that they thought the computer antivirus would protect them.
This study demonstrated the difference in effectiveness when a phishing attack is personalized. This kind of personalization is called “spear-phishing,” and it's highly effective because it's based on research and it's customized to the intended target. As an example, let's look at what happens when an office administrator gets an email addressed to him by name, asking him to reset his login information for the company portal. The email looks like it is from the company system, and it includes a link that looks like it goes to the company portal reset password site. In fact, the actual link takes him to a website that is designed to look like the company portal, but it's really just there to capture his credentials and deploy malicious software to his PC. He won't fall for this attack if he notices the details on the sender email or the portal hyperlink. He won't follow through if he knows his portal wouldn't send an email like that for no reason.
That is, unless he's curious or overconfident in his antivirus protection, like the people in Dr Benenson's study. The majority of targeted attacks begin with a spear-phishing email for this very reason. It takes a little longer to create the attack, but the payoff can be huge.
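The two details the scenario above says the administrator should notice, the sender address and where the portal link really goes, are also what a mail filter can check mechanically. As an added example (not code from the post or from Barracuda), this flags a link whose visible text is on one domain but whose href is on another, and a Return-Path on a different domain from the From address, over a constructed sample message; the domain-extraction helper is a rough approximation of a public-suffix lookup.

```python
# Added example (not the post's or Barracuda's code); the message is constructed.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: link text looks like the portal; href and bounce domain do not.
SAMPLE_EMAIL = """\
From: IT Helpdesk <helpdesk@example.com>
Return-Path: <bounce@mail.example.org>
Content-Type: text/html; charset=utf-8

<p>Hi Alex, please reset your login at
<a href="https://portal.example.com.example.net/reset">https://portal.example.com/reset</a></p>
"""

class _Links(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Last two labels; a rough stand-in for a public-suffix lookup."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def phishing_indicators(raw):
    """Return indicator strings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    sender = registrable_domain(msg["From"].addresses[0].domain)
    m = re.search(r"@([^>\s]+)", msg["Return-Path"] or "")
    if m and registrable_domain(m.group(1)) != sender:
        found.append(f"return-path domain {m.group(1)} != sender {sender}")
    links = _Links()
    links.feed(msg.get_body(preferencelist=("html",)).get_content())
    for href, text in links.links:
        shown = registrable_domain(urlparse(text).hostname or "")
        real = registrable_domain(urlparse(href).hostname or "")
        if shown and shown != real:
            found.append(f"link text shows {shown} but goes to {real}")
    return found
```

Both tells fire on the sample; a message whose link text is not itself a URL produces no link finding, so this is a complement to, not a replacement for, sender authentication.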
The other factor at work in this study was overconfidence in the endpoint security system. People tend to think that antivirus or antimalware software can protect them from ransomware. The reality is that a local antivirus, even when updated, simply cannot defend against zero-day attacks and other emerging threats. The best protection against these advanced attacks is one or more threat protection layers between your organization and your users. A cloud-based security layer offers several advantages, which we'll come back to in a minute.
So how can you construct a security posture that will protect your users from fatigue, curiosity, overconfidence, and the other human factors that work against you? Training and awareness play a role, but cannot do it alone. The best answer is a combination of advanced technologies and specialized training that work together.
- Delivered as a cloud service. There's nothing on site to impact network performance
- Operates in real time. There's no waiting
- The first comprehensive, AI-based solution designed to fight spear phishing and cyber fraud
- Learns unique communication patterns to stop impersonation attempts in real time with zero impact on network performance
Let's dig into these three layers in more detail:
- AI for Real-Time Spear Phishing Attack Prevention – Barracuda Sentinel’s artificial intelligence engine learns organizations’ unique communications patterns to identify anomalies and impersonation attempts. This messaging intelligence can automatically stop spear phishing attacks in real time. This AI engine uses two layers of classifiers – an impersonation layer that focuses on the organization’s existing communications patterns, and a contextual layer that studies the content of the specific messages. The intelligence gathered is then used to determine whether an email is a spear phishing attack.
- Domain Fraud Protection – Barracuda Sentinel helps organizations set up, monitor, and enforce DMARC email authentication with a few simple clicks, to guard against domain spoofing and brand hijacking.
- Anti-Fraud Training for High-Risk Individuals – Barracuda Sentinel leverages the intelligence from its machine learning platform to identify high-risk individuals within the organization and to conduct specialized anti-fraud training that includes simulated spear phishing attacks.
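"Enforcing" DMARC comes down to what the published TXT record says: a record with p=none only reports on spoofed mail, while p=quarantine or p=reject at pct=100 actually acts on it. As an added example (not Barracuda's code), this reads a DMARC record and reports whether it enforces anything and what weakens it; both records are constructed.

```python
# Added example (not Barracuda's code): read a DMARC TXT record and say
# whether it enforces anything. Both records below are constructed.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCING = ("v=DMARC1; p=reject; sp=reject; pct=100; "
             "rua=mailto:dmarc@example.com; adkim=s; aspf=s")

def parse_dmarc(record):
    """Return a tag->value dict; raise ValueError if not DMARC1 with a policy."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def assess_dmarc(record):
    """Return (enforcing, notes): enforcing is True only when mail that
    fails DMARC is quarantined or rejected in full, not merely reported."""
    tags = parse_dmarc(record)
    notes = []
    p = tags["p"].lower()
    pct = int(tags.get("pct", "100"))
    if p == "none":
        notes.append("p=none only monitors; mail failing DMARC is still delivered")
    if pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if p != "none" and tags.get("sp", p).lower() == "none":
        notes.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        notes.append("no rua address: no aggregate reports to monitor")
    return p in ("quarantine", "reject") and pct == 100, notes
```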
These three layers work together to determine whether a message is from a legitimate sender or an impersonator. If the email is determined to be a spear phishing attack, the message is automatically moved to a quarantine folder and the user is alerted.
The FBI reports that spear phishing is growing rapidly in all 50 US states, and measured a 2,370% increase in spear phishing attacks in 2015-2016. The spear phishing market is expected to grow from $840.7 million in 2017 to $1.4 billion in 2022. These attacks are dangerous and spreading across the world.
If you are concerned about spear phishing and cyber fraud, take a look at Barracuda Sentinel. This solution was engineered to protect people, businesses, and brands from this type of attack. Visit the Barracuda Sentinel site here for more information.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. In this role, she helps bring Barracuda stories to life and facilitate communication between the public and Barracuda internal teams. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.