A recently published study from the Federal Trade Commission’s (FTC) Office of Technology Research and Investigation has revealed that anti-phishing technologies are not being widely adopted by U.S. businesses.
While there are several anti-phishing technologies that could be adopted by businesses to reduce susceptibility to phishing attacks, relatively few businesses are taking full advantage of the latest anti-phishing solutions.
Phishing is a type of online scam primarily conducted via email, although the same type of scam can occur online on malicious websites. The email version of the scam involves sending an email request to an employee in which the attacker claims to be a well-known source. That could be an Internet service provider, a well-known company such as Amazon or Netflix, or the CEO or CFO of the employee’s company. The target is asked to send sensitive personal or business information.
Typically, the attackers request financial information, logins, or as we have seen on numerous occasions this year, employees’ W-2 Form data. The information is then used for identity theft and fraud. In the case of the W-2 Form phishing scams, the information is used to file fraudulent tax returns in employees’ names.
Phishing is one of the biggest cybersecurity threats that businesses must mitigate. A separate study conducted by PhishMe showed that the vast majority of cyberattacks start with a phishing email. The largest ever healthcare data breach – which resulted in the theft of 78.8 million health insurance members’ credentials from Anthem Inc. – occurred as a result of an employee responding to a phishing message.
The FTC’s research revealed that most businesses have now implemented authentication controls, but little else. The FTC study (performed by OTech) found that 86% of businesses were using the Sender Policy Framework (SPF) to determine whether emails that claim to have been sent from a business were actually sent from the domain used by that business.
Protect your MSP clients with the newest zero-day threat protection and intelligence against anti-phishing, business email compromise and zero-day attacks with PhishTitan.
Free Demo
While this is an important anti-phishing control, SPF alone is insufficient to protect businesses from phishing attacks. SPF controls can be bypassed.
The FTC study found that fewer than 10% of businesses were using Domain Message Authentication Reporting & Conformance (DMARC) to receive intelligence on the latest spoofing attempts used to bypass SPF controls. DMARC allows businesses to automatically reject unauthenticated messages, yet few use the technology.
While not covered by the FTC study, one of the best additional anti-phishing technologies is a spam filtering solution such as SpamTitan.
SpamTitan blocks 99.97% of spam email messages, 100% of known malware via its dual anti-virus engines, while a powerful anti-phishing component looks for common signatures of phishing emails and prevents them from being delivered.
The threat from phishing is growing. A study from the Anti-Phishing Working Group revealed there was a 65% increase in phishing attacks in 2016 compared to 2015. Last year, 1,220,523 phishing attacks were reported. With attacks increasing at such a rate, and given the number of phishing attacks on businesses so far in 2017, more must be done to prevent attacks.