New research indicates the threat from phishing is growing at an alarming rate, with thousands of new malicious websites being created every week. Detection rates of new phishing sites are also increasing, thanks to new software introduced by the Anti-Phishing Working Group (APWG).
APWG is a pan-industrial not-for-profit organization dedicated to improving Internet security. The organization works alongside law enforcement to reduce identity theft and make it harder for online criminals to operate. One of the ways it achieves its aims is by finding new websites set up by cybercriminals to obtain login names, passwords and other sensitive information from Internet surfers.
A recent report issued by APWG shows an alarming rise in the number of new phishing websites, indicating cybercriminals are concentrating on this attack vector to obtain the data necessary to commit fraud and steal identities.
In the month of February alone, 56,859 new phishing websites were detected. This rate of detection has not been achieved since August 2009. February’s count of new phishing websites was 1% higher than the organization’s August 2009 figures. While this suggests there has been a major increase in cybercriminal activity, the company’s new detection software may account for the rise in detection. That said, the threat from phishing is certainly growing.
What does a phishing website look like?
The reason that phishing websites are so dangerous is they look exactly the same as legitimate websites. Criminals are investing a considerable amount of time and money into creating spoof sites that are highly convincing. Big brand name websites are now being spoofed, with Amazon and E-bay just two of the major retail sites that have had fake versions created to fool users.
It is not only the retail industry that is being affected. Criminals have created phishing websites that look the same as those of major banks and financial institutions. If users can be fooled for long enough to attempt to login to the websites, criminals will obtain their credentials and be able to make bank transfers. Huge sums of money can be transferred and withdrawn by criminals before the victims even realize.
Protect your MSP clients with the newest zero-day threat protection and intelligence against anti-phishing, business email compromise and zero-day attacks with PhishTitan.
Free Demo
The majority of the fake websites discovered by APWG were located in the United States. Over half of those websites used the brand names of large organizations to fool users into revealing their sensitive information. This is achieved by creating a website that looks very similar to the brand being spoofed, with the domain name also featuring the brand name.
Security software identifies phishing websites and neutralizes the threat
There may now be more phishing websites than ever before, but fortunately action is being taken. When new sites are identified, the companies hosting those sites are alerted and the websites are closed down. Hackers and other cyber criminals may be devising more sophisticated ways of obtaining sensitive information from businesses and consumers, but detection software is also becoming more sophisticated. Companies such as SpamTitan Technologies have devised software that can rapidly identify phishing websites, allowing the threat to be neutralized. However, the volume of these malicious sites is such that even with rapid identification, it is not possible to totally eliminate the threat they pose. All that can be done is to use a web filter to prevent Internet users from visiting these websites.
Employees are not reporting phishing emails and websites to their IT departments
Many companies have developed policies which require members of staff to report suspicious emails and websites to their IT departments. By sending a quick email, the IT department can ensure that the threat is neutralized. Unfortunately, despite these policies existing, they are not being followed by all members of staff.
SpamTitan conducted a survey earlier this year which revealed that 70% of organizations had suffered losses as a result of phishing and spear phishing emails that had not been reported to their IT department. If staff members receive security awareness training, and report attempted phishing attempts, the emails can be deleted promptly to neutralize the threat. A failure to report those emails is likely to see some members of staff fall for the scams.
Many of these phishing scams seek to obtain access to sensitive data in order to commit fraud against individuals. If criminals can gain access to a business network, they can potentially obtain sensitive information from the entire workforce. The loss of data and system downtime can cost companies millions of dollars. When customer or healthcare data is stolen, the costs of resolution can be even higher. Theft of customer and patient data can trigger a wave of class-action lawsuits and result in regulatory bodies issuing heavy financial penalties.
What is the solution?
The cost of data breach resolution is considerable, but it does not cost a small fortune to take proactive steps to reduce the likelihood of a data breach being suffered. If organizations are proactive and implement a range of security measures, the risk of cyberattacks and data breaches can be effectively managed.
It may not always be possible to prevent phishing emails from reaching inboxes, but it is essential that employees are security aware and know how to identify suspicious and malicious emails in case they are delivered. There must also be an easy way of reporting such emails so that prompt action can be taken to neutralize the threat.
What security measures can be implemented to reduce the risk of a data breach?
Robust, multi-layered security defenses can be implemented to protect data and networks from attack, although there is no single solution that will work for all organizations.
Some of the measures that can be implemented to keep networks and data secure include:
- Encrypt all customer, client and patient data stored on networks
- Devise a secure password policy and ensure that it is enforced
- Make sure users change their passwords every 3 months
- Conduct security awareness training
- Issue cybersecurity bulletins to alert employees to new risks
- Purchase a robust email spam filter to stop phishing emails from reaching inboxes
- Use web filtering to restrict the websites that can be visited by employees
- Perform regular risk assessments to identify new security vulnerabilities
- Ensure anti-virus and anti-malware solutions are installed on all devices connected to a network
- Make sure all software and virus/malware definitions are updated regularly
- Conduct periodic security audits to check for malware and viruses that have inadvertently been installed