By Atif Mushtaq, CEO of SlashNext

Phishing is often equated with phishing emails containing malware attachments or links to malicious sites. However, as email security solutions improve and phishing awareness training makes employees more careful about what they click, threat actors are moving to new phishing attack vectors where defenses are not as strong and users’ guards may be less vigilant. Most organizations are ill-prepared for these new attack vectors or the growing number of unknown, zero-hour phishing threats lurking on the web.

The phishing threat landscape has already expanded well beyond email and shows no sign of abating. Increasingly, employees are being subjected to targeted phishing attacks directly in their browser and via specialized apps outside their inbox. These targeted attacks are executed with highly legitimate looking sites, ads, search results, pop-ups, social media posts, chat apps, instant messages, as well as rogue browser extensions and free web apps. Users who encounter these threats on the web or embedded in apps can easily make a disastrous click that opens their company up to costly data breaches, ransomware, or other extortion attempts.

Figure 1: Phishing threat vectors have expanded beyond the inbox

Most companies lack adequate safeguards against this new phishing threat landscape and many IT security leaders do not fully understand how prevalent the dangers are from this growing threat. As a result, organizations are left in the dark when it comes to understanding their exposure to modern phishing risks and how to evaluate needed solutions to protect their employees.

The 2018 Phishing Survey we conducted of 300 IT security decision-makers shows that 95 percent of respondents underestimated how frequently phishing is used to breach enterprise networks. Only 5 percent of survey respondents realized that phishing is involved in over 90 percent of successful breaches. Most also do not realize how fast phishing threats move, typically lasting minutes to just a few hours before sites are taken down and cybercriminals move on to evade existing security controls.

This survey data suggests a dangerous lack of understanding about the implications of new phishing attack vectors and the implications of short-lived, fast-moving phishing threats on the web. Despite layered security controls and phishing awareness training programs for employees, many organizations remain unaware of their increased vulnerability to this threat landscape.

Another data point to note was that nearly two-thirds of respondents cited shortfalls in employee awareness and training as their top concern for protecting workers against social engineering and phishing threats. Furthermore, almost half of respondents (45 percent) said that they experienced 50 or more phishing attacks per month, and 14 percent said that they received more than 500 phishing attacks per month.

In addition, only a third (32 percent) agreed that current threat feeds and blacklists are adequate to protect users from new phishing sites, and 39 percent doubt the ability of their current defenses to reliably detect phishing attacks. So, what can be done?

A Real-Time Shield against Fast-Moving Phishing Threats

According to Webroot, 95 percent of web-based attacks now use social engineering to trick users. The methods are becoming more sophisticated, in large part because users are increasingly trained to recognize security risks, as well as owing to improvements in network, application and browser security. Organizations that are increasingly vulnerable must rethink how they plan their defenses, and a new approach is clearly needed.

A more effective security approach combines solutions for real-time as well as preemptive phishing site detection that can definitively spot malicious sites based on page contents and server behavior rather than relying on URL inspection and domain reputation analysis — methods which are easily fooled by more sophisticated hackers. When combined with automated ingestion of real-time phishing site blacklists by URL filtration or blocking defenses, organizations can better shield their users from fast-moving, zero-hour phishing threats which would typically be unblocked.

Note that not all URL filtration and blocking defenses such as firewalls, web proxies, gateways, and DNS servers are capable of continuous blacklist updates, but the security industry is improving.  It is what is needed to close the gap on phishing security measures to better protect employees.

About the Author

Atif Mushtaq has spent most of his career on the front lines of the war against cybercrime. Before founding SlashNext he spent nine years as a senior scientist at FireEye where he was one of the main architects of its core malware detection system. Mushtaq has worked with law enforcement and other global agencies to take down some of the world’s biggest malware networks including Rustock, Srizbi, Pushdo, and Grum botnets.