Third Quarter 2019 Phishing Surge and Business Email Compromise Highlight Need for Security Awareness Training
Based on data through the third quarter of 2019, email phishing attacks climbed to the highest level in more than 3 years. Email remains one of the top attack vectors for a variety of criminal activities. For the criminals, step 1 is to compromise a user via a successful phishing attack. The next step can be any of a wide variety of criminal business models– identity theft/credit card fraud, request for gift cards, ransomware, crypto mining, bank account theft, sale of fake anti-virus, and so on. One model in particular, Business Email Compromise (BEC), grew significantly in the quarter. BEC attacks attempt to trick an employee to direct the organization’s funds to the fraudster.
The international Anti-Phishing Working Group (APWG) is an international coalition of 2200 organizations that unifies the global response to cybercrime across industry, government, law enforcement, and the NGO communities. They track phishing activity using multiple metrics, the most important being the number of unique, active phishing sites in use by criminals. Third-quarter volume jumped 45% over the average of the first half of 2019:
Graph courtesy of Anti-Phishing Working Group
An emerging trend is an increase in Business Email Compromise, which typically involves an attack directed to an individual in the organization in the accounting or finance area. The email attempts to trick the employee into directing funds to the criminal. By far the most common is a request to purchase gift cards, since these can be easily used and are not trackable. The average amount requested by the fraudster was $1571. Requests for wire transfers, while much less frequent, involved a much higher amount, averaging $52,325.
The solution is a multi-layered approach…
Security Awareness Training
The Security Awareness Training is particularly important because of the increase in Business Email Compromise. These attacks do not involve the features that are detected by the technical anti-malware solutions – there are no malicious urls, and no attachments. Preventing these attacks relies on a trained, security-aware workforce.
Eagle offers multiple platforms for Security Awareness Training, KnowBe4 and BreachSecureNow, based on the size of the organization. Each of these platforms includes the key features detailed above. Eagle provides management support to optimize the effectiveness of these programs. Please contact us for more information.