On any given day, between 50 and 100 email messages land in my spam filter, and maybe one ended up there by accident. A few are legitimate emails, trying to sell me something based on past purchases, but most of them are phishing.
I’ve always gotten a lot of phishing email – who hasn’t? – but it seemed like the number has jumped considerably in recent months. That rise has been consistent across my multiple email accounts. My spouse and some friends have also commented to me about the rise in spam and the phishing email they’ve seen.
There’s a reason for that. According to a new report from the Anti-Phishing Working Group, there has been a significant jump in phishing attacks in the first quarter of 2016. The study stated:
The total number of unique phishing websites observed in Q1 was 289,371. The number observed per month rose steadily from the 48,114 detected in October 2015 to the 123,555 detected in March 2016 – a 250 percent increase over six months. The increase in December 2015 was expected, since there is usually a spate of spamming and online fraud during the holiday shopping season. The continuing increase into 2016 is cause for concern.
This rise in phishing attacks shows that they are still extremely effective in spreading malware and providing network and data access to cybercriminals. Back in the fall, I asked PayPal’s CISO John Nai why so many people, especially in the workplace, continue to be fooled by phishing scams. It’s not just that the criminals are getting smarter with their attacks, he said, but that they are doing a good job utilizing the tools available to them:
Today’s social media platforms make this even easier, especially since all of us are much more likely to accept an invite, click on a link or respond to an email from someone we know. We’ve even seen LinkedIn accounts being created by someone posing as a current or former PayPal employee. This person attempts to connect with our employees and then solicits small amounts of information about PayPal from each connection. While a small bite from one employee may not have a huge impact, multiple bits of information can potentially add up to enough information for the attacker to gain enough knowledge to create a believable phishing message.
Joe Ferrara, president and CEO of Wombat Security Technologies, told me in an email comment that the way to combat this rise in phishing attacks involves both education and awareness:
Being aware that phishing threats exist is not the same as knowing how to defend against social engineering attacks. Simulated phishing attacks, notification emails and alerts are absolutely valuable and useful — but on an awareness front. They aren’t a substitute for education, and they will not, on their own, drive the level of behavior change that training can.
The education side should involve hands-on training rather than lectures and videos about security practices. That’s because the threats we’re seeing today rely on user interaction and, Ferrara added, users need to have the skills to be able to identify and avoid these types of attacks.
In other words, they should be able to tell the difference between a good and bad email before they ever click their mouse. Until they are able to do that regularly, phishing scams will only continue to increase.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba