Phishing continues to be a people problem
The ease with which cyber criminals get results from this tactic has little to do with a lack of e-mail security, and much to do with the people on the receiving end, says Richard Broeke, a security expert at Securicom.
Phishing might be perpetrated via e-mail, but it's not an e-mail problem. It is a people problem. So says Richard Broeke, a security expert at Securicom, a South Africa-based IT security vendor and managed IT security services provider.
"Phishing is on the rise. In fact, recent stats from a leading global cyber intelligence company, CYREN, show that phishing has increased by 15% since January 2015. The sheer ease with which cyber criminals continue to get results from using this tactic has very little to do with a lack of e-mail security. Their impressive hit rates have much to do with the people on the receiving end.
"Phishing mails left untouched aren't a problem. The problem comes in when recipients act on a phishing e-mail by clicking on a URL link which leads them to an unsafe, spoof site where they are tricked into revealing personal details and other confidential information.
"Despite warnings from all manner of companies, from banks to medical aid companies, people continue clicking on links and giving away their private information," he says.
Phishing is the fraudulent process of acquiring information such as usernames, passwords, banking details, credit card numbers and other sensitive information by posing as an entity or company that the recipient trusts. It is an example of the many social engineering methods used by criminals to con unsuspecting people into giving away personal details, which can cost them financially and put them at risk of identity theft and fraud.
Phishing is targeted and e-mails are always disguised as official or legitimate messages from banks, popular social networking Web sites, and even e-mail administrators. The Web sites the links lead recipients to also appear legitimate. This makes it extremely difficult, if not impossible, for the average person to detect a phishing e-mail or that the Web site it is linked to is fake.
Furthermore, because phishing e-mails are cleverly masked as the real thing, it is not uncommon for traditional e-mail security solutions like firewalls and anti-spam, anti-virus and anti-spyware solutions to fail to detect them.
E-mail has been the primary channel for "phishers" since the late 1990s, when the first phishing incidents were reported. However, social media, SMS and instant messaging are now widely used channels for phishing.
"Users click on links and pictures or enter bogus competitions which ask for their information. They appear legit and are appealing enough to encourage people to give away private details," says Broeke.
The perpetrators aren't in it for fun; they're in it for the money, and because too many people are naive about phishing, it really is becoming very lucrative.
"By giving away their private information, such as their banking details or ID numbers, people are at risk of fraud and even identity theft," warns Broeke.
Although phishing may not affect a business directly, aside from tarnishing a victim's perception of the company, Broeke says it is in companies' interests to protect their employees and customers against phishing. An employee can just as haphazardly divulge confidential business information as their own personal information through phishing.
Education is obviously a powerful weapon against phishing. However, despite the warnings, many people still get conned.
"We've said it before and we will say it again, don't divulge your personal information to anyone or any company in an e-mail or via social media. No legitimate financial institution will ask you to do that," stresses Broeke.
Technical security measures that stop access to spoof sites are the only foolproof way to protect a company's users.
"You want to prevent your users from being able to venture onto fake sites in the first place. To do this, you need a robust Web security solution that inspects, filters and cleans inbound and outbound Web traffic to combat browser-based threats such as bots, phishing, and other malicious active content," concludes Broeke.