Anyone who has spent any amount of time trying to secure their organization’s endpoints or network would not be surprised to learn that phishing is now the #1 delivery vehicle for malware and ransomware.
According to Mandiant, phishing was used in about 95 percent of successful breaches, that is, cases where an attacker got into a target network and did something malicious. Sent to 10 or more people, a phishing campaign has roughly a 90 percent chance of success, meaning at least one recipient takes the bait.
Wombat Security says 85 percent of organizations they surveyed reported being the victim of a phishing attack in 2015, and that figure increased 13 percent from the previous year. What’s more, two-thirds of the organizations they studied reported experiencing attacks that were targeted and personalized (i.e., spear phishing attacks), and that’s up 22 percent from the year before.
In short, phishing in all its forms is a dangerous and growing threat for every organization, regardless of size or industry.
Most of us tend to think of a phishing attack as a menacing email that harbors either a malicious file attachment or a link to a compromised website. While email is a primary means for distributing bait to potential victims, it is not the only means. Often, legitimate websites are compromised so that when a person visits the site or clicks on a specific link, malware is downloaded automatically (a drive-by download). Sometimes people who head to a particular URL are silently redirected to a malicious website where malware is downloaded. Because of these varied delivery mechanisms, techniques such as educating users not to click suspicious links or open unknown attachments, and screening incoming email messages, are not sufficient to fully protect an organization…
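The web-delivery path described above (a compromised legitimate page that silently forwards the visitor to another domain, which then pushes a file) is something an analyst can check for without a user ever clicking. The following is an added example, not code from the article or from Mandiant or Wombat: it follows a URL through HTTP 3xx and HTML meta-refresh redirects, caps the hop count and detects loops, and flags cross-domain hops and a final hop that serves a download. All hostnames, paths and responses are constructed for the example and held in memory so it runs offline; `fake_fetch` stands in for a real HTTP GET made with redirects disabled.

```python
import re
from urllib.parse import urljoin, urlparse

# Constructed, in-memory responses standing in for an HTTP fetch so the
# example runs offline. They model a compromised legitimate site whose page
# meta-refreshes to an attacker-controlled host that pushes a download, plus
# a redirect loop to exercise the loop guard. All hosts are hypothetical.
FAKE_RESPONSES = {
    "https://news.example.org/article": (
        200,
        {"Content-Type": "text/html"},
        '<html><head><meta http-equiv="refresh" '
        'content="0;url=https://cdn-update.example.net/go"></head>'
        "<body>Loading...</body></html>",
    ),
    "https://cdn-update.example.net/go": (
        302,
        {"Location": "/payload/update.exe"},  # relative Location, resolved below
        "",
    ),
    "https://cdn-update.example.net/payload/update.exe": (
        200,
        {"Content-Type": "application/octet-stream",
         "Content-Disposition": 'attachment; filename="update.exe"'},
        "MZ...",
    ),
    "https://loop.example.com/a": (302, {"Location": "/b"}, ""),
    "https://loop.example.com/b": (302, {"Location": "/a"}, ""),
}


def fake_fetch(url):
    """Stand-in for an HTTP GET with redirects disabled; returns (status, headers, body)."""
    return FAKE_RESPONSES.get(url, (404, {}, ""))


# Matches <meta http-equiv="refresh" content="N;url=..."> in the served HTML.
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]+content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE,
)


def next_hop(url, status, headers, body):
    """Return the URL a browser would move to next, or None if this is the end."""
    if 300 <= status < 400 and "Location" in headers:
        return urljoin(url, headers["Location"])
    if "text/html" in headers.get("Content-Type", ""):
        m = META_REFRESH.search(body)
        if m:
            return urljoin(url, m.group(1))
    return None


def follow_chain(start_url, fetch=fake_fetch, max_hops=10):
    """Follow HTTP 3xx and meta-refresh redirects; return the ordered URLs visited.

    Stops at the first non-redirecting response, at a loop, or after max_hops.
    """
    chain = [start_url]
    url = start_url
    for _ in range(max_hops):
        status, headers, body = fetch(url)
        nxt = next_hop(url, status, headers, body)
        if nxt is None or nxt in chain:  # end of chain, or a redirect loop
            break
        chain.append(nxt)
        url = nxt
    return chain


def host_of(url):
    return urlparse(url).hostname or ""


def assess_chain(chain, fetch=fake_fetch):
    """Flag the two signs the article warns about: a page sending the visitor
    to a different domain, and the final hop serving a file for download."""
    findings = []
    origin = host_of(chain[0])
    for prev, cur in zip(chain, chain[1:]):
        if host_of(cur) != host_of(prev):
            findings.append(f"cross-domain redirect: {host_of(prev)} -> {host_of(cur)}")
    _, headers, _ = fetch(chain[-1])
    ctype = headers.get("Content-Type", "")
    if "attachment" in headers.get("Content-Disposition", "") or ctype.startswith("application/"):
        findings.append(f"final hop serves a download ({ctype}) on {host_of(chain[-1])}")
    if findings and host_of(chain[-1]) != origin:
        findings.append(f"verdict: suspicious, started on {origin}, ended on {host_of(chain[-1])}")
    return findings


if __name__ == "__main__":
    chain = follow_chain("https://news.example.org/article")
    print(" -> ".join(chain))
    for line in assess_chain(chain):
        print(line)
```

In a real sweep the same `follow_chain` would be called with a fetch function that uses a real HTTP client with automatic redirects turned off, so that every hop is observed rather than silently followed; the regex handles the common meta-refresh form but not JavaScript-driven redirects, which need a browser or a headless engine to surface.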