High profile, embarrassing data hacks like the Sony (NYSE:SONY) email breach and the Target (NYSE:TGT) credit card scandal receive the bulk of the media attention, but there's a bigger threat to Internet security that's much closer to home.
Phishing campaigns -- which send malicious emails disguised as legitimate correspondence -- have become not only more prevalent but also more effective in tricking Internet users to open them. In past years, the DBIR reported that the overall effectiveness of phishing campaigns was between 10%-20%. However, in this year's report, DBIR notes that the trend has worsened "with 23% of recipients now opening phishing messages and 11% clicking on attachments."
Unfortunately, the scammers have become more clever with their campaigns, according to the report.
Now, these messages are rarely sent in isolation—with some arriving faster than others. Many are sent as part of a slow and steady campaign. The numbers again show that a campaign of just 10 emails yields a greater than 90% chance that at least one person will become the criminal's prey, and it's bag it, tag it, sell it to the butcher (or phishmonger) in the store.
It's a dangerous world where the real villains are not always hackers looking to break into huge companies or steal tens of thousands of credit card numbers. Instead, we now hear of increasingly clever criminals disguising emails to make them look like urgent messages from your bank, credit card company, or other trusted sources.
So how can you protect yourself?
The authors of the DBIR take some solace knowing that Internet users do not open or interact with 75% of phishing emails. In the past, Internet users could simply use common sense to stay safe from predatory e-mail scams, but because the phishing campaigns include smarter techniques today, the report suggested three solutions to limit the problem:
- Better email filtering before messages arrive in user in-boxes
- Developing and executing an engaging and thorough security awareness program
- Improved detection and response capabilities
In many cases, however, it's human diligence and not technology that represent the frontline of defense. This can be maximized in a business setting.
"One of the most effective ways you can minimize the phishing threat is through effective awareness and training," said Lance Spitzner from the SANS Institute, a cooperative research and education organization which focuses on security issues. "Not only can you reduce the number of people that fall victim to (potentially) less than 5%, you create a network of human sensors that are more effective at detecting phishing attacks than almost any technology."
Technology helps, too
While the DBIR offers multiple experts who suggest training as the solution, that really only works in the corporate world. For individuals, having the best possible software protection is important as well security awareness.
A number of companies including Symantec (NASDAQ:NLOK) -- which maintains a crowd-sourced database of suspected phishing sites -- and AVG (NYSE: AVG) offer security products which can minimize your risk. AVG explains how it protects users from phishing scams on its website:
- AVG E-mail Protection component contains an Anti-Spam feature, which is designed to recognize spam and fraudulent emails. This also includes the detection of phishing emails.
- All commercial AVG editions contain the Online Shield and LinkScanner components. These components check the addresses and contents of websites visited. When you try to visit a malicious website, you are informed about this fact and access to the website is blocked. This detection also includes phishing websites.
Symantec puts out its own annual security report, which showed that while phishing remains a huge problem, the rate of scam emails has actually dropped.
Despite these drops, Symantec expects phishing to be a growing problem.
"As people increasingly interact with companies and services online, we expect phishing to increase -- there are more targets and barriers of entry that will continue to get lower," wrote Symantec's Nicholas Johnston "Even institutions in the very small and relatively isolated east Himalayan Kingdom of Bhutan have been targeted in phishing attacks. This only demonstrates that nowhere is safe from phishing."
Should you be scared?
When you see data like this, it's very easy to consider burying all of your electronics devices in the backyard. If email scams have moved beyond Nigerian princes offering millions in exchange for your personal info and into very clever mockups of emails from trusted institutions, then anyone is vulnerable.
While that's true, a combination of diligence and having the proper security on your devices goes a long way toward keeping individuals safe. Unfortunately, the Internet has moved from a world where you trust but verify to one where you should trust nothing. Yes, it's tempting to answer an email from your bank or credit card company that suggests a problem has occurred, but view all email with a skeptical eye.
Check the return email address and make sure it matches the business it represents. If you're unsure, verify with a phone call to customer service or by reaching out to online help from the company website.
It's possible to thwart danger, but it takes diligence, skepticism, and an aggressive level of common sense.