Phishing attacks continue to grow in volume and complexity, supported by more aggressive social engineering practices that make phishing more difficult to prevent, according to a report from Wombat Security Technologies.
Organizations surveyed indicated they have suffered malware infections (42 percent), compromised accounts (22 percent), and loss of data (4 percent), as a direct result of successful phishing attacks.
Survey respondents said they protect themselves from phishing using a variety of methods, including email spam filters (99 percent), outbound proxy protection (56 percent), advanced malware analysis (50 percent), and URL wrapping (24 percent).
"The lack of measurement by security professionals concerned us the most," Trevor Hawthorn, chief technology officer of Wombat, told eWEEK.
He pointed out that 37 percent of respondents did not measure their susceptibility to phishing, and a staggering 56 percent do not assess end user risk.
"Without assessing to understand security problems, you cannot create an effective plan to combat them," he explained. "There are multiple ways that security officers can measure risk – through pulling numbers on items like policy violations, malware infections, reported and identified phishing attacks, or they can do a knowledge assessment or simulated phishing attack that will not only help them understand risk, but set a baseline to measure improvement against."
The report found that the most popular phishing attack templates with the highest click rates included items employees expected to see in their work email such as an HR document, or a shipping confirmation.
"Email is a part of virtually everyone’s life. We get large volumes every day, and we have more and more details about our lives online on places like social media that allow criminals to create more targeted messages to get us to click," Hawthorn said. "Organizations can be sure that they are continuously training their employees on what phishing messages look like and how to avoid them."
Wombat found the following plugins as most vulnerable for being outdated and susceptible to an attack: Adobe (61 percent), Adobe Flash (46 percent), Microsoft Silverlight (27 percent), and Java (25 percent).
"Threats will continue to do what works until it doesn’t," Hawthorn said. "Then they will adjust and exploit the next easiest path. Right now end users are still the easiest path. Why? Because the security industry has matured when it comes to managing risk of technical assets. We need to manage end user risk the same way we manage technical risk. Perform on-going, targeted assessments, and gather real-time user behavior data to determine a user’s risk level."