The Surprising, Not-So-Secret Habits of Phishers

Good news: A new report reiterates that phishing attacks are far less sophisticated (and far more stoppable) than they seem


Recently, Dark Reading published a story indicating that phishing attacks are way less aggressive than they seem. Its headline: “The Lazy Habits of Phishing Attackers.”

According to a recent study, in which researchers from the Israeli Institute of Technology set up honeypot accounts to observe behavior, the average attacker takes 24 hours to access accounts. These thieves are so emboldened that most don’t even bother to cover their tracks. Few deleted sign-in alerts dispatched to inboxes, or disguised their IP addresses. Even fewer deleted sent emails from compromised accounts and/or failure notifications.

From a criminal’s perspective, these heists are simple to pull off, cheap to execute, and extremely accessible thanks to PhaaS (or, phishing as a service) DIY crimeware kits. That explains why 91% of cyber attacks are set into motion by phishing. But we must not be intimidated by that number.

Companies can train employees to spot signs of phishing. This also includes periodically checking inboxes for alerts, sent folders for rogue emails, and trash for odd files—especially if a worker fears they may have been compromised.

Enterprise executives, however, should not consider phishing and the emerging act of smishing (or SMS-based text-message phishing) the results of employee errors. Instead, in the interest of risk management, they must view them as social-engineering tactics. These hacking methods manipulate people into giving up personal information or breaking with security protocols. They’re designed to fool C-suiters and interns alike, because human behavior is surprisingly predictable.

Security analytics is the most logical way to confront social engineering. In this type of solution, a platform baselines the behaviors of users, files, and devices for normalcy. The act of phishing creates several disturbances in those norms, escalating each entity’s risk score. With machine learning, that platform grows quicker in detecting odd behavior and more precise in pinpointing the who, what, where, when, and how of an attempted attack.
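As an added illustration (not code from the study or from any product), the sketch below baselines each user's known sign-in IPs and raises a per-user risk score for the traces the study describes: a sign-in from an unfamiliar IP, and deleted sign-in alerts, sent mail, or failure notifications. It uses fixed weights rather than machine learning; the event field names, weights, and threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Illustrative weights and threshold: assumptions, not values from the study.
WEIGHTS = {"new_ip_sign_in": 40, "deleted_sign_in_alert": 30,
           "deleted_sent_mail": 20, "deleted_failure_notice": 20}
THRESHOLD = 60

def build_baseline(history):
    """Map each user to the set of IPs seen in past sign-ins."""
    known = defaultdict(set)
    for ev in history:
        if ev["action"] == "sign_in":
            known[ev["user"]].add(ev["ip"])
    return known

def classify(ev, known):
    """Return the signal an event raises, or None if it matches the baseline."""
    if ev["action"] == "sign_in":
        return None if ev["ip"] in known.get(ev["user"], set()) else "new_ip_sign_in"
    if ev["action"] == "delete":
        if ev["folder"] == "sent":
            return "deleted_sent_mail"
        return {"sign_in_alert": "deleted_sign_in_alert",
                "failure_notice": "deleted_failure_notice"}.get(ev.get("kind"))
    return None

def score(events, known):
    """Accumulate a per-user risk score and the signals behind it."""
    scores, reasons = defaultdict(int), defaultdict(list)
    for ev in events:
        signal = classify(ev, known)
        if signal:
            scores[ev["user"]] += WEIGHTS[signal]
            reasons[ev["user"]].append(signal)
    return dict(scores), dict(reasons)

def flagged(scores):
    """Users whose accumulated score reaches the review threshold."""
    return sorted(u for u, s in scores.items() if s >= THRESHOLD)

# Constructed sample data (documentation IP ranges, hypothetical field names).
HISTORY = [{"user": "alice", "action": "sign_in", "ip": "198.51.100.10"},
           {"user": "bob", "action": "sign_in", "ip": "198.51.100.20"}]
EVENTS = [{"user": "alice", "action": "sign_in", "ip": "203.0.113.7"},
          {"user": "alice", "action": "delete", "folder": "inbox", "kind": "sign_in_alert"},
          {"user": "bob", "action": "sign_in", "ip": "198.51.100.20"},
          {"user": "bob", "action": "delete", "folder": "sent"}]

if __name__ == "__main__":
    scores, reasons = score(EVENTS, build_baseline(HISTORY))
    print(scores, reasons, flagged(scores))
```

A single deletion from the sent folder stays below the threshold on its own; it is the combination with an unfamiliar sign-in that pushes an account into review.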

This not only protects the company from immediate threats, but greatly informs future risk management. You’ll actually learn from your mistakes.