When it comes to phishing and social engineering attacks, it’s time to think outside of the (in)box. Consider these (scary) facts:
- The Verizon 2018 data breach report states that over 90% of successful breaches start with a phishing attack
- While phishing still occurs in email, threat actors are increasingly employing phishing attack vectors beyond email, including targeted ads, pop-ups, social media, IM and chat applications, rogue browser extensions, and web "freeware"
- 46,000 new phishing sites go online each day and most disappear in just 4-8 hours
- Static threat feeds and blocking defenses can’t keep pace with fast-moving Web-based phishing threats, leaving employees increasingly exposed to previously unknown, zero-hour phishing sites
A New Generation of Phishing
Browser extensions by design have full access to most of the browser's resources and to the information being entered and rendered within the browser. It was just a matter of time before cybercriminals realized that injecting malicious code into browsers, disguised as benign-looking browser extensions, would give them unlimited access to much of the data passing through the browser. It also provides them with much-needed cover from security systems that are designed to catch only file-based malware executables and software exploits.
Because these plugins run inside browser memory, SSL encryption is not a problem for them: they see page content after the browser has already decrypted it. To bypass Two-Factor Authentication (2FA), these plugins usually wait for the authentication phase to be completed before snooping on the authenticated session and stealing data to mount further attacks.
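The broad reach described above is declared up front in an extension's manifest, which is why extension inventories are worth auditing. The following script is an added example (not SlashNext's code or the original post's) that triages Chrome-style manifests for the combination of all-site host access and data-reaching permissions; the risk lists, thresholds and sample manifests are constructed assumptions, not an official ranking.

```python
import json

# Permission strings that let an extension read or shape browsing data
# (assumed watch-list for this illustration; the names are real Chrome
# extension permissions, the grouping is not an official ranking).
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "cookies", "tabs", "debugger",
    "nativeMessaging", "clipboardRead", "history", "scripting", "proxy",
}
# Host patterns that match every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return the risky permissions and host scopes a manifest declares."""
    declared = set(manifest.get("permissions", []))
    # Manifest V2 lists host patterns under "permissions"; V3 moves them
    # to "host_permissions", so collect both.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in declared if "://" in p or p == "<all_urls>"
    }
    # Content scripts injected into every page can read what is typed/rendered.
    for script in manifest.get("content_scripts", []):
        hosts.update(script.get("matches", []))
    findings = {
        "name": manifest.get("name", "<unnamed>"),
        "risky_permissions": sorted(declared & HIGH_RISK_PERMISSIONS),
        "broad_hosts": sorted(hosts & BROAD_HOST_PATTERNS),
    }
    # Flag only the combination: all-site reach plus a data-reaching permission.
    findings["broad_access"] = bool(findings["broad_hosts"]) and bool(findings["risky_permissions"])
    return findings


def triage(manifests: list[dict]) -> list[dict]:
    """Audit several manifests; return the flagged ones, widest reach first."""
    flagged = [f for f in (audit_manifest(m) for m in manifests) if f["broad_access"]]
    return sorted(flagged, key=lambda f: (len(f["risky_permissions"]), len(f["broad_hosts"])), reverse=True)


# Constructed sample manifests (not real extensions): a benign-looking
# "coupon finder" that asks for every site plus cookies and request access,
# and a helper scoped to a single site.
SAMPLE_MANIFESTS = [
    json.loads('{"name": "Coupon Finder", "manifest_version": 3, '
               '"permissions": ["cookies", "webRequest", "storage"], '
               '"host_permissions": ["<all_urls>"]}'),
    json.loads('{"name": "Wiki Helper", "manifest_version": 2, '
               '"permissions": ["storage", "https://en.wikipedia.org/*"]}'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFESTS):
        print(finding)
```

Run it against manifest.json files exported from an endpoint management tool to get a first-pass list of extensions that deserve a closer look.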
The Threat to Enterprises
Once a user's credentials have been compromised, the threat is further mobilized and can be catastrophic to the enterprise. Breaches are tremendously costly: beyond the loss of critical business or customer data, there is the risk of loss of IP and shareholder value, lawsuits, financial payouts, and more. These are just a few of the consequences a company can face when its employees fall victim to phishing attacks.
The User is the Real Vulnerability
It's important to understand that many of today's social engineering attacks do not target the device, the software, or even the network. They target the users. As noted in a recent Bloor Research report (Security Has Become a Human Problem), it's the imperfect, fallible human that becomes the vulnerability in enterprise security. And with employees increasingly accessing the Web for everyday tasks, they are exposed to a far greater number of very convincing phishing threats than they used to be, presenting IT security teams with a daunting challenge.
IT Security Should Think Outside the (In)Box
To deal with these challenges, IT security teams need to think outside the (in)box and beyond the prevailing focus on email phishing. Employee phishing training needs to be broadened to include awareness of the new generation of Web-based threats. But with today's distracted workforce and so many increasingly legitimate-looking phishing sites, organizations need security controls that can detect zero-hour phishing threats in real time, so they can better protect their users and reduce the risk of breaches. They need to close this gap. Fortunately, that's where SlashNext real-time phishing detection solutions can help!