In today’s advanced world of high-tech cybercrime, one of the most alarming vulnerabilities faced by law-abiding web users is also one of the most common: phishing. According to the website techtarget.com, phishing is defined as “a form of fraud in which an attacker masquerades as a reputable entity or person in e-mail or other communication channels.” The unsuspecting victim is urged to click on a link or open an attachment, which allows the impostor to access login credentials or bank accounts, or even take over the device.

The term originated in the early days when black hat operators would use the common HTML tag "<><" to hide references to stolen credit cards or other illegal activity from chat room filters. Since the symbol looked like a fish, the name stuck.

Rather than do the heavy lifting of code manipulation and firewall breaching, phishing relies on very human failings – ignorance, carelessness or sometimes, greed – to bypass the target’s best security efforts. Phishing scams largely rely on sheer numbers to overwhelm common sense and lure some unsuspecting user into giving away the store. Research from the Anti-Phishing Working Group reveals that the number of phishing attacks rose in the third quarter of 2019 to a level not seen since late 2016.

According to the latest E-mail Fraud and Identity Deception Trends report from e-mail security firm Agari, three billion phishing e-mails are sent daily. That works out to an average of 35,108 phishing incidents faced by organizations annually. With numbers like that, the bad actors reason, somebody is bound to click on something they shouldn’t. For employees, that can lead to analysis paralysis: “Should I open that link to what claims to be a million-dollar invoice? Why take the risk?”

Scammers Get Bolder

But while the concept is pretty simple, the threat is becoming more sophisticated.

Cybersecurity company Webroot notes in its 2019 Threat Report Mid-Year Update, “one in 50 URLs are malicious, nearly one-third of phishing sites use HTTPS and Windows 7 exploits have grown 75 percent since January.” The update also reports that hackers are using stolen data not just to take over accounts, but to make their phishing expeditions more personalized – and more convincing. These attacks also try to ferret out the target’s secret questions and the answers used in multi-factor authentication schemes.

Another disturbing trend, according to Webroot: Nearly a third (29 percent) of the phishing web pages detected in the first half of 2019 are using HTTPS and the padlock symbol to trick users into believing they’re on a trusted site.

“These tactics take advantage of familiarity and context, and result in unwarranted trust,” says Tyler Moffitt, Webroot’s senior threat research analyst. “Businesses and consumers need to be aware of and continually educate themselves about these evolving methods and risks to protect their data and devices.”

Among the top industries that phishing attacks are spoofing, the report finds 25 percent are SaaS/Webmail providers, 19 percent are financial institutions and 16 percent are social media companies. Retailers, file hosting services and payments companies have also been frequent targets.

And for devices still running Windows 7, the threat is growing, with infections increasing by 71 percent in the first half of the year. Between January and June, the number of IPs that host malicious Windows exploits grew 75 percent, the report finds. Among all infected PCs detected, nearly two-thirds (64 percent) were home machines. But companies are still vulnerable; the remaining third (36 percent) were business devices.