The PhishLabs Blog

Defining phishing is simple, right? Not exactly.

If you have ever worked for an organization that uses Microsoft-based systems, there is a high likelihood that your IT or security team has implemented a policy that occasionally forces you to create a new password. Years ago it was every three months, then every two, and so on. This policy was heavily encouraged by Microsoft, but as of May of this year, they have reversed course.

The risk of a user receiving a phishing attack is higher than ever, and technological solutions often miss the most devastating of them.

Each year new phishing techniques result in more attacks successfully landing in user inboxes. In most cases, threat actors are no different than anyone else, and follow the hottest trends in an effort to be more relevant. During tax season they may push out tax scams, during elections they may push bogus political-inspired healthcare emails, and there are even Game of Thrones inspired attacks, too.

The United States is once again, and for the foreseeable future, the most targeted country by threat actors’ phishing attacks. Making up an astonishing 84% of all phishing volume, the U.S. saw a single percent decline from 85% last year. But...

In this year’s annual Phishing Trends and Intelligence report we identified phishing sites targeting more than 1,200 different brands belonging to 773 parent institutions. Of the top five targeted industries, they accounted for 83.9% of total phishing volume. There are two big takeaways from this finding: financial institutions are back on top, and each industry is still at risk.

Back in the olden days of the internet, when AOL’s dial-up connection still made horrible sounds prior to getting you access to your inbox, phishing attacks were born. Somewhere in the mid-1990s, internet-based social engineering attacks were born and designed to capture credentials on AOL by way of a program called AOHell, and expanded on to stealing credit card numbers or other private accounts. That was nearly 25 years ago, yet to this day, social engineering-based attacks still happen, and in more mass than ever before.

There are all sorts of things that end up in your inbox, but among those that are reported to a SOC or security team, malicious content only makes up a small percent. Among the analysis provided in this year’s annual Phishing Trends and Intelligence (PTI) report, we added a new section based on data from our Phishing Incident Response team.

Phishing has and will continue to be a threat to anyone connected to the web. This is a fact set in stone, and regardless of advancements in technology, social engineering will allow these attacks to continue to be successful.

Recently, our Director of Product Management, Cary Hudgins, discussed how to develop a digital risk protection plan for the modern enterprise. One of the many reasons why such a plan should be created is because, in today’s world, an enterprise organization’s digital footprint can be vast and will continue to grow.