Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • One in two computer users will click on a link from an unknown sender.–Friedrich Alexander University, 2016
  • It’s time to shift the security emphasis and burden of responsibility for phishing attacks away from companies and onto their employees. — TechRepublic

A new report from Comodo Security Threat Lab’s VP, Fatih Orhan, brings up an interesting statistic from Friedrich Alexander University in Germany: one half of all users click on links from unknown senders. That’s bad news for cybersecurity leaders worried about the rapid growth in phishing.

The report doesn’t end there, though: It reveals the alarming simplicity of putting a phishing campaign together in 2018, making any attempt to fight it seem futile.

With phishing now available as a service, all it takes is some startup money to buy the right software, and just some simple user-level expertise to operate it and get all the info you need to launch a campaign. From there it’s as easy as letting 50% of users click on phishing links and watching the data roll in.

It’s time for a change in the approach to preventing phishing.

The anatomy of the modern phishing campaign

The bulk of the report focuses on a hypothetical phishing scenario that walks through how simple phishing-as-a-service has become.

A hypothetical hacker who wishes to launch a phishing campaign against a specific company, known a spear-phishing for its focused targeting, only needs to buy some software from the Dark Web–in this example it’s legitimate security testing programs like The Harvester or Maltego.

SEE: IT leader’s guide to reducing insider security threats (Tech Pro Research)

After doing some initial research into a company’s hierarchy, its leadership, structure, etc., the attacker uses The Harvester to search public records for more specific info. It can find emails, subdomains, hosts, employee names, open ports, banners, and the like from search engines, PGP key servers, and SHODAN. Maltego can then be used to gather specific info on mail servers and usernames, which makes spoofing an email simple.

It’s then a matter of registering a fake domain that’s visually similar to a legitimate one, and using the Social-Engineer Toolkit application to do a complete copy of the target website to the fake one.

After that, the attacker simply creates a phishing message with a link to the fake domain and waits for half of their targets to click on the bad link and give them all the info they need.

Rethinking phishing prevention

Phishing continues to be a threat, and one that half of users fall for despite constant warnings and repeated news about its wide reach. With phishing accessible to criminals less and less skilled in hacking, it’s time to realize that fighting it by trying to stop attacks may be the wrong approach.

In light of the startling 50% statistic mentioned in the report, user education clearly needs to become a priority. To start, cybersecurity leaders should work with other executives to make phishing training a standard part of their company’s onboarding and periodic training regimens.

It’s also important to bring the threat of phishing front and center to the average user, and there’s no better way to do that than by phishing your own employees.

SEE: Incident response policy (Tech Pro Research)

Along with more education and user testing, it might be worth it to consider penalizing those who click on bad links because of where the onus lies: Not with companies, who can get phished regardless of how hard they try to prevent it, but with employees who click links.

It may sound dire to punish employees for falling prey to phishing attacks, but at the end of the day they’re ultimately the ones clicking the links–50% of them, in fact.

Also see: