Growing Gaps in Protections Against Short-Lived, Yet Dangerous Phishing Threats on the Web
SlashNext, the leader in real-time phishing site detection for businesses, released new survey data suggesting a dangerous lack of understanding and gaps in protection against modern, fast-moving phishing attacks. A revealing survey of cybersecurity decision-makers showed that most companies lack adequate safeguards against phishing threats on the Web and many don’t fully understand the prevalence and risks of this growing threat. As such, most organizations are left in the dark when it comes to understanding their exposure to modern phishing tactics and evaluating what solutions are needed to keep employees protected and to reduce the risk of breaches.
The SlashNext 2018 Phishing Survey reveals that 95 percent of respondents underestimate how frequently phishing is used at the start of attacks to successfully breach enterprise networks. Only 5 percent of respondents realize that phishing is at the start of over 90 percent of successful breaches. In fact, phishing is one of the most used and most successful attack vectors, but despite multi-level security controls and phishing awareness training for employees, most organizations remain unaware of their increasing vulnerability to these threats.
Most phishing sites stay online for just four to eight hours, with some up for only minutes, according to the 2018 Webroot Threat Report. Such brief durations demand that organizations use anti-phishing solutions that can detect a malicious phishing site in real time, rather than putting faith in static threat feeds that cannot keep up with the volume and short lifecycles of today’s fast-moving phishing threats on the Web.
While phishing attacks are often equated with phishing emails, phishing attack vectors are expanding beyond email. Both employees and consumers are subject to targeted phishing attacks in ads, search results, pop-ups, social media, IM and chat applications, rogue browser extensions and apps. Users encounter these threats on the Web or in free apps, where even a single mistaken click can open their companies up to costly data breaches or extortion attempts.
Over half of respondents to the SlashNext survey named the growing number of phishing attack vectors beyond email as a “Top 3” concern in terms of potential phishing threats. The other top concerns involved the growing sophistication and realism of spoofed sites, and the difficulties in training employees to spot these new types of phishing threats.
“Phishing tactics have evolved to using very fast-moving phishing sites and attack vectors that evade existing security controls. And with such legitimate-looking phishing sites manipulating users, there is little to protect employees, not even phishing awareness training,” said Atif Mushtaq, CEO and founder of SlashNext. “The solution involves a phishing detection system that can analyze and detect malicious sites like a team of cybersecurity researchers, but do it in real-time to protect users.”
Other key findings from the SlashNext 2018 Phishing Survey include:
- Nearly two-thirds of respondents (64 percent) cite shortfalls in employee awareness and training as their top concern for protecting workers against social engineering and phishing threats.
- Nearly half of respondents (45 percent) believe they experience 50 or more phishing attacks per month, and 14 percent believe they experience more than 500 phishing attacks per month.
- Only one-third of respondents (32 percent) agree or strongly agree that their current threat feeds and block lists are adequate to protect users from new phishing sites.
- Four out of ten (39 percent) cite the inability of their current defenses to reliably detect phishing attacks as a top concern.
- 87 percent of respondents are currently evaluating or planning to evaluate real-time phishing site detection technologies.
The SlashNext 2018 Phishing Survey was conducted by Survata, an independent research firm based in San Francisco. The survey was taken by 300 IT security decision-makers in mid-sized firms in the U.S. between Sept. 21, 2018 and Sept. 26, 2018. For more information and an infographic with survey results, visit www.slashnext.com.
SlashNext is pioneering a more effective approach to real-time phishing site detection and phishing protection. With patent-pending SEER™ threat detection technology, SlashNext can detect malicious phishing sites in seconds with the power of adaptive machine learning in the cloud. SlashNext integrates seamlessly with customers’ URL filtration/blocking defenses for immediate phishing protection against today’s short-lived but highly targeted phishing attacks, regardless of the attack vector.
SlashNext founder and CEO Atif Mushtaq previously spent nine years as a Senior Scientist at FireEye, where he was one of the main architects of FireEye’s core malware detection technology. SlashNext is headquartered in Silicon Valley and is backed by top-tier venture capital firms.