Phishing Dip: Calm Before the Storm?
RSA Researcher Says Decrease Not Consistent with TrendsPhishing attacks took a surprising dip in August, according to an analysis of global online fraud trends by security vendor RSA.
See Also: Mitigating Identity Risks, Lateral Movement and Privilege Escalation
But Limor Kessem, RSA's lead cyberintelligence expert, says it's not time for celebration just yet. In fact, Kessem says phishing attacks tracked in September are likely to offset August's curious dip.
"There is always fluctuation, so we have to look at trends that cover a longer time lapse," Kessem says.
RSA's key findings included:
- Phishing attacks globally dropped 17 percent in August, compared to the previous month;
- 45 percent of August's attacks were aimed at consumers in the United States, United Kingdom and Australia; and
- U.S. banking institutions saw a 7 percent decrease in attacks in August that misused their brands.
Still, phishing attacks feigning to be from U.S. banks and credit unions accounted for two out of every three attacks in August. And relative to quarterly trends, August's dip appears to be anomalous, Kessem says.
For example, phishing attacks increased 79 percent in the second quarter of this year, compared with the first quarter. Kessem says it's likely phishing attacks again increased from Q2 to Q3, although RSA hasn't completed its latest quarterly analysis. And year-to-date, phishing attacks are up 185 percent compared to 2011, she adds.
So what contributed to August's dip? That's anyone's guess, Kessem says. What is clear is that phishing attacks are here to stay.
"Phishing is celebrating its 16th birthday," Kessem says. "We used to think it would go away after two years."
But today, attackers are using Trojans, malware and crimeware, she says. "And we can expect to see more and more."
U.S. and U.K. Top Targets
In August, 80 percent of the phishing attacks that RSA tracked were aimed at U.S. consumers under the guise of U.S. brands. In fact, 45 percent of phishing schemes across the globe were aimed at English-speaking countries - the U.S., U.K. and Australia.
Kessem says that's reflective of an ongoing trend. "Those attacks are the most successful because of the strength of the currency in those markets," she says. "And the attacks are easier, because they can use the same language, so they can cast a bigger net."
Mobile Malware
Banks and businesses in most global markets have improved their ability to mitigate the phishing risks posed to online users and accounts, Kessem says. But an increasing area of concern is the mobile channel, where it's clear mobile vulnerabilities are getting fraudsters' attention.
"Users have to understand quickly that the risks and the threats they face on the PC are the same threats they face today on the mobile platform," she says. "It's just another channel to enter the Internet, and we definitely see a need for banks and others to educate more and raise awareness."
But mobile browsing and malicious downloadable applications are not the greatest worry, Kessem says. Text-based phishing attacks, better known as smishing, are quickly proving to be more concerning.
"We are seeing more SMS blasts that are going to phones, and the attacks are worse than what we see in e-mail, because of user behavior," she says. "If a user gets an SMS, they usually think it's more legitimate."
What the Trends Mean for Banks?
Most financial institutions are doing more than they were three to five years ago to address phishing threats, Kessem says. But re-evaluation and improvement is always needed.
"Banks have to use technology to protect the transaction right where it happens: on their website," she says. "And there are technologies adapted for the banking industry that are designed to authenticate users to address some of those threats."
Education is part of the equation as well. But organizations understand they have to secure digital assets from every perspective, Kessem says. "They are securing them with technology from the inside: the servers, the website," she says. "This is a given in today's environment."
For banks, in particular, detecting and quickly disabling attacks are essential.
The technical makeup of these attacks is a lot more advanced than it used to be, Kessem says. "We are seeing more automation, which means the phishing attacks come with a lot more modules, and that means banks have to be more sophisticated in their approaches as well."