Attackers hook nearly all phishing victims within mere minutes after the first user opens and clicks on a malicious email, attachment, or URL — then shutting down the phishing site URL and moving on after a few hours. With so much at stake, successful protection of an organization’s employees against the variety of different phishing scams require a high-speed, highly automated approach.
When it comes to defense against phishing attacks, the race against time matters because users are quick to open and click on these attacks. Security tools for email and web browsers are designed to provide protections against the majority of common and known phishing attacks and malware — but given the reality of sophisticated socially engineered phishing threats that continue to evolve and fast user time-to-click behaviors, most current security protections are too slow to be effective against zero-hour threats.
Data from various studies show that a variety of different attack vectors are being used and successful phishing attacks depend on a quick response from users:
- From over 1,400 simulated phishing attacks, the likelihood of the first user click on malicious emails occurring within 30 seconds was about eight percent. The likelihood of the first user click on malicious emails occurring within 60 seconds was about 30%, while the median time-to-first-click on malicious emails was just 134 seconds. (Aberdeen Research 2019)
- Empirical testing shows that by the end of the first 60 minutes, automated browser-based protections range from 77.3% to 89.5%, and increase over time to between 94.3% and 96.7% (NSS Labs December 2018)
- Attackers hook virtually 100 percent of their phishing victims within the first 4 to 8 hours — by which time they have shut down 75% of their phishing URLs and moved on. (Webroot 2018 Threat Report)
- 93% of confirmed data breaches involved phishing by getting users to click on malicious attachments or links through emails, plus the increasing use of social media and other methods like ads, browser extensions, freeware, instant messages, and pop-ups to attack organizations. (Verizon 2018 DBIR)
- Email phishing threats grew 250% in 2018, with attackers moving to multiple points of attacks during the same campaign, switching between URLs, domains, and servers when sending e-mails and hosting phishing forms. (Microsoft Security Intelligence Report 2019)
Email phishing is a major threat, but phishing attack vectors have expanded to target people via ads, pop-ups, social media, search, IM, SMS, rogue apps, and more. Security teams need to make sure employees are protected against these other phishing lures too.
A continued focus on the timeline of phishing attacks shows how much is at stake based on just the first few minutes of phishing attacks, and makes it clear why successful front-end protection of your organization’s employees against phishing attacks requires a high-speed, highly automated, real-time approach that is designed to operate faster than both users and attackers. The sheer volume of domain names and URLs and the speed at which they change only exacerbates the problem.
Analysis makes it painfully clear that manual efforts to identify, verify, and remediate phishing attacks by generalized IT staff is much too slow to be effective. For some CISOs, the solution for protection is simply to block all URLs for a couple days, but this practice also impedes users from conducting legitimate business tasks and reduces productivity.
This is an old-school and obstructive approach to security and risk that most security leaders have rightly been working to do away with.
Luckily there’s more automated and effective ways to detect and defend against phishing attacks at the beginning of their lifecycle. Security solution providers can combine the visibility and scale of a global, cloud-based security platform with continuous, automated analysis and correlation of data across billions of URLs per day — at speeds which are fast enough to turn detection of malicious phishing sites into more effective protection.
In addition, solutions that close the loop between detection and protection — like integrating with network firewalls or DNS services to automate blocking of malicious sites — are designed to move defenders even closer towards the vision of a dynamic, real-time defense. Blending real-time analytics, automation, and integration across a broad observation space reflects the agile, technology-based approach to security that defenders need to have going forward to successfully manage the highly dynamic risk of phishing attacks.
A combination of pre-delivery detection and protection and post-delivery protection and response, leveraging the expertise and focus of specialized solution providers, is by far the fastest and most effective approach in the accelerating race against time.
Compromising on any key phishing-specific security features can leave your organization vulnerable to today’s fast-moving, web-based threats. With tens of thousands of new phishing URLs appearing each day, it only takes one successful phishing attack to cause organizational mayhem.