The Anti-Phishing Working Group (APWG) reported more than 1.2 million phishing attacks in the third quarter of 2022, breaking a record set only the previous quarter. That number should hardly be a surprise; the reason phishing is such a popular form of attack is simple: it works.
As much as the security industry endorses the idea of defense-in-depth, there are really only two layers of protection between the attackers behind a phishing campaign and the successful compromise of their target:
The anti-phishing ecosystem – Although the word “ecosystem” suggests a large and diverse set of prevention and detection technologies, it consists mainly of a series of deny-lists that mail gateways and web proxies use to neutralize malicious links or block access to malicious sites. These lists can be effective against unsophisticated, large-scale campaigns, but categorization is a lagging indicator, and even if it weren’t, over 37% of the traffic to a phishing site arrives after the site has already been identified as phishing. Moreover, research has found that evasion techniques “may delay or completely prevent” a site from being added to a deny-list at all.
Security awareness training – Many organizations train their employees to spot the tell-tale signs of phishing and avoid getting hooked. Unfortunately, phishing campaigns are becoming increasingly sophisticated: they employ tools like ChatGPT to make the email language more convincing, and they incorporate UI redressing attacks such as Browser-in-the-Browser (BitB) and clickjacking that are intended to conceal (or present extremely convincing versions of) the very things users have been trained to look for. A BitB page, for example, draws a fake pop-up login window, complete with a spoofed address bar and padlock, entirely in HTML and CSS inside the attacker’s page, so the “URL” the user has been taught to check is just text the attacker chose.
The role of the browser in phishing attacks
While Business Email Compromise (BEC) and other forms of financial fraud may rely almost exclusively on email, browsers and the web are critical when the attacker’s goal is credential harvesting. Successful phishing campaigns require evading detection long enough to lure a sufficient number of users to a site that appears realistic enough to trick them into entering their credentials, meaning that the real damage from phishing does not occur in the email client but in the browser.
Better protection with enterprise browser security
It is both unfair and unhelpful to embrace the mindset that “humans are the weakest link”, but any effective anti-phishing strategy must include a backstop for the human element because attacks are becoming more convincing, and mistakes will happen. An errant click shouldn’t be the only thing standing between business as usual and a ransomware outbreak.
Seraphic Security analyzes hundreds of page attributes and parameters at runtime, giving it the ability to detect phishing sites in real time without relying on deny-lists or other data feeds. More importantly, because it runs in the end-user’s own browser and inspects the page the user actually sees, evasion techniques (such as CAPTCHA gates or cloaking) that keep the phishing content hidden from automated security “bots” do not work against it.
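To make the idea of runtime page analysis concrete, here is an added example (illustrative code written for this page, not Seraphic Security’s product or method) that scores a page from a handful of attributes visible at render time: where a credential form posts its password, whether the page names a brand it is not served by, and whether a brand’s login URL appears as ordinary page text, which is what a BitB fake window looks like from inside the DOM. The page model, the brand table, the weights and the two sample pages are all constructed assumptions for the example; in a browser extension the same fields would be read from `document.location`, `document.forms` and the text nodes of the DOM.

```javascript
// Illustrative runtime phishing-page heuristics (added example, not Seraphic
// Security's code). Brand table, weights and sample pages are constructed.
// Runs in Node (URL and String.prototype.matchAll are built in) or a browser.

// Hypothetical brand table: brand keyword -> hosts that legitimately serve its login.
const KNOWN_BRANDS = {
  microsoft: ["login.microsoftonline.com", "login.live.com"],
  google: ["accounts.google.com"],
};

// Crude registrable-domain approximation (last two labels). Production code
// would consult the Public Suffix List; this is enough for the sample data.
function baseDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Brands whose keyword appears anywhere in the visible text.
function brandsMentioned(text) {
  const lower = text.toLowerCase();
  return Object.keys(KNOWN_BRANDS).filter((b) => lower.includes(b));
}

function analyzePage(page) {
  const findings = [];
  const host = new URL(page.url).hostname.toLowerCase();
  const hasPassword = page.forms.some((f) => f.fields.includes("password"));

  // 1. Credential forms: where does the password actually go?
  for (const form of page.forms) {
    if (!form.fields.includes("password")) continue;
    const action = new URL(form.action, page.url); // resolves relative actions
    if (baseDomain(action.hostname) !== baseDomain(host)) {
      findings.push({ weight: 40, reason: `password form posts cross-domain to ${action.hostname}` });
    }
    if (action.protocol !== "https:") {
      findings.push({ weight: 20, reason: "password form posts over plaintext HTTP" });
    }
  }

  // 2. Brand impersonation: a login page naming a brand on a host that brand does not own.
  const visible = [page.title, ...page.textNodes].join(" ");
  for (const brand of brandsMentioned(visible)) {
    const owned = KNOWN_BRANDS[brand].some((h) => baseDomain(h) === baseDomain(host));
    if (hasPassword && !owned) {
      findings.push({ weight: 30, reason: `login page mentions ${brand} but is served from ${host}` });
    }
  }

  // 3. Browser-in-the-Browser indicator: a fake pop-up's "address bar" is just
  //    page text, so a known brand login URL rendered as a text node on a
  //    foreign host is suspicious.
  const urlText = /https?:\/\/([a-z0-9.-]+)/gi;
  const loginHosts = Object.values(KNOWN_BRANDS).flat();
  for (const node of page.textNodes) {
    for (const m of node.matchAll(urlText)) {
      const shownHost = m[1].toLowerCase();
      if (loginHosts.includes(shownHost) && baseDomain(shownHost) !== baseDomain(host)) {
        findings.push({ weight: 30, reason: `renders "${m[0]}" as text while actually at ${host} (possible fake popup window)` });
      }
    }
  }

  const score = Math.min(100, findings.reduce((s, f) => s + f.weight, 0));
  const verdict = score >= 50 ? "likely phishing" : score > 0 ? "suspicious" : "clean";
  return { score, verdict, findings };
}

// Constructed sample pages (not real sites).
const LEGIT_PAGE = {
  url: "https://login.microsoftonline.com/common/oauth2/authorize",
  title: "Sign in to your Microsoft account",
  textNodes: ["Email, phone, or Skype", "No account? Create one!"],
  forms: [{ action: "/common/login", fields: ["username", "password"] }],
};

const PHISH_PAGE = {
  url: "https://docs-share.example.net/view/invoice.html",
  title: "Shared document - Sign in with Microsoft",
  textNodes: ["https://login.microsoftonline.com/common/oauth2/authorize", "Sign in to view the file"],
  forms: [{ action: "http://collector.example.org/post.php", fields: ["email", "password"] }],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(analyzePage(LEGIT_PAGE), null, 2));
  console.log(JSON.stringify(analyzePage(PHISH_PAGE), null, 2));
}
```

Each signal here is something a deny-list never sees: the cross-domain form action, the brand/host mismatch and the in-page “address bar” are all properties of the rendered page in front of the user, so a CAPTCHA or cloaking step that hides the content from a crawler changes nothing for a check that runs after the user has passed it. The weights are deliberately simple; the point is the source of the signals, not the scoring.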