PITTSBURGH, PA–(Marketwired – June 01, 2016) – In its newest Phishing Activity Trends Report, the APWG noted a 250% increase in phishing sites between October 2015 and March 2016 — and the 2016 uptick indicates an alarming trend. “We always see a surge in phishing during the holiday season, but the number of phishing sites kept going up from December into the spring of 2016,” said Greg Aaron, APWG Senior Research Fellow and Vice President of iThreat Cyber Group. “The sustained increase into 2016 shows phishers launching more sites, and is cause for concern.”
The report presented a number of compelling statistics, including the following:
- A record-breaking 289,371 unique phishing websites were observed in Q1 2016.
- 123,555 of the unique sites — more than 40% of the total — were detected in March 2016.
- At 42.71% of attacks, the Retail/Service industry sector continued to be the most targeted. The Financial (18.67%) and Payment Service (14.74%) sectors ranked second and third.
- More than 75% of the phishing websites observed were hosted in the U.S.
- 20 million new malware samples were captured during the quarter.
- China had the highest malware infection rate, with 57.24% of computers infected.
Security Awareness and Training Can Help Organizations Combat the Threat
Spam filters, blacklists, firewalls, and other technical safeguards do not stop all phishing emails from getting to end users. That can’t be disputed. Organizations that want to give themselves the best shot at reducing successful attacks from the wild — and the malware and ransomware infections that come with them — must educate their employees to recognize, avoid, and report phishing emails.
“Awareness and training are two sides of the same coin, but they are not one and the same. Being aware that phishing threats exist is not the same as knowing how to defend against social engineering attacks,” said Joe Ferrara, President and CEO of Wombat Security Technologies, a leading provider of cyber security education products and services. “Simulated phishing attacks, notification emails, and alerts are absolutely valuable and useful — but on an awareness front. They aren’t a substitute for education, and they will not, on their own, drive the level of behavior change that training can.”
Ferrara recommends that anti-phishing education programs utilize awareness efforts coupled with in-depth education for best results. He also recommends that organizations seek opportunities to deliver interactive security training rather than relying on presentations or videos. “Most of the cyber threats we’re seeing in play now are ones that end users physically interact with. Phishing emails, social engineering calls, employee impersonations, risky applications…these are just some of the risks that users are encountering,” he said.
“Because the attackers are coming directly to end users, it’s critical that they learn the skills required to identify and avoid these attacks,” Ferrara said. “Being told what to do is far less effective than being shown what to do and getting hands-on practice that can then be applied in day-to-day situations.”