Companies spend a huge amount of time and billions of dollars on security technology to keep threat actors out — on firewalls, IPS systems, endpoint security, and the like — and employees are letting those bad guys in by clicking on phishing links. In fact, a recent F5 Labs report says phishing was the root cause of 48 percent of the breaches they investigated.

This corroborates my own research, as I have talked to many people that do penetration testing and they told me the number one way to breach a company is by stealing a user’s credentials via phishing. Indeed, one of them showed me how quickly they could do up a mock email from the CEO that entices a user to click and enter user information. Another interesting thing he told me: In about 90 percent of the cases, he can get the credentials in under four hours.

[ Check out these 11 phishing prevention tips for best technology practices, employee education and social media smarts. | Get the latest from CSO by signing up for our newsletters. ]

Phishing is a global problem that’s reached near ubiquity

The F5 Labs report also highlights how widespread the use of phishing is by threat actors: A whopping 75.6 percent of the websites taken offline by the F5 SOC were phishing sites. A distant number two, at only 11.3 percent, is malicious scripts, and URL redirects are 5.2 percent. What’s interesting is that the latter two are typically used in conjunction with phishing, so reducing it should lower all top three types of fraud.

Mobile phishing reared its ugly head in this report at 2 percent and is likely to see a rise in the next few years. Anything security professionals can do now to educate workers today will have a bigger payoff in the future.

Phishing is more than mass emails

The report outlines how phishing works, which is important because many non-security individuals I speak to think it’s just mass emails sent out with the hopes that someone clicks on it. That might have been true when the King of Nigeria was asking for help bringing $300 million out of the country, but it’s not the case anymore. Phishers are great at stealing personal data from poorly secured websites that can give a small nugget of personal information. For example, if a salesperson joins a local business group to build up some contacts and that information is stolen, the phisher can direct an email there looking like it was from the group. It’s the high level of personalization involved in phishing that separates it from just a few years ago.

This is one reason why I tell security and business leaders that there is no such thing as a small breach. A retailer may get breached and think they dodged a bullet when the hackers weren’t able to steal credit card information. Maybe they only snatched people that signed up for a loyalty card, which is seemingly harmless. The fact is this type of data can be used to focus the attack and create an incentive to click on a link.

Phishing gets more sophisticated

Another finding in the report that should be cause for concern is that 93 percent of phishing domains offer a secure version (https) of the site, making them seem legitimate. Early phishing websites were shoddy and filled with errors, but not so today. Newer sites are near identical clones of the brands we have all come to know, love, and above all else, trust. The report shows the top 10 impersonated sites are all technology or financial services organizations. These are sites many of us visit routinely, and many individuals wouldn’t think twice about receiving an email from them.

Webroot The top 10 organizations phishers impersonated from Sept. 1 to Oct. 31, 2018 (left). The top 10 targets by industry (right).

Employee education is the best defense against phishing

Knowing now that phishing is a significant problem that can give the bad guys a back door into the company raises the question of what to do about it. Without a doubt, the best first step is user training. Educate employees to look for anomalies. Any time an email includes a link or attachment, particularly Zip and PDF files that are easy to hide malware in, the individual should be skeptical. If it’s an email from a co-worker check to see if the sender's email looks legitimate.

I went into my own spam box to look for an example. In one, the users signature line showed an email of info@company.com, but the return email was company@vip.163.com (I anonymized the company name). This mismatch should be an immediate red flag and avoided. Other notable things to look for are shortened URLs, certificate warnings, emails with an “urgent” alert, or emails that are unexpected.

If a user has been directed to a website, they should carefully inspect the URL to see if it’s legitimate. Phishing sites often use URLs that are close to the original company as a way of fooling people. For example, a fake F5.com site could be something like “FFiveSecurity.TV”, which might look legitimate but isn’t. If there’s any question, educate the user to go to a separate browser session and reach the company that way.

User training is often overlooked, but the report did manage to quantify the impact. The average click-through rate of phishing links when companies do five or fewer training events is 33 percent. This drops to as low as 13 percent with 11 or more. The key here is that organizational leaders need to be persistent with awareness training.

Security tools to catch phishing emails

Protecting against phishing is more than just education. There are a number of security tools that can be used. Below are a few that were mentioned in the report that, to me, are no-brainers:

Email labeling that identifies emails from outside the company

Antivirus software to catch malware when the user clicks on a phishing link

Web filtering to block known phishing sites

Inspection of encrypted traffic to see inside https sessions

Single sign-on, which reduces password fatigue and has been proven to limit phishing attacks

Multi-factor authentication to prevent credential theft

Access controls to limit employees from reaching critical systems

Fraud detection to quickly find infected endpoints

Phishing has become the top challenge for security professionals and, as the F5 Labs report indicates, has gotten out of control. However, all is not lost. A combination of user training and cybersecurity tools can help minimize the risk and limit the damage.