Phishing
Is phishing a problem?
- In 2022 in the US (complaints reported to the FBI's Internet Crime Complaint Center, IC3):
- 300,497 reported phishing victims
- total reported loss of $52,089,159
- the most common type of cybercrime by number of complaints
- A large share of enterprise network intrusions begin with a phishing message
Types of phishing (by delivery channel)
- Email (the classic form)
- SMS ("smishing")
- Voice calls ("vishing")
- QR codes ("quishing"): the code hides the URL from the user entirely
Is this phishing?
Objectives (what the attacker wants the victim to do)
- Enter credentials on a look-alike login page
- Perform a financial transaction (e.g., a wire transfer)
- Install software (malware)
- Trigger an exploit (e.g., by opening a malicious attachment or link)
Motivations (what the attacker gains)
- Financial (direct theft)
- Access to sensitive resources
- Account takeover
- Manipulating opinions
Targeting
- Untargeted (bulk mailings with a generic lure)
- Spearphishing (tailored to a specific person or organization)
Who falls for phish?
“Not long ago, [I] received an e-mail purporting to be from [my] bank. It looked perfectly legitimate, and asked [me] to verify some information. [I] started to follow the instructions, but then realized this might not be such a good idea … [I] definitely should have known better.” — former FBI Director Robert Mueller
Why does phishing work?
- Systems provide limited authenticity indicators (a From: header and a URL are about all the user sees)
- Sender addresses, display names, and web pages are easy to spoof
- People may not know what to look for
- People may be distracted
- Attackers try to invoke fear and/or urgency
What can we do?
- Detect phishing emails/websites before they get to the user
- Warn users about emails that might be phishing
- Educate users to identify phishing themselves
- Detect when users click on a link or enter their credentials
- Prevent attackers from using stolen credentials (MFA; note that one-time codes can themselves be phished in real time, so phishing-resistant methods such as FIDO2 hold up best)
- Recover from attacks quickly
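To make the "limited authenticity indicators" and "detect phishing emails before they reach the user" points concrete, here is an added example (not part of the original slides) of a small heuristic email scorer. It checks the indicators the slides name: a display name that invokes a brand whose domain the sender address does not belong to, link text that shows one site while the href goes to another (or to a raw IP), look-alike domains, and fear/urgency phrasing. The trusted domain, the phrase list, the score threshold, and the two sample messages are all constructed assumptions for illustration.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for illustration: the organisation's legitimate sending domain(s) and urgency phrases.
TRUSTED_DOMAINS = {"example-bank.com"}
URGENCY_PHRASES = ("urgent", "immediately", "suspended", "within 24 hours", "verify your account")

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs plus the plain text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._anchor = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

def host_of(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def is_ip(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def registrable(host):
    # Crude eTLD+1: IPs as-is, otherwise the last two labels (real code would use the Public Suffix List).
    return host if is_ip(host) else ".".join(host.split(".")[-2:])

def lookalike(host):
    """Return the trusted domain a non-trusted host imitates, or None."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    normalized = reg.translate(str.maketrans("10", "lo"))  # undo 1->l and 0->o substitutions
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in reg or brand in normalized:
            return trusted
    return None

def score_email(raw):
    """Return (score, reasons) for a raw RFC 5322 message; each reason is one indicator that fired."""
    msg = message_from_string(raw)
    reasons = []
    # Indicator 1: display name invokes a trusted brand but the address is not on that brand's domain.
    display_name, address = parseaddr(msg.get("From", ""))
    sender_host = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    for trusted in TRUSTED_DOMAINS:
        brand_words = trusted.split(".")[0].replace("-", " ")
        if brand_words in display_name.lower().replace("-", " ") and registrable(sender_host) != trusted:
            reasons.append(f"display name {display_name!r} but sender domain {sender_host!r}")
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    parser = LinkExtractor()
    parser.feed(body)
    parser.close()  # flush buffered trailing text
    text = "".join(parser.text)
    links = parser.links or [(u, u) for u in re.findall(r"https?://\S+", text)]  # plain-text fallback
    for href, shown in links:
        target = host_of(href)
        # Indicator 2: destination is a raw IP or a look-alike of a trusted domain.
        if is_ip(target):
            reasons.append(f"link points at raw IP {target}")
        elif lookalike(target):
            reasons.append(f"link host {target!r} imitates {lookalike(target)!r}")
        # Indicator 3: visible link text names a different site than the real destination.
        shown_host = host_of(shown) if re.match(r"(https?://|www\.)", shown) else ""
        if shown_host and registrable(shown_host) != registrable(target):
            reasons.append(f"link text shows {shown_host!r} but goes to {target!r}")
    hits = [p for p in URGENCY_PHRASES if p in text.lower()]  # Indicator 4: fear/urgency language
    if hits:
        reasons.append(f"urgency language: {hits}")
    return len(reasons), reasons

def is_phish(raw, threshold=2):
    return score_email(raw)[0] >= threshold  # threshold is an assumption, tune on real traffic

# Constructed sample messages for this example (not real mail).
PHISH = (
    'From: "Example Bank Security" <alerts@example-bank-secure.com>\n'
    "Content-Type: text/html; charset=utf-8\n\n"
    "<p>Your account has been suspended. Verify your account immediately:</p>\n"
    '<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a>'
)
LEGIT = (
    'From: "Example Bank" <noreply@example-bank.com>\n'
    "Content-Type: text/html; charset=utf-8\n\n"
    '<p>Your statement is ready.</p> <a href="https://www.example-bank.com/statements">View statement</a>'
)
```

Running `score_email(PHISH)` returns four reasons (brand display name from a foreign domain, raw-IP link, link text/destination mismatch, urgency wording) while `score_email(LEGIT)` returns none. The point of the example is that every one of these signals is invisible or easy to overlook in a typical mail client, which is exactly why the slides say systems provide limited authenticity indicators; a filter in front of the user can check them mechanically. A production filter would combine such heuristics with DMARC/SPF/DKIM results, URL reputation, and a learned model rather than a fixed threshold.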
Does phishing prevention training work?
It helps (the studies below measured fewer, though not zero, clicks after training):
- P. Kumaraguru, Y. Rhee, S. Sheng, S. Hasan, A. Acquisti, L. F. Cranor, and J. Hong. Getting Users to Pay Attention to Anti-Phishing Education: Evaluation of Retention and Transfer. e-Crime Researchers Summit, Anti-Phishing Working Group, 2007.
- P. Kumaraguru, J. Cranshaw, A. Acquisti, L. Cranor, J. Hong, M. A. Blair, and T. Pham. School of Phish: A Real-World Evaluation of Anti-Phishing Training. SOUPS 2009.
- P. Kumaraguru, S. Sheng, A. Acquisti, L. Cranor, and J. Hong. Teaching Johnny Not to Fall for Phish. ACM Transactions on Internet Technology (TOIT), 10(2), May 2010.