Why Phishing Attacks Are Successful


You’re smart. You’re the type of person who double and triple checks everything. You lock your doors, activate your alarm system at home, and you think twice about giving away payment information on websites.

You’re a security-conscious IT professional, and there’s absolutely no way you could fall victim to a phishing attack. You know the signs and have a finely honed sixth sense for scams that never lets you down.

Unfortunately, nearly everyone thinks like that. Yet, scammers continue running successful phishing campaigns. Email continues to be the most popular attack vector. What gives? Today, we’ll discuss what makes phishing campaigns so successful.

The law of averages

In the 2018 edition of Verizon’s Data Breach Investigations report, they claimed 4% of people will fall victim to any given phishing campaign. That number seems small, but it’s enough to cause serious damage. If you support a company with 50 employees and they’re hit with a general phishing campaign aimed at email addresses for the company, two employees should end up clicking links. This is enough for attackers to cause serious damage by stealing credentials or downloading malware to a device. If the attackers gain persistence, they could spend months running recon on your network with the intention of causing potentially extinction-level damage. This isn’t just hypothetical—a report by Accenture found that 85% of organizations have fallen prey to phishing or social engineering attacks.

Phishing schemes don’t take a lot of technical know-how or elbow grease to run. Criminals can mass spam a list of email addresses and, if they get even a miniscule number of people to click, they can make decent money. Simply put, getting a ton of “at bats” virtually guarantees a few home runs.

The law of knowledge

While the law of averages supports general phishing schemes, more sophisticated criminals can score larger hauls when they tailor campaigns to the victims. It takes effort, but the payoff can be enormous.

It starts with reconnaissance, usually using open source intelligence (OSINT) techniques. OSINT is a framework where people use freely available data to gather information. OSINT is often used for legitimate purposes—whether national security, private investigations, or penetration testing. But cybercriminals can use OSINT techniques to profile their victims before they launch their campaigns.

We won’t go into specific OSINT tools or techniques here, which can get extremely sophisticated. But simply put, criminals can discover information about people such as their addresses, positions in organizations, interests, and personal connections. If they follow someone’s social media long enough, they can understand someone’s writing style and enough interests to create something convincing. For example, if they know the CFO of an organization, read their social media posts, mimic their writing style, and can figure out a few of the internal applications being used, they could try to send a convincing fake invoice to the CEO of a company (especially if they’re small or not overly tech savvy). These attempts get even more successful if the scammer has compromised the organization with some level of eavesdropping method like placing a keylogger on key devices.

The law of attention

Beyond this, remember that everyone can fall victim to a scam. You can reduce your risk, but you can’t eliminate it. Even security professionals with years of experience make mistakes. All scams rely on flaws inherent in human nature. While many think they’re “too smart” to fall victim to scams, intelligence doesn’t play as much a role as you may think.

You could boil down the success or failure of phishing to peoples’ attention spans. If your attention is split, then your guard is down. That’s when it’s easy for a convincing phishing scam to sneak past. Put yourself in the shoes of an overworked manager. They’re running on few hours of sleep, have had three stressful calls back to back, and are working on the budget for the coming quarter. They’re under a tight deadline and their boss is breathing down their necks. Under this level of pressure—which certainly isn’t uncommon among management—making a mistake is almost inevitable. Attention is a finite resource, and that can easily be exploited. We’re flawed human beings. All of us. That’s what makes phishing scams so successful.

Your weapon: the law of redundant checks

Reducing the risk of successful phishing attacks comes down to redundant systems and safeguards. For starters, on important decisions like financial transactions, implement and maintain a consistent process of in-person checks. If someone receives a request to cut an important check, have them verify the request is legitimate—preferably by speaking to someone in person.

However, there simply are no guarantees. Whenever humans are involved, mistakes can happen. That’s why it’s important to have additional email protection in place. SolarWinds® Mail Assure uses collective intelligence from managing nearly two million mailboxes to find active spam and phishing attempts. If we detect a threat in one area of our user base, the entire user base gets protection. Email protection helps prevent people from receiving malicious emails in the first place, giving you added insurance against stressful moments when users drop their guards. Learn more about how Mail Assure can help you today.

Guest blog courtesy of SolarWinds MSP. Read more SolarWinds MSP blogs here.