If you’re trying to convince your boss to open up the purse strings for your anti-spam footprint, you’re going to need numbers. Let’s face it: you’re not going to convince the boss with vague claims like “spam costs a lot of money!” Whether you plan on upgrading your software solution or improve your training process, bosses need to justify the budgetary spend. Fortunately, if there’s one thing the security industry is good at doing, it’s coming up with numbers.
Unfortunately, the numbers don’t always agree with each other, but when drilling down into the research methods used, you can usually find a common theme and a ring of truth. That’s especially true for reports from firms that specialize in security. For example, the security firm RSA presented the results of its study on the first half of 2012 this week, and interestingly enough, the article posted on RSA’s blog points the finger squarely at phishing.
The article, entitled Phishing in Season: A Look at Online Fraud in 2012, doesn’t waste any time getting to the point: “Compared with H2 2011, end of June numbers show a 19% increase as phishers heavily target the UK, U.S. and Canada – and their associated brands – with the same old online trickery that continues to plague the world.” Now, 19% may not sound significant all on its own, but when combined with a dollar figure, it becomes the stuff that opens a boss’ wallet. According to RSA, the estimated losses due to phishing attacks in the first half of 2012 is $687 million US.
RSA notes that the “number was calculated using a lower attack uptime median and yet, it marks a 32% increase in losses when compared with last year’s equivalent (1H2011), and a slight decrease when compared with 2H2011.” RSA also pointed out findings from the Anti-Phishing Working Group, which found that the uptime of attacks were down from 15.3 hours per attack to 11.72 hours per attack, suggesting that each instance of a successful phishing scheme yielded less money for the cyber crooks. However, overall attacks were up, and that means everyone needs to be a little more mindful of the dangers of wily phishermen.
RSA also notes that the same short list of target countries remains unchanged, with the UK, US, Canada, Brazil, and South Africa topping the list of countries attacked by phishing schemes. RSA also points out that some countries revealed dramatic increases in phishing attacks during the first half of 2012. In Canada, phishing schemes were up a whopping 400%, an increase which is probably due to Canada’s economic stability and the near one-to-one ratio between the Canadian and US dollars. As RSA points out in the article, the fraudsters do love to follow the money.
Perhaps it’s just the accounting side of the war on spam, but researchers just love to apply numbers to the pesky stuff. But RSA takes it one step further, getting philosophical about the state of phishing in the world today. Phishing has been around for 16 years now – it seems like forever – and it still represents one of the top threats circulating the Internet today.
Why? asks RSA. “At the core of this seemingly simple threat,” they answer, “lies a powerful force– human emotion. Although phishing is a 21st century crime, manipulation, deceit and persuasion are not. “ The social engineering component of phishing continues to be a successful method for getting users to give up their personal information. When people act by feeling rather than acting rationally, they’re more likely to make the mistakes that become a part of that $687 million nugget that keeps phishers coming back for more.
Emotional triggers continue to be a source of success for the cybercrooks, says RSA. “Intended readers have to be convinced that they need to visit the URL for a reason valid and credible enough to cause them to impart their credentials and personal information.” We can’t ignore the key emotional triggers that enable successful phishing – the promise of rewards, plain old human greed, emotional response to false accusations, curiosity, the need to right a perceived wrong, and misplaced trust, are all emotional responses identified by RSA as triggers that line phishers’ pockets.
It’s somewhat odd to regard phishing as a success story that continues to thrive. One might assume that after 16 years and a glut of tombstone data about a scam that, in many ways, is as old as crime, people would know better. But you can’t ignore $687 million in six months.
Time to review that footprint…