The Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks
A Cyveillance White Paper, May 2015

Table of Contents

Executive Summary .... 3
The Costs .... 4
How To Estimate the Cost of an Attack .... 5
Reducing the Costs of Attacks .... 9
Summary .... 11

The Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks. 2015 Cyveillance.

Executive Summary

Phishing is not a new threat, but it is one that continues to impact any organization that maintains an online presence. In recent years, phishing attacks have become more complex and are increasingly paired with embedded hybrid malware. Phishing attacks that include mobile malware are another threat that has grown exponentially, exposing the private information of millions of mobile device users. Highly organized threat actors are targeting organizations and their staff members with directed social engineering attacks, gaining access to local networks, stealing intellectual property, and leaking trade and national secrets onto the public Internet.

Social engineering, specifically spear phishing, is on the rise. Criminals use personal information gleaned from public posts to craft personalized messages that trick people into opening attachments and clicking on malicious links. These simple yet sophisticated attacks provide deeper levels of access to data and networks, causing significant financial harm.

How much do phishing attacks really cost organizations? Many studies have attempted to answer this very question. A July 2013 study published by the British House of Commons Home Affairs Committee estimates the overall cost of cyber crime to the UK at 27 billion in 2012, with more than 600 million directly attributable to phishing attacks.

The phishing threat is growing, victimizing consumers and businesses on a global scale. Customers of well-known brands and lesser-known companies alike have fallen victim to this pervasive form of online fraud. According to the APWG Global Phishing Survey for the first half of 2014, the number of unique phishing websites detected increased 58 percent over the prior year. In fact, over the past six years, Cyveillance has detected more than 1.5 million phishing attacks targeting over 3,600 brands across the globe.

Organizations often have a difficult time assessing how phishing affects their finances, as there are numerous factors to take into account when trying to measure the cost, as well as the impact phishing has on customers, productivity and reputation. In this report, we provide a model that can be used to illuminate the costs related to phishing attacks, in a manner that can be easily adjusted to any organization's specific business model or support process.

SECTION 01: The Costs

Phishing can cost organizations thousands of dollars per attack in fraud-related losses. Although some of the costs can be measured easily, others are far more difficult to quantify. The two categories of cost that phishing affects are usually referred to as hard costs and soft costs.

Hard costs associated with phishing can be measured directly in terms of dollars, time and effort. Typically, these costs are related to the following:

- Fraudulent charges associated with compromised credit cards
- Cash withdrawals or pump-and-dump schemes from compromised online trading accounts
- Employee time spent dealing with the fraudulent transactions
- Customer support calls

Soft costs are the intangible costs that are much more difficult to measure. These costs can have a long-term impact on an organization's brand. Soft costs typically include the following:

- Customer trust in online applications
- Customer satisfaction
- Brand reputation

SECTION 01: How To Estimate the Cost of an Attack

There are many factors to consider when estimating the costs of a phishing attack conducted primarily via email. To provide an approach that produces a realistic estimate, below is an example of a typical attack which illustrates the basic anatomy of a phishing attack. As it clearly shows, the costs increase dramatically as the attack continues, and the greatest cost savings occur if the attack is stopped quickly. The following example shows in explicit detail how the costs escalate.

[Figure 1: Anatomy of a phishing attack. Stages: (1) register a domain name or hijack a legitimate website; (2) copy and build the phishing webpage or site; (3) phishers send spam email, SMS or vishing calls; (4) consumers click through the email and submit PII. The chart plots total cost ($$$) against the number of victims per hour.]

In our example (Figure 2) we start with the number of spam emails sent by the phisher, which is usually very high. From this initial emailing, we estimate that 10 percent or fewer of the emails actually pass through anti-spam systems. Of the 10 percent that pass through these filters, half will be opened by users. As shown in the example below, 10 percent of the individuals who open the emails will click on the link(s) contained in an email, and of those who click on the link(s), only 10 percent will actually fall for the scam by entering their personal credentials into the fraudulent web page. Although this may seem like a small percentage, the actual number of people affected is substantial, as the number of spam messages that the phisher sends during the initial attack tends to be quite large.

Figure 2: Who Will Eventually Click

| Spam emails sent                                                                   | 5,000,000 |
| Percent filtered by spam filters                                                   | 90%       |
| Percent of people who get the email that will eventually open the email            | 50%       |
| Percent of those who will read the email and click on the link to the attack page  | 10%       |
| Of those who clicked on the link, percent that fall for the attack                 | 10%       |
| Total number of people successfully phished                                        | 2,500     |

Cost Assumptions*

| Cash cost per customer compromised                   | $1,800 |
| Personnel per-hour costs for each hour a site is up  | $400   |

* The cost assumptions above are based on input and feedback from financial institutions of varying size. Many organizations have their own specific values for the average costs of credentials (login, credit card, etc.) compromised by a criminal and the per-hour costs of responding to an attack.

Attack Details

| Hour  | Percent of all victims scammed during this hour | Victims during this hour | Cumulative victims to date | Cost for this hour | Cumulative cost over the first 72 hours |
| 1     | 0.03%  | 0.625  | 1     | $1,525   | $1,525     |
| 2     | 0.80%  | 20     | 21    | $36,400  | $37,925    |
| 3     | 1.25%  | 31.25  | 52    | $56,650  | $94,575    |
| 4     | 2.50%  | 62.5   | 114   | $112,900 | $207,475   |
| 5     | 5.00%  | 125    | 239   | $225,400 | $432,875   |
| 6     | 6.00%  | 150    | 389   | $270,400 | $703,275   |
| 7     | 7.50%  | 187.5  | 577   | $337,900 | $1,041,175 |
| 8     | 8.00%  | 200    | 777   | $360,400 | $1,401,575 |
| 9     | 9.00%  | 225    | 1,002 | $405,400 | $1,806,975 |
| 10    | 9.25%  | 231.25 | 1,233 | $416,650 | $2,223,625 |
| 11    | 7.00%  | 175    | 1,408 | $315,400 | $2,539,025 |
| 12    | 6.00%  | 150    | 1,558 | $270,400 | $2,809,425 |
| 13    | 3.75%  | 93.75  | 1,652 | $169,150 | $2,978,575 |
| 14    | 3.00%  | 75     | 1,727 | $135,400 | $3,113,975 |
| 15    | 2.00%  | 50     | 1,777 | $90,400  | $3,204,375 |
| 16    | 1.50%  | 37.5   | 1,814 | $67,900  | $3,272,275 |
| 17    | 1.25%  | 31.25  | 1,846 | $56,650  | $3,328,925 |
| 18    | 1.00%  | 25     | 1,871 | $45,400  | $3,374,325 |
| 19    | 0.95%  | 23.75  | 1,894 | $43,150  | $3,417,475 |
| 20    | 0.95%  | 23.75  | 1,918 | $43,150  | $3,460,625 |
| 21    | 0.90%  | 22.5   | 1,941 | $40,900  | $3,501,525 |
| 22    | 0.90%  | 22.5   | 1,963 | $40,900  | $3,542,425 |
| 23    | 0.80%  | 20     | 1,983 | $36,400  | $3,578,825 |
| 24    | 0.80%  | 20     | 2,003 | $36,400  | $3,615,225 |
| 48    | 0.20%  | 5      | 2,258 | $9,400   | $4,083,825 |
| 72    | 0.10%  | 2.5    | 2,346 | $4,900   | $4,250,925 |
| Total | 93.8%  | 2,346  | 4,691 | $4,250,925 | $4,250,925 |

[Charts: Victims per Hour for the First 72 Hours (victims per hour, 0 to 250); Total Cost per Hour for the First 72 Hours (cost for this hour, $0 to $450,000); Cumulative Victims Over the First 72 Hours (total victims, 0 to 2,500); Cumulative Cost Over the First 72 Hours (total cost, $0 to $4,500,000). Each chart's x-axis is Time in Hours, 1 to 72.]

Malware-based Phishing

Malware-based phishing is any type of phishing attack that attempts to download malware to a user's machine. Traditional phishing attacks typically only provide a phisher with a single compromised credential or set of compromised credentials that are only valid for a short period of time. Malware-based attacks download malicious software to a user's computer that may go unnoticed for an extended period of time. This software steals sensitive information or allows a fraudster to gain unauthorized access not only to the user's computer, but to any network resource the user can access.

The duration of the phishing attack is a key factor in determining the overall costs of a specific attack. As illustrated in the attack detailed above, the majority of costs associated with a phishing attack occur within 24 hours of the attack's launch; after that period, the costs associated with an attack level off significantly.

In our example, 2,500 users were victims of the phishing attack. If the same phishing attack were malware-based, then up to 25,000 users could be infected with malware. The reason for this much larger exposure is that with a malware-based attack, the user simply has to click on the link to the phishing website; he or she is exposed to the malware infection regardless of whether or not credentials are provided to the scammer.
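The model behind Figure 2, the Attack Details table and the 25,000 malware-exposure figure, written out as an added example (this is not Cyveillance's own code). It assumes the paper's funnel rates and cost inputs, takes the hourly victim shares for the first 24 hours from the table, and infers the per-hour cost rule (victims times cash cost, plus one hour of personnel cost) from the table's rows; the takedown-savings function is added to show how the paper's "duration drives cost" argument plays out in numbers.

```python
"""Phishing cost model from the white paper (added example, not Cyveillance code).

Reproduces the Figure 2 funnel, the hour-by-hour Attack Details table for the
first 24 hours, the 25,000 malware-exposure figure, and the cost avoided by
taking the site down at a given hour.
"""
from fractions import Fraction

# Figure 2 assumptions, as stated in the paper.
SPAM_SENT = 5_000_000
PASS_FILTER_RATE = Fraction(10, 100)  # 90% stopped by spam filters
OPEN_RATE = Fraction(50, 100)         # half of delivered mail is opened
CLICK_RATE = Fraction(10, 100)        # of openers, share who click the link
SUBMIT_RATE = Fraction(10, 100)       # of clickers, share who enter credentials

# Cost assumptions, as stated in the paper.
CASH_COST_PER_VICTIM = 1_800          # $ per compromised customer
PERSONNEL_COST_PER_HOUR = 400         # $ per hour the phishing site stays up

# Share of all victims scammed in each of the first 24 hours, in thousandths of
# a percent (0.800% -> 800), from the paper's table.  Hour 1 is entered as
# 0.025% (25) because that yields the table's 0.625 victims; the table prints
# it rounded to 0.03%.
HOURLY_SHARE = [25, 800, 1250, 2500, 5000, 6000, 7500, 8000, 9000, 9250, 7000,
                6000, 3750, 3000, 2000, 1500, 1250, 1000, 950, 950, 900, 900,
                800, 800]


def funnel(spam_sent=SPAM_SENT):
    """Walk the funnel. 'clicked' is the malware-exposure ceiling the paper
    cites (25,000); 'phished' is the credential-phishing victim count (2,500)."""
    delivered = spam_sent * PASS_FILTER_RATE
    opened = delivered * OPEN_RATE
    clicked = opened * CLICK_RATE
    phished = clicked * SUBMIT_RATE
    return {"delivered": int(delivered), "opened": int(opened),
            "clicked": int(clicked), "phished": int(phished)}


def attack_timeline(total_victims):
    """Rows of (hour, victims_this_hour, cumulative_victims, cost_this_hour,
    cumulative_cost).  Hourly cost is the relationship visible in the paper's
    table: victims * cash cost + one hour of personnel cost."""
    rows, cum_victims, cum_cost = [], Fraction(0), 0
    for hour, share in enumerate(HOURLY_SHARE, start=1):
        victims = total_victims * Fraction(share, 100_000)
        cost = int(victims * CASH_COST_PER_VICTIM + PERSONNEL_COST_PER_HOUR)
        cum_victims += victims
        cum_cost += cost
        rows.append((hour, float(victims), round(cum_victims), cost, cum_cost))
    return rows


def takedown_savings(rows, hour):
    """Dollars (and share of the 24-hour total) avoided if the phishing site is
    taken down at the end of `hour` and no further victims accrue."""
    full = rows[-1][4]
    spent = next(r[4] for r in rows if r[0] == hour)
    return full - spent, Fraction(full - spent, full)


if __name__ == "__main__":
    f = funnel()
    rows = attack_timeline(f["phished"])
    print(f"clicked (malware exposure ceiling): {f['clicked']:,}; phished: {f['phished']:,}")
    for hour, v, cv, c, cc in rows:
        print(f"hour {hour:>2}: {v:>7.3f} victims, {cv:>5} cumulative, ${c:>9,} / ${cc:>11,}")
    for h in (2, 6, 12):
        saved, share = takedown_savings(rows, h)
        print(f"takedown at hour {h:>2} avoids ${saved:,} ({float(share):.0%} of the 24h cost)")
```

Exact fractions are used so the half-victim rows (0.625, 31.25, ...) and their costs match the paper's table to the dollar; a takedown at the end of hour 6 avoids roughly 81 percent of the 24-hour cost in this model.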

SECTION 02: Reducing the Costs of Attacks

Any organization currently targeted by phishers, or at risk for such attacks, must develop and implement a comprehensive phishing protection and response plan in order to prevent or minimize the direct costs of phishing attacks. The plan should provide response guidelines that cover every phase of an attack in the fastest, most efficient manner.

Duration is a key factor in the overall cost of a phishing attack, and most costs are incurred in the first 24 hours. Thus, speed of detection and takedown are key.

Based on the analysis in the previous section, we note that most costs are incurred during the first 24 hours of an attack. Because this critical period is so short, speed of detection and speed of takedown are the two key areas that organizations must focus on to reduce the costs of a phishing attack. Organizations should place equal emphasis on both areas when developing and implementing a phishing protection and response plan.

An effective phishing protection and response plan should include the following key objectives:

1. Identification of the appropriate stakeholders and clear communication of their responsibilities
2. Compatibility with existing processes and procedures (your plan must work within the daily operational flow of business)
3. Creation of effective internal and external communications processes
4. Creation of a solid phishing response escalation path
5. Minimization or avoidance of negative customer experiences (preserving consumer confidence in using online services is crucial to ensure continued growth)
6. Reduction of financial losses associated with online fraud
7. Proactive protection of your corporate reputation

Depending on the size of an organization and the availability of resources, the best decision may be to outsource the core parts of phishing detection and response. An anti-phishing service provider should easily be able to reduce the costs of phishing significantly.

Summary

Phishing is a problem that will grow and evolve over the foreseeable future, as criminals will continue to use these scams as an effective means of generating significant profit. The attacks constantly adapt to technology, becoming more sophisticated in an attempt to outpace detection countermeasures. Phishing attacks have not only substantially increased the costs of running a business, but have also damaged security and customer confidence. While there is no silver bullet to eliminate all costs associated with phishing, organizations can focus on addressing attacks during the most dangerous time: the 24 hours following the launch of the attack. The costs associated with a phishing attack are directly proportional to the time it takes an organization to respond to the attack. Thus, the better prepared an organization is to detect and take down phishing attacks proactively, the more likely it is to prevent and/or recover from attacks. By developing a proactive plan, an organization can greatly reduce the time wasted and money lost due to a potential phishing attack.

Cyber Threat Center

While your network may be secure, do you have visibility beyond the perimeter? Security is no longer about what you can see. What you can't see is where the true threats hide. Cyveillance offers an easy-to-use platform that gives security professionals the ability to see beyond the perimeter. Our solutions identify cyber and physical threats and risks across the globe, allowing you to mitigate and eliminate them before they disrupt your business. We go beyond data to provide the threat intelligence that you need to achieve your organization's business goals. Contact us today to learn more and get a free trial: www.cyveillance.com/cyberthreatcenter

Using security intelligence technology can save companies up to $2.6 million when compared to companies not using security intelligence technologies. Source: 2014 Global Report on the Cost of Cyber Crime. Ponemon Institute; HP. 3 Dec. 2014. http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report

A study by Verizon has shown that the targets of 85 percent of attacks are small businesses with fewer than 1,000 employees. Source: Verizon, 2012 Data Breach Investigations Report, http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf

Cyveillance is the leading provider of cyber threat intelligence, enabling organizations to protect their information, infrastructure, and employees from physical and online threats found outside the network perimeter. Founded in 1997, Cyveillance delivers an intelligence-led approach to security through continuous, comprehensive monitoring of millions of online data sources, along with sophisticated technical and human analysis. The Cyveillance Cyber Threat Center, a cloud-based platform, combines web search, social media monitoring, underground channel information, and global intelligence with investigative tools and databases of threat actors, domain names and IP data, phishing activity, and malware. Cyveillance serves the Global 2000 and the majority of the Fortune 50 as well as global leaders in finance, technology, and energy along with data partners and resellers. For more information, visit www.cyveillance.com.

Cyveillance is a wholly owned subsidiary of QinetiQ, a FTSE250 company which uses its domain knowledge to provide technical support and know-how to customers in the global aerospace, defense and security markets. For more information, visit www.qinetiq.com.

11091 Sunset Hills Road, Suite 210, Reston, Virginia 20190 | 888.243.0097 | 703.351.1000 | www.cyveillance.com | info@cyveillance.com

Copyright 2015 Cyveillance, Inc. All rights reserved. Cyveillance is a registered trademark of Cyveillance, Inc. All other names are trademarks or registered trademarks of their respective owners.