Phishing attacks are moving from targeting a few key employees in businesses to much wider groups of employees, according to corporate security awareness training company PhishMe.
"Once they are in, attackers are using what they learn about the environment to attack bigger groups," said Scott Gréaux, vice-president of product management and services.
Some organisations are seeing phishing campaigns targeted at up to 250 employees at a time, but using slightly different fake emails to avoid detections systems, he told Computer Weekly.
Phishing attacks are also moving away from using attachments because of greater awareness among corporate users about the potential dangers of email attachments.
Instead, they are using emails about topical or local events likely to be of general interest to just about anyone in the organisation.
Another evolution of highly targeted phishing attacks is to use compromised email accounts to send malicious links to others in the same organisation.
"These are known as proximity phishing attacks because they come from the compromised accounts of people in other departments of the same organisation," said Gréaux.
Another recent trend, he said, is increased interest in companies involved in mergers and acquisitions. These organisations present an opportunity to compromise the smaller company and then use that foothold to target the larger organisation after the merger.
"Phishers are typically very patient and will gather information over longer periods of time than fraudsters, who tend to use information quickly for profit," said Gréaux.
Phishing continues as one of the top infiltration methods used by attackers. It has been cited at the starting point of several attacks on high-profile organisations, including security organisation RSA.
Although PhishMe focuses on user education for employees at large organisations, medium and small organisations are beginning to realise any business can be a target, said Gréaux.
The biggest benefits of awareness training about phishing activities, he said, are those with mature awareness programmes where users tend to be in a rut.
The training works by sending spoofed phishing emails to the employees, and if they click on a link, enter data into a form, or open an attachment that is risky, they are informed of the dangers of their behaviour.
They will also receive guidelines on how to protect themselves from phishing attacks and how to report any suspected phishing emails to their organisation.
The message that email users receive can be customised by the organisation using PhishMe as part of its user-awareness campaign.
PhishMe claims at least 80% retention of the message because email users experience first-hand how phishing emails work.
"Being told how to be more resilient is not the same as combining the message with experience; email users are psychologically closer to the event, which studies shows always means better retention than any form of push communication," said Gréaux.
The effectiveness of the training is validated by customer data, he said.
"For example, 57% of one organisation's users were susceptible to phishing emails, despite a long-standing security awareness training that included newsletters, security awareness events and a poster campaign," said Gréaux.
"Three months after the first PhishMe email, the proportion of susceptible users fell to 10%, and five months later, that was down to 3%."
The organisations then focused on that 3% and recorded a 75% improvement, with only 25% remaining susceptible.
"While it is impossible to achieve 100%, it is possible to reduce susceptibility and no security measure is 100% effective. Phishing awareness adds another layer to an organisation's defences," said Gréaux.
Most PhishMe customers also report an immediate increase in the number of reported phishing attempts, he said. "In some cases the number of reports has increased by twenty times, which shows the message is hitting home, and behaviour is changing," he added.
Another benefit, according to Gréaux, is that organisations can improve their response times because, by making users part of the extended security team, they are able to identify and follow up phishing-based attacks faster. It also reduces organisations' dependency on technical systems to identify potential threats.
