Most IT Security Pros Underestimate Phishing Risks

Based on the results of a new survey, the vast majority of IT security pros fail to understand the actual risks of short-lived but dangerous phishing attacks on the web, said SlashNext.

Conducted over a five-day period, a query of 300 IT security decision makers in midsized firms in the US found that 95% of respondents underestimate threats from phishing, revealing a lack of understanding and gaps in protection against modern, fast-moving phishing attacks.

According to the SlashNext 2018 Phishing Survey, most companies do not have adequate defenses against phishing threats on the web, a growing threat that many security pros fail to fully understand. Modern phishing tactics are commonly used to breach networks, a reality that only 5% of survey participants recognize, the report found.

The survey found that 14% of respondents think they experience in excess of 500 phishing attacks per month, while 45% of participants believe they are targeted with more than 50 phishing attacks per month. Yet phishing attacks on the web differ from the more commonly understood phishing emails. The survey noted that the particular distinction between the two is the short-lived duration of today’s fast-moving phishing threats on the web.

Targeted phishing attacks have expanded into ads and also arrive through search results, pop-ups, social media, IM and chat applications, rogue browser extensions and apps. Given the increasing frequency with which these threats on the web or in free apps occur, more than half of the survey respondents identified phishing attack vectors beyond email as their third most concerning threat. Only 32% of survey participants said their existing threat feeds and block lists provide sufficient protections.

The top two concerns with regard to phishing attacks were spoofed websites and insufficient employee training. More than half (64%) of respondents expressed concerns with their existing employee awareness training.

“Phishing tactics have evolved to using very fast-moving phishing sites and attack vectors that evade existing security controls. And with such legitimate-looking phishing sites manipulating users, there is little to protect employees, not even phishing awareness training,” said Atif Mushtaq, CEO and founder of SlashNext, in a press release. “The solution involves a phishing detection system that can analyze and detect malicious sites like a team of cybersecurity researchers, but do it in real time to protect users.”
