One of the more interesting English language colloquialisms is the phrase “fish or cut bait,” generally used to suggest a decision must be made. It derives from a time in which catching fish with bait often meant dividing responsibilities, with someone fishing while another was cutting bait up to be used to catch the fish. In an odd way this catchy little phrase now applies to one of the most persistent cybersecurity threats in use—spear phishing.

In the face of determined efforts to educate the population about the use of spear phishing, the number of phishing attacks continues to rise dramatically. Why? Quite simply—they work really, really well. Leading cybersecurity firm FireEye recently reported that “84% of organizations said a spear-phishing attack successfully penetrated their organization in 2015. The average impact of a successful spear-phishing attack: $1.6 million. Victims saw their stock prices drop 15%.”

English cyber firm Sophos just released a white paper titled “Don’t Take The Bait,” that takes a look at why phishing attacks are on the rise. They suggest that more people are successfully “phishing” because a cottage industry has grown around the cyber equivalent of cutting bait. The paper notes that it is ever easier for cyber criminals to acquire sophisticated fishing tools. “An interesting facet of the phishing ecosystem is that there are a large number of actors committing attacks, but only a small number of phishers that are sophisticated enough to write a phishing kit from scratch. Because of this, phishing kits are now widely available for download from dark web forums and marketplaces, and give attackers all the tools they need to create profitable phishing attacks: emails, web page code images, and more.”

The white paper goes on to report that “In fact, attackers don’t even need to know how to create malware or send emails anymore. As-a-service and pay-as-you-go solutions permeate most online service technologies, and phishing is no different...” Among those services, an enterprising person who wishes to phish can use a ransomware service provider who will take a cut of each ransom paid, or a phishing service provider who will guarantee that the user will only be billed for emails actually delivered. The Postal Service should be so efficient.

It is increasingly important that businesses respond to the emphasis on phishing attacks with a countervailing emphasis on education and training, and employ rigorous internal standards to diminish the prospect that an employee might inadvertently send information or money to a cyber criminal. Don’t think more about whether to do so; it’s time to fish or cut bait.

By Tom Davis, SDI Cyber Risk Practice

June 20, 2017