Atif Mushtaq, Founder & Chief Product Officer at SlashNext, Inc. talks about the impact of phishing attacks today while diving into a few projected dangers users need to be prepared for in this chat:
_______
Hi Atif, we’d love to hear about your journey through the years and what inspired the story of SlashNext!
I started SlashNext when I saw phishing and social engineering strategies begin overtaking malware as the biggest online threat to businesses. While malware sandboxes matured, and successfully examine suspicious files, there were no technologies available to effectively “sandbox” and detect web pages used in phishing attacks.
At the same time, fast-moving, short-lived phishing attacks allowed cybercriminals to stay one step ahead of security controls.
I therefore assembled a team of cybersecurity professionals in Silicon Valley and oversees to develop a faster, more effective approach to phishing site protection.
Read More : SalesTechStar Interview with Mariya George, Co-Founder and President at Cleareye.ai
What are some of the biggest shifts in cyber and phishing attacks today that you feel businesses (as they strengthen remote work and relate IT processes) should also be focusing on?
First and foremost, phishing attacks are growing exponentially — 42% in the past year – and they’re getting past even big brand email defenses. It’s step one in 95% of successful cybersecurity attacks and an urgent issue considering the average cost of a corporate breach is $2.8 million.
You should also know that cyber criminals have become far more sophisticated in behavioral targeting, many of which use AI and automation technologies to launch massive quantities of highly targeted phishing 2.0 attacks that look like they’re coming from trusted sources.
Even cybersecurity professionals fail to realize that automated email security systems – even from big brand names like Microsoft and Proofpoint – are blind to these 2.0 attacks. In our free risk assessment service, we see an average one in five email users have live phishing attacks sitting in their inboxes right now.
And that’s just the tip of the iceberg. 85% of phishing happenings outside of email across every communication channel conceivable, from team messaging platforms and SMS/iMessage to social media and social gaming platforms. With everyone using the same devices for work and personal use, it’s startling to realize that few of these channels are protected..
We’d love to hear a few key highlights from SlashNext’s State of Phishing Report?
Overall, we saw a 3000% increase in COVID-19 themed phishing URLs last March as cybercriminals launched thousands of new phishing pages every hour to harvest personal information. By July, phishing threats topped 25,000/day (+30% over 2019 numbers), and they peaked at 50,000/day in December. In early 2021, attacks soared above 80,000/day.
Traditional phishing 1.0 protection — that depends on domain reputation, URL inspection, and human forensics — was not enough. Attackers were constantly innovating around them. For example:
Of the tens of thousands of new phishing sites that went live each day, most were hosted on legitimate domains that sailed past standard domain reputation tests, but hosted malicious pages. Up to 90% of the phishing URLs we detected were hosted either on a compromised domain or on legitimate cloud services like Amazon, SharePoint or Google.
- Bot-enabled phishing attacks were too fast for human forensics to stop. Short-lived phishing URLs moved on within 40-45 minutes to avoid detection.
- HTML phishing attacks delivered malicious payloads straight into browsers and apps, bypassing infrastructure defenses, and we saw a 600% increasein mobile SMS phishing attacks.
How should companies be enhancing their protection with multi-layered defenses today?
We strongly recommend a layered approach that fights AI-enabled attacks with AI-enabled defenses both on premises and in the cloud. The safest approach detects attacks before they’re launched, identifies malicious attacks with near 100% accuracy, and blocks users from clicking on them. Technology must also be supplemented with on-going awareness training and common-sense policies.
A few top trends / predictions you have for phishing attacks as they evolve – the projected dangers to prepare for?
We anticipate seeing bad actors continuing innovation as the numbers and types of phishing attacks continue to grow exponentially. Beyond phishing schemes perpetrated in corporate email, we’re seeing a dramatic increase in attacks across business collaboration tools Teams, Zoom and Dropbox, mobile devices, and mobile-specific attacks on social networking sites.
We’re also seeing more sophisticated scams where cybercriminals attempt to scare people into taking an action, or respond to alarming messages embedded in browser extensions; and social engineering schemes. We also expect phishing attacks to become more individualized and therefore appear more credible. The more a bad actor knows about you, the more convincing the attack will be, and the more likely it will be effective.
Read More: SalesTechStar Interview with Mark Magnacca, President and Co-founder at Allego
SlashNext is exclusively focused on phishing defense for business, delivered through real-time, end-to-end phishing defense services for users.
Atif Mushtaq has spent most of his career on the front lines of the war against cybercrime. Before founding SlashNext, provider of real-time AI phishing defense services, he spent nearly a decade as a senior scientist at FireEye, where he was one of the main architects of FireEye’s core malware detection system. Mushtaq has worked with law enforcement and other global agencies to take down some of the world’s biggest malware networks.