Which is the bigger data threat: Breaches … or your users?

Quick, which is more of a risk to data: keyloggers or phishing?

That’s the question Google engineers and researchers from Berkeley teamed up to answer, and their results might confirm some of your worst fears.

Why? Because the study determined phishing is still a growing problem … which can be frustrating since responsibility for that falls predominantly on your users.

Accounts for sale online

The study looked over black market forums on the dark web for over a year, searching for account login information obtained through keyloggers, phishing and data breaches. Researchers found:

  • 788,000 accounts were compromised via keyloggers
  • 12.4 million accounts had been stolen via phishing, and
  • 1.9 billion accounts were from third-party breaches.

While there were more accounts up for grabs due to data breaches, the researchers determined that victims of phishing attacks were 400 times more likely to have information stolen than a random user.

In comparison, victims of keyloggers were 40 times more likely, and victims of a data breach only 10 times more likely, to have information stolen than a random user.

Of the accounts studied, 12% were Gmail accounts, and 7% of those users had passwords that were reused on or linked to other services.

Using this study, Google was able to issue password resets for those affected accounts.

Popularity contest

Researchers found that 4,069 distinct phishing kits and 52 keyloggers were responsible.

The most popular phishing kit was a website that emulated Google, Yahoo and Hotmail logins. It was used by 2,599 hackers to steal some 1.4 million credentials.

The most popular keylogger, on the other hand (a program called HawkEye), was used by 470 hackers to steal the information of approximately 409,000 users.

The top brands both of these types of attacks targeted were Google, Yahoo and Hotmail.

And to no one’s surprise, the top 5 passwords were still 123456, password, 123456789, abc123 and password1.

But while you can teach users to have better passwords, it’s more pressing that they understand why phishing is so dangerous.

Why phishing?

Phishing is relatively easy to pull off, and it becomes more threatening when combined with social engineering, a kind of attack that goes well beyond batch-sending emails to a company's users.

A phished email account can also open the door to other accounts, as more and more people use their email to log in to other sites.

There’s a chance, despite your best efforts, that your users are linking company emails to other services.

Does your company use Slack or Skype? Or other internal apps linked to a company email?

Gaining access to a user's email may be just the first step in a hacker's attempt to compromise company data.

What can be done?

The best way to combat phishing attacks is to conduct internal tests to determine which users are clicking on suspicious links versus properly reporting the email to IT.

You can have the email link to a 404 error page if you'd like to keep the testing discreet, or to an informational landing page about the dangers of phishing.

Make these attempts as realistic as possible (related to your industry, using the names of coworkers, making commonly seen requests), because this is what hackers do.

Go over this data with your team and upper management so you can sort out which users are having difficulty.

This user group will then receive additional training.

The testing should be conducted repeatedly throughout the year so phishing attempts are never far from a user’s mind.
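One way to turn the click-versus-report results of these tests into the review data and training list described above, as an added example that is not from the article or from the study it reports on: a short Python script that aggregates a constructed campaign export per user and per campaign. The CSV columns (`campaign`, `user`, `outcome`), the sample users and the flagging thresholds are all assumptions for illustration.

```python
"""Aggregate simulated-phishing campaign results and flag users for extra training.

Constructed example: the CSV layout, the users and the thresholds are assumptions,
not the format of any particular phishing-simulation product.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: one row per user per campaign.
# outcome is one of: clicked, reported, ignored
SAMPLE_RESULTS = """\
campaign,user,outcome
2024-Q1-invoice,alice@example.com,reported
2024-Q1-invoice,bob@example.com,clicked
2024-Q1-invoice,carol@example.com,ignored
2024-Q1-invoice,dave@example.com,clicked
2024-Q2-payroll,alice@example.com,reported
2024-Q2-payroll,bob@example.com,clicked
2024-Q2-payroll,carol@example.com,reported
2024-Q2-payroll,dave@example.com,reported
2024-Q3-shareddoc,alice@example.com,ignored
2024-Q3-shareddoc,bob@example.com,reported
2024-Q3-shareddoc,carol@example.com,ignored
2024-Q3-shareddoc,dave@example.com,clicked
"""

VALID_OUTCOMES = ("clicked", "reported", "ignored")


def parse_results(text):
    """Parse the export into (campaign, user, outcome) tuples, rejecting unknown outcomes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        outcome = row["outcome"].strip().lower()
        if outcome not in VALID_OUTCOMES:
            raise ValueError(f"unknown outcome {outcome!r} for {row['user']}")
        rows.append((row["campaign"].strip(), row["user"].strip().lower(), outcome))
    return rows


def per_user_stats(rows):
    """Count clicked / reported / ignored per user across all campaigns."""
    stats = defaultdict(lambda: {o: 0 for o in VALID_OUTCOMES})
    for _, user, outcome in rows:
        stats[user][outcome] += 1
    return dict(stats)


def campaign_stats(rows):
    """Click rate and report rate per campaign, so the trend over the year is visible."""
    totals = defaultdict(lambda: {o: 0 for o in VALID_OUTCOMES})
    for campaign, _, outcome in rows:
        totals[campaign][outcome] += 1
    result = {}
    for campaign, t in totals.items():
        n = sum(t.values())
        result[campaign] = {"click_rate": t["clicked"] / n, "report_rate": t["reported"] / n}
    return result


def users_needing_training(stats, click_threshold=1, min_report_rate=0.5):
    """Flag users who clicked at least `click_threshold` times, or who report too rarely.

    Reporting matters as much as not clicking: a user who silently ignores every
    test never gives IT the early warning that a real campaign is under way.
    """
    flagged = []
    for user, s in stats.items():
        total = sum(s.values())
        report_rate = s["reported"] / total if total else 0.0
        if s["clicked"] >= click_threshold or report_rate < min_report_rate:
            flagged.append(user)
    return sorted(flagged)


def repeat_clickers(stats):
    """Users who clicked in more than one campaign: the group to prioritise for training."""
    return sorted(user for user, s in stats.items() if s["clicked"] > 1)


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    for campaign, c in sorted(campaign_stats(rows).items()):
        print(f"{campaign}: click {c['click_rate']:.0%}, report {c['report_rate']:.0%}")
    stats = per_user_stats(rows)
    print("needs training:", users_needing_training(stats))
    print("repeat clickers:", repeat_clickers(stats))
```

Run against a real export, the per-campaign rates are what you bring to the review with management, and the flagged list is the group that gets the additional training; raising `click_threshold` or lowering `min_report_rate` makes the policy more lenient.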

Getting over speedbumps

If you encounter any resistance from users while conducting tests, fall back on company policy or compliance reasons.

Users are less likely to get upset at you if there’s an overall reason for the tests.

However, if the resistance comes from above, such as your C-suite, let them know that a breach, or the time and data lost to ransomware, will cost more than any awareness training program or the time users lose from their workdays for training, especially when these users are likely putting company data at risk.
