The cybersecurity refrain when encountering phishing emails invariably advises: "don't click on that link" and "report that email"—but new research from Drexel University and Arizona State University has revealed a problematic reality: Most major companies do little to support reporting and few take action to shut down phishing sites disguised as their own after they have been reported.

Recently presented at the International Symposium on Research in Attacks, Intrusions and Defense (RAID), an extensive investigation into reporting resources and processes—including an empirical test of their efficacy—revealed that less than half of Fortune 100 companies offer any channel for reporting these scams. An experiment testing the companies' response to reports of phishing attacks impersonating their websites found that nearly 30% of reported websites were never accessed as part of an investigation and only 3% of them were ever blocked from access.

Most phishing emails include links to download malware or visit fake webpages that mimic popular sites. Recipients may be tricked into attempting to log in to the sites, divulging their account information to the bad actors behind them. Variations on this cyberattack are also becoming more prevalent: smishing, which delivers malicious links in text messages, and vishing, which uses voicemails.

Despite ever-evolving cybersecurity techniques to detect and block the malicious scams, many still make it through countermeasures and into inboxes. In 2022 the FBI received more reports of phishing than any other type of cybercrime—totaling an 11-fold increase since 2018.

Because of this evasiveness, most companies provide cybersecurity training to help employees identify phishing emails and instruct them to report such emails as a last line of defense.

When phishing emails are reported, the companies being impersonated in them can take steps to mitigate the scam, including updating their , re-securing compromised email accounts, reporting the fraud to federal authorities and reporting any website listed in the email so that it can be taken down, or "block listed."

But research suggests that the rate of phishing attack reporting is strikingly low. A 2020 study by researchers at Arizona State showed that phishing sites are visited an average of 27 times before being reported.

In hopes of improving participation in anti-phishing measures, cybersecurity researchers from Drexel University's College of Computing & Informatics sought to better understand the reporting ecosystem that has generated such a low rate of participation. Their report, which is one of the first comprehensive studies to look at the attitudes and actions around phishing reporting, uncovered the challenges and concerns people face when reporting, as well as shortcomings in how the reports are handled.

"Although users are constantly trained and instructed on how to identify and report phishing emails, the reaction they receive in the actions taken—or, more often, not taken—by the companies to which they report creates a  that discourages them from reporting future emails," said Eric Sun, Ph.D., an assistant professor in Drexel's College of Computing & Informatics who helped to lead the research.

"Our research sheds a light on what it's like to be a reporter and a  that receives a phishing report in hopes of improving this cybersecurity environment."

The team approached its analysis from three perspectives, seeking to understand:

  • The options the cybersecurity ecosystem provides to individuals who wish to report phishing attacks
  • The actual experience in preparing to report a phishing attack
  • The post-reporting response—what happens to phishing websites after reporting and what feedback is conveyed to reporters

It found that although there is a great deal of room for improvement in the guidance information and feedback provided by companies and enforcement institutions, individual reporting of phishing attacks remains a crucial part of cybersecurity efforts.

More: https://techxplore.com/news/2024-11-void-validates-victims-response-phishing.html