Secretary of Homeland Security Jeh Johnson said that phishing email is likely the agency’s biggest threat in cyber security. Johnson spoke at the Financial Crimes and Cybersecurity Symposium, which was held this past November in New York.
“The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing,” he revealed in his speech.
Cybercriminals have been finding ways to attack companies and individuals through email phishing since the 1980s, with seemingly no end in sight. The term ‘phishing’ purportedly came from Khan C. Smith, a widely known hacker and spammer who came to fame in the 1990s. By the 2000s, phishing scams against large companies and individuals had become a regular part of daily life, with millions of people affected and millions of dollars lost to these attacks.
The frequency of attacks has grown from approximately 173,000 per year in 2005 to almost 1.5 million in 2015. The majority of the attacks are said to come from Russia and China.
One of the most notable phishing attacks occurred in 2011 when an employee at Fazio Mechanical in Sharpsburg, Pennsylvania opened a malicious email. The employee had access to Target’s network and when the email was opened, it gave hackers the ability to steal personal and financial data from 110 million people who had shopped at Target. The spear-phishing attack highlighted a major weakness in the company’s IT security and led to the subsequent firing of IT staff.
Aaron Higbee, CTO of PhishMe, a provider of phishing threat management, said that companies need to train their staff to “accurately identify and report suspicious email.”
Secretary Johnson seemingly agrees with this assessment. Homeland Security routinely sends out phishing emails to its employees as a training tool. Employees who fall for the fake phishing emails must take an online refresher course to ensure that they don’t fail to recognize a real threat.