Enterprises spent over $2 billion in hard dollars on phishing prevention in 2023. In addition, they spent at least 10x that amount in lost productivity due to employee time spent completing periodic phishing awareness training. Such investments make sense when phishing is one of enterprise CISOs’s top three priorities. Yet phishing continues to lead the pack as the most successfully exploited threat vector. Does that mean traditional anti-phishing approaches are ineffective?
It’s kind of crazy to think about. Approximately 100 percent of enterprises deploy anti-phishing solutions. The technology isn’t new. The problem is well known. Yet it seems everything we’ve done so far hasn’t been enough to affect phishing’s top ranking on year-end threat lists.
It’s not like email security solutions can’t find deceptive links, or web gateways can’t spot a phishing page, or security awareness training programs don’t teach people to avoid being phished. That’s certainly why all these techniques are so widely used today. However, the data shows that attackers succeed in circumventing these controls.
How Multi-Channel Phishing Bypasses Traditional Anti-Phishing Tools
The reasons today’s enterprise anti-phishing stack doesn’t solve the problem aren’t complicated.
If an attacker doesn’t want email security or web gateway solutions to block their phishing attack, they simply find another way to deliver the phishing invite to the victim. Text messages, social media posts and direct messages, QR codes, and sponsored or high-ranking search results – there are nearly infinite ways to lure a victim into a phishing site that doesn’t involve email.
Not to mention the frequency with which bad actors discover and exploit bypasses of widely deployed email security systems. The situation is hardly any different with a secure web gateway. Even if one has ironclad anti-phishing technology, attackers will simply find ways to get around e-mail filters and convince victims to access scams outside of the web gateway.
Security awareness training is the correct last line of defense, but we all have weak moments. With GenAI in the mix, the phishing scams are getting very hard to spot, even for salty old paranoid security pros.
The greatest opportunity today to improve the business world’s phishing defenses is to close the gap in visibility that attackers often exploit. I don’t think that’s a bold statement. The challenge isn’t what to do, it’s how to do it.
The Next Generation of Anti-Phishing Software: Hunting for Phishing Externally
The next frontier in phishing defenses, like phishing itself, isn’t new at all. Threat-hunting techniques have been around for two decades, yet they haven’t been applied to phishing yet in a systematic, scalable way. After all, hunting for phishing threats across the entirety of the internet is a daunting task.
Several years ago, we started working to solve this problem at Allure Security. Our goal was to build a solution that is capable of proactively hunting down all types of phishing, without having to wait for a deceptive email to come in, or for a victim to realize they are being phished and bail out before it’s too late.
Our challenges were two-fold. First just building the intelligence into our systems to recognize a scam or phish when we see it – that was tough. Then, getting it to run at internet scale, where we need to examine tens-of-millions of pages every day, and do so economically – that was a monumental challenge. But we did it.
There has been talk of the concept of “hunting for phishing” out there, but they tend to be a playbook for an individual human to perform such tasks at a point in time. Allure Security has systematized this process outside enterprises’ perimeter. It’s automated. It’s continuous. And it can identify and eliminate phishing sites even while an attacker is still configuring the site, before a single message is distributed – regardless of the communication channel.
Catching Phishing Scams Before Traditional Solutions Do
Find me a CISO that doesn’t want to reduce their phishing risks. It’s not going to happen. By the same token, find me a CISO that wants to rip out their existing phishing defenses and start over from scratch. Ummmm, no – nobody wants that either.
Just like threat hunting adds a powerful layer of defense on top of malware detection techniques, hunting for phishing scams has the same potential to wildly increase the effectiveness of enterprise phishing protection programs.
Here’s how it works: We train our software to recognize our customer’s branding (logos, colors, fonts, taglines, etc.) and their critical interfaces with users (login pages are a good example). Our software continuously evaluates web pages, social media, mobile app marketplaces, ads, and other assets, leveraging our training to identify indicators of impersonation. An indicator might be something visual, such as a brand’s logo on a page, or it could be a technical indicator hinting that the site is running a phishing kit, or even just running on a network that’s often used for criminal activity. Those indicators tell our system to dig deeper, looking for additional indicators, until we can eventually confirm – is this thing benign or have we found ourselves a phish?
Every day we evaluate tens-of-millions of web pages, including scouring everything new and newly active across the internet, generally within two minutes of those new systems coming online and/or seeing traffic. This allows us to proactively find the scams and phishing sites as they are being set up, well before phishing invitations can be sent out to victims.
When we identify a phishing site or impersonation scam, we immediately begin our response process. This involves blocklisting the sites, both with the major browser and OS vendors – and by providing the intel to your anti-virus, email, and web security systems.
At the same time, we initiate a permanent takedown of the site or content, which is generally complete within a few hours. For phishing sites specifically, we have one last tool, decoy injection. We actually fill the phishers net with fake data that we generate to look just like the real thing. This breaks the attacker’s economic incentive and generally sends them off to find a softer target.
By adding an automated threat-hunting component outside the perimeter to existing phishing programs, enterprises can reap real benefits. Finding and stopping phishing scams before they have the chance to do damage is a game changer.
Closing the gaps phishers use to get around email and web gateways will make you sleep better at night. And all you have to do is turn it on. It takes no time to deploy it, nor any staff to monitor it. Sign us up and we’ve got it from there. Interested in seeing our solution in action? Sign up for a demo today.
