According to new research by Drexel University and Arizona State University presented at the International Symposium on Research in Attacks, Intrusions and Defense (RAID), many Fortune 100 companies do not report the phishing scams that use their names in links. Many scammers use phishing links or emails carrying the name of a well-known brand to steal the personal information of people who click on the links. Even though many measures are being taken to reduce it, there has been an unimaginable increase in phishing attacks.
If a phishing attack uses a company name, that company can easily report the attack so cybersecurity experts and authorities can take suitable measures to mitigate the scam. But the rate of reporting phishing attacks is very low, and a 2020 study suggests that a phishing link is clicked an average of 27 times before it gets reported. Many users are trained and instructed on how to report a phishing email, but only a few actually do it.
To see how companies perceive reporting phishing links, the team of researchers looked at three perspectives: how cybersecurity companies provide appropriate measures to people who report phishing attacks, what the experience is of individuals preparing to report a phishing attack, and what the post-reporting response of reporters and cybersecurity companies is.
When a company reports a phishing attack, it often does not care about what happens afterward.
The researchers ran an experiment in which they made fake phishing links using the names of different companies and organizations. They used the website links of some companies and sent them to a number of people. The researchers found that 29 out of 39 cybersecurity companies reached out to reported sites when the phishing scam happened, but only 19 of them replied to the reporter. The reporter had no clue about what happened to the phishing site, whether it was taken down or not.
The researchers say that cybersecurity companies should improve how they respond to reports and should quickly reply to any queries. People should be given advice and solutions about how to be safe from phishing attacks and what measures should be taken if they become a victim.