In my day-to-day work in the field of information security awareness and training, I often get questions related to the duration of Phishing campaigns. This is because one of the most effective methods to measure an organization’s level of exposure to this type of attack is to simulate the attack itself and observe how users behave when faced with a real—but harmless—Phishing scenario.
Let Them All Fall!
When launching a Phishing simulation, one of the most common questions from the people in charge is how long it should last. The initial instinct is usually to keep the simulation running for several weeks or even months, so that as many people as possible have time to fall into the simulated trap. But if we look at how real Phishing campaigns behave, a long window does not measure exposure to a realistic attack; it measures how many people would click on a page that stays up far longer than any attacker's page actually does.
Catch Me If You Can
According to a Webroot report, the average duration of a Phishing campaign is 15 hours, with a minimum of 15 minutes and a maximum of 44 hours. Additionally, 84% of the analyzed Phishing campaigns lasted less than 24 hours, showing a clear trend: Phishing campaigns are short-lived, and there’s a reason for that.
Not long ago, a single Phishing attack could last for several weeks or months, hosted on a specific domain owned by the attacker. While that may have seemed like a good idea, it gave organizations enough time to detect and block the emails or websites the attacker was using, effectively protecting their users. Security companies would blacklist these domains or IPs, taking that Phishing attempt out of the game.
That’s why attackers have evolved (and not just in this area…) and reduced the time their Phishing campaigns remain active on a given domain: a page that disappears within hours is often gone before reputation feeds and blacklists catch up with it. They also host their malicious content on legitimate domains they have compromised, which are harder to block via blacklists because the domain itself has a clean history and blocking it outright would break a legitimate site. A specific page of a given domain that is safe right now could be compromised the next second and start hosting Phishing content, while every reputation check on that domain still says it is fine.
Back to the Main Question
Considering all of the above, and coming back to the most frequent question (how long a simulated Phishing campaign should last): if we want to stay true to reality, it shouldn’t extend beyond two days. That way, the statistics we gather reflect what actually happens in real Phishing campaigns launched by cybercriminals, instead of being skewed by clicks that only occur because the simulated page stayed up for weeks. Clicks that arrive after the window closes can still be logged, but they belong in a separate line of the report, not in the headline click rate.
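The following is an added example, not code from the original post: a small Python script that applies the two-day rule to simulation results. It takes a constructed set of click timestamps (sample data invented for this example), computes the click rate inside a 48-hour window versus an open-ended window, lists the late clickers separately, and summarises click latency so the population can be compared against the 24-hour figure quoted above. The function and variable names are this example's own.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data for this example only (not from any real campaign):
# the simulated email was sent at SENT_AT; each recipient maps to the time of
# their first click on the simulated landing page, or None if they never clicked.
SENT_AT = datetime(2024, 3, 4, 9, 0)
CLICKS = {
    "u01": SENT_AT + timedelta(minutes=12),
    "u02": SENT_AT + timedelta(hours=3),
    "u03": None,
    "u04": SENT_AT + timedelta(hours=20),
    "u05": SENT_AT + timedelta(hours=47),
    "u06": None,
    "u07": SENT_AT + timedelta(days=6),   # only possible because the page stayed up
    "u08": SENT_AT + timedelta(days=19),  # same
    "u09": None,
    "u10": None,
}

# Measurement window taken from the figures in the post: real campaigns rarely
# outlive 48 hours, so later clicks would not have happened against a real page.
REALISTIC_WINDOW = timedelta(hours=48)


def clicked_within(clicks, sent_at, window):
    """Recipients whose first click happened no later than sent_at + window."""
    return sorted(uid for uid, t in clicks.items()
                  if t is not None and t - sent_at <= window)


def clicked_after(clicks, sent_at, window):
    """Recipients who clicked only after the window closed.

    Report these separately; folding them into the headline rate is what
    inflates the numbers of a weeks-long simulation."""
    return sorted(uid for uid, t in clicks.items()
                  if t is not None and t - sent_at > window)


def click_rate(clicks, sent_at, window):
    """Share of all recipients who clicked inside the window (0.0 for no recipients)."""
    if not clicks:
        return 0.0
    return len(clicked_within(clicks, sent_at, window)) / len(clicks)


def latency_summary(clicks, sent_at):
    """Hours from send to first click, with counts inside 24h and 48h so the
    result can be set beside the report's '84% under 24 hours'."""
    hours = sorted((t - sent_at).total_seconds() / 3600
                   for t in clicks.values() if t is not None)
    return {
        "clickers": len(hours),
        "within_24h": sum(1 for h in hours if h <= 24),
        "within_48h": sum(1 for h in hours if h <= 48),
        "median_hours": median(hours) if hours else None,
    }


def campaign_close_time(sent_at, window=REALISTIC_WINDOW):
    """When the simulated landing page should stop resolving and logging."""
    return sent_at + window


if __name__ == "__main__":
    print("48h click rate:", click_rate(CLICKS, SENT_AT, REALISTIC_WINDOW))
    print("open-ended click rate:", click_rate(CLICKS, SENT_AT, timedelta(days=365)))
    print("late clickers (report separately):", clicked_after(CLICKS, SENT_AT, REALISTIC_WINDOW))
    print("latency:", latency_summary(CLICKS, SENT_AT))
    print("close landing page at:", campaign_close_time(SENT_AT))
```

With the sample data the headline rate drops from 60% to 40% once the window is capped at 48 hours; the two late clickers are still visible in the report, just not counted as if a real attacker's page had been waiting for them.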