As Cybersecurity Awareness month gets underway, we take a deep dive into phishing, the most common and costliest cause of a data breach. From stolen credentials to malware dropped by a malicious link, more than 90% of all data breaches start with phishing the fraudulent sending of emails to obtain confidential information. It's the sharp tip of a very dangerous spear, yet organizations are still struggling to identify and prevent these increasingly sophisticated attacks.
Phishing is not a new phenomenon. In the 1990s, the only way to access the Internet was to dial-up for a fee, but you could take advantage of a thirty-day free trial to access the internet via an AOL floppy disk. To avoid paying after the trial period ended, some people found a way to change their screen names, making it look like they were AOL administrators. Using these fake screen names, they would phish for log-in credentials to continue accessing the Internet for free.
In the years since then, phishing attacks have evolved into many different types:
Types of phishing:
- Mass Mailing Phishing: one of the most common phishing methods used by scammers. Cybercriminals send the same constructed format to many targets in the hope that they get a catch. Their goal: to trick recipients into clicking a link that installs malware or asks them to share confidential details (like login credentials or financial information).
- Shared Document Phishing: phishing emails disguised as messages from legitimate individuals or companies, like Dropbox or Google Drive. In this case, recipients are notified that files have been shared with them.
- Spear Phishing: an email or electronic communications scam targeted towards a specific individual, organisation or business. These scams use information available about the person or business (e.g. on LinkedIn or the company website) to more effectively trick the recipient, making them more likely to click a link or attachment.
- Whaling: even more sophisticated and highly targeted phishing attacks - aimed at high-value targets such as senior executives - masquerading as a legitimate request.
- Business Email Compromise (BEC): BEC attacks involve fraud and deception, often targeting employees with access to company finance processes, who are duped into transferring funds to accounts controlled by the criminal. A compromised employee email account may be used to request payment to an alternative account (controlled by the attacker) or to notify the supplier's customers of a change in the invoice payment details.
Today, 54% of successful phishing attacks end in a breach of customer or client data. Of greater concern is that the practice is on the rise. Indiscriminate mass mailing phishing attacks rose 12% year-on-year (2020 - 2021) while increases in reported targeted attacks were even higher with spear phishing/whaling up 20% and BEC up 18%.
The negative effects phishing can have on a business are varied and sometimes irreversible. They include lost revenue, direct financial loss (for example through ransomware pay-outs), loss of intellectual property and sensitive data, reputational damage and disruption to operational activities.
Signs of phishing
The first and most important step in combatting phishing threats is being able to recognize the signs of a suspicious message.
A common red flag is an email that demands urgent action. This could be the threat of a negative consequence, or lost opportunity unless action is taken immediately. Attackers often use this approach to rush recipients into acting without checking credentials.
Bad grammar and spelling, as well as unfamiliar greetings, should also ring alarm bells. Emails from sources that are unfamiliar with the style of interaction used in your business should immediately arouse suspicion.
Be on the lookout for inconsistencies in email addresses, links or domain names. If an email originates from an organization corresponded with often, check the sender's address against previous emails. You can check if a link is legitimate by hovering over it to see what pops up. If an email allegedly originates from one place, but the domain name reads something else, it's likely a scammer at work.
Remember that most work-related files are now shared using tools like SharePoint, OneDrive or Dropbox. Therefore, even internal emails with attachments should always be treated with caution.
But be aware that scammers may send emails that appear to come from legitimate file-sharing sites or include links purporting to be for SharePoint or OneDrive. In these cases, the link is actually to a fake login page that mimics the real file-sharing site's login page to steal the user's account credentials as they log in.
Finally, and it might seem obvious, but don't automatically respond to requests for any sensitive information or immediate payment. Any time you are redirected to a login page, rather than clicking on any included link, open a browser and manually type in the known URL or search for the referenced organization. Many search engines can detect unsafe sites and will give you a warning. Any time you are told a payment is due or bank details have changed, refrain from taking action unless you are 100% certain the email and its content are legitimate. For example, contact the sender over another communication method using contact details already on record, before changing bank details or sending any monies.
Phishing in 2022
While the majority of social engineering attacks are still delivered by email, one-third of IT professionals have reported an increase in social engineering delivered via other communication platforms in the last year. These include attacks delivered via video conferencing platforms (44%), workforce messaging platforms (40%), cloud-based file-sharing platforms (40%) and SMS (36%).
Phishing on social media is becoming increasingly common, and in Q1 2022, LinkedIn users were targeted in 52% of all phishing attacks globally.
According to Proofpoint's 2022 State of the Phish report, employees at 74% of organizations have been sent fraudulent text messages (known as smishing), and the same percentage have been targeted on social media.
Hybrid Vishing attacks also reached a six-quarter high in Q2 2022, increasing 625% from Q1 2021. Vishing is the fraudulent practice of making phone calls or leaving voice messages purporting to be from reputable companies to induce individuals to reveal personal information. These hybrid threats differ from traditional vishing by first interacting with the victim via email. The actor includes a mobile number within the body of the email as a lure, which is designed to trick the victim into calling and submitting sensitive information to a fake representative.
Another new scam, which has been dubbed Ducktail, is a type of spear phishing that targets people in managerial, digital marketing, digital media and human resources roles. The attack begins with the fraudsters identifying potential Facebook Business/Ads users on LinkedIn and sending a message inviting them to open an attachment. However, the attachment contains malicious software that extracts stored Facebook session cookies for each browser that it finds, allowing the attacker to take over the Facebook account.
Strengthen your defenses
Cybercriminals now employ varied and sophisticated methods for their phishing scams; therefore a multi-layered approach to security is the best defense. This means maintaining multiple, layered lines of defense combining technical detective and preventative measures with people-based measures, such as education and awareness of the threat, as well as reporting and response measures. The reality is that even with these layered defenses your people and your business may still fall victim, so you need to plan to know how to respond to recover and minimize the damage or disruption caused.
Phishing attacks: defending your organization is available from the UK National Cyber Security Centre and provides a multi-layered set of mitigations to improve your organization's resilience against phishing attacks, whilst minimizing disruption to user productivity.
Make it difficult for scammers to reach your users by enabling email anti-spoofing controls (DMARC, SPF and DKIM) and encouraging partners and suppliers to do the same. Check incoming emails for spam, phishing and malware so that suspect emails can be filtered or blocked before they reach the intended recipient. Help users spot potential attacks by configuring your email system to flag emails where the reply email address is different to the from email address (a sign of email spoofing) and to color code or add a banner to highlight emails received from outside the business.
You might consider employing Managed Security Services to deal with alerts and suspicious activity. These third-party professional monitoring and management services work with organizations to protect hardware and data from potential cyberattacks.? They carry out all the detecting and fixing of cyber vulnerabilities. As well as benefitting from agreed service levels and 24/7 support, outsourcing can reduce staff training costs.
However, never underestimate the value of training your staff to be aware of phishing. 72% of infosec and IT professionals surveyed said their organization's current security awareness training program has lowered phishing failure rates. Training can be tailored to the user and their role in the business, for example, making sure procurement and finance staff know of the risk of BEC scams and have defined processes and procedures that will raise suspicions.
It's impossible to prevent? phishing attacks? by purely technical means, which is where phishing awareness comes in.? Your staff are simultaneously your biggest vulnerability and your first line of defense against such attacks.
Encourage and support questioning of suspicious emails or just unusual requests even if they appear to be from important individuals. Make sure your employees have the confidence to ask: is this genuine? Crucially, do not punish users if they get caught out. It discourages them from speaking out in future.
No organization, big or small, is invulnerable to phishing, so it's essential to understand how you might be targeted and what you can do to prevent a breach.
But think beyond your own organization. Consider how your outgoing communications appear to your suppliers and customers. Is the recipient expecting the email, will they recognize your email address, how will they know any included links are genuine? Help your suppliers and customers protect themselves from phishing, and give them a chance to detect attacks for example by letting them know that 'we will never ask for your password', or 'our bank details will not change at any point.
Contact the VikingCloud team for more information.
.png)
