As data breaches persist, cyber criminals have also increased their proficiency in carrying out targeted attacks
2.8.19 – SIW – JOEL GRIFFIN
While popular culture might lead you to believe that today’s hackers are computer geniuses with intimate knowledge of network architectures who go about their days working in a dark, shadowy underworld clothed in hooded sweatshirts, the reality is much different. Aside from nation-state actors and organized crime rings that run hacking schemes like a regular 9 to 5 job, many malicious online actors are simple con artists with basic computer skills just waiting on some poor sucker to take their bait.
These fraudsters typically employ what are commonly known as phishing scams, which involve crafting an email in a way that seems to the average user like it is coming from a credible entity, such as a bank or an employer, but in actuality is a scam designed to dupe the victim into unknowingly turn over confidential information or click on a link that downloads a malicious link onto their desktop or mobile device. Some of these schemes even include highly detailed information about the recipient and/or people they know in much more targeted attacks known as spear-phishing attacks. Both of these attack methodologies have proven to be highly effective in recent years and have evolved greatly from the early days of the internet.
According to a study sponsored by Cloudmark and conducted by Vanson Bourne in 2016, 38 percent of firms polled in the U.S and UK reported that cyberattacks they suffered were the results of spear-phishing campaigns. In addition, the study also found that average phishing attack cost a mid-sized company nearly $1.6 million to remedy.
Given the success rate of phishing, it’s should come as little surprise that these types of attacks are on the rise. In fact, the “Enterprise Phishing Resiliency and Defense Report” published by PhishMe in 2017 found that phishing attempts had grown within the past year by 65 percent.
Unlike the Nigerian email or EU lotto schemes of old, Mike Gross, Head of Global Fraud & ID Product Innovation at Experian, says today’s phishing scams are much more sophisticated.
“These were very generic, random and everyone got the same message telling them there was a prince who had $15 million waiting for them in an account overseas and it required a lot of one-on-one attention if I wanted to make something very personalized,” he explains. “Now, with all of the breaches that have happened over the last several years with the advances in technology and automation tools that allow criminals to aggregate all of that breach data and put it into a big mail merge, they are much more easily able to target a campaign to a specific audience, referencing you by name, including information that might have been breached in one or multiple data breaches, and make it look like it’s coming from a friend or colleague.”
Now instead of getting a random email with rampant misspelling that would likely be rejected on the surface, users are receiving messages that look like they are from a financial institutions, retailer or service providers with information that looks legitimate. Another common phishing attempt used by fraudsters is to impersonate executives within a company to trick employees into sending them gift cards or, worse yet, W2s of their fellow coworkers.
“You can think of fraudsters as advanced digital marketers. That’s the skillset they need today to be successful and many of them are extremely successful at getting high click-through rates and the type of information they need – whether it is spear-phishing the CFO of a company to get information on their executive assistant or trying to target Millennials because I know they are much more prone to be interested in the latest picture sharing app,” Gross says.
And though technology has improved in being able to filter some of these messages out inboxes, Gross says that trying to mitigate fraudsters through the use of technology alone is analogous to a “dog chasing its’ tail” in that attackers are always evolving and developing ways to circumvent safeguards. Gross says that organizations need to take a layered approach to cybersecurity in order to keep phishing and spear-phishing schemes from being successful.
For example, one simple step companies can take is to require dual-authentication on any type of wire transfer from a business account. Gross also recommends that organizations provide comprehensive training for their employees so they can keep an out for the tell-tale signs of phishing emails.
“It is getting really challenging to tell the difference between a phishing email and a legitimate one because it is so personalized. You can’t have the same static training that you had 15 years ago. That won’t cut it today because people know how to spot those types of phishing attacks,” Gross adds. “What they don’t understand is how to recognize the latest types of phishing attacks… so organizations have to update their training on an on-going basis.”
Because scammers are always looking to take advantage of recent news events, Gross says that people need to be cognizant of that and more heavily scrutinize emails that try to play off those headline grabbing stories, such as the recent government shutdown.
“The best phishers are taking advantage of what is happening in our daily lives, so it is taking advantage of the news cycle. If something happens in the news cycle that is relevant, they know it is going to be top of mind for everybody so people are going to be more likely to click on a link about that topic,” he says. “Organizations have to continue to up their vigilance, continue to educate their employees but they also need some protections in place around things like filtering emails and protections to make sure if someone tries to visit a site that is a known phishing link that they have some blocks in place to prevent employees from hurting themselves or the business.”
About the Author:
Joel Griffin is the Editor of SecurityInfoWatch.com and a veteran security journalist. You can reach him at firstname.lastname@example.org.