Don't fall for dangerously convincing phishing attacks. Read and share our complete guide to keeping your network and business safe from malware.
Can you tell the difference between a legitimate email and a phishing email?
In the last year, phishing attacks have seen a significant increase as attackers continue to refine their tactics and share successful types of attacks within their communities. Specifically, they've taken advantage of the malware-as-a-service offerings on the dark web to increase the efficiency and volume of their attacks. In fact, 91% of cyber-attacks and their resulting data breaches now begin with a spear phishing email message.
Let's dive into the evolution of phishing, how it works, and what it looks like. And as cyber criminals continue to victimize employees through their technology, we'll stress the importance of a multi-layered defense against phishing attacks: combining advanced security technologies with educated employees.
The evolution of phishing in recent years
In 2016, the volume of attacks increased dramatically, fueled by dark web services such as free phishing kits and phishing-as-a-service.
Phishing campaigns are generally more successful when they use contextually relevant lures. Between 2013 and 2015, phishing attack trends followed consistent and predictable patterns. This was not the case in 2016. Instead of peaking at the end of the year, phishing attacks dipped in the middle of the year with a localized spike in attacks that took advantage of regionally specific events or periods of fear and anxiety. For example, uncertainty around the UK Brexit vote was used to target government departments in May and June 2016. And tax return season in the US saw IRS-themed attacks increase by 400% over previous years.
Improved efficiency and productivity
For the most part, cyber criminals are interested in money. Either they'll extort money from you using ransomware or social engineering, or they'll steal data and credentials that can be sold via dark web markets. As the phishing threat landscape evolves, so do the attackers.
Currently, 89% of phishing attacks are carried out by organized crime. As phishing is run like a business, attack strategies have evolved in ways we can all identify with.
Free phishing kits
An interesting fact about the phishing ecosystem is that there are plenty of actors committing attacks, but only a small number of phishers sophisticated enough to write a phishing kit from scratch. Because of this, phishing kits are now widely available for download from dark web forums and marketplaces. They give attackers all the tools they need to create profitable phishing attacks: email, web page code, images, and more.
Attackers don't even need to know how to create malware or send emails anymore. "As-a-service" and "pay-as-you-go" solutions are increasingly available to attackers:
- Ransomware-as-a-service: Allows a user to create an online account and fill out a quick web form. The provider of the service then takes a "cut" of each ransom paid. e.g. Satan Ransomware, an online service allowing crooks to create their own virus in minutes and start infecting Windows systems.
- Phishing-as-a-service: Allows users to pay for phishing attacks to be sent for them, with a guarantee to bill only for delivered email messages. e.g. a spam-sending service priced per email delivered to an active mailbox, with click-through rate tracking available.
Even better than marketing
These dark web services have freed up attackers' time so that they can concentrate on refining their campaigns and honing their nefarious skills.
Their tactics are allowing them to achieve the kind of results most sales and marketing teams would be jealous of, with phishing emails currently 6 times more likely to be clicked than regular consumer marketing emails.
How does phishing work?
Phishing is about convincing you to provide something valuable to the attackers. And, what started off as simply "phishing" has now developed into three branches of attacks: mass phishing, spear phishing, and the recently emerging trend of Business Email Compromise tactics, acting as a subset of spear phishing.
Mass phishing attacks are opportunistic, taking advantage of a company's brand name and trying to lure the brand's customers to spoofed sites where they are tricked into parting with credit card information, login credentials, and other personal information that will later be resold for financial gain.
- Targeting the assets of individuals
- Typically consumers of a brand's products or services
- Impersonal batch and blast
- Focused on stealing personal data, such as login credentials
In spear phishing, emails impersonating a specific sender or trusted source are sent to targeted individuals within organizations to try to get them to take certain actions, like sending money to spurious accounts.
- Targeting the assets of a specific organization
- Typically an individual or specific group in an organization
- Spoofed (look-alike) email addresses to aid conversion
- Impersonates trusted sources and senior executives
Even more targeted subsets of spear phishing have since emerged using social engineering to gather target data and increase conversions. These are known as CEO Fraud, Whaling, and most recently, Business Email Compromise [BEC].
Business Email Compromise
BEC attacks are so-named because they're associated with employee email accounts being compromised rather than the sender being spoofed. This makes attacks much harder to spot by end users.
- Targeting corporate information, access credentials, or funds from a company
- After attackers choose an organization to target, they will locate individuals within that business to attack by gathering data from sites like Facebook and LinkedIn to construct highly targeted and believable phishing emails
- The attacker then isolates that individual by timing email messages for the very end of the day or week
Unlike mass or spear phishing campaigns, these attacks regularly target company funds. And unlike attacks from earlier years that would provide destination bank account information to would-be victims in PDF attachments, BEC attacks hold back such information until a positive response has been sent by the victim. After all, a fraudulent account will be the attacker's biggest expense in the attack. It is an important asset to guard, as it could be handed to the authorities if the victim realized the ruse early on.
BEC attacks are altogether harder to spot since the attackers compromise corporate email accounts to send from. In fact, the latest FBI figures show that a staggering number of businesses are now falling for these kinds of attacks, with losses in 2016 reaching $3.1 billion across 22,000 enterprises.
Spot the signs
So those fake invoices that arrive in your inbox telling you that someone bought an airline ticket on your credit card, and to please open the attached document for details if you want to dispute payment? That's mass phishing.
So are those fake emails that say they need you to confirm your company's address so that an undelivered item can be shipped.
Spear phishing, for the most part, is very much the same thing, except the bait is more specific. In the case of BEC attacks, the message might not contain any malicious links or attachments at all; instead, it asks you to transfer funds, which makes the attack seem more believable.
Simply put, if a fake email starts with "Dear Customer", it's phishing. But if it greets you by name, it's spear phishing. And if it comes from your boss's actual email account, it's a Business Email Compromise [BEC] attack.
Of course, many spear phishing attacks are much more targeted than that. Well-prepared crooks may know your job title, your desk number, the sandwich shop you often visit for lunch, the friends you hang out with, your boss's name, and even the name of the supplier of your company's coffee beans.
The fight against phishing
Phishing emails come in a variety of shapes and sizes, and unfortunately, no single product will fully protect your business from phishing attacks. A multi-layered defense against phishing attacks, combining advanced security technologies and educated, phish-aware employees, is the only answer.
To properly protect yourself, you need multiple lines of defense.
- Stop threats at the door - Email and Web Protection
Your first opportunity to defend against phishing attacks and other email-borne threats is strong email and web filtering.
The best defense against phishing emails is your email gateway, blocking 99% of unwanted email at the gateway, including malicious attachments, content, and URLs - long before end-users even see them.
- Protect your weakest link - Users
Appropriate training and education are critical for ensuring that all your employees know how to spot and deal with these types of email messages. Check out "10 Telltale Signs of Phishing".
- Secure your last line of defense
If your click-happy end users inadvertently unleash potent malware onto your systems, there is still ample opportunity to stop the damage, and even reverse the effects of the most advanced, previously unseen malware, and automatically clean up all traces of the infection so you can get on with your day.
Make sure your company processes are understood and communicated, encourage employees to question requests that seem out of character from other employees and senior managers (no matter how senior), and, perhaps most important of all, ensure you have a two-stage approval process for all significant fund transfer requests. All the defenses in the world aren't going to stop an employee from unknowingly sending large payments to a thief without proper checks and balances in place.
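As an added example (not code from this guide or from any vendor it mentions), the script below turns the signs described above into a simple triage check that a mail-filtering layer could run before delivery: a generic "Dear Customer" greeting, a look-alike sender domain, an executive's name on an outside address, a request to move funds with no link or attachment, and end-of-day or end-of-week timing. The trusted domain (example.com), the executive name, the keyword list and the score thresholds are assumptions, and the four messages are constructed samples rather than real traffic.

```python
"""Heuristic phishing triage over raw email messages (added example for this
guide, not the guide's own tooling). Trusted domain, executive names, keyword
list and thresholds are assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
TRUSTED_DOMAIN = "example.com"      # assumed: our own mail domain
EXECUTIVE_NAMES = {"jane doe"}      # assumed: display names staff would trust
FUND_WORDS = ("wire transfer", "transfer funds", "bank details", "urgent payment")
END_OF_DAY_HOUR, FRIDAY = 17, 4     # assumed cut-offs for the timing check

def levenshtein(a, b):
    """Edit distance, used to catch one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def confusable_domain(domain, trusted=TRUSTED_DOMAIN):
    """True for domains that read like the trusted one: exarnple.com, examp1e.com, exmple.com."""
    if domain == trusted:
        return False
    homoglyph_fixed = domain.replace("rn", "m").replace("1", "l").replace("0", "o")
    return homoglyph_fixed == trusted or levenshtein(domain, trusted) == 1

def body_and_attachment(msg):
    """Return (plain-text body, has_attachment); handles single-part and multipart mail."""
    if not msg.is_multipart():
        return msg.get_payload(), False
    text, attached = [], False
    for part in msg.walk():
        if part.get_filename():
            attached = True
        elif part.get_content_type() == "text/plain":
            text.append(part.get_payload())
    return "\n".join(text), attached

def score_message(raw):
    """Score one RFC 5322 message string; returns (score, reasons)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    body, attached = body_and_attachment(msg)
    reasons = []
    if re.match(r"\s*dear\s+(customer|user|sir|madam|valued)", body, re.I):
        reasons.append("generic greeting")                  # mass phishing tell
    if confusable_domain(domain):
        reasons.append("look-alike sender domain")          # spear phishing tell
    if name.lower() in EXECUTIVE_NAMES and domain != TRUSTED_DOMAIN:
        reasons.append("executive name on outside address")
    asks_for_funds = any(w in body.lower() for w in FUND_WORDS)
    if asks_for_funds:
        reasons.append("request to move funds")
    if asks_for_funds and not attached and not re.search(r"https?://", body):
        reasons.append("fund request with no link or attachment")  # BEC pattern
    if msg.get("Date"):
        sent = parsedate_to_datetime(msg["Date"])
        if sent.hour >= END_OF_DAY_HOUR or sent.weekday() == FRIDAY:
            reasons.append("sent at end of day or week")
    return len(reasons), reasons

def verdict(score):
    """Gateway action for a score (thresholds are assumptions)."""
    if score >= 3:
        return "quarantine"
    return "flag for user review" if score else "deliver"

# Constructed sample messages, not real traffic.
MASS_PHISH = """From: "Airline Billing" <billing@ticket-refunds.example.net>
Date: Tue, 14 Mar 2017 09:12:00 +0000

Dear Customer,
A ticket was bought on your card. Open the attached document to dispute:
http://ticket-refunds.example.net/dispute
"""
SPEAR_PHISH = """From: "Jane Doe" <jane.doe@exarnple.com>
Date: Fri, 17 Mar 2017 17:45:00 +0000

Hi Sam, arrange a wire transfer before the weekend. Reply and I will send
the bank details. Jane
"""
BEC = """From: "Jane Doe" <jane.doe@example.com>
Date: Thu, 16 Mar 2017 18:10:00 +0000

Hi Sam, please arrange a wire transfer today; reply for the bank details. Jane
"""
LEGIT = """From: "Sam Smith" <sam.smith@example.com>
Date: Wed, 15 Mar 2017 10:00:00 +0000

Hi Jane, notes from this morning's meeting: http://intranet.example.com/notes
"""
if __name__ == "__main__":
    for tag, raw in [("mass", MASS_PHISH), ("spear", SPEAR_PHISH), ("bec", BEC), ("legit", LEGIT)]:
        score, reasons = score_message(raw)
        print(f"{tag:5} {verdict(score):20} {reasons}")
```

The third sample is the instructive one: when the message really comes from the compromised executive account, the sender checks all pass and only the content and timing signals remain, which is why a filtering layer alone cannot carry the BEC case and a separate approval process for fund transfers is needed.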
Contact us if you would like to discuss your current cyber security strategy. Our IT Consultants can help you architect a multi-layered defense against phishing attacks.