Posted October 2, 2017
To kick off National Cyber Security Awareness month, today we’re going to talk about one of the most common and effective online scams: phishing. In the last 12 years, phishing attacks have grown more than 5700%. Adding fuel to the fire, a phishing email is often the start of a much larger-scale cyber attack. According to the Verizon 2017 Data Breach Investigations Report, 43% of data breaches used phishing attacks. Why? It is considerably easier to persuade a user to click a link than to attack a reasonably well-defended network.
Typically seen in the form of emails, phishing is used to lure us into providing sensitive information, installing malware, or just confirming that we are live users ready for future exploitation. Email is not the only delivery mechanism; phishes can also be sent via instant message, social media, phone calls, or even in person.
In the past, phishing emails were much easier to detect. A common example is the “Nigerian Prince” email: it was written in somewhat broken English with many errors, its links were not obfuscated, and its senders were obviously spoofed. While there are still plenty of examples like that, the general level of sophistication has increased substantially. A common theme that aligns with current business and consumer technologies is phishing emails with links to Microsoft Office 365, Google Drive, or iCloud. Another frequently used technique is attaching a malicious document disguised as an invoice.
Why do users still fall for the phish? Psychology is behind this.
Attackers use social engineering principles such as authority, familiarity, and urgency to persuade, coerce, or manipulate their targets into providing sensitive, private, or confidential information. In 2016, Mattel wired $3M to Chinese hackers based on a spoofed email that appeared to be from the company’s CEO. That would be the principle of authority in play. Phishing emails that claim that a user’s account has been suspended leverage urgency. Familiarity can take the form of an email that appears to be from someone the user knows.
Why do attackers still choose phishing? It’s one of the easiest ways to manipulate targets.
Based on what we discussed above, it doesn’t take much time or effort to launch a successful phishing attack. As a result, it’s one of the more effective ways for attackers to get what they want, whether that is financial gain or a political or ideological goal.
Financial Gain. Whether a phish is used to steal an individual’s credentials, which are often reused across many platforms, or to access an entire financial institution, the outcome can be monetary in nature. Take the Carbanak banking malware: the attack was delivered via phishing emails with malicious attachments, and the hacker group behind it is estimated to have stolen between $500M and $1B USD.
Political and/or Ideological. Attackers typically target a specific organization or industry if they disagree with certain values upheld by that institution. The Democratic National Committee was hacked during the 2016 presidential campaign through a phishing email disguised to look like it came from Google, and in 2015 the U.S. State Department was similarly hacked.
How can we protect ourselves?
Recognizing the signs of a phishing email is an essential part of avoiding a phish. Employees should be educated about phishing techniques, so they know never to click on obfuscated or shortened links. Links such as a bare “Click Here” or http://ow.ly/ux3230fh3R2 make it very difficult for users to judge whether the destination is legitimate, so it is best to have them forward such messages to your security team for analysis rather than trying to make that determination themselves.
As phishing attacks become more sophisticated and targeted, creating a culture of security in your organization is the most effective way to combat phishing. Empower employees and vendors to spot phishes, and reward them for doing so. Be sure to have a specific address where suspicious emails can be forwarded for analysis. Outsourcing is also an option. LookingGlass Cyber Solutions provides services to assist companies with detecting and avoiding phishing attempts, as well as brand protection and monitoring.