As an IT security professional, you spend your day protecting your organization and managing risk. You handle the day-to-day tasks that help keep the criminals out, like monitoring log files, updating antivirus software, managing firewalls, and responding to cyber security incidents. You deal with threat vectors like phishing every day, but can you explain to your boss (or your boss’ boss) the seven things about phishing that he or she really needs to know?
1) Why should I care about phishing? Isn’t that an old trick?
Historically, phishing schemes involved criminals sending emails that appeared to come from a legitimate business that asked people for personal information, passwords, or other credentials. The attackers then used that information to hack into accounts, steal money, or otherwise compromise their victims. Since many people in the workplace now know to identify emails and links that are blatantly suspicious or fake, today’s hackers often successfully employ social media and mobile apps to conduct their attacks.
2) What are other types of phishing attacks?
Spear phishing is a personalized phishing attack. Instead of sending emails en mass, the criminal studies the target (using social media profiles or other publicly available information) in order to include personal details that make the phishing email seem very legitimate. Unlike general phishing schemes that use a person’s trust in a brand or company to trick them, spear phishing uses knowledge of a person’s friends, work, family, or other personal details to trick them into believing the email is from an acquaintance or legitimate businessperson. Spear phishing emails have been responsible for some of the largest data breaches, and remain a very successful way to infiltrate even the most sophisticated companies.
Smishing is phishing via cell phone text message. Usually smishing messages are sent to phones en mass via email, so the number displayed may be a “5000” number or something similar. Since many people do their banking online and get confirmation message via text, financial firms are often a target of smishing attacks. If the victim responds with their username and password, their account may be compromised.
Vishing is the telephone version of phishing. Criminals use social engineering techniques to fool people into thinking they are employees at banks, software vendors, or other legitimate companies in order to trick people into handing over credentials. People can also use this tactic and pretend to be someone to open new lines of credit.
3) Who is targeted most frequently?
Executives’ assistants, senior managers, and people in the media field are the most targeted by spear-phishing attacks, according to a 2014 Symantec study. This study challenges the common belief that CEO’s and VP’s are the most targeted because they have the most to lose. Really, it is their assistants that criminals see as the weak entry points, so they are often the targets.
While assistants and senior managers are the most targeted, mid-level employees are most likely to actually click on a phishing link. A study from Proofpoint Inc. found that employees who were not in management roles were almost twice as likely to click on a phishing email link as both middle management and executives. Training employees about phishing should be an important part of your security plan.
4) How much do phishing attacks really cost?
A 2013 study by the British House of Commons, Home Affairs Committee estimated that the overall cost of cybercrime to the UK was £27bn in2012, with more than £600m directly attributable to phishing attacks. Our whitepaper, The Cost of Phishing: Understanding the True Cost Dynamics behind Phishing Attacks, enables you to calculate the impact to your own organization, regardless of size.
5) Can phishing attacks be anticipated?
In some instances, yes. Many times criminals launch phishing campaigns that take advantage of tragedies, data breaches, holidays, sporting events, and even income tax return season. Another way to anticipate phishing attacks is through technology. If a criminal steals content from a website that has the Cyveillance Protected Site Seal and uses it to build a phishing kit, we can track the stolen code. If the website with this code makes a request to our host servers from an unexpected location, we can check it out and let you know if it is a phishing attempt.
6) How much do phishing attacks really impact organizations?
- $5.9 billion: Global losses from phishing attacks in 2013 (EMC)
- 37.3 million: Users who experience phishing attacks in 2013 (Kaspersky Lab)
- 53.95% of all attacks: Percentage of attacks on payment services firms, the most targeted industry (APWG);
- 24.26% of all attacks: Percentage of attacks on financial services firms, the second most targeted industry (APWG);
- 7.79% of all attacks: Percentage of attacks on retailers, the third most targeted industry (APWG)
7) How are rogue mobile apps related to phishing?
Rogue mobile apps are the latest version of the “old” phishing schemes. Criminals use the same tactics of social engineering and trickery, but apply them to mobile. Rogue apps pose as legitimate apps, and once they’re downloaded, steal information from the user’s device. As with traditional phishing, rogue mobile apps take advantage of companies with well-known brands and may also utilize text messages.
Regardless of what form they take, phishing scams are still very lucrative for criminals. So next time your boss (or her boss) asks why you need budget for an anti-phishing solution, or asks why they should be concerned about phishing attacks, you’ll be well-informed.