If the number of high-profile breaches last year is any indication, cybercriminals are getting craftier. In 2019, the cybersecurity world saw the rise of new types of phishing attacks, plus brazen attempts to access networks through a variety of clever, new techniques. Cybercriminals stop at nothing to steal the most valuable thing that any organization owns: its data.
Staying safe in the era of cybercrime is no small feat. Everyone is a target—not just Fortune 500 companies. According to Verizon’s yearly cybersecurity report, at least 43 percent of all breaches targeted small companies.
Tried-and-True Phishing: The Oldest Trick In the Book
Phishing has been around for many years, but it remains one of the most popular forms of cyberattack. In 2019, Verizon found that phishing was the number one threat for companies of all sizes.
There are many examples of email phishing out there. Everyone is familiar with the shady emails claiming to be from an heiress who needs help transferring money into the country. Another type of phishing attack is known as a social engineering or social deception attack. In this attack, a criminal creates a counterfeit email that mimics a legitimate communication from a bank or other organization from which a person might be expecting an email.
Sometimes the criminals simply ask for sensitive information, backed by a good story: the email presents some tale about a payment receipt, a frozen account, or fraudulent activity detected. It closes with a convenient link for the user to “log in” and investigate. However, when a user enters information into the form, a keylogger steals the credentials to the actual account. The thieves then empty whatever account was provided before the user can react. Attacks like this were—and still are—incredibly common in social media, where thieves harvest account info and use hacked accounts to spread spam links, generate ad income, and/or harvest more account info to be sold to the highest bidder.
According to Small Biz Trends, employees receive an average of four to five phishing emails every week. Once, typos and poor designs made them easy to catch. Today’s phishing emails, however, are professionally crafted and sent from spoofed emails, making them much more difficult to spot.
Phishing can be hard to combat. The cybersecurity experts at CDS have put together a business guide to preventing and handling phishing attacks.
Spear Phishing: A Targeted Attack
Spear phishing is one of the more specialized types of phishing attack: a targeted email sent to a specific person or organization. Like phishing, it consists of counterfeiting emails that the business or person might be expected to receive. Unlike phishing, the cybercriminal carefully researches and selects the target. These emails are often personalized and very difficult to spot.
Kaspersky notes that spear phishing most commonly occurs when a hacker is either trying to access company-specific networks or archives or when they’re trying to install malware on a specific computer. Hackers may also try to use spear phishing as part of a digital extortion campaign, where they claim to have access to contacts or sensitive information and demand money in exchange for not releasing damaging materials. As a result, major companies and government offices see a much higher number of spear phishing attacks than others.
Since successful spear phishing requires a cybercriminal to research his or her target before creating an email, organizations can take a few steps to protect themselves. First, train employees not to freely hand out their work contact information or post it where it’s publicly available online. Likewise, provide a list of login URLs to employees and instruct them never to include links in emails, or click on any links they may receive. Furthermore, never use a work email for personal accounts, such as banking, online shopping, or social media.
Business Email Compromise Attacks: Spear Phishing Like a Boss
While spear phishing targets a relatively narrow set of industries, Cisco’s 2019 email security report found the business email compromise (BEC) type of attack in nearly every industry it surveyed. In this type of phishing attack, a hacker spoofs (or sometimes hacks) the email of an executive or higher-level manager. He or she then sends emails to subordinates instructing them to carry out seemingly legitimate business functions. Some attackers even go so far as to register deceptively similar domain names with only minor changes. This is known specifically as a homograph attack, and is very difficult for even the most well-trained human to detect. Subtle changes might include changing the letter ‘m’ to the letters ‘rn’ (‘r,’ followed by ‘n’) or using Unicode characters that look like normal letters in popular domains, such as this “ɡ” imposter that’s nearly impossible to spot with certain fonts (note the difference side by side: g, ɡ).
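Because humans struggle with ‘rn’ versus ‘m’ and with Unicode lookalikes such as ‘ɡ’, this kind of check is better left to a mail filter. The following is an example added to this article, not CDS’s own tooling: it inspects a From: header, reduces the sender’s domain to a visual “skeleton” so that lookalikes of a trusted domain collide with it, reports any non-ASCII domain together with the punycode (xn--) form that DNS actually resolves, and flags the executive-impersonation pattern described above when a known executive’s display name arrives from an untrusted domain. The trusted domains, executive names and confusable tables are constructed for illustration; the confusable tables are a small hand-picked subset rather than Unicode’s full confusables list, so a clean result means “nothing obvious”, not “safe”.

```python
"""Lookalike-sender check for From: headers (example code, not CDS's tooling)."""
import unicodedata
from email.utils import parseaddr

# Constructed: domains this organization legitimately sends mail from.
TRUSTED_DOMAINS = {"example.com", "goodbank.example"}

# Constructed: display names attackers would impersonate in a BEC attempt.
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Constructed subset of Unicode confusables: lookalike character -> ASCII letter it mimics.
UNICODE_CONFUSABLES = {
    "\u0261": "g",  # LATIN SMALL LETTER SCRIPT G, the 'ɡ' imposter from the text
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
}

# ASCII sequences that read as a different letter in many fonts ('rn' for 'm', etc.).
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o")]


def skeleton(domain: str) -> str:
    """Collapse a domain to a visual skeleton so that lookalikes compare equal."""
    text = unicodedata.normalize("NFKC", domain).lower()
    text = "".join(UNICODE_CONFUSABLES.get(ch, ch) for ch in text)
    for fake, real in ASCII_CONFUSABLES:
        text = text.replace(fake, real)
    return text


def to_punycode(domain: str) -> str:
    """Return the ASCII (xn--) form that a resolver would actually look up."""
    try:
        return domain.encode("idna").decode("ascii")
    except UnicodeError:
        return domain  # not encodable as an IDN; report it unchanged


def check_sender(header_value: str) -> list:
    """Return a list of findings for one From: header value; empty means nothing found."""
    display_name, address = parseaddr(header_value)
    if "@" not in address:
        return ["unparseable address"]
    domain = address.rsplit("@", 1)[1].rstrip(".").lower()

    # Exact trusted domains and their subdomains are fine as they are.
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return []

    findings = []
    if any(ord(ch) > 127 for ch in domain):
        findings.append(f"non-ASCII domain {domain!r} (punycode {to_punycode(domain)})")

    sk = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        tsk = skeleton(trusted)
        if sk == tsk or sk.endswith("." + tsk):
            findings.append(f"{domain!r} is a lookalike of trusted domain {trusted!r}")

    if display_name.strip().lower() in EXECUTIVE_NAMES:
        findings.append(
            f"display name {display_name!r} matches an executive but domain {domain!r} is not trusted"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample headers: one genuine, one 'rn' trick, one Unicode 'ɡ' trick, one free-mail exec.
    for header in [
        "Jane Doe <jane.doe@example.com>",
        "Jane Doe <jane.doe@exarnple.com>",
        "ceo@\u0261oodbank.example",
        "Jane Doe <jane.doe@gmail.example>",
    ]:
        print(header, "->", check_sender(header) or "no findings")
```

In a real deployment the skeleton comparison would use the full Unicode confusables data and run against the registrable domain rather than a hand-written set, and the executive check would be keyed on the directory, not a literal list; the structure of the checks is the point here.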
Cisco found that the BEC attack was among the types of phishing attacks that became most prominent in 2019. Alone, BEC attacks resulted in $1.3 billion in losses for companies worldwide.
Protecting against BEC scams is difficult because hackers spoof addresses, send personalized messages, and have the advantage of the psychology of authority. However, a clearly written policy describing when, where, and why employees can expect to receive emails from superiors can help spot unusual requests. Likewise, encourage employees to always confirm suspicious emails from colleagues by reaching out to them in another way.
Get Managed Technology Services to Stay Safe From Phishing
Many more types of phishing attacks are arising as hackers figure out how to use this proven strategy in more innovative ways. Keeping your email safe in 2020 will be challenging. However, a managed services plan can provide the infrastructure, monitoring, experienced engineers, and other proactive measures necessary to keep a network safe. Likewise, employee education is critical to identifying scammers and hackers, no matter how clever they may be.
Unsure of how to prevent phishing attacks? CDS provides InfoSec training to help organizations stay ahead of cybercriminals. Contact us today to discuss your challenges with phishing emails.