In the past year alone, there has been a tremendous increase in the number of phishing attacks on businesses. On a daily basis, cyber attackers are continuing to refine their exploits by acquiring and sharing phishing malware on sale in the dark web. As a matter of fact, over 41% of corporations are reporting daily attempted phishing attacks.
In this article, the discussion will cover the evolution of phishing attacks, how they work, and how you can spot and prevent attempted attacks in your organization. Since cyber attackers are advancing their phishing techniques on a daily basis, we will make a strong case for adopting a multi-layered defense that combines advanced security technology with educating your employees on phishing, so that your organization is impenetrable to attempted attacks.
How Has Phishing Evolved Over the Years?
In the past, phishing was mostly used in cyber-attacks targeting online banking. Criminals would clone your bank’s login page and prompt you to enter your details. On doing this, you would effectively give them control over your entire bank account.
Today, however, phishing has evolved and become more complicated yet subtle. Instead of relying on selling fake pills or targeting online banking platforms, cyber attackers who use phishing simply dangle a bait in front of you and wait for you to swallow it. Should you take the bait, you end up unknowingly providing them with critical and valuable information. In fact, did you know that 93% of the data breaches in companies involve phishing attacks?
How Common Are Phishing Attacks?
Do you think that your business is safe? Do you have an idea of the number of phishing attacks attempted against your organization daily? The answer may surprise you. Below is a graph illustrating the attempted phishing attacks on most companies.
Which Are the Most Common Reasons for Phishing Attacks?
According to the Data Breach Investigations Report for 2018 by Verizon, the top reasons for phishing attacks include:
• Financial gain
According to the report, 59% of phishing attacks are motivated by financial gain. To profit, criminals harvest data with a view to reselling it on the dark web, infect organizational systems with ransomware, and impersonate senior managers in order to manipulate employees into diverting organizational funds or parting with valuable data.
• To gain unauthorized access
According to the Data Breach Investigations Report, 41% of phishing attacks are perpetrated so that attackers can gain control of crucial organizational systems or take control of a company's network with a view to stealing important data.
Since most phishing attacks are motivated by financial gain, attackers tend to target employees who control the resources of an organization. Attackers also tend to target employees who control an organization's IT systems and business processes, with a view to opening the organization up to a wide range of attacks such as extortion and ransomware.
Below is a diagram illustrating the organizational departments mostly targeted through phishing attacks.
Which Is the Most Common Attack Strategy Used in Phishing Attacks?
According to a recent survey of 3,100 organizations, email is the most common vector used for cyberattacks on organizations. It is important to note that 53% of the cyberattacks that relied on email included phishing attacks.
Cyber attackers mostly use phishing as one stage of a multi-pronged and highly complex attack technique. Clicking a link or attachment in a phishing email typically connects the victim's machine to a server under the attacker's control, which can then spread malicious software across the entire organization's network.
With the advent of live marketing, phishing attacks have only become more sophisticated. Phishing emails are currently six times more likely to be clicked than regular consumer marketing emails.
Below is a diagram illustrating the most common attack vectors for most organizations.
Top Security Risks That Can Be Exploited to Carry Out Cyber Attacks
Given that most phishing attacks rely on technology, most IT managers rank technology among the top three security risks in their companies. Tech managers also rank people among the top three security risks, since criminals rely on human vulnerabilities to attack companies more and more with each passing day.
Below is a diagram illustrating the top security risks as per the results of a survey for 3,100 respondents.
How Are Most Phishing Attacks Carried Out?
1. Mass Phishing
These are attacks that are sent out in an impersonal batch or blast, and they typically take advantage of a reputable brand name to lure unsuspecting consumers. On clicking a link in the email, a person is usually redirected to a spoofed site where they are encouraged to part with credit card data, login credentials and other important data that the attackers can resell for financial gain.
Below is an image of a typical mass phishing attack.
2. Spear Phishing
This type of attack usually involves a cyber attacker impersonating a trusted source or specific sender in an email in order to manipulate the recipient into taking certain actions, such as sending funds to another account. Attackers usually use look-alike email addresses and target a specific organization. The attacker usually impersonates a trusted individual, such as a senior executive in the organization.
In fact, in a recent survey of 330 IT managers, 55% confirmed that their senior managers had been impersonated in spear phishing attacks. To make spear phishing emails more realistic and increase the chance that the receiver will act, most attackers gather data on the unsuspecting target using social engineering tactics, as seen in CEO fraud, whaling and business email compromise.
As shown in the diagram below, spear phishing emails and genuine emails are very similar.
3. Business Email Compromise
In this type of email phishing, attackers focus on compromising the email account of an employee instead of using a spoofed email address. These attacks usually focus on gaining access to the funds of an organization, corporate secrets and login credentials.
Attackers usually first spot a target company and then locate an employee within the organization. They then gather data from social sites such as LinkedIn, Twitter and Facebook so as to construct believable phishing emails.
Attackers then send the email to the employee while impersonating a high-level executive asking for important data. To increase the likelihood of compliance from the targeted employee, attackers usually add time pressure so that the employee does not have time to confirm the validity of a request.
How Are Email Phishing Attacks Evolving?
Instead of sending emails promising deals that are too good to be true, cyber attackers have moved on to sending mundane phishing emails that are harder to spot.
Below is a diagram containing the top ten phishing emails that most people fell for in a recent simulation training. As you will observe, these phishing emails contain very normal and mundane subject lines that are unlikely to raise the receiver's eyebrows.
Below is an example of content in one phishing email.
Tips on How to Spot Phishing Emails
To spot and deal with a phishing email, remember this acronym:
P: Promises unbelievable things
H: Harasses you to reply
I: Insists you act now
S: Has a sense of urgency
H: Hit delete
For example, you may receive a fake email telling you that someone bought an airline ticket using your card and that you should open a document if you want to dispute the payment. That is a mass phishing email.
If you see an email starting with 'Dear Customer', it is most likely a phishing email. If the salutation in the email contains your name, then it is a spear phishing email. If, for example, you receive a doubtful email from your boss, it could be a business email compromise phishing email.
If you are ever in doubt about a suspected phishing email, you should contact your IT department so that they can handle the phishing attempt and make everyone aware of the phishing attack.
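The rules above (the PHISH acronym plus the salutation and "doubtful email from your boss" cues) can be turned into a simple triage script that a help desk or security team could run over a reported message. The following is an added example, not code from the original article or from Intelecis; the phrase lists, the weighting, the sample messages and the treatment of a boss's display name on a foreign address or diverted Reply-To as a business-email-compromise signal are all constructed assumptions for illustration.

```python
"""Heuristic triage of a reported email using the PHISH cues.

Added example, not from the original article. Phrase lists, scoring and
sample messages are constructed for illustration only.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional, Tuple

# One constructed phrase list per letter of the acronym (P, H, I, S).
PROMISE_WORDS = ("you have won", "prize", "free gift", "guaranteed", "claim your")
HARASS_WORDS = ("reply immediately", "respond now", "final notice", "last reminder")
INSIST_WORDS = ("act now", "action required", "verify your account", "you must")
URGENCY_WORDS = ("urgent", "within 24 hours", "expires today", "immediately")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder")


def _first_line(body: str) -> str:
    """First non-blank line of the body, lower-cased (the salutation)."""
    for line in body.splitlines():
        if line.strip():
            return line.strip().lower()
    return ""


def analyse(raw: str, recipient_name: str,
            boss: Optional[Tuple[str, str]] = None) -> dict:
    """Score one RFC 822 message and classify it by the article's categories.

    boss is an optional (display name, address) pair for the recipient's
    manager, used for the business-email-compromise check (assumption).
    """
    msg = message_from_string(raw)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    first = _first_line(body)

    signals = {
        "promises": any(w in text for w in PROMISE_WORDS),
        "harasses": any(w in text for w in HARASS_WORDS),
        "insists": any(w in text for w in INSIST_WORDS),
        "urgency": any(w in text for w in URGENCY_WORDS),
    }
    score = sum(signals.values())

    generic = first.startswith(GENERIC_SALUTATIONS)   # "Dear Customer" -> mass
    named = recipient_name.lower() in first          # "Hi Alice" -> spear

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    impersonates_boss = False
    if boss:
        boss_name, boss_addr = boss
        looks_like_boss = boss_name.lower() in from_name.lower()
        # Assumption: the boss's name on a different address, or a Reply-To
        # that diverts replies elsewhere, is treated as BEC-style impersonation.
        impersonates_boss = looks_like_boss and (
            from_addr.lower() != boss_addr.lower()
            or (bool(reply_addr) and reply_addr.lower() != boss_addr.lower())
        )

    if impersonates_boss:
        kind = "business email compromise"
    elif named and score >= 2:
        kind = "spear phishing"
    elif generic and score >= 1:
        kind = "mass phishing"
    elif score >= 3:
        kind = "phishing (unclassified)"
    else:
        kind = "probably legitimate"

    action = "no action" if kind == "probably legitimate" else "hit delete and report to IT"
    return {"kind": kind, "score": score, "signals": signals, "action": action}


# Constructed sample messages (not real phishing emails).
MASS = """From: "Airline Billing" <billing@example.net>
To: alice@example.com
Subject: Payment confirmation - ticket purchased with your card

Dear Customer,
A ticket was bought using your card. If you did not make this purchase,
open the attached document immediately to dispute the payment.
Act now, the window expires today.
"""

SPEAR = """From: "HR Portal" <hr@example-hr.net>
To: alice@example.com
Subject: Action required: verify your account

Hi Alice,
Your payroll profile is incomplete. Respond now and verify your account
within 24 hours or your payment will be delayed.
"""

BEC = """From: "Pat Chief" <pat.chief@example-mail.com>
Reply-To: pat.chief@example-mail.com
To: alice@example.com
Subject: Quick favour

Alice, I am in a meeting and cannot talk. I need you to wire the supplier
payment today, please confirm when done.
"""

LEGIT = """From: "Team Calendar" <calendar@example.com>
To: alice@example.com
Subject: Notes from Tuesday's meeting

Hi Alice,
Attached are the notes from Tuesday. No action needed.
"""

if __name__ == "__main__":
    boss = ("Pat Chief", "pat.chief@example.com")
    for name, sample in (("MASS", MASS), ("SPEAR", SPEAR), ("BEC", BEC), ("LEGIT", LEGIT)):
        print(name, analyse(sample, "Alice", boss=boss))
```

The BEC sample scores zero on the acronym cues yet is still flagged, which is the point of the article's "doubtful email from your boss" advice: a wire request from a manager should be verified out of band regardless of how mundane it reads. Keyword lists like these are only a first filter and produce false positives, so the output is a reason to escalate to IT, not a verdict.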
Tips on How You Can Combat Phishing
Cyber attackers can launch phishing attacks against your organization in all shapes and sizes. Since there is no single ultimate defense against these attacks, your best hope of combating them is to adopt a multi-layered defense that combines advanced security technologies with education for your employees.
At Intelecis, we recommend that organizations use a three-pronged approach that entails:
1. Teach Your Employees How to Spot and Identify Phishing Attempts
When it comes to phishing attacks, your network users are your biggest vulnerability. It is therefore imperative that you train users to spot and avoid phishing attacks.
2. Adopt Pre-Delivery Measures
Given that many spam emails carry malicious files or links that deliver phishing malware, you should take steps to prevent phishing emails from ever reaching your users' inboxes. Some of the technology that you should adopt includes:
• Anti-spam
• Sender reputation: Blocks emails from known bad senders before they reach your users' inboxes
• Sender authentication: Detects suspected spoofing of the sender, as well as suspicious email subjects and content
• Sandboxing: Opens suspicious attachments in an isolated environment outside your network before they are delivered
• Malicious URL blocking: Filters known bad links
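The sender-authentication layer above is usually implemented with SPF, DKIM and DMARC: the mail gateway verifies the sending server and message signature, then applies the policy the sender's domain owner has published. The following is an added example, not code from the original article or from Intelecis, showing how a gateway might turn those verification results into a delivery decision. It assumes the gateway has already evaluated SPF and DKIM and recorded them in an Authentication-Results header, that the sender domain's DMARC TXT record has been fetched, and uses a simplified relaxed alignment rule; all headers, domains and records are constructed for illustration.

```python
"""Pre-delivery sender-authentication check (added example, not the article's code).

Reads SPF/DKIM results from an Authentication-Results header, checks that a
passing identifier aligns with the From domain, and applies the DMARC policy
(p=none/quarantine/reject) published by the sender domain. All inputs below
are constructed samples.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, Optional, Tuple


def parse_auth_results(header: str) -> Dict[str, Tuple[str, str]]:
    """Return {method: (result, identifier domain)} for spf and dkim clauses.

    The first ';'-separated field is the authserv-id and is skipped.
    """
    results: Dict[str, Tuple[str, str]] = {}
    for clause in header.split(";")[1:]:
        m = re.match(r"\s*(spf|dkim)=(\w+)", clause, re.IGNORECASE)
        if not m:
            continue
        dom = re.search(r"(?:smtp\.mailfrom|header\.d)=([\w.@-]+)", clause, re.IGNORECASE)
        ident = dom.group(1).rsplit("@", 1)[-1].lower() if dom else ""
        results[m.group(1).lower()] = (m.group(2).lower(), ident)
    return results


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=quarantine; ...') into tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def _aligned(a: str, b: str) -> bool:
    """Simplified relaxed alignment: equal, or one is a subdomain of the other (assumption)."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def disposition(raw: str, dmarc_txt: Optional[str]) -> str:
    """Decide what the gateway should do with the message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    # DMARC passes if SPF or DKIM passed AND that identifier aligns with From.
    dmarc_pass = any(res == "pass" and _aligned(dom, from_domain) for res, dom in auth.values())
    if dmarc_pass:
        return "deliver"
    if not dmarc_txt:
        return "deliver (no DMARC policy published)"
    policy = parse_dmarc_record(dmarc_txt).get("p", "none")
    if policy == "reject":
        return "reject"
    if policy == "quarantine":
        return "quarantine"
    return "deliver (monitor only)"


# Constructed samples: a spoofed From with failing SPF, and a genuine message.
SPOOFED = """From: "Finance" <finance@example.com>
To: bob@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=ops@attacker-mail.test; dkim=none
Subject: Invoice attached

Please see the invoice.
"""

GENUINE = """From: "Finance" <finance@example.com>
To: bob@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Subject: Invoice attached

Please see the invoice.
"""

DMARC_QUARANTINE = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print("spoofed:", disposition(SPOOFED, DMARC_QUARANTINE))
    print("genuine:", disposition(GENUINE, DMARC_QUARANTINE))
    print("spoofed, no policy:", disposition(SPOOFED, None))
```

The third case is the one worth noticing: when a domain publishes no DMARC record, a failed SPF check alone gives the gateway nothing to act on, which is why publishing a policy for your own domains (and moving it from p=none to quarantine or reject once legitimate senders are covered) is part of the pre-delivery layer, not only the filtering.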
3. Adopt Post-Delivery Measures
This is the final line of defense for your organization. If one of your employees clicks on a phishing email or a malicious file, only an endpoint security solution can still save them. The ideal endpoint solution should have anti-ransomware, anti-exploit and deep learning capabilities.
Intelecis Can Help Your Organization Fight Phishing Attacks.