Phishing By The Numbers
Most people know what an email phishing scam is and have learned not to click links in unexpected emails. In fact, according to Verizon’s 2019 Data Breach Report, click through rates are at an all-time low – down to 2.99%.(2) This good news has developed through increased training, practice and sophisticated software screening tools, significantly lowering the incidence of people falling for the earliest types of phishing—helping the Nigerian prince who offers payment in return or clicking a link in an email from www.Amaz0n.com.
Unfortunately, while this good news represents progress, it does not mean that phishing is slowing down; it’s just changing form, morphing into more malicious and obscure versions of the same types of cons that have been around for centuries. In fact, the same Verizon report indicates that phishing is the top threat action in breaches, and email attachments are the top means of spreading malware.(2) A 2019 email security practices survey by Barracuda Networks found that 31% of respondents had experienced a business email compromise (BEC) attack, and 75% admitted to receiving brand impersonation emails in the last 12 months—with many experiencing more than one event.(3)
What’s New: Phishing Sophistication
So what types of phishing attacks are used today? The ones that work now are much more sophisticated than past scams, relying on elaborate schemes with multiple attack vectors that increase their chances of success. Like the con artist in the BB&T story, today’s scammers are aware of current events and the training people have had, and they are changing their tactics accordingly. They often research their victims before initiating contact. By choosing topics a victim is interested in or dropping personal details into the scam, they sound especially convincing and trustworthy. They also avoid attachments and embedded links because screening software typically looks for these indicators to identify and delete fraudulent messages. Without them, the messages are much more likely to reach their targets.
Spear Phishing Matures
Spear phishing is targeted phishing. That means the con artist has done some research before launching the scam and is tailoring the scam story to the victim(s). Unlike a general phishing scam, spear phishing attacks are designed to target victims who have something of specific value to the attacker—money, access to information, or data. Spear phishing is not only the fastest growing version of phishing, but has also increased in sophistication in the last few years as attackers take advantage of new technologies to hide their tracks. These technologies include email spoofing, Caller ID spoofing, and IP spoofing. Another new technology allows phishers to use server-parsed HTML (SHTML) attachments, a file format most often used by web servers, to direct a victim to a malicious site upon clicking the attachment. This begs a reminder to always check the file format of an attachment and the URL of a linked site to confirm you ended up where you intended.
To learn more about the different spear phishing techniques and how to spot them, read GLS’ article, Spear Phishing Exposed.
Business Email Compromise (BEC) On The Rise
Business Email Compromise, or BEC, is another phishing technique that has seen exponential growth. According to the FBI’s 2018 Internet Crime Report, BEC/EAC (Email Account Compromise) report the highest victim losses of all 30+ cybercrime categories tracked by the Internet Crime Complaint Center (IC3), with 2018 losses totaling $1.3 billion. This is more than 3.5 times the 2nd category, which is Confidence Fraud/Romance, which totals $362.5 million.(4)
BEC is a type of spear phishing whereby a scammer identifies a target using online information about an organization. The target generally has the ability to execute financial transactions or provide valuable data. The scammer then assumes the identity of someone who has authority over the target, such as an executive within the organization. Through emails that appear to come from that authority, the scammer begins to slowly gain the target’s trust, leading to a request for the target to instigate a business transaction such as a wire transfer or to share confidential data. BECs often use the same elements as general phishing attacks—target mid-level personnel, use spoofed email domains and addresses, emphasize time-sensitive transactions and sometimes specify a need for secrecy. Since the assumed identity is often the CEO of the company, especially with small- and medium-sized businesses, BEC is also referred to as CEO Fraud.
To learn more about best practices for identifying and thwarting BEC attacks, read GLS’ article, Fighting Back Against BEC.
Brand Impersonation and Brandjacking
Brand impersonation or brandjacking is when scammers send phishing emails that appear to come from trusted vendors. In the past, incorrect logos, unprofessional text, misspellings and poor grammar were often indicators that a message was a phish. However, many of these indicators are now disappearing as phishers have stepped up their game. Microsoft, Facebook and financial institutions including Paypal are the most often impersonated(5) across the board, with scams impersonating Docusign and Dropbox holding a high position in the corporate arena.
Brandjacking messages typically have two goals: credential theft, malware download, or both. They may include links to malicious websites that are also extremely realistic. In addition, hackers have significantly increased their reliance on speed. One of the reasons these scams are so difficult to detect and prevent is that the websites may only be active for hours. As soon as the victims enter their credentials, the websites disappear, along with any leads.
Be Aware: New Scams Target New Channels
As you may be aware, the goal of many scammers is to steal account credentials. One of the newest ways hackers are making use of this loot is to launch phishing scams from compromised email accounts that they access with the stolen credentials. The phishing messages are particularly convincing because they come from verified email accounts with a reputable company domain and originate from the organization’s own servers.
Having use of an email account also gives the scammer access to the victim’s contacts. They exploit the victim’s relationships by launching phishing attacks internally to colleagues on the victim’s contact list, as well as externally to business and personal contacts. In 2019 alone, about 14% of organizations have been the victim of a lateral phishing attack. And once an organization is infiltrated, over 50% end up with multiple compromised accounts.(6)
Search Engine Phishing
This is a relatively new scam where someone creates a fake webpage that mimics a real business website. Using the same SEO tactics as are used when creating a real website, the phisher sets up the fraudulent one so that it shows up in search engine results. Unsuspecting users click the website link, thinking they are going to the legitimate business website. Any information entered is sent to the scammer, who is often hoping to steal a username and password you have used repeatedly and will open access to many of your online accounts. Common signs of search engine phishing include free giveaways or ridiculous discounts, emergency warnings that require a download to fix, credit card offers from obscure banks, or job applications that ask for sensitive information even before scheduling an interview.
Social Media Phishing
Have you ever read or answered a sharing survey on Facebook? Or replied to a personal question on Instagram? Posts and comments like these are turning social media platforms into ideal phishing venues. Publicly shared personal details put posters at risk of becoming phishing targets — sometimes only because they have shared enough information that the scammer can easily create a profile and story to trick the target. Also, there is the added bonus for phishers, as they may also earn a commission from another source for getting a user to click on a link.
Attackers may also phish for personal details in Comments sections or Chats in social media. Check out a recent blog post on how this scenario unfolded during the public interest in April the Giraffe and the birth of her new calf.
Blackmail — demanding money from someone as a payoff for concealing private or compromising information — has been documented since the earliest civilizations. According to Barracuda Networks, blackmail’s digital footprint is now one of the fastest growing cyber scams too. One in 10 spear-phishing emails (11%) is designed to extort money from employees in exchange for hiding allegedly scandalous video or images found on the victim’s computer.(7) Due to the embarrassing nature of the situation, this crime is likely underreported whether the victim pays the ransom or not.
No one is immune to these types of attacks, at home or at work, not even GLS’ Technical Director.
Older Phishing Schemes Still Used Daily
As a senior engineering manager at Mimecast recently stated, “Simple still works.” They have found that general types of phishing attacks still take the approach of casting a wide net to try and catch victims. However, they are also using new technologies to make them more effective, such as using a base HTML element to mask a malicious URL in a phishing email in order to bypass anti-spam filters in threat detection tools. Below are some “old school” phishing techniques that are still used and for which users must remain alert.
Phishing is a catch-all name for deception scams that rely on social engineering to trick a victim into sharing sensitive information. Although phishing scams can take many forms, most people think of phishing as a mass email with a fraudulent request to reply to the message, click a link and enter personal information on the resulting website or open an attachment that could contain malware. Phishing emails may impersonate a vendor you trust, a service provider, a colleague or even a family member. The sensitive information requested might be a username and password, birthdate, social security number, credit card number, etc.
Smishing is phishing by SMS text messaging apps. All types of phishing scams — basic phishing, spear phishing, BEC, whaling, etc. — can have a texting component. Scammers can spoof texting IDs, telephone numbers and caller IDs to make it appear that messages are coming from known colleagues or trusted organizations. In addition, be aware that team collaboration tools like Slack and Microsoft® Teams have become the latest venue for SMiShing scams. Always research and verify text message legitimacy, just as you would with any other message type. Also remain on guard and never click embedded links.
Vishing is phishing by telephone. It can be mass-audience phishing, for example the common voicemail messages supposedly from the national tax agency, threatening legal action if overdue tax payments are not made immediately. Another example is the “IT support scam” where a phisher randomly calls employees of a company offering to help with “the IT issue they reported.” Eventually, they reach someone who had reported an issue and they infiltrate the company as they provide supposed help.
Vishing can also be spear phishing. Sometimes scammers choose a target from a long list of possibilities, like the story at the beginning of our article that targeted customers of BB&T bank. Other times, vishing is used to gather specific information for a BEC or Whaling scheme in the making. The best way to protect yourself is to never share any sensitive information when someone initiates a phone call with you. Look up the number from a trusted source and return the call yourself.
Whaling is phishing that targets the “big phish.” Company executives, who generally juggle many priorities that keep them very busy and under a lot of pressure, are susceptible to “lack of attention to detail.” This quick decision-making is an art that also makes them susceptible to con artists who impersonate trusted colleagues (other c-suite executives, board members, attorneys, etc.) and request large payments for a task or project that seems legitimate at the time. It is only upon further scrutiny of the details that the scam is uncovered – usually too late. When successful, whaling often leads to the largest type of phishing payday for the scammers.