What is Phishing Anyway?
You likely know that phishing isn’t exactly the angler activity you do on a boat or a dock or a lake to catch some real fish. The unique spelling is the first indicator of that. And no, it’s not a type of dance or stage dive you might try to pull off at a Phish concert. It does, however, derive its name from the concept of actual fishing.
Phishing is a cybercrime in which someone posing as a legitimate institution uses email, telephone, or text message to lure people into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. And it’s on the rise.
According to phishing.org, the first phishing lawsuit was filed in 2004 against a Californian teenager who built an imitation of the America Online website. With the fake site he harvested users’ credit card details and used them to withdraw money from their accounts. The technique has since morphed into many variants and grown in sophistication.
The Numbers say You’re Going to Need a Bigger Boat
With phishing, everyone is a target, and no one is immune. It’s ubiquitous.
According to a recent report by Vade, overall phishing increased dramatically in 2021, with a 284% spike in June over the previous year, for a total of 4.2 billion phishing emails. Yes, “billion”.
75% of organizations around the world experienced a phishing attack in 2020, according to recent research from Proofpoint. And 74% of attacks targeting US businesses were successful. Though 95% of organizations claim to deliver phishing awareness training to their employees, phishing remains the threat type most likely to cause a data breach. In fact, according to Verizon’s 2021 Data Breach Investigations Report (DBIR), 22% of data breaches involve phishing.
The cost is staggering, as well. The FBI reports victims lost $57 million to phishing schemes in just one year.
What is the most common vehicle? Email. Again according to Verizon’s 2021 report, 96% of social engineering attacks are delivered by email, 3% arrive through a website, and phone or SMS communications and malicious documents account for about 1% each.
There are many ways to protect yourself and your organization against phishing scammers (we’ll get to more of that later), but one of the best ways is to be aware of the most common techniques. Since cyber criminals evolve their malicious strategies, it’s good to stay one step ahead.
The Latest Phishing Scams
So what are some of the phishing techniques you may not have heard of yet? Here’s a sampling of a few:
Brand Impersonations
Brand impersonation is on the rise. It’s relatively easy for a scammer to mimic a brand you or your company uses and send correspondence that looks like it comes from a trusted source, asking for personal information.
Brand impersonation can include everything from setting up a fake website to abusing hosted form builders inside Office 365 (Microsoft Forms, for example) so that the message and the landing page appear to come from Microsoft’s own infrastructure.
According to a report from Check Point, Microsoft is by far the most mimicked brand, accounting for a whopping 43% of all brand-phishing attempts. A popular scam asks recipients to re-enter their Office 365 credentials to keep access to their accounts. Credentials typed into that page go straight to the attacker, who then has the same access the user has: mail, files, and every application the account signs in to.
The top 10 spoofed brands, by share of all brand-phishing attempts globally, are:
1 – Microsoft (43%)
2 – DHL (18%)
3 – LinkedIn (6%)
4 – Amazon (5%)
5 – Rakuten (4%)
6 – IKEA (3%)
7 – Google (2%)
8 – PayPal (2%)
9 – Chase (2%)
10 – Yahoo (1%)
Brand impersonation campaigns like to capitalize on emotion. For instance, hackers pretending to be the IRS directed email recipients to click on a link to learn about the status of their tax returns.
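The display-name and lookalike-domain tricks described above are exactly what a mail gateway rule or a SOC triage script looks for. The following is an added example, not code from the original article or from ISOutsource, of such heuristics in Python: it checks whether the From display name claims a protected brand while the address comes from somewhere else, whether the sending domain is a homoglyph or near-miss of a brand, and whether Reply-To diverts answers to a third domain. The brand list, its legitimate domains, and the sample headers are constructed for the demonstration, and the two-label “registrable domain” helper is a stand-in for a proper Public Suffix List lookup.

```python
"""Flag brand-impersonation signals in a message's sender headers.

Added example, not code from the original article: the kind of heuristic a
mail gateway rule or SOC triage script applies to the From / Reply-To
headers. The brand list, legitimate domains and sample messages below are
constructed for the demo; a real deployment would use the tenant's own.
"""
from __future__ import annotations

import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Brands to protect and the registrable domains they legitimately mail from
# (constructed for the example).
PROTECTED_BRANDS = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "dhl": {"dhl.com"},
    "paypal": {"paypal.com"},
}
ALL_LEGIT = set().union(*PROTECTED_BRANDS.values())

# Digit/symbol-for-letter substitutions commonly used in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "$": "s"})


def normalize(text: str) -> str:
    """Lowercase, undo common homoglyphs and two-letter look-alikes ('rn' for
    'm', 'vv' for 'w'), then drop everything but letters. Heuristic: it will
    also mangle ordinary words, which is acceptable for substring matching."""
    t = text.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
    return re.sub(r"[^a-z]", "", t)


def registrable_domain(domain: str) -> str:
    """Crude eTLD+1 (last two labels). Enough for the demo; production code
    should use the Public Suffix List so that 'example.co.uk' is handled."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def mentioned_brands(text: str) -> set[str]:
    """Protected brands whose name appears in the normalized text."""
    norm = normalize(text)
    return {brand for brand in PROTECTED_BRANDS if brand in norm}


def lookalike_brand(domain: str) -> str | None:
    """Brand a sender domain resembles, or None. Legitimate domains are never
    reported, so 'microsoft.com' is fine but 'micros0ft-security.com' is not."""
    reg = registrable_domain(domain)
    if reg in ALL_LEGIT:
        return None
    sld = normalize(reg.split(".")[0])
    for brand in PROTECTED_BRANDS:
        if brand in sld or SequenceMatcher(None, sld, brand).ratio() >= 0.8:
            return brand
    return None


def analyze(headers: dict[str, str]) -> list[str]:
    """Return impersonation findings for one message's headers."""
    findings = []
    display, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    from_reg = registrable_domain(from_domain)

    # 1. Display name claims a protected brand, but the address is not one
    #    of that brand's legitimate domains.
    for brand in sorted(mentioned_brands(display)):
        if from_reg not in PROTECTED_BRANDS[brand]:
            findings.append(f"display-name impersonation of {brand} from {from_domain}")

    # 2. The sending domain itself looks like a protected brand.
    brand = lookalike_brand(from_domain)
    if brand:
        findings.append(f"lookalike domain {from_domain} resembles {brand}")

    # 3. Reply-To diverts answers to a different domain, the usual way an
    #    attacker collects replies to a spoofed or compromised sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply:
        reply_reg = registrable_domain(reply.rpartition("@")[2])
        if reply_reg != from_reg:
            findings.append(f"reply-to mismatch: {from_reg} -> {reply_reg}")
    return findings


# Constructed sample headers, not real messages.
SAMPLE_MESSAGES = [
    {"From": "Microsoft Account Team <no-reply@micros0ft-security.com>"},
    {"From": "Microsoft <account-security-noreply@accountprotection.microsoft.com>"},
    {"From": "DHL Express <tracking@dhl.com>", "Reply-To": "support@dhl-parcel-update.net"},
    {"From": "Billing <service@payppal.com>"},
    {"From": "Jane Doe <jane.doe@example.org>"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", analyze(msg) or ["clean"])
```

Run as a script, the second message (a genuine Microsoft subdomain) and the last one come back clean, while the homoglyph domain trips two rules at once, the DHL message is caught only by its Reply-To, and `payppal.com` is caught by the similarity ratio rather than by substring matching. In production the brand list would be the tenant's real vendors, and the domain helper would be replaced by a Public Suffix List lookup.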
“Spear” Phishing
Spear phishing is a variation in which the email is personalized to trick the recipient into believing there is a real connection with the sender. Spear phishers use the target’s name, job title, employer, work phone number, and other details to appear legitimate.
LinkedIn, like other social media channels, is a common reconnaissance source for spear phishing, and a common lure as well.
Some of the attacks include:
- Hosting malicious documents on cloud services like Dropbox, Box, and Google Drive, so that the link points at a domain the recipient already trusts.
- Emailing employees en masse and harvesting the out-of-office auto-replies to learn the address format, names, and titles used inside the company.
- Using social media to map the organization’s structure and decide whom to single out for the targeted attack.
“Whaling”
Whaling is similar to Spear Phishing, but the attacks focus on executives within an organization.
The criminal’s goal is to gain access to the email account of a CEO or other high-ranking executive, or to spoof it convincingly, and use it to authorize fraudulent wire transfers to an account they control. The same access can be used to request W-2 information for all employees, either to file fraudulent tax returns in their names or to sell the data on the dark web.
The techniques are very similar to spear phishing. According to Naked Security, one prime example of an actual whaling attack involved Evaldas Rimasauskas, who in 2013 and 2015 targeted two large US companies by sending fake invoices while impersonating a legitimate Taiwanese company that both actually did business with, stealing over $122 million.
How You can Avoid the Lures
Phishing is not going away. So how do you keep up with it?
There are many ways in which you can safeguard yourself and your business. At ISOutsource, we take pride in helping our 650+ clients avoid fraudulent attacks. It’s what we live and breathe. Some simple techniques can include:
- Use Multi-Factor Authentication (MFA) on all personal and business accounts and on internal and external tools and sites; where possible prefer phishing-resistant methods (FIDO2 security keys or passkeys), since one-time codes can be relayed by a phishing page that proxies the real login
- Use separate email accounts for home and business
- Use a unique, complex password for every account
- Use a password manager
- Conduct regular security awareness training for all your employees, including simulated phishing emails sent companywide to see how people respond, and give them an easy way to report suspicious messages
- Ensure all of your sensitive and personal data is stored, secured, and backed up properly
- Have a third-party IT partner with expertise in security perform continuous remote monitoring and remediation of your systems
- Have email security tooling in place to detect and quarantine phishing attempts before they reach the inbox
Additionally, you can create multi-layered defenses by implementing technical controls. Some examples include:
- SPF (Sender Policy Framework) – an SPF record in your domain’s DNS lists the mail servers authorized to send on your behalf, so receiving systems can detect and reject spam and phishing that claims to come from your domain. Note that SPF checks the envelope sender, not the From address the user sees, so pair it with DKIM signing and a DMARC policy; DMARC is what tells receivers to quarantine or reject mail that fails and to report it back to you.
- ATP (Advanced Threat Protection) – enable the anti-phishing features built into your email provider, such as Microsoft Defender for Office 365 (formerly Office 365 ATP) and Google Workspace’s advanced phishing and malware protection settings.
- DNS filtering / web filtering – route DNS through a filtering resolver and enable web filtering so that known phishing sites are blocked before a user reaches them.
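What the SPF item above means in practice is easiest to see on a record. The following is an added example, not code from the original article or from ISOutsource: a small Python evaluator that parses an SPF record, decides pass/fail/softfail/neutral for a sending IP against its ip4/ip6/all mechanisms, and audits the weak terminal qualifiers (`+all`, `?all`, `~all`, or no `all` at all) beside the hardened `-all` form. The records and IP addresses are constructed from documentation ranges; `spf.protection.outlook.com` is Microsoft 365’s published include. Mechanisms that require DNS (`include`, `a`, `mx`, `redirect=`, and so on) are reported as unresolved rather than looked up, so the example runs offline.

```python
"""Evaluate an SPF record offline and point out weak policy choices.

Added example, not code from the original article: a checker for the
ip4 / ip6 / all mechanisms plus an audit of the common misconfigurations.
The records below are constructed for the demo. A real evaluator must also
resolve include:, a:, mx:, exists:, ptr: and redirect= over DNS and enforce
RFC 7208's limit of 10 DNS-querying terms; those are only reported here.
"""
from __future__ import annotations

import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}


def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split 'v=spf1 ...' into (qualifier, name, value) terms. Modifiers such
    as redirect= and exp= carry an empty qualifier."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        if "=" in term:                      # modifier: name=value
            name, value = term.split("=", 1)
            terms.append(("", name.lower(), value))
            continue
        qualifier = "+"                      # RFC 7208: default qualifier is pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.split("/")[0]            # 'a/24', 'mx/24' forms
        terms.append((qualifier, name.lower(), value))
    return terms


def check_spf(record: str, sender_ip: str) -> str:
    """pass / fail / softfail / neutral for sender_ip, 'permerror' for a
    malformed or unknown term, or 'needs-dns' when the verdict depends on a
    term this offline example does not resolve."""
    ip = ipaddress.ip_address(sender_ip)
    terms = parse_spf(record)
    for qualifier, name, value in terms:
        if not qualifier:                    # modifier, handled after the loop
            continue
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif name in DNS_MECHANISMS:
            return "needs-dns"
        else:
            return "permerror"               # unknown mechanism
    if any(name == "redirect" for q, name, _ in terms if not q):
        return "needs-dns"
    return "neutral"                         # no match and no redirect: neutral


def audit_spf(record: str) -> list[str]:
    """Weaknesses a phisher can exploit. The thresholds for 'very broad'
    ranges are a judgment call chosen for the demo."""
    issues = []
    mechs = [t for t in parse_spf(record) if t[0]]          # mechanisms only
    all_pos = [i for i, (_, name, _) in enumerate(mechs) if name == "all"]
    if not all_pos:
        issues.append("no 'all' term: unlisted senders get 'neutral', which most receivers deliver")
    else:
        q = mechs[all_pos[0]][0]
        if q == "+":
            issues.append("'+all' authorizes every host on the internet to send as this domain")
        elif q == "?":
            issues.append("'?all' is neutral: effectively no policy for unlisted senders")
        elif q == "~":
            issues.append("'~all' softfail is usually still delivered; move to '-all' once every sender is listed")
        if all_pos[0] != len(mechs) - 1:
            issues.append("terms after 'all' are never evaluated")
    for _, name, value in mechs:
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                issues.append(f"{name}:{value} is not a valid network")
                continue
            if (name == "ip4" and net.prefixlen < 16) or (name == "ip6" and net.prefixlen < 32):
                issues.append(f"{name}:{value} is very broad ({net.num_addresses} addresses)")
    return issues


# Constructed records: a domain sending from its own /24, a documentation IPv6
# prefix, and Microsoft 365 (spf.protection.outlook.com is M365's published include).
WEAK_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ?all"
HARD_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
M365_RECORD = "v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com -all"

if __name__ == "__main__":
    for rec in (WEAK_RECORD, HARD_RECORD, M365_RECORD):
        print(rec)
        for ip in ("203.0.113.10", "198.51.100.7", "2001:db8:1::5"):
            print(f"  {ip:>16} -> {check_spf(rec, ip)}")
        print("  audit:", audit_spf(rec) or ["ok"])
```

The point the audit makes is that the only difference between the weak and the hardened record is the last token: with `?all` a spoofed message from an unlisted IP gets `neutral` and is usually delivered, with `-all` it gets `fail`. Even `-all` only helps if receivers act on it, which is what a DMARC `p=quarantine` or `p=reject` policy instructs them to do.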
We’re always here to help. If you need some insight into your own practices, don’t hesitate to reach out! Or sign up for our newsletter to receive related information right to your inbox. No phish involved.
About ISOutsource
ISOutsource is a modern technology consulting company and was recognized as a ‘Top 10 Security Solutions Provider’ by a leading magazine among many other accolades during the year 2021. We are well-positioned to serve and grow our client base in Washington, Oregon and Arizona helping them move from reactive to transformational in their use of technology.