Phishing campaigns leading to breaches have been steadily rising for the past two years.
In 2019, we expect phishing attacks to surpass web application attacks and become the number one attack vector leading to a breach.
In this article, we look more specifically at the problem of phishing and fraud that peaks during the holiday season, beginning in March and continuing through May.
Based on data from a variety of sources, we look at phishing and fraud trends over a year, the top impersonated companies in phishing attacks by name and industry, the growth rate in phishing attacks, and the fastest growing targets.
We look at how phishing works, the most common and successful phishing lures, what happens when a phishing attack succeeds, and what types of malware can be installed.
We analyzed attacks that started with phishing attacks to provide context to the impact of phishing.
We also analyzed what percentage of phishing domains use encryption to look more legitimate, like the sites they impersonate, and how malware sites use encryption to hide from typical intrusion detection devices.
As with most threats, phishing can be mitigated by informing people and deploying protective technology, so we close the article with a list of recommendations to defend your business against phishing and fraud.
Spring in Israel isn’t just about blooming flowers and holiday vacations.
It’s also peak season for phishing when scammers use email, text messages, and fake websites to trick people into giving up their personal information.
It’s prime “hacking time”, when phishers and fraudsters take advantage of people while they’re distracted: businesses aren’t working, key staff members are on vacation, and record numbers of online holiday shoppers are searching for the best deals, spending more money than they can afford and looking for last-minute credit.
Holiday season or not, phishing continues to be a major attack vector for one simple reason: access is everything and phishing attacks give attackers access.
Login credentials, account numbers, social security numbers, email addresses, phone numbers, and credit card numbers are all pure gold to scammers; they’ll steal any information that gives them access to accounts.
Some of the worst cyber-attacks we read about in the news (or are affected by personally) are actually multi-layer attacks that use phishing as their initial attack vector.
While the technologies and methods of phishing scams are well known and have not changed much over the years (a psychological hook lures victims into trusting imposter web forms and applications), phishing campaigns have become more effective.
People voluntarily publish a great deal of useful information about themselves online, and so much more is for sale as a result of large-scale data breaches, that it is getting easier for scammers to tailor their campaigns to their targets, making them more effective.
The most common phishing methods are probably something you’ve encountered at least once in your digital life. The most successful phishing lures play on people’s emotions to get them to open an email and click on something. Here are some of the most common lures and how to identify them:
Bills or invoices: Money always gets people’s attention.
A “Due Invoice” phishing email purports to come from a large company’s executive to a vendor, urging them to respond to the message about their overdue account.
The worried target clicks the link or opens the attached file to learn more about the case, and the attack has succeeded.
Check whether the sender’s email address looks suspicious, and don’t open links or files from unknown senders.
Account lockout: A fake alert appearing to come from a familiar account (like Facebook, Instagram or Google) telling the user they’ve been locked out of their account until they “click here” to provide additional information.
Usually, if you look carefully at the email, the fake “From” address is the tip-off that this is a scam.
Everything else about the email, however, will look fairly convincing, because it is a copy of a legitimate email that the scammers cloned.
Text messages: Text messages are often much more difficult to identify as a scam because they are generally brief and have fewer graphical elements (like a familiar logo) to tip off the user.
Try looking for weird or unprofessional wording and avoid clicking on links in text messages from unknown senders.
Authority figures/executive staff: Employees often respond quickly to email requests from upper management or executives.
A phishing email with the subject line “Urgent” is supposedly sent by the CEO to an employee. (When reading work email, notice the “EXTERNAL EMAIL” warning label:
a message from a colleague on your company’s own email system is internal and would never be marked as external.)
Order or delivery information/confirmation: Emails containing links where the recipient can check the status of an order or confirm receipt of a package. (Try to remember whether you actually ordered something online from that store;
avoid clicking the links and instead call the company with the Order ID to verify that you are truly a customer. Often the recipient isn’t a customer at all.)
Recruiting and job search: An email from a recruiter or a high-profile individual at a competitor urging the recipient to open an attachment to view a resume or job description.
(As before, don’t open any file from an unknown sender; examine the sender’s email address or contact the recruiter by phone.)
“Trusted Friend” lures: These emails play on the victim’s trust and familiarity with the sender.
They appear to come from a friend or co-worker (who often was previously phished and compromised) and contain an attachment to review or a link to a website.
A particularly convincing version of this used the email subject line “Documents” and contained a URL that appeared to go to a Google URL (but not Google Docs).
Instead, it pointed to the scammer’s site, which was hosted on Google, making it look legitimate.
(As always, don’t click URLs or open files. If your friend or co-worker has never contacted you by email before, that should be a warning sign;
contact that person and find out whether they really sent you that mail.)
Bank account notification: An email appearing to come from the victim’s bank saying “click here to log in and get your bank statement.”
(Never give your bank login to any website reached through an emailed link. If you need online banking, go directly to your bank’s website, and make sure you log out when you are done.)
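As an added example (not part of the original article), the script below turns several of the tip-offs listed above into a defender-side triage check: an executive title in the display name of an external sender, a display name that carries a different address than the real From, lure phrases in the subject, and a “Documents” link that is Google-hosted but is not Google Docs. The company domain example.com, the keyword list and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject phrases the article lists as common lures (constructed keyword set).
LURE_PHRASES = ("urgent", "due invoice", "overdue", "locked out", "documents")
EXEC_TITLES = re.compile(r"\b(ceo|cfo|coo|president|director)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def triage(raw_message: str, internal_domain: str) -> list[str]:
    """Return the warning signs found in one RFC 822 message (empty if none).
    internal_domain is the company's own mail domain (an assumption here)."""
    msg = message_from_string(raw_message)
    reasons = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    external = sender_domain != internal_domain.lower()
    # "Urgent" mail from the CEO that arrives from outside the company domain.
    if external and EXEC_TITLES.search(display_name):
        reasons.append("executive title in display name, sender is external")
    # Account-lockout style: display name shows a familiar address, From differs.
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if claimed and claimed.group(1).lower() != sender_domain:
        reasons.append("display name carries a different address than From")
    subject = (msg.get("Subject") or "").lower()
    hits = [p for p in LURE_PHRASES if p in subject]
    if hits:
        reasons.append(f"lure phrase in subject: {hits[0]!r}")
    # "Documents" mail whose link is Google-hosted but is not Google Docs.
    for url in URL_RE.findall(msg.get_payload()):
        host = (urlparse(url).hostname or "").lower()
        on_google = host == "google.com" or host.endswith(".google.com")
        if "documents" in subject and on_google and host != "docs.google.com":
            reasons.append(f"'Documents' link goes to {host}, not docs.google.com")
    return reasons

# Constructed sample messages; example.com stands in for the company domain.
CEO_LURE = ('From: "Dana Levi (CEO)" <ceo.dana@mail-relay.net>\nSubject: Urgent\n\n'
            "Pay the attached invoice today.\n")
LOCKOUT_LURE = ('From: "yossi@example.com" <alert@login-verify.net>\n'
                "Subject: Account locked out\n\nRestore: https://login-verify.net/r\n")
DOCS_LURE = ("From: Yossi <yossi@example.com>\nSubject: Documents\n\n"
             "Review here: https://files.google.com/shared/doc.html\n")
LEGIT = "From: Yossi <yossi@example.com>\nSubject: Lunch tomorrow?\n\nSame place?\n"

if __name__ == "__main__":
    for raw in (CEO_LURE, LOCKOUT_LURE, DOCS_LURE, LEGIT):
        print(triage(raw, "example.com"))
```

The heuristics are deliberately simple and produce reasons rather than a verdict, so they suit a mail-gateway banner or an analyst’s first pass rather than automatic blocking.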
The dangers of a phishing attack:
Depending on the type of data that’s stolen (personally identifiable information (PII); financial, healthcare, or educational details; credit card information), scammers will carry out different types of crime.
Login credentials are especially dangerous, particularly for bank accounts, as the attackers can quickly log in, take over the account, and drain all the cash.
Sometimes they’ll pivot and go after other targets.
In other cases, say, with stolen credit card data, the thieves try to sell that data on the darknet.
In turn, the buyer might do any of the following:
Create fake credit cards by loading the card numbers onto card blanks (cash-out services) and using them in ATMs to get cash, or online to make purchases.
Buy services, like Netflix, Spotify, Steam, web hosting or online games, for a fraction of the original cost.
Use the card numbers as part of another scheme, such as buying fake domains or web services to support other scams and hacking endeavors. Sell the stolen card numbers online.
Everyone, security pros and individuals alike, needs to know how to defend against phishing and fraud. While it’s in an individual’s best interest to stay informed about the latest scams, they can never be expected to see or understand the warning signs the way security professionals do.
We can’t overemphasize the importance of user awareness training, especially since phishing scams continue to get more sophisticated and aggressive.
Many users don’t take phishing seriously, thinking the odds of it happening to them are slim, or if it does happen, the impact might only be minor.
Users need to be aware that phishing can be extremely harmful to them as individuals and as companies.
If you want your company and employees to be protected from phishing scams and social engineering, you may contact us: we have the technology, our Red Team Operations, and user awareness training to keep your digital space protected.