Spear phishing and the art of the scam
From mom-and-pop businesses to the largest enterprises, people are an organization’s greatest strength. But from a security standpoint, your people are also your organization’s greatest vulnerability.
In the context of information security, “social engineering” is the act of using psychological manipulation to gain access to restricted physical or digital spaces, or to trick people into sharing sensitive or confidential information. “Phishing” is one of the easiest, most common ways for scammers to gain access to data people normally hold close, like Social Security numbers, account numbers, login IDs, and passwords.
Phishing is the Swiss Army knife of scamming tools, an effective tactic that can work through multiple vectors including voice calls and SMS text messaging. But the simplest, most popular route runs through your email inbox using fraudulent websites and deceptive links. It relies on your trust in the purported sender to prompt you to act, by evoking a sense of fear or urgency--or even simple curiosity.
Beyond personal identity theft
In late 2017, for example, you might have received an email that featured the PayPal logo, informing you that some of your recent transactions had been flagged as suspicious activity. It asked that you click on a link to verify your information, directing you to a legitimate-looking page where you were asked to type in your personal information, including your credit card’s full number, expiration date, and security code.
That’s a “traditional” phishing scam, originating as spam emails broadcast to thousands or millions of users. It could mark the beginning of a descent into the nightmare of personal identity theft for an individual. When the inbox belongs to your company and you’ve been targeted by a phishing network, the stakes quickly multiply.
Increasingly, phishing networks are taking aim at organizations rather than individuals. Phishing groups deliberately select higher-value targets like your business and spend time gathering information on your company and its people, then use that info to craft a message that will resonate with specific employees or departments.
These “spear phishing” attacks are the fastest-growing cyber-threat to organizations (Webroot reports that around 1.4 million new phishing websites are created every month). Because of their contextual sophistication--a message might mention a recently attended industry conference, for example, or appear to come from a top-level executive within the company--spear phishing emails can slip through filters more easily than spam.
Three out of every four companies surveyed last year experienced phishing attacks. The cost of a successful phishing attack on a mid-sized business: $1.6 million on average, including lost employee productivity, direct financial losses, damage to company and brand reputation, and loss of intellectual property. According to the FBI, US businesses lose $500 million a year to phishing scams.
A particularly dismal statistic from a recent Cloudmark survey: 97% of end users fail to spot at least 1 in 4 phishing emails. Which of your people are most at risk of exposing your organization to malware, ransomware, or drained bank accounts? IT and finance departments are top targets, followed by sales, CEOs and CFOs.
Phishing attacks aimed at C-level executives, also known as “business email compromise” (BEC) scams, CEO fraud or “whaling,” can devastate a company. Symantec estimated in its 2017 Internet Security Threat Report that over 400 businesses are targeted by BEC scams every day--mostly small- to mid-sized organizations.
Ransomware--malicious software, most often delivered by a phishing email, that seizes an organization’s information or control of its systems and holds them hostage for payment--was found in almost 40% of breaches in which malware was identified. Most breaches--68%--took months or longer to discover.
Spear phishing is the top mode of delivery for advanced persistent threat attacks. While the mixture of likely threats varies from one industry to another, no industry is safe. The Human Factor 2016 research report from Proofpoint makes plain that phishing victims do the heavy lifting for cybercriminals: running attackers’ code, handing over credentials, even directly transferring funds to them. Manufacturing, professional services, healthcare, retail, finance, IT--across every vertical, when it comes to data security, the truth holds: humans are the weakest link.
An ounce of prevention
The key to foiling phishers comes back around to the people who make up your organization. A 2017 analysis by Cofense PhishMe found that employee training, well-run phishing tests and rigorous reporting could slash an organization’s susceptibility to rates as low as 5%, despite the relentless increase in phishing attempts.
What are some first steps your organization can take to protect itself and its assets? Remind your employees to be wary of messages
- claiming to be from Google, Yahoo, Dropbox, PayPal or Facebook (phishing attack impersonation favorites),
- containing requests to click on links or open attachments,
- with a strong sense of urgency (like paying a “vendor” invoice by 3pm today),
- that appeal to human greed, fear, or other strong emotions, or
- which request input of sensitive data such as passwords.
Verify information before responding. Look up phone numbers and URLs yourself rather than clicking on links. Avoid posting too much personal information online; attackers can use it to tailor their messages and look more legitimate to users. Forward suspected phishing emails to email@example.com, firstname.lastname@example.org, and to the organization the message claims to be originating from. Work with your managed service provider to find tools and training with a proven track record of reducing successful phishing attacks. The return on investment could be worth everything to your business.
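As an added defender-side illustration (not code from the original article), the script below checks a constructed message against the red flags listed above and the advice to inspect links rather than click them: a brand name in the sender paired with a non-matching sending domain, a link whose visible text names one site while its href points to another, deadline or threat language, and a request for passwords or card data. The brand allow-list, the `.example` domains and the sample message are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands the article lists as impersonation favourites, mapped to the domain
# they legitimately send from (an assumed allow-list; adjust for your own tenant).
BRAND_DOMAINS = {"google": "google.com", "yahoo": "yahoo.com", "dropbox": "dropbox.com",
                 "paypal": "paypal.com", "facebook": "facebook.com"}
URGENCY = re.compile(r"\b(today|immediately|within \d+ hours|by \d\s*pm|urgent|suspended)\b", re.I)
SENSITIVE = re.compile(r"\b(password|social security|credit card|security code)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)

def registrable(host):
    """Crude registrable domain: the last two labels (fine for .com-style names)."""
    return ".".join(host.lower().split(".")[-2:])

def triage(raw_message):
    """Return the list of red flags found in one single-part RFC 822 text message."""
    msg = message_from_string(raw_message)
    flags = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable(addr.rpartition("@")[2])
    for brand, legit in BRAND_DOMAINS.items():  # brand named, but not sent from its domain
        if brand in (display_name + addr).lower() and sender_domain != legit:
            flags.append(f"impersonation: claims {brand} but sent from {sender_domain}")
    body = msg.get_payload()
    for href, link_text in ANCHOR.findall(body):  # visible host vs. real destination host
        shown = HOST_IN_TEXT.search(link_text)
        real = registrable(urlparse(href).hostname or "")
        if shown and registrable(shown.group()) != real:
            flags.append(f"deceptive link: shows {shown.group()} but goes to {real}")
    if URGENCY.search(body):
        flags.append("urgency: deadline or threat language")
    if SENSITIVE.search(body):
        flags.append("sensitive data requested")
    return flags

# Constructed sample resembling the PayPal lure described above (not a real message).
SUSPICIOUS = """\
From: PayPal Service <alerts@paypal-secure-login.example>
Subject: Unusual activity on your account

Some recent transactions were flagged as suspicious. Verify your password and
credit card details within 24 hours or your account will be suspended:
<a href="http://verify.paypal-secure-login.example/login">https://www.paypal.com/myaccount</a>
"""
```

Running `triage(SUSPICIOUS)` returns all four flags; a plain internal note whose link text and href agree returns an empty list.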