Cyber security attacks continue to rise at an alarming rate, costing the individuals and companies that fall prey to them dearly. Such attacks caused over $2 trillion in losses in 2019 according to Juniper Research.
Cyber security attacks are commonly conducted through phishing emails, says retired FBI agent Martin Jerge, who has more than two decades of experience with the Federal Bureau of Investigation and with a Fortune 100 company investigating cyber security, counterintelligence and criminal threats. He says that such emails may use several methods to try to extract vital information from their intended victims.
In some cases, phishing emails attempt to install malicious software (malware) on victims’ devices so that their login or other information can be stolen. The malicious attachments often pose as invoices or other seemingly important work-related files.
However, with antivirus software becoming more effective at detecting malware before it can do damage, cybercriminals are increasingly relying on other tactics, says Martin Jerge.
Phishing sites are the most popular alternative: phishing emails direct recipients to imposter sites that mimic the look of the legitimate site so that victims won’t think twice about entering their login credentials, which are then stolen. These sites are becoming harder to spot, with many of them now served over HTTPS so that they appear secure to visitors and their browsers. The padlock only means the connection to the site is encrypted; it says nothing about who operates the site, since anyone who controls a domain can obtain a certificate for it.
According to the 2019 Phishing and Fraud Report published by F5 Labs, 21% of all breaches were due to phishing attacks, trailing only unauthorized email access (which itself can be due to phishing attacks). The report added that a staggering 71% of phishing sites now employ HTTPS, up from just 5% in 2016 and 20% in 2017.
In other cases, phishing emails use data gathered from previous phishing attempts or other sources to trick recipients into willingly handing over important files or information. They might impersonate a company’s executive, an IT technician, or someone in the company’s supply chain, right down to convincingly spoofing the sender’s email address.
Spearing vs. Whaling: How Phishers Target Their Victims
Phishing is the dominant method used by cybercriminals to gain access to corporate networks, with the finance, education, non-profit, and health sectors particularly susceptible, according to F5 Labs’ 2019 Application Protection Report.
The majority of successful corporate attacks are conducted via spear phishing, which targets a specific individual within the company, most often an executive or system administrator.
Martin Jerge says it’s become easier than ever for spear phishers to launch convincing attacks against their intended victims by leveraging all of the data freely available on social media sites like Facebook, Instagram, and LinkedIn to impersonate fellow employees, friends, or family members of the target, right down to accurately portraying the hobbies, interests, or past of the impersonated subject.
An equally hazardous method is whaling, a type of phishing that targets high-profile employees such as senior executives in the hope that they will take the bait and give up sensitive information. Whaling generally involves more social engineering because of its targeted approach. CI Security CTO Mike Simon states that, according to the company’s research, a phishing email that gets reported to the company has typically also been received by 15% to 20% of its employees.
Regardless of the method used, the end result is a costly one for companies. PhishMe reports that mid-sized companies are hit with an average cost of $1.6 million per successful attack, while Deloitte notes that companies on the receiving end of a cyber breach can expect to lose one-third of their customers, regardless of the amount of monetary damage, if any, suffered during the breach.
Common Triggers and Motivations Targeted by Phishing Attempts
The rising tide of socially themed phishing attacks reflects a key finding of PhishMe’s 2017 Enterprise Phishing Resiliency and Defense Report: the emotional motivators behind the most successful phishing attempts have changed dramatically over the past few years.
Rising awareness of work-related scams is pushing down the number of successful phishing attempts using those triggers, while social, entertainment, and reward-based lures are on the rise. Some of the most prevalent scenarios phishers use to get clicks include holiday e-cards, guidelines or updates about office parties or events, forms that must be signed, free giveaways or coupons, and warning alerts about diseases or grievances.
Holiday e-cards and shopping deals are particularly convincing and heavily used lures, which is consistent with F5 Labs’ finding that attacks spike during holidays and busy shopping periods, namely around Mother’s Day, Black Friday, Christmas, and New Year’s, when victims are expecting such correspondence.
How to Successfully Thwart Phishing Attempts
Martin Jerge says there are several steps that individuals and companies can take to train and protect themselves from phishing attempts, one of the most important being the use of phishing simulators. These programs send out mock phishing attempts to a company’s employees, revealing the susceptibility of the company to such scams and the effectiveness of their phishing detection training methods.
Another step companies can take to protect sensitive data is to encrypt it, so that even if an employee falls for a phishing attempt and shares an important file, the attacker will have trouble reading and using it. This only helps if the decryption key is not handed over along with the file.
On an individual level, people should carefully inspect email links and the sender’s address before clicking through, especially in emails that stress that urgent action is needed and that supposedly come from large companies commonly impersonated in phishing scams such as Apple, Facebook, Netflix, PayPal, Amazon, and Microsoft. Hover over a link to see where it really goes, and check the actual domain of both the link and the sender’s address rather than just looking for the brand name, which can appear in a lookalike domain or as a subdomain of an attacker-controlled one.
If you have any doubts about an email’s authenticity (or even if you don’t), go directly to the website in question yourself through your browser or bookmarks rather than following a link.
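The checks described above (sender address versus display name, link text versus real destination, lookalike brand domains, urgency language) can be automated. The following is an added example written for this article, not code from the author or any product mentioned; the brand-to-domain table, the homoglyph rules, and the sample message are all constructed assumptions for illustration, and the domain handling is deliberately simple (a real tool would use a public-suffix list).

```python
"""Heuristic phishing checks for a raw e-mail: sender display name vs. address,
anchor text vs. href, lookalike brand domains, and urgency wording.
Added example; the brand table and the sample message are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the article lists as commonly impersonated, mapped to domains they use.
# Assumption for this example only, not an authoritative registry.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
    "microsoft": {"microsoft.com", "live.com"},
    "netflix": {"netflix.com"},
    "apple": {"apple.com", "icloud.com"},
    "facebook": {"facebook.com", "fb.com"},
}

URGENCY = re.compile(r"\b(urgent|immediately|suspended|within 24 hours)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})")


def registrable_domain(host):
    """Crude eTLD+1: keep the last two labels ('www.paypal.com' -> 'paypal.com')."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize_lookalike(host):
    """Undo common homoglyph tricks so 'paypa1.com' compares like 'paypal.com'."""
    return host.lower().replace("rn", "m").replace("1", "l").replace("0", "o")


def brand_for_host(host):
    """(brand, legitimate) if the host names a known brand, else (None, None)."""
    reg = registrable_domain(host)
    for brand, domains in BRAND_DOMAINS.items():
        if reg in domains:
            return brand, True
        # Brand appears as a subdomain label or homoglyph variant: impostor.
        if brand in normalize_lookalike(host):
            return brand, False
    return None, None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def text_body(msg):
    """First text part, decoded; walk() covers single-part and multipart alike."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            raw = part.get_payload(decode=True) or b""
            return raw.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def analyze(raw_message):
    """Return a list of warnings; an empty list means nothing suspicious found."""
    msg = message_from_string(raw_message)
    warnings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display_name.lower() and registrable_domain(sender_domain) not in domains:
            warnings.append(f"display name mentions {brand} but address is @{sender_domain}")
    brand, legit = brand_for_host(sender_domain)
    if brand and not legit:
        warnings.append(f"sender domain {sender_domain} resembles {brand}")
    body = text_body(msg)
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        brand, legit = brand_for_host(host)
        if brand and not legit:
            warnings.append(f"link to {host} impersonates {brand}")
        shown = LOOKS_LIKE_URL.search(text.lower())  # anchor text that looks like a URL
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            warnings.append(f"link text shows {shown.group(1)} but goes to {host}")
    if URGENCY.search(body):
        warnings.append("body uses urgency language")
    return warnings


# Constructed sample for demonstration; not a real phishing e-mail.
SAMPLE = """\
From: PayPal Support <service@paypa1-secure.example>
To: victim@example.org
Subject: Action required
Content-Type: text/html; charset=utf-8

<p>Your account is suspended. Log in immediately at
<a href="https://www.paypal.com.account-verify.example/login">https://www.paypal.com/</a></p>
"""

if __name__ == "__main__":
    for warning in analyze(SAMPLE):
        print("WARNING:", warning)
```

Run against the constructed sample, `analyze` flags the mismatched display name, the homoglyph sender domain, the brand name buried in a subdomain of the link, the anchor text that claims one site while pointing at another, and the urgency wording; a message whose only link really is `https://www.paypal.com/` produces no warnings. The homoglyph and subdomain heuristics are intentionally generous, so treat the output as a prompt to look closer rather than a verdict.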
Lastly, retired FBI agent Martin Jerge recommends limiting what personal data you publicly share on social media platforms. While small tidbits of data may seem innocuous on their own, all it takes is a few such bits of data for a phisher to build a convincing attack that can be used against you or someone you know to devastating effect.
This article does not necessarily reflect the opinions of the editors or management of EconoTimes.