Phishing Attacks Continue to Increase

Phishing Is the Leading Attack Tactic and It Will Get Worse

Organizations have seen cyber breaches through email or phishing attacks increase year after year, yet somewhat surprisingly organizations have not been able to improve their defenses against the tactic. In a survey conducted by Industry Inbox with 280 executive decision makers across diverse industries throughout EMEA, organizational leaders discussed their email security strategy – the insights were eye-opening. In the survey, 47% of the executives’ organizations had been attacked by ransomware the previous year, 31% were victim to an email attack and were ultimately compromised, and 75% admitted to having been attacked with an e-mail that impersonated a trusted brand that they recognized. In a separate report produced by Barracuda Networks the organization found that 83% of all email attacks were focused on brand impersonation.

 

Eighty-Seven Percent of Executives Said Phishing Attacks Will Get Worse

The Industry Inbox survey will likely help put increased visibility and urgency on the rising new wave of email threats. Of the 280 respondents, a significant majority (87%) suggested that email threats would increase in the coming year as they had for previous years. The vast majority (75%) also said they had experienced an increase in email attacks over the past three years against their own organization and employees. Phishing, spear-phishing and whaling have existed for over 30 years at this point; however, spear-phishing and whaling have become sophisticated and as a result incredibly successful over the past 3 years.

Attackers are increasingly doing research and leveraging social media to uncover information about their victims in order to personalize the attacks. In the case of whaling, rather than simply spoofing an e-mail address, attacks send e-mails to company employees by impersonating a senior executive. The e-mail requests funds or access to financial information and in the vast majority of cases the requests are filled by employees without question.

 

Organizations are as Vulnerable as Ever to Phishing Attacks

Many organizations are admitting to being vastly unprepared when it comes to email security, with 94% of the 280 respondents in the survey admitting that email is the most vulnerable part of the organization in terms of overall security. Finance departments experience more attacks than any other department in most organizations, with 57% identifying it as the most targeted department. An emerging trend that was uncovered in the survey was that 32% identified customer support as the most attacked department in their organization. Based on most data analyzed from other attacks in previous years customer support is being targeted more often because the customer data to which they have access and because they are overwhelmed by e-mails and are the most likely to inadvertently open a phishing e-mail and start the attack chain.

 

Employee Education is Key to Thwarting Phishing Attacks

Clearly, organizations could thwart many of the phishing, spear-phishing and whaling attacks by training employees to spot e-mails that are impersonating brands, spoofing e-mail addresses, or have links that have no connection to the e-mail content itself. The lack of training is leaving most employees uneducated concerning phishing tactics and, in most cases, even unaware of security protocol. Over half the organizational leaders surveyed (56%) said that some employees do not adhere to security policies.

Organizations are starting to take steps in the right direction concerning employee education and fortifying e-mail security with 38% of them increasing their security budgets next year, and over a third (36%) planning to implement instant messaging applications such as Slack or Yammer, to reduce email traffic.

Interestingly, instant messaging solutions, especially Slack, as it is quickly becoming the standard platform for many organizations, has its own security issues. Slack messages are not encrypted because, for the most part, organizations do not want Slack to encrypt messages. IT security in most organizations want to handle the encryption themselves or simply use Slack for non-sensitive communications.

 

Seventy-Six Percent of Businesses Suffered a Phishing Attack Breach

In a separate study with Wombat Security, now part of Proofpoint, 76 percent of businesses suffered a security breach as part of a phishing attack. The survey found that the average employee gets 16 malicious emails per month which is a 65 percent increase over last year.

In addition, 30 percent of phishing messages are opened by employees, according to Verizon data, and 12 percent of the most unfortunate employees click on the malicious link or attachment that starts the attack chain. The breach, on average will cost a mid-sized business roughly $1.6 million per successful phishing attack according to the Ponemon Institute.

To emphasize the point, as many as 87% of 280 decision makers in the Industry Inbox survey have predicted email threats to increase in the coming year so let’s take a few minutes to provide 6 ways you can protect yourself, your fellow employees and your customers.

 

6 Easy Ways to Stop Phishing Attacks

Browse securely with HTTPs

Always use a secure website shown by https:// and a security “lock” the icon in the browser’s URL address bar. The http designation (without the “s” for security) is less secure because your data is not encrypted.

 

Watch out for shortened links

When you receive a suspicious e-mail requesting that you click on a link, hover over the link to make certain the link is taking you to a site that is at least related to the content and brand of the e-mail. Always be wary of clicking on links in emails; the most common phishing techniques use links that have been renamed or shortened to mask that they are taking you to a site that is unrelated to the e-mail.

 

GDPR Phishing Attacks

In May 2018, the European Union introduced the General Data Protection Regulation, a new regulation designed to standardize data protection law across the EU. This legislation forced organizations to send a flood of emails that we all have received on a daily basis since the law was passed. In addition, because the law affects most Canadian and American companies, North Americans received just as many phishing scams as our European friends.

Cybercriminals capitalized on this opportunity by impersonating companies like Airbnb and sent out phishing messages from a bogus e-mails address that had nothing to do with company – @mail.airbnb.work. The email said that Airbnb hosts would not be able to accept new bookings until they accepted a new privacy policy which was contained in a link to a website where cybercriminals collected login credentials and financial information from the unsuspecting victims.

 

Billing Scams

Changing financial information due to a change in banks, checking accounts, expired credit cards is common and scammers are taking advantage of it. For example, with more than 150 million subscribers, the Netflix brand was used to scam thousands of unsuspecting victims. A number of Netflix phishing emails have circulated since last year, asking recipients to update their payment information to avoid having their account suspended. The link in the email leads to a fairly well-designed website that steals the victims log-in credentials and payment information.

 

Phishing messages have commonalities – Identify them

Phishing attacks can look sophisticated; especially many of the whaling, spear-phishing and brand impersonation e-mails. One of the easiest ways of identifying phishing e-mail is to familiarize yourself with language that is often used in the fraud. This often includes:

• Typos, grammatical errors, and phrasing that sounds like it would likely not come from a corporation.
• Requests to verify your account, address, banking information, and other sensitive information by re-entering that information on another site or landing page.
• Openings that start with “Greetings, Customer, or Sir or Madam” rather than using your real, full name.
• Language that has an unreasonable date to complete the request like “Midnight tonight” or worse yet “Immediately.”

 

We hope these 6 recommendations help you avoid the various phishing attacks that have ensnared many of the good, unsuspecting folks out there. If you get a suspicious e-mail, contact us, we would be happy to walk you through a solution!