Phishing Trips: Is Your Company Being Taken on One?

Back in the good old days when vacation time came around, the expression was “Gone Fishing.”  Boy, how times have changed in this new age of technology and cyber hacking!

Phishing has nothing to do with the sport of fishing– it’s a critical element of Internet Technology. Phishing is a process where nefarious hackers attempt to steal your passwords with a purpose of fooling people into downloading malware.

Phishing is a process where nefarious hackers attempt to steal your passwords with a purpose of fooling people into downloading malware.

Phishing has become a critical problem for businesses of all sizes. In fact, recent statistics show that  93 percent of phishing emails now deliver some type of ransomware, malware or other type of cyber attack. The worst part of these phishing attempts is that people are easily baited and don’t even realize they’ve been had until the system is infected.

Cyber security experts suggest that phishing attacks come in all shapes and sizes, but usually target specific individuals within an organization, especially those who have access to sensitive corporate data.

Just recently, Verizon sent out a warning stating that as few as 10 phishing emails can have up to a 90-percent chance of reeling in a sucker. The problem is that most targets are not hi-tech gurus. They’re professionals in areas such as manufacturing, retail, real estate or other industries, but they’re unaware of the new bait and switch tactics taking place over the web. These folks often think they’re opening a trusted news channel, dating site or generic puppy training video when the boss isn’t looking – and what happens? Bang! They let malware, ransomware or a virus in.

What Do You Do?

So what should you and your staff be looking out for to stay safe? Here is a list of the most common phishing techniques:

1. Mass-Market Emails

The most common method of attack comes by tricking someone into thinking that email comes from a trusted source. The message and header seems familiar enough. It could say, “UPS is trying to deliver a package.” Or, “Hi remember me?” Or, “I’ve been trying to reach you.” I even got one recently that said, “Is this you?” Some attacks specifically target organizations and individuals while others rely on methods other than email to get inside.

2. Spear Phishing Is even More Pointed – Targeting You Personally

In general, phishing is about casting a wide net. Spear-phishing, like those in the recent Russian attacks in our election process, goes after specific targets. It makes sense to the cyber criminals: better to go after a select few organizations with money, resources and data than just sending out random emails hoping for a big catch. An attacker may target a government agency, or official, to steal state secrets or secretly control a state or national government official. They often succeed because the attackers carefully tailor information specific to the recipient or include a file name the target is interested in. One that recently worked contained a malicious Visual Basic for Applications (VBA) macro that contained malware called Seduploader.

3. Whaling: Phishing for The Biggest Catches

When the targets are an organization’s top executives it’s called “whaling.”The targets are: data, employee information, and cash that an executive has direct control over. Naturally, information stolen from an executive will be of higher value than that stolen from a regular employee.

This requires a little more work because the hacker needs to know who the intended victim communicates with and what the communication entails – customer issues, legal docs, or even privileged information from the C-suite. Attackers start innocently enough, using social engineering to gather specific information about the victim and the company before launching their harpoons.

4. Heard of BEC, Business Email Compromise? That’s A Hacker Pretending to Be The CEO

BEC scams and CEO email fraud targets key individuals, especially in the organization’s finance and accounting departments. By doing so, it seems an order is coming right from the top – tricking targets into initiating money transfers to unauthorized accounts. By monitoring an executive’s email activity for a period of time to learn about company processes and procedures, the attack email is made to look like it has come from a targeted executive’s account to a regular recipient. Looking important and urgent, it directs a wire transfer to the attacker’s bank account. The haul? Last year BEC scams accounted for more than $4.5 billion in actual and attempted losses.

5. Sending In The Clones

Clone emails are another clever way to fool employees and they work just as well as the originals. The body of the message looks exactly like a previous message, the only difference is the message has been traded for a malicious one. It may say “need to resend the original”  or “this is an update” to explain why the victim was receiving the message again. The hope is familiarity will soothe the receiver into opening the communication without thinking too much about it. Spearphishers even clone websites with fake domains to make the scam more difficult to detect.

6. Over The Phone Phishing Becomes Vishing

Vishing is “voice phishing” using a phone. Typically, the target gets a voice message disguised as a communication from a financial institution asking you to call a specific number and enter your account or PIN number to continue. The voice on the other end belongs to a hacker via a voice-over-IP service. Apple tech support communications are a favorite, using the fear of being hacked to do actual hacking.

7. Spreading Poisonous Messages Is Called Snowshoeing

It’s hard to keep up with the terminology, much less the forms of attack. “Snowshoeing” or “hit-and-run” spam is pushing out messages via multiple domains and IP addresses, so each address has a low volume of messages to avoid spam filtering.

“Hailstorm”, another barrage campaign, works like snowshoeing except with a short time span seeking to outsmart anti-spam tools that filter and block future messages with mass volume in limited time spans. But, usually by then, the hackers are long gone.

Learn to Recognize Phishing Lures

Most ordinary users are not good at recognizing a phishing attack while a savvy one may be able to. But that risk is too great to just leave it hanging out there. Because of that, do a risk assessment gap analysis to make it easier for users to recognize the seriousness of malicious messages. Simple defenses like spam filters are not enough; your organization should consider the implementation of an internal awareness campaign and train your staff to recognize different types of attacks to strengthen security defenses.

One Final Word

Be careful. That email or attachment may look like it comes from a trusted source, but who you may see as a pal, may only see you as chum.

If you would like more information, contact LP3. We will be glad to help you make an informed decision on cyber security for your business or organization.

For more information about our Security Awareness Assessment and Training Services, please visit our website.

Scott Lawler is CEO of LP3 and provides enterprise cyber security architecture advice to government and commercial clients.