Reeling them in: Don’t let phishing scammers get their hooks into your business

Threat Intel · Published Nov 23, 2016 · 4 min read

Welcome to Threat Intel’s #WednesdayWisdom column, a weekly read to help improve your cybersecurity knowledge and keep you informed on important developments.

Phishing is one of the oldest tricks in the book for online scammers.

However, even though it has been around for years, phishing emails have still been responsible for some of the most high-profile attacks of recent times.

“The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear phishing,” Homeland Security Secretary Jeh Johnson said recently.

Johnson has a point. John Podesta, Hillary Clinton’s campaign chief, had his email account hacked during the course of the US presidential campaign when he fell for a spear-phishing email. Colin Powell, former US Secretary of State, also saw his email account hacked after he fell for a spear-phishing email.

Meanwhile, the numerous celebs who fell victim to the ‘celebgate’ hack, which saw nude photos of celebrities including Jennifer Lawrence and Kate Upton leaked online, were also the victims of a sophisticated phishing scam.

Phishing or spear phishing?

Phishing and spear phishing aren’t quite the same. Photo by Boriskin Vladislav via Unsplash.

Phishing attacks have been around for a long time and involve sending malicious emails to as many people as possible — thousands or even millions of people may be targeted with the same email, in the hope that even a small percentage will fall for the scam.

Phishing emails generally try to appear as if they are from a trusted source — such as a bank or business associate — and attempt to get recipients to download an attachment or open a link that will then infect their computer with malware.

Spear-phishing attacks are somewhat different. Spear phishing is highly targeted and was the attack method used to harvest information from Podesta, Powell, and the various targeted celebrities. Spear-phishing attacks generally have very specific goals, and attackers will normally do research on the victim and use social-engineering techniques to make the emails appear more convincing, as though they come from someone known to the victim.

As they are highly targeted and customized, spear-phishing attacks generally have a much higher rate of success than traditional phishing attacks.

Ups and downs

Image via Symantec

Symantec has actually observed a drop in the overall email phishing rate (not spear phishing) in the last few years — from 1 in 392 emails in 2013 to 1 in 1,846 emails in 2015, with a further drop likely this year.

However, Symantec research also found that the number of spear-phishing campaigns in 2015 increased, with the attacks becoming stealthier and more highly targeted.

Business Email Compromise (BEC) scams, which have been getting a lot of attention lately, are usually carried out using spear-phishing emails, generally after an attacker has studied the operations of a business.

Symantec research in 2015 found that the financial sector was the most targeted by spear-phishing emails. Some organizations were targeted with spear-phishing campaigns four times during the year. These businesses had to withstand the attack each of those times, while the attackers only needed to succeed once to have made their efforts worthwhile.

Protecting yourself

Don’t get caught out. Photo by Jairo Alzate via Unsplash

Software alone cannot guarantee protection against phishing campaigns; education for both employees and management is also key. However, ensuring you have good email security in place is a key first step in protecting you and your business from phishing attacks. These tips are also worth following:

· Be wary of emails asking for sensitive information, such as passwords, or banking or credit card details. If you are suspicious, call your bank or service provider directly.

· Do not reply to, download attachments, or click on links in suspicious emails.

· Be wary of emails that use scare tactics, such as threatening to disable your account unless you provide certain information.

· Watch out for generic requests, addressed to ‘Sir/Madam’ for example, that indicate the sender does not have any personal information about you or your account.

· Never use links in an email to connect to a website unless you are 100 percent sure they are genuine. Type the URL directly into the address bar to ensure you are connecting to a legitimate site and not one with an address that simply looks similar to it.
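The warning signs in the tips above can also be checked mechanically before a message reaches an inbox. The script below is an added example, not code from the Threat Intel post or from Symantec: it parses one raw email with Python's standard library and reports the indicators the article lists (requests for sensitive information, scare tactics, a generic greeting, and links whose visible text or domain does not match a trusted site), plus two header checks (a Reply-To domain that differs from the sender, and a display name that claims a trusted organisation the address is not from). The TRUSTED_DOMAINS list, the phrase lists and both sample messages are constructed for the demo; the look-alike test (within two edits of a trusted domain) is a deliberately simple heuristic.

```python
"""Phishing-indicator triage for one raw email (added example, not the post's code)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"examplebank.com", "example.com"}  # hypothetical organisation list
GENERIC_GREETINGS = ("dear sir/madam", "dear customer", "dear user")
SCARE_PHRASES = ("account will be disabled", "account will be suspended",
                 "within 24 hours", "verify your account")
CREDENTIAL_WORDS = ("password", "credit card", "card number", "pin")


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased hostname of a URL; a scheme is added if the text lacks one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def same_site(a, b):
    """True when one host equals the other or is a subdomain of it."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def edit_distance(a, b):
    """Levenshtein distance; one or two edits from a trusted name is the classic look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Trusted domain that `host` imitates (within 2 edits), or None if trusted/unrelated."""
    if is_trusted(host):
        return None
    return next((t for t in TRUSTED_DOMAINS if edit_distance(host, t) <= 2), None)


def phishing_indicators(raw_message):
    """Return 'code: detail' strings for every warning sign found in one email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    sender = msg["from"].addresses[0] if msg["from"] and msg["from"].addresses else None
    if sender:
        dom = sender.domain.lower()
        if lookalike_of(dom):
            findings.append(f"lookalike-sender: {dom} imitates {lookalike_of(dom)}")
        # Display name names a trusted organisation, but the address is not from it.
        labels = [t.split(".")[0] for t in TRUSTED_DOMAINS]
        if any(l in sender.display_name.lower() for l in labels) and not is_trusted(dom):
            findings.append(f"display-name-mismatch: '{sender.display_name}' vs {dom}")
        reply_to = msg["reply-to"]
        if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != dom:
            findings.append(f"reply-to-mismatch: replies go to {reply_to.addresses[0].domain}")

    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        parser = _LinkParser()
        parser.feed(content)
        links, plain = parser.links, re.sub(r"<[^>]+>", " ", content)
    else:  # plain text: bare URLs only, no visible-text/href distinction
        links, plain = [(u, "") for u in re.findall(r"https?://[^\s<>\"']+", content)], content
    text = (str(msg["subject"] or "") + " " + plain).lower()

    for href, visible in links:
        real = host_of(href)
        if "." in visible and not same_site(host_of(visible), real):  # text says one site, href another
            findings.append(f"link-text-mismatch: '{visible}' -> {real}")
        if lookalike_of(real):
            findings.append(f"lookalike-link: {real} imitates {lookalike_of(real)}")
    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic-greeting: sender does not know who you are")
    if any(p in text for p in SCARE_PHRASES):
        findings.append("scare-tactics: urgency or threat to disable the account")
    if any(re.search(rf"\b{re.escape(w)}\b", text) for w in CREDENTIAL_WORDS):
        findings.append("credential-request: asks for passwords or card details")
    return findings


def indicator_codes(raw_message):
    """Just the indicator names, convenient for scoring a message."""
    return {f.split(":", 1)[0] for f in phishing_indicators(raw_message)}


# Constructed sample messages (not real mail): one phishing attempt, one benign note.
PHISH = """\
From: ExampleBank Security <alerts@examp1ebank.com>
Reply-To: recovery@mail-verify.example.net
To: victim@example.com
Subject: Your account will be disabled
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Sir/Madam,</p>
<p>Unusual activity was detected. Your account will be disabled within 24 hours
unless you confirm your password and card number.</p>
<p><a href="http://examplebank.com.login-check.example.net/verify">https://www.examplebank.com/secure</a></p>
<p><a href="http://examp1ebank.com/verify">Verify now</a></p></body></html>
"""

LEGIT = """\
From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch on Thursday
Content-Type: text/plain; charset="utf-8"

Hi Bob, are you free for lunch on Thursday? Menu is at https://www.example.com/cafe
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

Run as a script it prints every finding for the two samples; `indicator_codes` gives the bare indicator names, which is what a mail gateway would feed into a score. Note that all of these checks are heuristics a careful attacker can avoid, which is why the article pairs technical controls with user education.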

Check out the Security Response blog and follow Threat Intel on Twitter to keep up to date with the latest happenings in the world of threat intelligence and cybersecurity.

Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.