Technology is on the rise—and in a likely pairing, so is cybercrime. Globally, its costs are expected to reach $2 trillion by 2019, and it’s spreading fast. But today’s tech criminal masterminds aren’t just focusing on budding technologies. One of their most common forms of attack is through a “push model” phishing ploy that brings them right into unwary users’ field of access via the inbox.
These malicious social engineers are using email and social platforms and connections to tap into organizations’ computer systems to take control of, damage, destroy, or extort personal data and money. In 2016, financial phishing attacks increased by 13.4%, to account for nearly 50% of all phishing attacks.
Phishing continues to evolve and mature, making it crucial for organizations to establish protocols and systems to protect against malicious attacks. Email security systems and even your most savvy IT department aren’t the answers. To outsmart the cybercriminal mind, you must first understand phishing as the competitive business that it is so you can strengthen and safeguard yourself against it. Consider this your guide to phishing and how to escape its hook.
The rise of phishing
Perhaps you’ve heard the term, and you know it’s problematic. But what exactly is phishing? Phishing is a product of a fast-moving digital age, when we just want to complete the task at hand—and hackers take advantage of our hurry. By embedding malicious links, or providing attachments that install malware when clicked or downloaded, they can hold your data hostage to demand ransom money or trick recipients into providing their personal data.
Placing phishing pages around the web for unsuspecting visitors used to be the vogue. But the phishing of today has evolved, and email phishing has superseded it in prominence. Why? It provides hackers an instant gateway and the ability to cast a wide net, or create a targeted attack strategy instead of waiting for untargeted web users to happen upon the page.
While the U.S. has labeled phishing as its top hacker threat, Australia has seen a major rise in phishing attacks, putting it ahead of Brazil, Canada and the U.K. as the top phishing target. In one month alone, phishing emails increased by 5.5%, increasing the number to 70.4% of emails. From 2015 to 2016, the continent saw an increase of 6.3 million phishing emails, and in the first half of 2016 alone, Aussies lost more than $375,000 through unwary email opens and link clicks. Reports show that 155M Aussie users in 2016 tried to access a variety of phishing pages, 73.5M of which were financial phishing schemes.
Today’s phishers have gone undercover to become more covert and virtually undetectable. And like any business looking to keep costs low and increase their profit margin, ill-willed social engineers have found a way to earn maximum dollars with little overhead. Cybercrime is cheap. Phishers looking to take advantage of underprepared or unpatched organizations need simply send an email, or masquerade as a known entity, to profit.
As phishing attacks become more commonplace, hackers are finding new ways to target individuals and organizations. Here are 3 of the most common strategies phishers are utilizing through email.
Spear phishing attacks
Like its name states, these are pointed, targeted attacks aimed at individuals or organizations. Hackers already have enough knowledge about an organization to position their email in a way that converts to a click. When Democratic National Convention (DNC) staff received an email from “Google” prompting them to change their password, Russian hackers used their compliance to install malware and access private information. One survey found that spear phishing attacks cost an average of $1.6M and make up 91% of cyberattacks.
These sophisticated attacks take more time and effort—but have pulled the wool over the savviest tech eyes. Google and Facebook staff fell prey to emails requesting payment for goods from a “known” brand, and lost $100M. This onslaught of Soft Targeting is prominent in Australia, where hackers mine information to assume the identity of a contact, major brand, or CEO, and distribute designer malware throughout the organization. Once they’ve assumed an identity, unwary businesses are on the hook and at their whim.
Ransomware has boomed in popularity since 2015. In March 2016, 93% of phishing emails flooded inboxes with ransomware. It has now become the most common form of attack, most often in spear-type campaigns. The most famous example was the recent, and most costly, WannaCry outbreak. Hackers infected computers and files in at least 150 countries, encrypting information and demanding ransom money in bitcoins to decrypt the data, resulting in billions of dollars in loss.
Why phishing is such a threat
Email phishing attacks are unnerving, masquerading as the good and safe, only to infect and destroy. At a basic level, it kills productivity by making data inaccessible or forcing IT departments to turn their energy to addressing problems and hacks. It puts entire organizations, their staff, and their customers at financial risk. Since it doesn’t cost much to launch an email campaign, what is simple and cost-effective for hackers can cost everything for victims. A phishing virus spreads like wildfire because it is capable of taking over a computer system, emailing itself to users and customers in the network, taking on identities, and wreaking havoc and destruction.
Phishing: Signs to watch for
Lest you be lulled into a false sense of security by technology systems, know that cybersecurity is constantly evolving and hackers are strategically staying outside of the security bubble. Hackers are in tune with their target audiences and the digital world. But sophisticated as they might be, they can’t eliminate the red flags, and there are plenty if you look for them. With more people and companies than ever using social media, knowing how hackers position their messaging to get you to click is crucial. Here are some of the top email subject lines and tactics hackers use to draw on existing platforms for clout.
They also tend to use these more general sets of subject lines to entice and lure recipients into opening emails and clicking therein.
Other red flags:
- Mistakes: Misspellings and grammar mistakes, as well as a suspicious or generic look to an email, can tip you off that something isn’t right.
- Links and downloads: Thoroughly examine emails with links or downloads before taking action, even if the request or document appears to have been sent from within the company or by someone you know.
- Requests for personal data: Never give sensitive information by email; ignore these requests to save your data and financials.
- Immediacy: Slow down and examine emails and prompts for immediate action, such as changing passwords.
- Online payments: When paying online, ensure that the site is legitimate and has the padlock symbol on the right side of the search bar.
- Hyperlinks: Phishing emails contain URLs and hyperlinks that aren’t what they appear to be. Hover your mouse over questionable links to see if the addresses match.
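The two red flags above that a machine can check before a human ever hovers a mouse are the mismatched hyperlink (visible URL text pointing at a different host than the real href) and the pressure to act immediately, such as a password-change prompt. The script below is an added example, not code from the original article or from any product it mentions; it parses a constructed sample message (the domains under `.test` are placeholders, not real phishing infrastructure) and reports both signals so a mail-handling team can triage reported emails consistently.

```python
"""Flag two phishing red flags in an email: hyperlinks whose visible text
names a different host than their real href, and urgency prompts such as
"change your password immediately". Added example; not from the article."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message. All domains are ".test" placeholders.
SAMPLE_EMAIL = """\
From: IT Support <support@example-corp.test>
To: staff@example-corp.test
Subject: Immediate action required: change your password
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Please change it immediately at
<a href="http://login.example-corp.test.attacker-placeholder.test/reset">https://login.example-corp.test/reset</a>.</p>
<p>Questions? See <a href="https://help.example-corp.test/faq">https://help.example-corp.test/faq</a>.</p>
</body></html>
"""

# Phrases the article lists as pressure tactics (immediacy, password changes).
URGENCY_PATTERNS = [
    r"\bimmediate(ly)?\b",
    r"\burgent\b",
    r"\bexpires? today\b",
    r"\bchange your password\b",
]


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercase host of a URL; schemeless text like 'a.test/x' is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname.lower() if parsed.hostname else None


def mismatched_links(html_body):
    """Links whose visible text looks like a URL but names a different host
    than the href the browser would actually open (the 'hover' check)."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        looks_like_url = re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I)
        shown = host_of(text) if looks_like_url else None
        if shown and host_of(href) != shown:
            findings.append({"shown": text, "actual": href})
    return findings


def urgency_hits(subject, html_body):
    """Urgency patterns present in the subject or the tag-stripped body."""
    text = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    return sorted({p for p in URGENCY_PATTERNS if re.search(p, text)})


def score_message(raw):
    """Parse a raw RFC 5322 message and return both red-flag findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",)).get_content()
    subject = str(msg["Subject"] or "")
    return {
        "mismatched_links": mismatched_links(body),
        "urgency_hits": urgency_hits(subject, body),
    }


if __name__ == "__main__":
    for key, value in score_message(SAMPLE_EMAIL).items():
        print(key, value)
```

On the sample message the first link is reported because the text shows `login.example-corp.test` while the href really goes to a longer host that merely starts with that name, and three urgency phrases fire; the help-desk link passes because text and href agree. Neither signal alone proves phishing, which is why the output is meant to prioritise human review rather than block mail.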
Steps to guard against phishing threats in your organization
Phishing has become a fact of the digital world, and as companies become more technologically oriented, the threat increases. Follow these steps to protect your organization and your network from the wiles of strategic hackers.
- Don’t give in to false security
Too many companies give in to false notions that their security systems will prevent attacks. But cybercrime is ever-evolving, and preventative technology hasn’t been able to keep up. Staying wary, and preparing not only for phishing attempts but also for what to do in the aftermath, could save your company time and money. Use an external partner to conduct a phishing test to see how susceptible your staff are.
- Ramp up security
There’s more to serious protection than email security alone. Strengthening and securing your email gateway systems is crucial to protect against malicious outbreaks. Email security shouldn’t exist in an IT silo. It involves your entire company, so it should be part of your overall risk management program.
- Update company systems
The WannaCry hackers used an outdated Microsoft OS as an entry point. Keeping your systems and applications up to date can minimize the risk of hackers who have had time to weasel their way into older systems.
- Train staff to be aware of threats
Only 25% of IT leaders believe their staff is adequately prepared to identify a cyber threat. But your employees should be your top line of defense against cybercrime. By training them to recognize the signs of malicious attack attempts, you can safeguard your company from the ground up.
Since the WannaCry ransomware outbreak, organizations have become more aware than ever of their vulnerability to cyberattacks. Developing a strategic understanding of how phishing works and establishing a line of defense is your best weapon for staying off the hook. Get an external partner to conduct a phishing test.