Phishing Scams: Fact or Fiction?

By Karl Sigler

Phishing attacks can do a considerable amount of financial damage to a company and impact its reputation. These scams can target companies of all sizes and in all industries. Facebook and Google are unfortunately both recent examples of how dangerous a phishing scam can be. This past year, the tech giants were robbed of more than $100 million USD after a cybercriminal targeted them by impersonating an Asia-based manufacturer that both businesses regularly use. In this instance, the United States Justice Department was able to arrest the alleged cybercriminal, but that hasn’t stopped other hackers from developing and deploying phishing scams of their own.

This past year, the frequency of phishing scams has risen by 11 percent to become the second highest method of cyber compromise. Implementing effective security solutions and internal processes is the best way to ensure your organization is protected from phishing (or any other types of) cyber attacks. That said, phishing scams, in particular, can be tough to spot, because criminals use tricky social engineering techniques to lure unsuspecting victims into providing information that will help them move stealthily inside the organization’s networks.

Because phishing is so prevalent, companies have had to train staff to be more aware of scammers’ typical tactics, such as being on the lookout for “urgent” emails about invoices or shipping notices, or messages that claim the user’s account will be locked or disabled if a certain action isn’t taken immediately. To stay one step ahead, cybercriminals have adapted their methods to evade the tips being frequently shared by the security industry, continuously creating new, clever strategies to deceive victims.

Below we’ve dispelled four common phishing myths to help employees and outside partners be even more adept at identifying these crimes. 

Myth 1: Phishing Emails Are Easy to Detect

As organizations move toward digital transformation, employees are having to become more and more tech-savvy. This has created the belief that employees should be able to spot a phishing scam right away if it were to land in their inbox or if they receive a questionable phone call, but this is not the case. Cybercriminals know that today’s employees understand technology, and have therefore developed ways to make scams more difficult to catch.

Attackers often use targeted spear phishing and well-planned strategies that exploit what a user already knows and expects. Hackers will research the third-party vendors or partners the company or individual works with regularly, then craft a spoofed email that includes correct names and job titles, which makes the faux email look more authentic and harder to detect. Within the fake email, the attacker includes a call to action, such as asking the recipient to click on a (malicious) URL or download "important" information that is actually spyware. The attacker can then use information obtained from this initial interaction (e.g., login credentials or account privileges) to gain access to the victim’s email account and masquerade as that person. Once a criminal has access to a user’s system, they can dive further into the company’s network by requesting even more sensitive data from other employees.

Businesses should make sure that their employees are aware of these new, advanced phishing techniques and caution them to pay special attention to anything that requires the employee to click on a link or download a document. Employees should keep an eye out for requests that seem out of the ordinary, even if they appear to come from someone they know. For example, they may receive a downloadable paystub in their inbox at an odd time, or perhaps the tone of an email seems a bit off. Emails that convey a high level of urgency or a time-critical deadline in order to lure them to open an attachment or click on a link should definitely raise suspicion.
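The cues described above (a trusted vendor's name on an unfamiliar sending domain, a Reply-To that goes somewhere else, urgency language, link text that does not match the real link target, and risky attachments) can be turned into a simple mail-filter heuristic. The following is an added example written for this article, not code from the author or from SC Media; the vendor allowlist, the two sample messages and the keyword list are all constructed for illustration, and a real deployment would feed the score into a quarantine or user-warning step rather than act on it alone.

```python
import email
import re
import textwrap
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: display-name fragment -> the domain that vendor really sends from.
KNOWN_VENDORS = {"acme supplies": "acme-supplies.example"}

# Phrases the article calls out as typical pressure tactics (constructed list).
URGENCY_TERMS = ("urgent", "immediately", "account will be locked", "overdue", "within 24 hours")

# Attachment types that warrant a closer look before opening (constructed list).
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".docm", ".xlsm", ".zip", ".html")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_message(raw: str):
    """Return (score, indicators) for one RFC 822 message; score is the indicator count."""
    msg = email.message_from_string(raw)
    indicators = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    # A known vendor's name in the display name, but mail from a different domain.
    for vendor_name, vendor_domain in KNOWN_VENDORS.items():
        if vendor_name in display_name.lower() and from_domain != vendor_domain:
            indicators.append(f"display name '{display_name}' but sender domain {from_domain}")

    # Replies silently redirected to a third domain.
    reply_to_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_to_domain and reply_to_domain != from_domain:
        indicators.append(f"Reply-To domain {reply_to_domain} differs from From domain {from_domain}")

    text, html, attachments = msg.get("Subject", ""), "", []
    for part in msg.walk():
        if part.get_filename():
            attachments.append(part.get_filename())
            continue
        payload = part.get_payload(decode=True)
        if payload is None:  # multipart container, nothing to decode
            continue
        body = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        if part.get_content_type() == "text/html":
            html += body
        elif part.get_content_type() == "text/plain":
            text += "\n" + body

    hits = [t for t in URGENCY_TERMS if t in (text + html).lower()]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))

    # Link text that looks like a URL but points somewhere else.
    collector = LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        if not re.fullmatch(r"(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:/\S*)?", visible):
            continue
        href_host = (urlparse(href).hostname or "").lower()
        shown = visible if "://" in visible else "http://" + visible
        visible_host = (urlparse(shown).hostname or "").lower()
        if href_host and visible_host and href_host != visible_host:
            indicators.append(f"link text shows {visible_host} but points to {href_host}")

    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            indicators.append(f"risky attachment {name}")

    return len(indicators), indicators


# Constructed sample: a routine vendor invoice from the expected domain.
LEGITIMATE_INVOICE = textwrap.dedent("""\
    From: Acme Supplies Billing <billing@acme-supplies.example>
    To: ap@corp.example
    Subject: Invoice 4411 for March
    Content-Type: text/plain; charset="utf-8"

    Hi, the March invoice is attached to the portal as usual. Thanks.
    """)

# Constructed sample: look-alike domain, redirected replies, pressure wording, mismatched link, zip.
SUSPICIOUS_INVOICE = textwrap.dedent("""\
    From: Acme Supplies Billing <billing@acme-supp1ies.example>
    Reply-To: collections@mail-relay.example
    To: ap@corp.example
    Subject: URGENT: overdue invoice - account will be locked
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="b1"

    --b1
    Content-Type: text/html; charset="utf-8"

    <p>Please review <a href="http://acme-supp1ies.example/login">acme-supplies.example/invoices</a> immediately.</p>
    --b1
    Content-Type: application/octet-stream
    Content-Disposition: attachment; filename="invoice_4411.zip"

    ZmFrZQ==
    --b1--
    """)

if __name__ == "__main__":
    for label, sample in (("legitimate", LEGITIMATE_INVOICE), ("suspicious", SUSPICIOUS_INVOICE)):
        score, why = score_message(sample)
        print(f"{label}: score {score}")
        for line in why:
            print("  -", line)
```

Each indicator on its own is weak (legitimate vendors do send zip files and do use the word "urgent"), which is why the function reports the reasons alongside the count: a gateway can quarantine above a threshold, while anything that scores low but non-zero can be flagged to the recipient with the specific reason, reinforcing the training the article recommends.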

Myth 2: Phishing Attacks Only Target Entry-Level Employees

Due to less IT training and workforce experience, entry-level employees may seem like the easier targets for cybercriminals. But phishing attacks can target any employee, and more senior staff typically have greater access to more “crown jewels.”

Extremely targeted attacks called “whale phishing” use highly customized and personalized emails to target C-level executives or other prominent individuals within an organization. Similar to the spear phishing mentioned above, whale phishing, or “whaling,” requires research and background knowledge on the part of the cybercriminal. However, unlike spear phishing, which often targets small groups of employees, whale phishing is more precise, usually targeting only an individual who has access to extensive sensitive or privileged information, like payment data, merger and acquisition information, or new product plans. In these cases, the attacker might request that the target provide sensitive data or payment information on a malicious site created to mimic a third-party vendor. Past whale phishing attacks have imitated subpoenas, messages from the FBI or the IRS, and similar legal notices.

Senior staff should continue to educate themselves on these new techniques and raise an eyebrow whenever they are asked to provide sensitive information via email. In any case, it’s always a good idea to verify the contents and purpose of emails like these either face to face or over the phone (not using any phone numbers contained in the email itself). 

Myth 3: Spending A Lot on Security Solutions Means Better Protection

The right combination of tools, techniques, and processes is still the best protection against phishing attacks, but relying on the latest and greatest shelfware can often give you a false sense of security. Making sure that you have the right security solution in place, with a team that knows how to use it, is extremely important.

The first step in creating the best security posture for your organization is knowing your assets. Find out who has access to what, which third-party vendors or partners are connected, and who has control over and access to payment information and sensitive data. From there, you can determine what security controls you need in place to keep private information private. Doing so may include the acquisition of new technologies or adapting your current resources to your requirements. If your organization doesn’t have the bandwidth for an infosec team, consider a managed security service. If you have a large infosec team, make sure you have firm processes in place for each person, ensuring that your network is continually monitored. An ideal security process assures that your organization is always checking incoming emails, scanning for potentially malicious links or attachments, and stopping “bad” before it reaches an employee. Since phishing scams are becoming more sophisticated and there is a potential for an attack to get through automated tools, educating employees on what to look out for is a vital line of defense.

Myth 4: All Cybercriminals Want the Same Information

It is a common belief that cybercriminals are only phishing for money, creating the misconception that if an employee simply avoids any emails requesting payment information they will avoid becoming an entry point for a phishing scam. While hackers often phish for payment information, phishing attacks can also give a criminal access to launch a deeper internal threat. For example, gaining access to email addresses or login credentials saved on an employee’s computer could open the door for not just further threats within your company, but potential access to partner companies or third parties.

Since cybercriminals look for a variety of information, it is best to take proactive precautions. Looking at the above myths, it is advisable to fully understand the realities of today’s phishing scams and how they are evolving. Start by understanding your assets and what technologies and controls you already have in place to protect them, then determine where you might be lacking and your greatest areas of risk. You can then formulate a phishing-resistant strategy that includes training your employees to notify the proper resources when a malicious email makes it to their inbox, selecting the right security solution to protect your company assets and network, and looking to a managed security service to provide additional insight and technical knowledge. Of course, the final step is keeping your security team and employees educated about best practices, which will help ensure your company doesn’t become the next victim.

Interested in learning more about this topic? Join us at InfoSec World 2018 in Orlando, Florida where we'll be hosting a talk titled, "Life After Phishing: What's Next?"