These are the top phishing scams you need to be aware of…
Despite investment in raising awareness and in new and better protective technology, phishing emails continue to get past small business defences and into employees' inboxes. Once they are there, it is almost guaranteed that someone will click on them.
Phishing attacks continually cause havoc for companies. Early in November 2017, experts spotted a new phishing campaign targeting Netflix users. Emails claiming to be from the TV and movie streaming company targeted business accounts in an attack that could, if unsuspecting employees clicked on it, hand cyber criminals login details for corporate IT systems. Despite widespread awareness of data protection and online safety, many people still sign up for services (both business and consumer) using their work email address, putting company data and information at risk.
But phishing is not just about users having their data breached; it is more dangerous than that because of the additional information attackers can harvest, such as logins, geolocation, secret questions, phone numbers and device identifiers.
Businesses constantly remind employees to watch out for phishing attacks, yet the message does not seem to get through, particularly to people who have never been affected by a phishing attack before. According to statistics from a phishing and ransomware prevention company, in early 2016, 93% of phishing emails carried ransomware. Further to this, a Verizon cyber security report found that a campaign of just 10 phishing emails has a 90% chance that at least one person will fall for it.
Here, we outline some of the most common phishing attacks, to help small businesses understand what they’re up against and make their employees more aware of the threats.
Mass-market phishing
Mass-market phishing is the most common form of fraudulent email attack. A mass-market email is one in which a cyber criminal pretends to be someone else to trick the recipient into giving something away, whether that means logging into a fake website or downloading software with malware attached. These attacks usually rely on email spoofing, which makes the message header (the From: field) appear to come from a trusted sender. The From: field is written by whoever sends the message and carries no guarantee on its own; SPF, DKIM and DMARC exist so that the receiving mail server can test whether the claimed sending domain actually authorised the message.
The brands most commonly impersonated in mass-market phishing are big, recognisable companies such as UPS, FedEx, Apple ID, PayPal and Office 365.
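The checks a mail gateway or analyst can run against the headers described above, as an added example (this code is not from the original article and is not any product's implementation). It uses only the Python standard library. The two messages are constructed samples, the Authentication-Results values are what a receiving server would record after its own SPF/DKIM/DMARC checks, and the brand allow-list is an assumed, deliberately short table. The second sample shows the case that header checks alone do not catch: the attacker owns the sending domain, so every authentication check passes and only the brand name in the display name is suspicious.

```python
import email
import re
from email.utils import parseaddr

# Simplified allow-list of commonly impersonated brands and the domains they
# really send from. Illustrative only (assumed); a production list is far longer.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "ups": {"ups.com"},
    "fedex": {"fedex.com"},
    "apple": {"apple.com", "icloud.com"},
    "office 365": {"microsoft.com", "office.com"},
}

# Constructed sample 1: classic header spoofing. From: claims paypal.com, but the
# envelope sender and Reply-To belong to the attacker, and the receiving MTA has
# already recorded a DMARC failure. (Invented headers, not a real capture.)
SAMPLE_SPOOFED = """\
Return-Path: <bounce@mail-notify-service.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-notify-service.example; dkim=none; dmarc=fail header.from=paypal.com
From: "PayPal Service" <service@paypal.com>
Reply-To: <verify-account@mail-notify-service.example>
To: employee@smallbiz.example
Subject: Your account has been limited

Please confirm your details at the link below.
"""

# Constructed sample 2: no spoofing at all. The attacker owns the sending domain,
# so SPF, DKIM and DMARC all pass; only the brand name in the display name is off.
SAMPLE_LOOKALIKE = """\
Return-Path: <noreply@ups-parcel-update.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=ups-parcel-update.example; dkim=pass header.d=ups-parcel-update.example; dmarc=pass header.from=ups-parcel-update.example
From: "UPS Delivery Notice" <noreply@ups-parcel-update.example>
To: employee@smallbiz.example
Subject: Package could not be delivered

Reschedule your delivery here.
"""


def domain_of(header_value):
    """Lower-cased domain of the first address in a header value ('' if none)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def auth_results(header_value):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header."""
    pairs = re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", header_value or "", re.I)
    return {method.lower(): verdict.lower() for method, verdict in pairs}


def spoofing_indicators(raw_message):
    """Return a list of indicator tags for a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # 1. Verdicts the receiving MTA recorded when it checked SPF/DKIM/DMARC.
    for method, verdict in auth_results(msg.get("Authentication-Results")).items():
        if verdict in ("fail", "softfail", "permerror"):
            findings.append(f"{method}={verdict}")

    # 2. Envelope sender (Return-Path) domain differs from the header From.
    #    Legitimate bulk mailers do this too, so on its own it is a weak signal.
    return_path_domain = domain_of(msg.get("Return-Path"))
    if return_path_domain and return_path_domain != from_domain:
        findings.append("return-path-domain-mismatch")

    # 3. Replies are steered to a domain other than the claimed sender's.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-domain-mismatch")

    # 4. A brand in the display name whose real domains do not include From.
    #    Substring matching is deliberately crude ("groups" contains "ups").
    name = display_name.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name and from_domain not in domains:
            findings.append(f"brand-display-name-mismatch:{brand}")

    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("lookalike", SAMPLE_LOOKALIKE)):
        print(label, spoofing_indicators(sample))
```

Run stand-alone it prints the indicator list for each sample. The important design point is in check 2: a Return-Path that differs from From: is normal for newsletters and ticketing systems, so it should raise the score of a message rather than block it, whereas a DMARC failure on a domain that publishes a reject policy is something the receiving server can act on directly.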
Spear phishing
Spear phishing attacks are constructed to target highly specific businesses and individuals. Because the targets are considered high-value victims, the campaigns sent to them are usually far more sophisticated, which makes them harder to spot. Cyber criminals aim these campaigns at just a handful of organisations or people, rather than at thousands of recipients as in a mass-market attack.
For example, a nation-state attacker might spear phish a specific employee or official of another government's agency in the hope of obtaining state secrets.
Whaling
Whaling is a particular type of phishing that goes after a business's top executives or managers. The victim is selected because they are considered very high value: any information stolen from them will be far more valuable than anything a lower-level employee could provide to an attacker.
Stealing a CEO's account credentials, for example, gives an attacker access to data, employee information and potentially money.
A whaling attack requires extra work on the phisher's part, as they need to know exactly who the chosen executive talks to and what they talk about. These attacks normally start with social engineering and open-source research to gather data about the person and the company before the attack message is written. Common pretexts include legal documents, faked customer complaints and company issues discussed at executive level.
Business Email Compromise (BEC)
BEC attacks target specific people in the accounting and finance departments, using emails that impersonate the CEO or another senior figure to trick victims into authorising money transfers to accounts the attacker controls. In the account-takeover variant, the first step is to gain access to the mailbox of senior personnel, such as a high-level executive or financial manager, using either an existing malware infection or a spear phishing attack.
The phisher then sits and waits, monitoring the compromised mailbox to learn the company's procedures and payment systems. The attack itself usually takes the form of an email sent from the compromised account to someone in finance or accounts. It will be marked as important and will ask the recipient to wire money to an unfamiliar or external bank account. Because the message really does come from the executive's mailbox, it passes SPF, DKIM and DMARC checks and looks like every other email from that sender; the only reliable defence is to verify any new payee or change of bank details out of band, by phone or in person, before money moves.
These attacks can be incredibly lucrative. In America, the FBI's Internet Crime Complaint Center says these scams have generated more than $4.5 million in losses and are a huge problem globally.
Clone phishing
This type of phishing involves the attacker crafting an almost exact copy of a real message so that the victim believes what they have received is genuine. The message is sent from an email address that looks like the real sender's, and the message itself is styled in the legitimate sender's template. The difference, of course, is that the attachment or clickable link leads somewhere malicious.
The email is based on a previously sent legitimate message. The cloned email will explain that the original had to be resent, or that this is an updated version, which makes it arguably more convincing to the victim. Another form of clone campaign involves the attacker building a complete clone of a real website on a lookalike domain to fool the victim further.
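The sender address and the cloned site in a clone phishing attack both depend on a domain that looks like the real one, so a practical check is to score any domain seen in From:, Reply-To: or a link against the handful of domains the organisation knows to be genuine. The following is an added example, written for this page rather than taken from the article or any product; the list of genuine domains and the confusable-character table are assumptions, and the registrable-domain logic is deliberately naive (it takes the last two labels instead of consulting the Public Suffix List). It covers the common tricks in one function: the brand domain buried as a subdomain, the same label on a different top-level domain, the brand label padded with extra words, homoglyph substitutions, and one- or two-character typos.

```python
# Character sequences that read as another character in common fonts, mapped to
# what the eye sees. Illustrative subset (assumed); real confusable tables are larger.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]

# Domains the organisation treats as genuine for these brands (assumed list).
LEGIT_DOMAINS = ["paypal.com", "ups.com", "fedex.com", "apple.com", "microsoft.com"]


def normalize_label(label):
    """Fold a DNS label to the form a reader would perceive it as."""
    label = label.lower().replace("-", "")
    for glyphs, plain in HOMOGLYPHS:
        label = label.replace(glyphs, plain)
    return label


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_part(domain):
    """Naive registrable domain: the last two labels. A real implementation
    would consult the Public Suffix List so that suffixes like co.uk work."""
    return ".".join(domain.split(".")[-2:])


def lookalike_of(domain, legit_domains=LEGIT_DOMAINS, max_distance=2):
    """Return (legit_domain, reason) if `domain` resembles a genuine domain
    without being one, or None if it is genuine or simply unrelated."""
    domain = domain.lower().strip(".")
    for legit in legit_domains:
        if domain == legit or domain.endswith("." + legit):
            return None  # the real domain, or a real subdomain of it

    label = registrable_part(domain).split(".")[0]
    for legit in legit_domains:
        legit_label = legit.split(".")[0]
        # paypal.com.secure-login.example: the whole brand domain as a subdomain.
        if ("." + legit + ".") in ("." + domain + "."):
            return legit, "brand-domain-as-subdomain"
        # paypal.co: same label, different top-level domain.
        if label == legit_label:
            return legit, "same-label-different-tld"
        # ups-parcel-update.example: the brand label padded with extra words.
        if legit_label in label.split("-"):
            return legit, "brand-label-with-extra-words"
        # paypa1.com, rnicrosoft.com: visually identical once folded.
        if normalize_label(label) == legit_label:
            return legit, "homoglyph"
        # fedx.com: a typo away. Only applied to labels long enough that short
        # brands such as "ups" are not matched against innocent words ("cups").
        if len(legit_label) >= 5 and levenshtein(label, legit_label) <= max_distance:
            return legit, "edit-distance"
    return None


if __name__ == "__main__":
    for candidate in ["paypal.com", "www.paypal.com", "paypal.com.secure-login.example",
                      "paypal.co", "ups-parcel-update.example", "paypa1.com",
                      "rnicrosoft.com", "fedx.com", "cups.com"]:
        print(candidate, "->", lookalike_of(candidate))
```

The checks are ordered from most to least specific so that the reason reported is the most useful one; `paypal.co`, for instance, is reported as a TLD swap rather than as the brand label with extra words, even though both tests would match it.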
Snowshoeing
Also called 'hit and run' spam, this kind of campaign pushes emails out through many IP addresses and domains at once. Each IP address sends only a small number of messages, which keeps every individual sender below the thresholds that volume- and reputation-based spam filters use to detect and block it. That makes it much more likely that some messages reach inboxes before the filters learn what they are.
Hailstorm
Hailstorm campaigns are like snowshoeing, except that the emails are sent out over a very short period. A hailstorm run stops at about the point a spam filter spots it and updates to block it, but by then the attackers have already moved on to the next campaign.
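Both snowshoeing and hailstorm defeat filters that judge each sending IP on its own, so the detection that works is to group messages by what they have in common (here, the landing-page host in the link) and then look at how the group is spread across source IPs and time. The following is an added example written for this page, not code from the article or from any mail gateway product. The log format, the three thresholds and the three sample campaigns are all constructed for the demonstration; the IP addresses come from the documentation ranges. A group spread over many IPs with at most a couple of messages each is labelled a hailstorm when it arrives inside a short window and a snowshoe run when it trickles in over a longer period, while a large volume from one IP is the easy case that per-sender filters already handle.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Gateway log format assumed for this example (constructed, not a real product's).
LOG_RE = re.compile(
    r'^(\S+) ip=(\S+) from=\S+@(\S+) subject="[^"]*" url=\w+://([^/\s]+)'
)


def constructed_log():
    """Build sample gateway lines: one snowshoe run, one hailstorm, one bulk sender."""
    base = datetime(2017, 11, 6, 9, 0, 0, tzinfo=timezone.utc)
    lines = []
    # Snowshoe: 12 messages over two hours, every one from a different IP and a
    # different throwaway sender domain, all pointing at the same landing site.
    for i in range(12):
        t = base + timedelta(minutes=10 * i)
        lines.append(f'{t:%Y-%m-%dT%H:%M:%SZ} ip=203.0.113.{i + 1} '
                     f'from=billing@invoice-portal-{i}.example subject="Invoice overdue" '
                     f'url=http://docs-view-portal.example/login')
    # Hailstorm: the same spread of IPs and domains, but 15 messages inside a minute.
    for i in range(15):
        t = base + timedelta(seconds=4 * i)
        lines.append(f'{t:%Y-%m-%dT%H:%M:%SZ} ip=198.51.100.{i + 1} '
                     f'from=notice@delivery-alert-{i}.example subject="Package held" '
                     f'url=http://track-parcel-update.example/')
    # Legitimate newsletter: 20 messages, one IP, one domain. Volume filters see
    # this easily; it is the distributed campaigns above that they miss.
    for i in range(20):
        t = base + timedelta(seconds=i)
        lines.append(f'{t:%Y-%m-%dT%H:%M:%SZ} ip=192.0.2.10 '
                     f'from=news@newsletter.example subject="Weekly update" '
                     f'url=http://newsletter.example/issue')
    return lines


def classify_campaigns(log_lines, min_messages=10, max_per_ip=2,
                       hailstorm_window=timedelta(minutes=10)):
    """Group messages by landing-page host and label each group.

    Thresholds are assumptions for the example. A group is 'distributed' when it
    spans many source IPs with only a few messages per IP, the pattern that
    per-sender reputation filters are blind to. Distributed and compressed into
    a short window: hailstorm. Distributed over a longer period: snowshoe.
    Anything else: concentrated.
    """
    groups = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, ip, sender_domain, url_host = m.groups()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        groups[url_host].append((when, ip, sender_domain))

    verdicts = {}
    for host, events in groups.items():
        if len(events) < min_messages:
            continue
        per_ip = Counter(ip for _, ip, _ in events)
        times = [t for t, _, _ in events]
        span = max(times) - min(times)
        distributed = (len(per_ip) >= min_messages // 2
                       and max(per_ip.values()) <= max_per_ip)
        if distributed and span <= hailstorm_window:
            verdict = "hailstorm"
        elif distributed:
            verdict = "snowshoe"
        else:
            verdict = "concentrated"
        verdicts[host] = {
            "verdict": verdict,
            "messages": len(events),
            "distinct_ips": len(per_ip),
            "distinct_sender_domains": len({d for _, _, d in events}),
            "span_seconds": int(span.total_seconds()),
        }
    return verdicts


if __name__ == "__main__":
    for host, info in classify_campaigns(constructed_log()).items():
        print(host, info)
```

In a real deployment the grouping key matters more than the thresholds: attackers rotate sender domains and subjects freely, so the landing host, a URL path template or an attachment hash are the features that stay constant across a campaign and should drive the grouping.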
Ultimately, there are several strategies you can implement to keep your business protected from phishing attacks, but the first step is always awareness. When you and your employees know what to look for, it is easier to stay protected. But software