The complexity and volume of cyber attacks are increasing in tandem, as enterprises and small and medium-sized businesses alike continue to find themselves on the bad end of a cyber attack. To make matters worse, new cyber crime tactics are being conceptualized at this very moment – largely in response to new threat vectors such as the Internet of Things and smart-city infrastructure.
While protecting the cutting-edge of technology will be a herculean task unto itself, cyber security specialists will also continue to face threats via one of the most commonly leveraged communication platforms in the modern world: email. Phishing scams are oldies but goodies. When they target email accounts, or other work-related account information, they can wreak havoc in the enterprise.
Phishing scams: The basics
In 2012, Trend Micro conducted research that shed light on how spear-phishing scams are typically executed, who the prime targets are and most importantly, why they are so favored by hackers. Among the findings was the revelation that email was the most common medium for spear-fishing tactics. Typically, an individual will receive a seemingly harmless email, often from what appears to be a trusted source. This first part is where hackers can get really creative and extra malicious, and it’s the reason Trend Micro refers to phishing as a “highly targeted” attack method. The email must appear authentic, and it must come from a logical enough source that a user would actually believe the message to be viable. For example, some hackers use the holiday shopping season as a way to get users to open links to fake deals, or download malicious files disguised as coupons.
Other less timely, but equally vicious ploys use an already hacked email account to execute more phishing scams. An email from an important client may appear in an employee’s inbox, requesting that he or she download the attached .PDF. Any message included in the body of the email will be general, for example “Please see the attached file and get back to me,” so that there is little indication that something might be amiss. Should the employee download the file, malware can then infiltrate a system. Trend Micro notes that most scammers have stopped using .EXE files because they are too conspicuous. Instead, they will typically use .PDF, .DOC, .XML or other regularly used file types within an industry. Depending on the specific business targeted, the cyber criminal may even favor one file type over another.
According to Trend Micro, 94 percent of spear-phishing emails will incorporate the use of attachments in their targeted attack. In a corporate setting, users are generally more cautious about opening links to unknown Web locations. Furthermore, because many organizations rely on file sharing for collaboration, it is more difficult to frame a believable message for why a corporate user should open a link than it is to simply request that the attached file be reviewed. This highlights the main reason why hackers continue to use phishing scams: They get the job done. For this reason, many technology specialists believe that phishing will continue to cause problems in 2016 and beyond.
The severity of the situation is increasing
Nowadays, in-depth Google searching is sometimes all it takes for a hacker to find the email address of his or her next target. With more hands-on, savvy methods, there is almost no limit to the degree of information a cyber criminal can acquire. Take the recent example of the email hacks orchestrated against CIA Director John Brennan. The culprit was a teenager who, according to Wired, managed to get Verizon to divulge Brennan’s personal data by posing as one of the company’s technicians. Included in this information was Brennan’s AOL email address. The hacker then contacted AOL, and was able to use the previously acquired information from Verizon to reset the account password. Just like that, a teenager hacked the top-ranking CIA official’s personal email account.
No sensitive or classified data was leaked as a result. While this scam does not fit the classic mold of a phishing scam, it still exemplifies just how resourceful cyber criminals have become. Imagine, for example, that the teenager had taken this ploy a step farther, and attempted to use the CIA director’s account in attempt to scam other high-level officials. The event highlights the fact that one successful email breach can have far-reaching, severe consequences to an organization.
That said, email is not the only venue for phishing. By mimicking employee login portals, hackers are able to capture login information allowing them to steal millions of online health records. Once again, this highlights just how crippling a phishing attack can be to an organization.
Throw in social engineering – researching and connecting with potential targets – and the growing threat of watering hole tactics – which implant malware into legitimate websites that targets are likely to visit – and it’s almost unsurprising that phishing has been instrumental in the majority of targeted attacks to date, according to Trend Micro. More importantly, this trend shows no signs of abating in 2016 and beyond.
Now more than ever, organizations must spare no effort to protect login information and email accounts. Security solutions such as email encryption from Trend Micro can help save companies a big headache and a handful of cash down the road. Contact Trend Micro today to learn more about how to avoid becoming the victim of a phishing scam.