In cybersecurity the familiar is dangerous. Because of this, we have to keep re-examining what we “already know” and refreshing our knowledge. Without that attention, cracks in the system widen until serious threats fit through and shatter that complacency, along with business reputations and accumulated wealth. As in healthcare, continuing education in cybersecurity isn’t just a best practice; it is the only approach that keeps pace with a threat that keeps changing. Phishing is a prime example.
By now, we all know phishing and the standard precautions it calls for: be suspicious of links in email, check where a link really goes by hovering over it before clicking, and verify any event that supposedly triggered a message by going directly to the sender’s website rather than through the link.
Easy. Almost second nature. Unfortunately, it’s also not enough. Rote as those precautions may be, phishing remains the easiest and most prevalent way to introduce malware and steal valuable information from people and businesses. A recent Verizon report found email used as the attack vector in 92.4% of the cases it compiled.
92.4%. And you can bet those phishing emails weren’t all riddled with misspellings and other obvious tells. So how is phishing still catching so many users?
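The hover-over check in the precautions above can be automated, and doing so shows exactly what a reader is being asked to notice: the visible text of a link and the host the href actually points at. The script below is an added example written for this article, not code from the original post; the sample message, its domains and the `198.51.100.7` address are constructed for the demo. It parses the HTML part of a raw message with the Python standard library, collects every anchor, and flags links whose shown host differs from the real host, links that smuggle a fake host into the userinfo part before an `@`, and links that land on a bare IP address.

```python
"""Flag links whose visible text points one place and whose href points another.

Added example, not from the original article. The sample message below is
constructed for this demo and all domains and addresses in it are illustrative.
"""
import ipaddress
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample lure (not a real message).
SAMPLE_EMAIL = """\
From: "Parcel Service" <notice@parcel.example>
To: victim@corp.example
Subject: Delivery attempt failed
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>We could not deliver your parcel. Reschedule here:</p>
<p><a href="http://parcel-service.example.net/track">https://www.parcel.example/track</a></p>
<p>Sign in: <a href="https://www.parcel.example@198.51.100.7/login">www.parcel.example</a></p>
<p>Help: <a href="https://help.parcel.example/faq">help.parcel.example</a></p>
</body></html>
"""

# Visible link text that a reader would take for a URL or a host name.
HOSTLIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_parts(raw_message):
    """Yield the decoded text/html bodies of a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            yield part.get_payload(decode=True).decode(charset, errors="replace")


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(raw_message):
    """Return one finding per anchor whose href does not match what it shows."""
    findings = []
    for html in html_parts(raw_message):
        collector = LinkCollector()
        collector.feed(html)
        for href, text in collector.links:
            parts = urlsplit(href)
            actual_host = (parts.hostname or "").lower()
            shown = HOSTLIKE.match(text)
            reasons = []
            # The visible text names a host; does the href actually go there?
            if shown and shown.group(1).lower() != actual_host:
                reasons.append("host_mismatch")
            # "fakehost@realhost": everything before the @ is userinfo and ignored.
            if parts.username is not None:
                reasons.append("userinfo_in_url")
            # Bare IP addresses are rare for legitimate branded links.
            if is_ip_literal(actual_host):
                reasons.append("ip_host")
            if reasons:
                findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL):
        print(f["text"], "->", f["href"], "|", ", ".join(f["reasons"]))
```

Run against the constructed message, the first two links are flagged and the third (whose text and href agree) is not. The host comparison is deliberately exact rather than “same organisation”, because deciding which subdomains belong together is where most of the judgement calls live; a triage rule can loosen it once it knows the brands it expects to see.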
Email Tactics: New Applications of Old Tricks
We can assume a certain percentage of users simply don’t pay enough attention. One could debate that percentage, but I’d venture it isn’t the majority. I feel your skepticism, overworked IT department, but hear me out.
Even if most users did blindly click through whatever landed in their inbox, the automated controls most enterprises run, such as email scanning and quarantine, cut that exposure down considerably.
So the question remains: how?
Let’s look at two tactics, one that works consistently and one that appears to be gaining traction: event-specific phishing and Business Email Compromise (BEC) attacks, an oldie and a goody if you will.
Event-specific attacks succeed because outside events lend them an air of legitimacy. Further, depending on the event, some users may be poorly informed about its details and so more susceptible than usual.
Take the EU’s General Data Protection Regulation (GDPR) for example. The shift to GDPR-compliant sites confused some people, and that confusion proved an ideal phishing opportunity. As notices about the new privacy rules went out, cybercriminals capitalized both before and after GDPR took effect, impersonating companies from Apple to Airbnb to harvest credit card and identity information.
Threat actors even exploit mundane, cyclical events, like the beginning of the year. For a more granular look at this tactic and others, check out this page of the latest scams affecting the University of Chicago. You’ll find very few strokes of genius, but you will most likely spot something innocuous and event-related.
What’s a BEC Attack?
The FBI has tracked Business Email Compromise as its own category since 2013, which gives some idea of how established the threat has become. In this gambit, emails arrive with no link bait and no malicious attachment to scan for. Instead, attackers build a relationship through impersonation and grooming, sometimes even interacting with targets in real time. A BEC attack requires enough information to convince the target that a coworker, their boss or even the CEO is sending the messages and requesting a transfer of money or information. These attacks are therefore highly targeted, but for the same reason they can be highly effective. Because there is no payload, filters keyed on links and attachments have nothing to catch; the tells are in the headers (a familiar display name on an unfamiliar address, a Reply-To that points elsewhere, a domain one character off from your own) and in the request itself.
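Those header-level tells can be checked mechanically, and the check below shows what a minimal BEC triage looks like. It is an added example written for this article, not code from the original post or from any product: the organisation domain `corp.example`, the executive roster, the pressure-language word list and the sample message are all constructed for the demo. For each message it reports which signals fire: an executive’s display name on an address that is not theirs, an external sender, a Reply-To that diverts replies to a different domain, a look-alike of the organisation’s own domain (measured by edit distance), and urgency or payment language in the body. No single signal is conclusive; the point is that a BEC lure typically trips several at once.

```python
"""Header and body heuristics for Business Email Compromise (BEC) lures.

Added example, not code from the original article. The org domain, the
executive roster, the word list and the sample message are constructed
for the demo.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data: our own mail domain and a roster mapping a
# normalised display name to the only address that name should ever use.
ORG_DOMAIN = "corp.example"
EXECUTIVES = {
    "jane doe": "jane.doe@corp.example",
    "ravi patel": "ravi.patel@corp.example",
}

# Pressure, payment and secrecy phrases typical of BEC lures (weak on their own).
PRESSURE_TERMS = ("wire transfer", "gift card", "confidential",
                  "before the deadline", "cannot take calls")

# Constructed sample: a "CEO" asking finance for a rushed, quiet transfer.
SAMPLE_EMAIL = """\
From: "Jane Doe" <jane.doe.ceo@gmail.example>
Reply-To: jane.doe@corp.exarnple
To: payments@corp.example
Subject: Quick favour
Content-Type: text/plain; charset=utf-8

Are you at your desk? I need a wire transfer processed before the deadline
today. Keep this confidential; I am in meetings and cannot take calls.
"""


def levenshtein(a, b):
    """Edit distance, used to spot look-alike domains (exarnple vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalise_name(name):
    # "JANE DOE", "Jane  Doe" and "Jane Doe," all compare equal.
    return " ".join(name.lower().replace(",", " ").split())


def score_bec(raw_message):
    """Return (signal_code, detail) pairs; several together warrant escalation."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    signals = []

    # 1. An executive's display name, but not that executive's address.
    expected = EXECUTIVES.get(normalise_name(from_name))
    if expected and from_addr.lower() != expected:
        signals.append(("exec_display_name",
                        f"'{from_name}' expected at {expected}, got {from_addr}"))

    # 2. Sender is outside our domain; only meaningful with other signals.
    if from_dom and from_dom != ORG_DOMAIN:
        signals.append(("external_sender", from_dom))

    # 3. Replies are diverted to a domain other than the one shown in From.
    if reply_dom and reply_dom != from_dom:
        signals.append(("reply_to_mismatch", f"From {from_dom}, Reply-To {reply_dom}"))

    # 4. A typosquat of our own domain on either address.
    for dom in sorted({from_dom, reply_dom} - {"", ORG_DOMAIN}):
        distance = levenshtein(dom, ORG_DOMAIN)
        if distance <= 2:
            signals.append(("lookalike_domain",
                            f"{dom} is {distance} edit(s) from {ORG_DOMAIN}"))

    # 5. Urgency, payment or secrecy language in the body.
    charset = msg.get_content_charset() or "utf-8"
    body = msg.get_payload(decode=True).decode(charset, "replace").lower()
    hits = [term for term in PRESSURE_TERMS if term in body]
    if hits:
        signals.append(("pressure_language", ", ".join(hits)))
    return signals


if __name__ == "__main__":
    for code, detail in score_bec(SAMPLE_EMAIL):
        print(f"{code:20} {detail}")
```

On the constructed message all five signals fire, while a genuine note from jane.doe@corp.example with no Reply-To and no pressure language produces none. In practice the roster and the “external” test need to account for legitimate outside addresses (personal accounts, board members, partners), which is exactly the grooming space BEC actors exploit; the authentication headers a mail gateway adds (SPF, DKIM, DMARC results) are the natural next signals to fold in.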
But attack vectors vary. Email is only one.
Beyond Email: Alternative Phishing Vectors
On the other side of the coin, because users are on alert for email phishing, they tend to drop their guard when they are not working in email.
As more businesses fold Microsoft Teams and other messaging apps into their processes, phishing has migrated right along with them. The same goes for phishing for SaaS credentials (Slack, Dropbox and Microsoft Office 365, to name a few) and for phishing over mobile devices and cloud storage, not to mention search engine phishing and web ad phishing.
And bear in mind that AI-assisted phishing is just around the corner. More on that later. For now, familiarizing yourself and your team with the latest phishing tactics, say in an intranet communication (probably not via email, so as not to desensitize them) or as part of your periodic releases, is a good security practice to put in place.
You and your communications team know your organization best and what gets the word out most effectively. Just don’t forget to leverage that valuable knowledge when it’s time to broadcast information on the latest phishing threats.
By Tenea D. Johnson
Founder, Progress By Design