There are many ways to protect yourself and your organization against phishing scammers, but one of the best ways is to just be aware of the more recent techniques. Since the cybercriminals are always evolving their malicious strategies, it’s good to stay one step ahead.
What is Phishing Anyway?
You likely know that phishing isn’t exactly the angler activity you do on a boat or a dock or a lake to catch some real fish. The unique spelling is the first indicator of that. And no, it’s not a type of dance or stage dive you might try to pull off at a Phish concert. It does, however, derive its name from the concept of actual fishing.
Phishing is a cybercrime in which someone posting as a legitimate institution uses email, telephone or text message to lure people into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. And it’s on the rise.
According to phishing.org, The first phishing lawsuit was filed in 2004 against a Californian teenager who created an imitation of the website “America Online”. With this fake site, he gained access to user’s credit card details to withdraw money from their accounts. The technique has morphed into many other versions and has grown with sophistication.
The Numbers say You’re Going to Need a Bigger Boat
With phishing, everyone is a target, and no one is immune. It’s ubiquitous.
According to a recent report by Vade, overall phishing increased dramatically in 2021, with a 284% spike in June over the previous year, for a total of 4.2 billion phishing emails. Yes, “billion”. Granted, a lot of those are spambots, but the threat is real.
75% of organizations around the world experienced a phishing attack in 2020, according to recent research from Proofpoint. And 74% of attacks targeting US businesses were successful. Though 95% of organizations claim to deliver phishing awareness training to their employees, phishing remains the threat type most likely to cause a data breach. In fact, according to Verizon’s 2021 Data Breach Investigations Report (DBIR), 22% of data breaches involve phishing.
The cost is staggering, as well. The FBI reports victims lost $57 million to phishing schemes in just one year. And many of these cases are hard to track down.
What is the most common vehicle? Email. Again, according to Verizon’s 2021 report, 96% of social engineering attacks are delivered by email, while just 3% arrive through a website, and 1% are associated with phone or SMS communications and malicious documents respectively.
There are many ways to protect yourself and your organization against phishing scammers (we’ll get to more of that later), but one of the best ways is to just be aware of the more recent techniques. Since the cybercriminals are always evolving their malicious strategies, it’s good to stay one step ahead.
The Latest Phishing Scams of 2021
So what are some of the phishing techniques you may not have heard of yet? Here’s a sampling of a few:
Since the start of the pandemic, cybercriminals have been testing the waters with all kinds of fraudulent representations in an effort to gain access to people’s personal information. Sadly, the majority of these targets are the elderly.
Some of these examples are:
- Emails requesting proof of vaccination for any type of activity or employment
- Requests that you to pay out of pocket to receive a shot
- Advertising fake COVID-19 antibody tests in hopes of harvesting personal information they can use in identity theft or health insurance scams
- Offers for protective or preventative products such as masks, test kits and household cleaners
- Fake offers to help distribute government relief checks and other stimulus efforts
These are just a few. To keep up with it all, you can visit the Federal Trade Commission (FTC) website’s coronavirus page with updated news and scam alerts.
Brand impersonation is on the rise. Given the advances in technology, it’s relatively easy for a scammer to completely mimic a brand you or your company uses and send correspondence asking for personal information that looks like it’s coming from a trusted source.
Brand impersonation can include everything from setting up a fake website to utilizing form sites inside Office 365 so that the correspondence looks like it’s coming from the infrastructure itself.
According to a report from Checkpoint, Microsoft is by far the most mimicked brand, accounting for a whopping 43% of all phishing attempts. A popular scam is hacker’s asking recipients to provide their Office 365 credentials to access their account. This provides a direct open door to people’s secure information.
The top 10 spoofed brands include:
Microsoft (related to 43% of all brand phishing attempts globally)
1 – DHL (18%)
2 – LinkedIn (6%)
3 – Amazon (5%)
4 – Rakuten (4%)
5 – IKEA (3%)
6 – Google (2%)
7 – Paypal (2%)
8 – Chase (2%)
9 – Yahoo (1%)
Brand impersonation campaigns like to capitalize on emotion. For instance, hackers pretending to be the IRS directing email recipients to click on a link to learn about the status of their tax return.
Spear Phishing is a variation of the fraudulent activity that includes personalizing email attacks in order to trick the recipient into believing there is a real connection with the sender. Spear senders can use the person’s name, position, company, work phone number, and other information as a way to try and portray they are legit.
LinkedIn is a very common platform for Spear Phishing, as well as other social media channels.
Some of the attacks include:
- Housing malicious documents on cloud services like Dropbox, Box, Google Drive, and others.
- Emailing employees en masse and gathering out-of-office notifications to learn the format of the email addresses used by internal employees.
- Using social media to investigate the organization’s structure and decide whom they’d like to single out for their targeted attacks.
Whaling is similar to Spear Phishing, but the attacks are even more focused: Namely, focused on executives within any given organization.
The criminal’s goal is to gain access to an email account of a CEO or other high-ranking executive to authorize fraudulent wire transfers to a financial institution of their choice. They can also leverage that same email account to request W-2 information for all employees so that they can file fake tax returns on their behalf or post that data on the dark web.
The techniques used are very similar to Spear Phishing. According to Naked Security, one prime example of an actual Whaling attack involved Evaldas Rimasauskas. He staged whaling attacks in 2013 and 2015 against two large US companies by sending out fake invoices while impersonating a legitimate Taiwanese company, stealing over $122 million.
How You can Avoid the Lures
Phishing is obviously not going away. So how do you keep up with it?
There are many ways in which you can safeguard yourself, your business and your family. At ISOutsource, we take pride in helping our 650+ clients stay clear of any fraudulent attacks. It’s what we live and breath. Some simple techniques can include:
- Use Multi-Factor Authentication (MFA) on all personal and business accounts, internal and external tools and sites
- Use separate email for home and business
- Use separate complex passwords for all accounts
- Use a password manager
- Conduct extensive security training for all your employees, including sending spoofed emails companywide to see how employees respond
- Ensure all of your sensitive and personal data is stored, secured and backed up properly
- Have a third-party IT partner with expertise in security to perform continuous remote monitoring and remediation of your systems
- Have the right productivity applications in place to detect and prevent phishing attempts
Additionally, you can create multi-layered defenses by implementing the technical controls. Some examples include:
- SPF (Sender Policy Framework record) – the SPS records help identify mail servers that are authorized to send email on your behalf. This helps identify, detect, and prevent spammers and potentially phishing appearing that it comes from your domain.
- ATP (Anti-phishing protection) – configure your email providers like Microsoft and Google with built-in anti-phishing settings.
- DNS Filtering / Web filtering – implement and enable DHS filtering to filter out phishing sites
We’re always here to help. If you need some insight into your own practices, don’t hesitate to reach out! Or sign up for our newsletter to receive related information right to your inbox. No phish involved.
ISOutsource is a modern technology consulting company and was recognized as a ‘Top 10 Security Solutions Provider’ by a leading magazine among many other accolades during the year 2021. We are well-positioned to serve and grow our client base in Washington, Oregon and Arizona helping them move from reactive to transformational in their use of technology.
Mark Pendolino is the Senior Director of Marketing at ISOutsource.
He has years of experience in the technology sector, particularly in professional services and SaaS products. Mark has worked at both large, medium, and small organizations, working to understand the challenges business clients feel every day. He holds a bachelor’s degree in Technical Communications and a master’s in Communication in Digital Media.