This post originally appeared on Arctic Wolf, October 8, 2021.
In March 2021, U.S. healthcare provider Elara Caring suffered a data breach thanks to a phishing email sent to two employees.
Soon after this initial blitz, additional phishing emails gave attackers further access into the organization's systems. The results were rather devastating: Personally identifiable information (PII) of more than 100,000 patients was compromised—including names, dates of birth, Social Security numbers, financial accounts, and driver's licenses.
Unfortunately, in terms of phishing attack victims, Elara Caring is just one of many. Among confirmed data breaches, phishing is, by far, the most commonly used tool in a cybercriminal's toolbox, according to Verizon's 2021 Data Breach Investigations Report (DBIR). Phishing was used in 36% of breaches, and threat actors often turn to it as the first step in infiltrating an organization.
However, it’s not a one-and-done by any means. It's also used in other attack stages to further compromise credentials and gain lateral entry or escalate privileges.
Phishing: The Criminal Element of Social Engineering
From its origins at the start of the new millennium to today, phishing has turned our email inboxes into a danger zone. Simply opening an email and clicking on a link can have dire consequences.
Phishing involves fraudulent communication with the intent of stealing sensitive data (such as login credentials or credit card information), deploying malware into a computer system, committing financial fraud, or practically any other nefarious endeavor you might imagine.
Due to the prevalence of phishing, every business, regardless of its size or industry, is at risk. And since this type of attack relies on human error and has a high degree of success, phishing will always remain a favorite tool of threat actors.
Phishing Is a Never-Ending Issue
Phishing tactics have evolved through the years. One of the first mass-emailed phishing campaigns disseminated the infamous ILOVEYOU virus in 2000. Looking back, it was quite basic by today's "standards." All the incoming email message said was, "kindly check the attached LOVELETTER coming from me." Of course, it wasn't a love letter. The attachment was a malicious executable script disguised as a text file.
Despite its simplicity, the campaign was terrifyingly effective. It infected millions of computers and inflicted an estimated $10 billion in total damages. That would be about $15.63 billion today. For comparison, the total adjusted losses reported to the FBI in 2020 due to business email compromise (BEC), one of the most prevalent types of phishing schemes, was only $1.8 billion.
Comparing the phishing schemes of yesteryear with those of today reveals some sharp contrasts. Today's phishing attacks are much more sophisticated and can fool even smart users who are on the lookout. Tactics now used by cybercriminals include:
- Spoofing email addresses from known sources
- Sending well-crafted messages that appear completely legitimate
- Impersonating well-known brands that people trust
- Creating authentic-looking websites that don’t raise any flags
The common thread between today's evolved phishing tactics and the more rudimentary early attempts is that they continue to rely on the fact that people make mistakes—especially when compelled by hard-wired emotions, such as curiosity and fear.
Taking advantage of such emotions is what cybercriminals do. Getting people to be more skeptical of unexpected emails that stir up these emotions, and so blunt the appeal of phishing messages, isn't easy. Despite the abundance of information about phishing and a growing awareness among organizations and users of the tactic, employees still fall victim to such attacks on a regular basis.
About 25% of workers say they've clicked on a phishing email link at some point in their career, according to researchers at Tessian. And in some industries, such as technology and financial services, almost half of employees have done so—proof positive that phishing campaigns don't just trick the gullible or ill-informed. The truth is, we’re all potential victims.
How Phishing Awareness Can Still Fail
Many organizations are turning to security awareness and education programs, which typically include some type of phishing simulation, to boost their organization's cyber hygiene and keep them better protected. What often happens, though, is that these phishing simulation tools place too much emphasis on tricking employees.
Many in charge of such programs believe that their businesses have some tech-savvy people on board, so they want to be sure the phishing simulations they use aren't too easy to spot. From there, they often fall into the temptation to focus merely on tricking their employees. Unfortunately, that's the wrong way to approach the problem.
The goal of awareness is to train and educate employees—not to find clever ways to trick them. If you're trying to teach someone how to work safely in a dangerous environment, you're not going to expose them to a hazardous scenario just to watch them fail, right? Phishing is no different.
Periodic "tests" by themselves will not improve people's performance. They should just be part of an overall education program and used for assessing how well employees apply the things they learn from the education side of your program.
Education in this regard means making employees aware of the threats, training them how to spot a potentially sticky situation, and preparing them to sound the alarm. You want them to be proactive and openly communicate when something seems suspicious or when they've made a mistake—you don't want them to be fearful and hiding things that could fester into much bigger problems.
Instead of an unbalanced effort that just relies on phishing tests, there needs to be an educational strategy in place to properly educate employees about phishing—starting with the basics centered around the different types of phishing practices.
Let's dig into the different types of phishing scams, why they work, and how you can prevent employees from falling for these tricks.
Types of Phishing and Their Particular Schemes
Cybercriminals continue to come up with creative methods to use phishing to infiltrate an organization. While the majority of their efforts still focus on using email as their vehicle for attacks, they have branched out into other areas of your business that you need to be watchful for.
Seven Different Types of Phishing Tactics
1. Email Phishing
Email phishing is a general term that describes any cyber attack that uses email as a method of contacting potential victims. These attacks are typically mass-emailed campaigns that cast a wide net, as phishing "lures" are sent to a vast number of recipients. These emails include a malicious link or attachment and try to get the person receiving the message to click on the link or open the attachment by expressing a sense of urgency, inciting fear or curiosity, or using some other enticing message.
Attackers will craft their messages in a way to try to make you comfortable so you’ll let down your guard. That’s why they often impersonate prominent brands with which you’re likely familiar, with Microsoft as the most frequently impersonated brand in 2020.
One massive campaign targeted millions of Office 365 users at businesses across 62 countries. It involved attackers posing as employers and other trusted senders. Links included in the emails directed recipients to web applications that looked authentic, but harvested login credentials.
2. Spear Phishing
Spear phishing typically involves a greater degree of social engineering. Such attacks target specific people with personalized emails that include valid information about the recipients to convince them of the sender's legitimacy. Cybercriminals may root around on social media for information or just use an educated guess.
Although these attacks take more planning, they're also more successful, making them worth the attacker's effort.
Two spear phishing attacks on high-profile companies in 2020 demonstrated that attackers use this method to achieve a wide range of objectives.
One attack targeted employees at the widely used website hosting provider GoDaddy. The attackers were able to alter the DNS records of some customers, including the high-traffic website escrow.com, and pointed the web address to a third-party server instead. In the case of escrow.com, the home page displayed a vulgar message for several hours.
In the other attack, bad actors sent spear phishing emails to Twitter employees, then took control of the accounts of numerous high-profile individuals, ranging from Elon Musk and Jeff Bezos to Barack Obama. The hackers sent tweets from about 45 accounts, promoting a bitcoin scam.
While spear phishing is used primarily as a tactic against celebrities or corporate employees, one fact is perfectly clear: You don't have to be a famous person or employed by a large company to be at risk.
3. Baiting
Baiting is a phishing technique that uses an enticing offer or reward, such as a free movie download or giveaway prize. It can also involve physical media, like a USB drive, and come via physical mail. The drive may contain a file titled something like "HR highly confidential," counting on employees being curious enough that they can't resist taking a peek at its contents. Once they click on the file, however, they deploy malware and compromise their system.
A few years ago, for instance, Chinese hackers reportedly sent letters with malware-laden CDs to government agencies. Instead of offering an irresistible freebie, the bad actors simply counted on the recipients' curiosity as enough of an impetus to load the CD.
4. Whaling
Whaling targets big wins scored through hooking executives and other high-value individuals. Attackers up the ante on their social engineering efforts, often researching as much information as they can on the target and using that intelligence to gain trust. This may take place over a period of months and involve repeated two-way communication.
But sometimes the bad guys may simply stake their bets on the target making an absent-minded mistake, as appeared to be the case with the co-founder of an Australian hedge fund who clicked on a fake Zoom meeting invitation. The malicious link was the beginning of an attack that eventually resulted in $8.7 million worth of payments for fictitious invoices. The company later went out of business due to the fallout.
5. Vishing
Phishing that abandons email as its delivery method and instead runs the scam over a phone call is called vishing. During vishing calls, cybercriminals often impersonate people of authority—like an IRS agent, a bank representative, or even a tech support person—to scare the target into taking action. The interaction moves fast. The caller tries to confuse and fluster the potential victim, making it a lot easier to get the would-be victim to comply with the request.
Last year, customers of Ritz London were targeted in a vishing campaign that sought to steal their credit card information. The scammers first breached the hotel's reservation system, then used the booking information for social engineering. Posing as hotel employees, they called guests who had upcoming reservations, spoofing the phone number so it appeared to be the hotel's number. Then they requested a new form of payment due to a "declined" card.
6. Smishing
Smishing uses text messages (SMS) to send its malicious link. Anyone who owns a smartphone has likely received a text saying they won a prize, or a message with a similar lure. Attackers may also impersonate a legitimate company to entice the recipient to divulge sensitive information or download a malicious file.
One smishing scam that researchers discovered involved a fake Apple chatbot. The lure in this case was a free iPhone 12. All the potential victim had to do was accept the invite, prove their identity, and then pay a small delivery fee—giving the scammer the person's name, address, and credit card information.
7. Angler Phishing
Angler phishing moves the scam to social media. In one variation, the scammer sends a shocking message and link to a person's contacts. When someone clicks on a link, it installs a browser extension that the scammer then uses to do things like change the privacy settings, steal data, and spread the infection through the victim's social media contacts.
In another variation of this tactic, the scammer may hijack a direct message conversation between a brand and a customer and redirect the customer to a fake, malicious page, where the customer is tricked into compromising their information.
Why Phishing Works So Well
Even if you're aware of real-life risks, like road safety, accidents can still take you by surprise. It's the same with your email inbox or phone: You know the bad guys are going to try to trick you, but—even so—they still might really surprise you when you least expect it.
And that's what cybercriminals count on. They know that if they get lucky, you will click on a malicious link or download a malware-laden file at a time when you're focused on something else, in a hurry, or just simply not paying attention. Threat actors know most targets won't take the time to analyze whether an email is legitimate—but instead will quickly reply or take action without stopping to give it a second thought.
To improve their already reasonable odds of getting recipients to do the wrong thing, the bad guys use strategies that ratchet up the tension or lend credibility to the situation:
1. They make you panic and turn off your ‘calm’ or ‘logical mode’
Let's say they send you an email that looks like it's from your CEO, urgently requesting that you buy some gift cards for customers. This immediately puts pressure on you—after all, it's the highest-ranking official at your company and you'd better not disappoint the big boss.
The scammers use this tactic to get a knee-jerk reaction out of you. They know you're very likely to rush a response before properly evaluating the absurdity that your CEO would be in an emergency situation needing iTunes or Google Play cards.
2. They have more than enough information to sound legitimate
Most people share enough information on social media to make it possible for a stranger to get a pretty good picture of their lives. Social media is a social engineer's treasure trove.
Scammers can figure out where you've worked and for how long, who your manager is, and what your email address and phone number are. And they don't stop there. They can easily find sensitive and personal information floating around on the dark web and use it to craft a believable trap. They'll construct a backstory or reason for why they need you to take some immediate action or share some information with them. And, without much scrutiny, it may sound highly plausible, convincing you to give them what they want.
3. They know that most employees haven’t been properly trained to suspect them
Bad actors know that nearly all companies either don’t provide any security awareness training or are simply not providing it frequently enough for their workforce to retain what they learn.
According to the Ebbinghaus Forgetting Curve, people will forget 80% of what they've learned in less than a month. In that light, it is a big and disappointing surprise that only 6% of companies provide security awareness training monthly. It means 94% of companies have employees who are sitting ducks, having flat out forgotten everything they've been taught.
With effective training so infrequent, it's no wonder phishing still works. It has become abundantly clear: businesses must do a better job of preparing and training their employees.
Why You Need Better Employee Training and Education
Cybercriminals have an abundance of nefarious motives behind their actions. They employ phishing attacks in order to:
- Sell your data: Attackers monetize stolen data by selling it on the dark web to other bad actors, who perpetrate new scams.
- Try your data on alternate sites: Surveys show that 65% of people reuse their logins. Knowing that many people recycle their passwords, scammers will try the credentials harvested in one attack to gain access to other online accounts.
- Leapfrog through all your contacts, and impersonate you: By accessing your email, they launch attacks on the people in your contact list, infecting their systems or attempting to scam them.
- Lie in wait to deploy ransomware or wreak havoc: Phishing is often just one step in a multiphase attack. Cyber attackers often wait patiently for the opportune moment to achieve their actual goal.
- Use your information as their front door to launch an inside attack: Since they get in with compromised credentials, they're more likely to fly under the radar because security solutions like firewalls don’t typically flag logins that are using legitimate usernames and passwords. This gives the attackers the opportunity to further penetrate systems undetected—and any systems to which you connect.
What Can You Do?
Things would be so much simpler if you could just disconnect from the internet, not hire employees, or not allow anyone into your office. But that's not the reality in which we live and work. So, any business that relies on the internet and has employees will always be at risk.
With systems now highly interconnected and processes increasingly going digital, you need to take the time to evaluate the effectiveness of your approach to security awareness.
Are you preparing your employees to recognize and react appropriately and quickly when they face an attack? Are you educating your people based on current threat vectors, or are you still talking about the Target breach from 2013?
Threats change constantly so your training needs to keep up with those changes.
And you need to continuously evaluate what is effective for your employees.
If your employees (like at 55% of companies) do not have security awareness training of any kind or you're just providing it at onboarding, annually or even quarterly (like at another 39% of companies), you're leaving your company extremely vulnerable to an attack.
The only answer to an ongoing problem is an ongoing solution.
For over 25 years, InfoSystems has provided reliable IT solutions to build and maintain strong and secure systems for both SMB and enterprise organizations. Headquartered in Chattanooga, TN, our trusted team of experts specializes in traditional infrastructure, IT optimization and cybersecurity services, as well as next-gen solutions such as hybrid cloud and automation, from partners such as IBM, Red Hat, Dell Technologies, Nutanix, Arctic Wolf and VMware.
About Arctic Wolf
We envision a future without cyber risk. Every organization should be so effective at security operations that both the likelihood and the impact of a cyber attack are minimized to the point where risk is essentially zero.