While your employees may already be on the lookout for the most obvious phishing attempts, such as harmful links, malicious attachments, and giving away unauthorised passwords, phishing experts are constantly developing more and more advanced tactics to trick employees and gain their confidence. Here’s some information on what to look out for.
How Phishing Works Today
Today, phishing attacks are a bigger problem than many companies realize. To show the scope of the problem, it is estimated that phishing attacks have more than tripled since 2020 (36% in the second half of 2021), and 99% have been through the use of emails. This means that what they’re after has also expanded, and may include sensitive corporate information, particularly login credentials, and information on financial accounts.
As a consequence, the amount of money that hackers demand is on the rise. Today, the average amount that is demanded for sensitive materials is more than $10 million!
These huge scores have encouraged hackers to become more sophisticated and cleverer. Hackers conduct more research into their victims to gather important personal and corporate information before launching an attack. They also combine varying methods as part of their plan to ensure their ultimate success.
Like with many cyber security threats, it is important to understand that they do change and evolve. Today, the most established methods are called spear phishing, whaling, bait attacks, and some combine several of these together.
Types of Expert Phishing Attacks
Spear Phishing
The tactics:
By far, the most common type is spear phishing, which accounts for 65% of attacks in 2020. Here, hackers impersonate a legitimate sender, often by including specific details that reassure employees under false pretenses and guide recipients to websites that extract personal and company information. They act with specific goals in mind, targeting a specific group of individuals. The messaging generally comes from what appears to be a member of the company.
How to spot it:
Closely inspect emails. Look for typos and grammatical mistakes that feel rushed. Often, a quick answer from the recipient is demanded and the tone is casual.
What does a spear-phishing email look like?
The email address replicates the company's name so the recipient may recognize it. The subject line sounds overly enticing and is complemented with a time sensitive offer that limits questioning. The body of the email includes details about the offer, a robust new package, but may contain grammatical errors. It features what appears to be a fraudulent personalized signature.
Whaling
The tactics:
In this case, higher ups within a company are targeted by sending out fake emails to acquire sensitive information, authorize money transfers to fake companies, or entice them with attractive business deals. These attacks target individuals rather than groups. This is why specificity is key to its success. It’s common for companies to be overconfident when it comes to high ranking employees. However, studies show that 59% of companies have had an executive who was targeted.
How to spot it:
Hackers use the same tactics that spear phishing attacks rely on. The emails include the executives' contact information and are highly personalized for disarming purposes. When addressing executives, there is an authoritative tone that disarms and invokes a feeling of being on the same page.
What does a whale phishing email look like?
The target is a specific executive that hackers address directly by impersonating somebody that he or she trusts. The sender uses friendly terms to offset doubts and justify a demand for immediate, specific action. The email has an incomplete address and the formatting looks clunky.
Bait Attack
The tactics
A survey by Barracuda Network shows that 35% out of 10,500 organizations surveyed experienced one bait attack in September 2021. Hackers utilizing this tactic send out a barrage of malicious emails in order to get a response and collect the information that they need to carry out the real attack later. Many of these attempts seek to simply verify that the email address is valid.
How to spot it:
Emails are brief or have no content at all, don't include links or attachments, and are sent from a free email account. The subject line is often cryptic or nonexistent.
What does a bait phishing email look like?
Its message is overly simplistic, polite, and somewhat passive in tone. It provides no context with regard to its messaging, and the only purpose appears to be the confirmation of the recipient’s email address. There is also a sense of anonymity as it was sent from a Gmail account with a generic, forgettable name. There is no subject line or signature at the end.
A Combination Of Methods
These attacks usually start with spear phishing attacks directed at employees to gather the information hackers need for a bigger attack, which requires a more sophisticated technical on-site operation.
A very well known example happened to Sony Pictures when film scripts, confidential documents, corporate emails, and tens of thousands of employees´ personal information were stolen by a North Korean group that infiltrated employee social media accounts and impersonated employees in order to extract sensitive data from their computers.
This attack could have been prevented by enforcing technical security protocols for employees, strengthening cybersecurity protections and encrypting data, promoting communication between departments, investing in security measures, and having a management plan for security breach contingencies.
Phishing attacks people, not technology
Phishing attacks are directed at people, rather than the technology that they use. Employees are at the frontline of defense against phishing attacks.
Protecting your company against phishing attacks requires a carefully considered and sensible approach that employees across the board can understand. Maintaining open communication about what works and why is your biggest ally.
Knowing is half the battle, and with IT force by your side, you can count on having the odds in your favor. Set up a consultation with us today to discuss a training program that meets the challenges of today's phishing activities.