It sits there in your inbox daring you to click on it. It appears to be an important message from the folks at Microsoft’s Office 365 email security team. Either your mailbox storage is full, there is an important security notice you need to read, or your mailbox is about to be deleted and you need to act to prevent it from happening. It looks legitimate, but it is just a phishing attempt to try to get your login credentials or launch some malware.
Microsoft, maker of Office 365, reports detecting more than 5 billion threats on devices every month. That represents more than 100 million unique phishing emails targeting Office 365 users annually, and there is no reason to believe that will end anytime soon.
Email phishing is the top security threat to your organization. It is the entry point for most security breaches: cyber-criminals use it to launch malware and ransomware, commit wire fraud, and steal identities. According to the FBI, phishing-based email accounted for more than $12 billion in fraud in just the last five years.
“I took a screenshot through the camera of your device, synchronizing with what you are watching... I think that you do not want all your contacts to get these files, right? If you are of the same opinion, then I think that $811 is quite a fair price to destroy the dirt I created.”
We obviously know that phishing is a threat, but even we were surprised to read that over 50% of respondents to a Lloyds Bank survey said they had received phishing emails from scammers posing as their boss. This particular kind of phishing attack, known as “CEO Fraud”, pays off when scammers convince junior employees to pay a fake invoice, or to forward other valuable information to someone they believe is a top executive.
CEO fraud is sophisticated from both technological and social angles. Receiving an email from a trusted, high-ranking contact doesn’t raise concerns, as these kinds of messages “feel normal.” Attackers rely on this misplaced trust and a worker’s desire to please the boss. Criminals can use social media or even out-of-office messages to understand the business structure of an organization. They can then craft fake emails and attempt to reach several people within an organization, hoping at least one of them falls for it.
Scammers are sending phishing, spear phishing, and whaling emails in record numbers. A recent Internet Security Threat Report shows that 1 out of every 131 emails contained some form of malware. The hackers are nothing if not proficient: 76% of businesses report being victims of phishing attacks, and the business costs are staggering.
What is Phishing?
The most common types of cybercrime defy the stereotype of a hacker writing code and breaching firewalls with sophisticated methods. In reality, their methods are fairly simple: they "phish" for a way into your system or for access to your personal information.
The recent indictment by the U.S. Department of Justice spelled out exactly how targeted phishing attacks, also known as spear phishing, worked to expose confidential information from the Hillary Clinton Campaign in 2016. Here is an excerpt of page 7:
In fishing, you cast your bait into the water to see what you can hook and reel in. Phishing works the same way. It is a cyber-attack that uses email as a weapon to obtain personal information, financial information, or money, or to launch malware. Because attackers use social engineering techniques to gather information about their targets first, these attacks have become increasingly customized and dangerous.