9 out of 10 successful cyber-attacks start with some kind of email phishing attack. It’s big business for criminals and it’s expected to be an even bigger threat to the enterprise in 2019. Cyber criminals are increasingly sophisticated in their attack methods and traditional software solutions are not adequate protection. A recently released report from the FBI notes an increase of 136% in less than 18 months, with attacks in all 50 US states and 150 countries around the world.
It is said that the only things in life that are guaranteed are death and taxes, and with the end of the year hurtling towards us, tax season is underway. I can barely remember when my birthday is, but April 15th is a date that never slips any of our minds. The phishing attack we’re sharing today is a clever attempt at domain spoofing, and plays off the victim’s anxieties by amping up the fear that their TurboTax account has been compromised.
I’ve been around technology in the professional sense for about 20 years. As a wee nipper I wrote my first program on my tape drive Amstrad CPC464 in 1987. I made a stick figure run across the screen; he would only ever get halfway, though, a bit like me on a jog, but I digress.
Email is nearly ubiquitous in the workplace. It is one of the most durable and effective forms of communication. It is also exceptionally vulnerable to attacks. While it may be easy to spot the fake emails from the British lawyer or Nigerian prince wanting to give you millions, today’s hackers are sophisticated and targeted.
We obviously know that phishing is a threat, but even we were surprised to read that over 50% of respondents to a Lloyds Bank survey said they received phishing emails from scammers posing as their boss. This particular kind of phishing attack, known as “CEO Fraud”, can pay off when scammers convince junior employees to pay a fake invoice, or forward other valuable information to someone they believe is a top executive.
CEO fraud is sophisticated from both technological and social angles. Receiving an email from a trusted, high-ranking contact doesn’t raise concerns, as these kinds of messages “feel normal.” Attackers rely on this misplaced trust and a worker’s desire to please the boss. Criminals can use social media or even out-of-office messages to understand the business structure of an organization. They can then craft fake emails and attempt to reach several people within an organization, hoping at least one of them falls for it.
Scammers are sending phishing, spear phishing, and whaling emails in record numbers. A recent Internet Threat Security Report shows that 1 out of every 131 emails contained some form of malware. The hackers are nothing if not proficient. 76% of businesses report being a victim of phishing attacks and the business costs are staggering.
The recent indictment by the U.S. Department of Justice spelled out exactly how targeted phishing attacks, also known as spear phishing, worked to expose confidential information from the Hillary Clinton Campaign in 2016. Here is an excerpt of page 7:
In phishing attacks, scammers send out emails to attempt to trick users into taking a specific action. The action might be clicking on a link that launches a malware attack, requesting a wire transfer to a vendor, or revealing personal or financial information.