By Mike Petsalis
Email gets a bad rap. It is treated as a cumbersome messaging system designed for the network that predated the internet, and it has been rumored to be "dead" or dying for years. Yet it is still used extensively wherever communication is necessary for normal business operations. Its openness is what makes it useful, but also what makes it insecure: anyone can send a message to anyone, claiming to be anyone.
Fortunately, email security, and the measures organizations can take to stop email threats, have advanced enough that email can stay open and still be indispensable. One method of attack, however, still makes some emails frightening to entrepreneurs, managers, and employees everywhere: targeted phishing. Targeted attacks rely on manipulation and deception, and they lead to compromised accounts and the theft of money and data.
Phishing has rapidly become a lucrative business for fraudsters, and that has made awareness and protection more important than ever.
Targeted phishing: today’s top email threat
Targeted phishing is not just about password reset messages and fake support emails. It often involves complex social engineering ploys to get information or money out of someone. It’s a modern con that knows no borders, has a low barrier to entry, and offers an open door to millions of potential marks populating the ranks of businesses worldwide.
In 2017, according to the FBI's Internet Crime Report, business email compromise (BEC), a form of targeted phishing intended to defraud businesses, cost the average target over $43,000. In May 2018, the FBI updated its numbers, stating that reports indicated the threat had cost businesses more than $12 billion over the previous five years. What's more, because these frauds are embarrassing when they occur, and because law enforcement can offer very little recourse, these figures most likely understate the problem, which makes the threat even more concerning.
With Equifax and other headline-dominating large-scale breaches still fresh, individuals and businesses should also be concerned that more targets are created every time a major data breach occurs. Beyond the obvious risks posed by compromised Social Security and credit card numbers, the stolen data can be used to glean even more information about a person and to give attackers easy access to potential targets, along with details that lend their messages credibility. These knock-on effects of data breaches make rapid response and staff awareness even more important.
Direct impact of targeted phishing
Beyond the general risks to businesses and consumers alike, there are two primary means by which targeted phishing does its damage: installing malware on a victim's computer, and social engineering a fraud.
On the malware front, ransomware makes a lot of headlines, but its direct expenses often pale in comparison to its secondary consequences; the average ransomware complaint to the FBI was for about $600. Yet when the National Health Service (NHS) in England was hit by the WannaCry ransomware, the overall cost in lost productivity and efficiency far outweighed the direct cost of any ransoms paid.
The FBI recommends NOT paying the ransom when ransomware strikes, since there is no guarantee that your data has not already been destroyed, or that it will be unlocked once you pay. Other malware, such as keyloggers, runs without the user's knowledge and harvests passwords and account information in the background. Trojans can quietly exfiltrate data for months or years while remaining undetected, as happened in the notorious U.S. Office of Personnel Management data breach.
Socially engineered targeted phishing is frightening because of the very high cost to victims. BEC attacks have fleeced the likes of Google and Facebook for millions, and have also worked on people buying real estate, small record label owners, and many more.
How a successful targeted phishing attack works
The mantra says "the best defense is a good offense," but against targeted phishing the best defense is understanding what your attackers are trying to do. Here are the basic components of a successful phishing attack, and how people get phished:
Email—91% of targeted attacks start with a phishing email, primarily because of email's openness and how easily it can be used to mislead users. Techniques vary: fake password reset instructions, a link whose visible text hides its real destination, a spoofed or lookalike domain in the From header, social-engineering text, and more.
In the past, poor grammar and design acted as a red flag, but now that these frauds have become so lucrative, a poorly laid out email can no longer be relied upon as an indicator of risk. By scraping readily available public records and already-compromised information about you (thanks, Equifax, Yahoo!, Home Depot, Target, etc.), attackers can pack a message with accurate detail: they can pose as someone you know, mention a recent experience, and copy formatting or presentation styles you already recognize (such as a real password reset email).
It may seem laborious, but by targeting you or the business you work for, they stand to make a lot of money.
Attachments—Malicious attachments are increasingly the tool attackers use to deliver macro-laden documents, carry out invoice fraud, and worse. Attackers also use .zip and .rar archives, which can hide an executable from simple attachment filters, as well as bare .exe files.
Clicks or URLs—If you click, the attacker has either convinced you or made you curious. You will likely land on a malicious website set up to exploit your browser, drop ransomware, or harvest your credentials.
Downloads—If the attacker can get you to download anything, whether from an attachment, a clicked link, or an external website, it is likely too late, and you had better hope there are system backups.
The downstream impact of phishing
The roughly $43,000 average loss in a BEC attack is a fraction of the real cost of a breach. The downstream impact of a phishing attack is much more than any ransom, fake invoice, or single transaction. There are indirect yet tangible costs, such as falling stock prices, regulatory penalties, legal fees, IT consultants, losses due to downtime, and more.
There are also intangibles, like the cost of replacing your CIO, the loss of brand equity and consumer confidence, bad press, and of course lost sleep. You might even find yourself the target of state-sponsored attacks.
This threat isn’t going anywhere
Socially engineered email threats endanger businesses more than anything we have seen yet; these are not $300 ransomware attacks or viruses. They are sophisticated operations, run by criminal organizations with professional designers, advanced analytics skills, and the ability to follow up an impostor email with a phone call, defeating the very instinct to verify by phone whether a major transfer of money or information should be authorized. These attacks happen every day without companies knowing, and they affect everything from elections to quarterly earnings.
Advanced threat protection solutions for email exist to cut these risks for your organization, as do security awareness and training tools that send your users simulated phishing messages and evaluate their responses. However, basic education can make your organization safer still. If you encounter a suspicious email, consider the following:
- Is the email suspiciously hurried, or lacking in context? If your CEO or CFO is supposedly emailing you from the tarmac of an airport, asking you to urgently transfer $10,000 to a party outside the organization, no questions asked, then yes, that is probably a targeted attack.
- Do you recognize the "from" name, but not the domain? This is a common tactic because anyone can put any display name in the From header; the name is never verified. You should recognize both the person's display name and their actual email address before you act on a major, budget-changing request.
- Are you being asked to reset a password, but all the logos look fuzzy and confusing? Password reset lures are often aimed at individual or high-value users and pretend to come from services like Office 365. They will carry all the usual logos and phrases found in auto-generated support emails, but they are usually not as sleek as the real thing, and the sender address itself will look odd or phony, on a domain that does not belong to the service.
- Were you having a normal email conversation when, all of a sudden, the topic switched to a major fund transfer? This is a sign that the person you are talking to may have a compromised email account, and that their attacker is trying to convince you to send money or something else on the strength of trust built up in an existing conversation.
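The second and third tips above, and the spoofed or lookalike From domain mentioned earlier, can be checked mechanically before a message ever reaches a busy employee. The script below is an added example, not code from Vircom or the author, and everything in it is an assumption for illustration: the organization domain, the table of known executives and their real addresses, the urgency keywords, the risky attachment types, and the three sample messages, which are constructed here rather than taken from a real incident. It parses raw messages with Python's standard `email` library and reports the same red flags a human reviewer would look for: a familiar display name on an unfamiliar address, a lookalike sender domain, a Reply-To that silently redirects the conversation, hurried money language, and attachments that can execute code.

```python
"""Header and content triage for a raw email, mirroring the tips above.
Added example, not Vircom's or the author's code; the organization domain, the
known-people table, keyword list and sample messages are constructed assumptions."""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}  # assumed: the domains we legitimately send from
KNOWN_PEOPLE = {"alice ceo": "alice@example.com", "bob cfo": "bob@example.com"}  # assumed
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".zip", ".rar", ".docm", ".xlsm", ".iso")
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|wire|transfer|before (?:end|close) of (?:day|business))\b", re.I)

def normalize_domain(domain: str) -> str:
    """Fold common lookalike substitutions so 'examp1e.com' reads as 'example.com'."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(bad, good)
    return d

def lookalike_of_org(domain: str) -> bool:
    """True when a domain is not ours but imitates one of ours after folding."""
    if domain in ORG_DOMAINS:
        return False
    norm = normalize_domain(domain)
    for ours in (normalize_domain(d) for d in ORG_DOMAINS):
        if norm == ours or norm.endswith("." + ours) or norm.startswith(ours + "."):
            return True
    return False

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw: bytes) -> list[str]:
    """Return the warnings a reviewer should see for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    warnings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(from_addr)
    # Familiar display name on an unfamiliar address: the name in From is never verified.
    expected = KNOWN_PEOPLE.get(from_name.strip().lower())
    if expected and expected != from_addr.lower():
        warnings.append(f"display name '{from_name}' is known but address is {from_addr}")
    # Lookalike sender domain (digit-for-letter swaps, our domain nested inside theirs).
    if lookalike_of_org(from_domain):
        warnings.append(f"sender domain {from_domain} imitates one of ours")
    # Replies silently redirected to an address outside the claimed sender's domain.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        warnings.append(f"Reply-To {reply_addr} differs from From domain {from_domain}")
    # Hurried, out-of-context money language in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if URGENCY.search(text):
        warnings.append("urgency or funds-transfer language present")
    # Attachment types that execute code, or archives that can hide something that does.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            warnings.append(f"risky attachment {name}")
    return warnings

# Constructed sample: a CEO-fraud lure (lookalike domain, redirected replies, urgency).
BEC_LURE = b"""\
From: Alice CEO <alice.ceo@examp1e.com>
Reply-To: Alice CEO <aliceceo.private@webmail.example.net>
To: bob@example.com
Subject: Urgent wire transfer before close of business
Content-Type: text/plain; charset="utf-8"

Bob, I'm boarding a flight and can't talk. Please wire $10,000 today to the
account below and send me the confirmation. Keep this between us for now.
"""

# Constructed sample: an ordinary internal message that should raise nothing.
LEGIT = b"""\
From: Alice CEO <alice@example.com>
Subject: Board deck draft

Bob, here are my notes from yesterday. No rush, look at them next week.
"""

def invoice_with_executable() -> bytes:
    """Constructed sample: a bland invoice email carrying an .exe attachment."""
    m = EmailMessage()
    m["From"] = "Accounts <billing@vendor-invoices.example.net>"
    m["To"] = "carol@example.com"
    m["Subject"] = "Invoice 4471"
    m.set_content("Please see attached invoice.")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="invoice.exe")
    return m.as_bytes()

if __name__ == "__main__":
    for label, raw in (("BEC lure", BEC_LURE), ("legit", LEGIT), ("invoice", invoice_with_executable())):
        print(label, triage(raw) or ["no warnings"])
```

Run as a script, the lure produces four warnings, the ordinary message none, and the invoice exactly one for its executable. The folding in normalize_domain is deliberately one-way and crude: it will merge a handful of legitimate domains with each other, which is acceptable for a check that only raises a flag for a human, but it would need a confusables table and an allow list before being used to block mail.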
Given the rate of targeted attacks and the impact they can have on businesses and employees, it is time for a change in how we talk about cybersecurity. For a modern business with a forward-thinking IT department and concerned management, a security plan that does not build a cyber- and email-security-aware workforce is not a secure plan. Today's and tomorrow's attacks count on uninformed users; don't let those uninformed users be the ones on your team.
About the Author
Post by: Mike Petsalis
Mike Petsalis is the CEO of Vircom. With a background in speech recognition and machine learning, he has extensive experience in both operations and product development within the cybersecurity industry.
The post Targeting Phishing Attacks: Security Best Practices to Protect Your Business appeared first on AllBusiness.com