According to Microsoft’s Security Intelligence Report – Volume 24, malicious phishing attacks are on the rise, and not by a small margin – by a massive 250%! Worse, techniques used by scammers are becoming more proficient and harder to detect.
In addition to understanding the types of phishing attacks, it’s also critical to understand how cyber criminals plan and execute their attacks.
While the content of phishing and spear-phishing emails can vary, cyber criminals often employ similar strategies and tactics. Using these methods, phishers have proven repeatedly that they can affect users regardless of their position in companies, presumed level of technical expertise or employment field.
What’s more, targets are not always key employees in a business – anybody can be a victim. To avoid becoming prey to a phishing scam, it’s important to understand how cyber criminals think when creating and sending phishing emails. When carrying out a phishing attack, hackers will generally follow four basic steps:
- Target identification – When identifying targets, phishers may create master email lists. These lists will either consist of random email addresses for larger phishing schemes or more focused targets for spear-phishing attacks. If the phisher is after a particular business, they might concentrate on executives or high-level employees who may respond to pressure from someone impersonating their boss. In most cases, the targets of more tailored spear-phishing attacks are those that have valuable information or the authority to transfer funds.
- Intelligence gathering – With a target in mind, in the case of spear-phishing attacks, the phisher’s next job is to search social media, company websites and the dark web for enough information to build a believable email. These emails may include personal details, professional affiliations, or the names of acquaintances and family members. Phishers have also been known to collaborate with other cyber criminals, trading victim emails and vital information to enhance the effectiveness of an attack.
- Message crafting – Using all the information gathered, the phisher will craft the most convincing email possible. Scammers may insert logos of popular websites (e.g. PayPal or Amazon) and official-sounding verbiage in their own malicious email template. Typically, phishers will ask for your username and password in the body copy of the email. The email will be worded with a sense of urgency so the end user feels like they will lose the account or money if they don’t comply immediately. The goal of hyper-targeted spear-phishing emails is the same as any other phishing attempt – get the user to take an action that will benefit the scammer.
- Email deployment – While spam filters and other solutions can prevent phishing emails from affecting employers and individuals, no tool is 100% effective. In fact, all a phisher needs to do to ensure an email is delivered is to trick email filters into thinking a message was sent from a legitimate source. One way they do this is through display name spoofing, a method where an email’s ‘From:’ field is made to look like a safe source. Frequently, attackers will register a free email account and, in the case of the spear-phishing attacks, will use specific names or companies the victim will recognize.
The effectiveness of a phishing attack is limited only by the sender’s imagination. Again, the content of these attacks may differ depending on the scope of the scam, but most use a combination of the following strategies.
A common tactic for spear phishers is to impersonate someone the victim knows, like a co-worker, friend or family member. Attackers may pretend to be a high-level executive asking an employee for sensitive information and credentials. Attackers may also impersonate loved ones and ask an individual to wire money following an alleged emergency.
When it comes to spear-phishing emails, you can’t assume that personalized messages indicate a legitimate email. In fact, in finely crafted spear-phishing scams, the attacker will have done their research and may include specific names, dates and details the user is familiar with and likely to respond to.
Impersonation is part of a larger strategy cyber criminals use called social engineering. Social engineering is the art of accessing information, physical places, systems, data, property or money by using psychological methods, rather than technical methods or brute force. These attacks can occur in a number of different forms, including a well-crafted spear-phishing campaign, a plausible-sounding phone call from a criminal posing as a vendor or even an on-site visit from a “fire inspector” who demands access to a company’s server room.
Phishers aren’t afraid to use psychology to their advantage. These criminals know that impersonating an individual or organization and urging immediate action can be incredibly persuasive. Often, these types of attacks threaten loss, punishment or added risk.
People are more likely to respond to phishing attempts if emails appear to be pressing or if the victim believes they are in some sort of trouble. Common examples of this type of fakery include, but are not limited to, messages from angry bosses, late credit notices, cancelled memberships, compromised accounts, missed package deliveries and missing rent checks.
Emails like these may also appear as unsolicited requests to confirm account information or unexpected password reset requests, sometimes using your name in the body copy for added validity. The verbiage of these messages is often stern and will attempt to persuade victims to open attachments or reveal sensitive information.
When you get emails like these, it’s a good idea to follow up with the sender using a method other than email. For emails from companies, you should call the customer service number listed on an organization’s official website. During your conversation, ask if you were meant to receive the initial email.
Unexpected Refunds, Payments and Contests
The allure of free money and gifts is difficult to resist, and phishers know this. It's not uncommon for phishing emails to bait victims with the promise of refunds, bank account adjustments or tax refunds. In broader phishing attacks, spammers may even claim you have won or are eligible for a contest or prize. Unsolicited emails of this kind are usually a dead giveaway for phishing schemes.
A good rule of thumb to keep in mind to avoid becoming the victim of these kinds of scams is to think before you respond. Chances are if you receive a message relating to a contest you didn’t sign up for or money transfers that seem out of place, the messages are fake.
Vishing is a form of phishing that uses phone systems and similar technologies. Users may receive an email, phone message or text (usually called smishing) that encourages them to call a phone number to correct some discrepancy.
Typically, attackers use a technique called caller ID spoofing to make the calls appear like they're coming from a legitimate phone number. If a victim calls a number in a vishing scam, an automated recording prompts them to provide detailed information, including credit card numbers, birth dates and addresses.
A pair of Romanian hackers were recently charged with scamming victims out of $18 million in an elaborate vishing and smishing scam. To carry out the scam, the hackers installed interactive voice response (IVR) software on remote computers. These computers then initiated thousands of automated telephone calls and text messages.
The calls and messages appeared to come from a reputable financial institution, instructing victims to call a telephone number due to an account problem. When the victim called the number, they were prompted by the IVR software to enter their bank account numbers, PINs and other personal information.
To avoid falling for a vishing scam, never click links in a text message or respond to automated phone calls. Unless you were the one who initiated the call with a trusted source (e.g., calling a known customer service number or reaching out to a bank using the number listed on their website), you should never share personal information over the phone. If you ever feel uncomfortable with the questions someone is asking you over the phone, tell them. If it’s a genuine company, they should be able to provide different methods for contacting them, including setting up an in-person meeting at a legitimate place of business.
High-profile attack example: The $200 million Facebook and Google attack – a hacker used a phishing email to trick Facebook and Google employees into wiring money to overseas bank accounts. Through this method, the hacker was able to net about $100 million from both companies.
It should be noted that this is not a complete list of phishing tactics. In fact, the methods of cyber criminals continue to evolve, opening the door for larger and more effective attacks. Phishing isn’t going away anytime soon and, because it is so difficult to counteract, it’s critical that you know a number of methods for spotting and preventing common scams.
Spotting an Attack
When it comes to identifying phishing scams, it’s better to be overly cautious. While recognizing fraudulent emails and websites can be difficult, depending on the type of attack and the creativity of the phisher, the following are some questions to ask yourself whenever you receive a suspicious email:
- What time was the message sent? You can tell a lot about the authenticity of an email based on when it was sent. For instance, an email sent at 3 a.m. would raise more flags than one sent during normal business hours.
- Do I know the sender? It’s a good idea to look closely at who sent a particular email. Ensure that the “From:” field matches the sender’s name. If an individual claims to know you and you don’t recognize them, chances are the email is spam.
- Do the URLs match up? Advanced phishers create fake domains to mimic larger, more established companies. For instance, a cyber criminal may send you an email hoping to redirect you to a phishing website. This website will have a convincing URL that’s only slightly different from the original website, like www.bestbuy1.com or www.1target.com.
- Does the content match the subject? Read the email carefully. If the subject line is vague or doesn't seem to relate to the body copy of the email, it could be a fake. Subject lines may appear aggressive or urgent. Many times, these subject lines are written with strange capitalization and punctuation. Globally, the following were the subject lines of the most clicked phishing emails in recent years:
  - Security Alert
  - Revised Vacation & Sick Time Policy
  - UPS Label Delivery 1ZBE312TNY00015011
  - BREAKING: United Airlines Passenger Dies from Brain Hemorrhage – VIDEO
  - A Delivery Attempt was made
  - All Employees: Update your Healthcare Info
  - Change of Password Required Immediately
  - Password Check Required Immediately
  - Unusual sign-in activity
  - Urgent Action Required
- How is the grammar and spelling? Large companies dedicate time and money to their communications. Because of this, spelling and grammar mistakes in legitimate emails from global brands are rare. Be sure to read emails carefully and be wary if there are consistent, glaring errors.
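As an added example that is not part of the original article, the following Python script applies three of the questions above to a message: does the "From:" display name match the address domain it claims (the display name spoofing described earlier), do link hosts match the brand shown in the link text (www.bestbuy1.com-style lookalikes), and does the subject or body lean on urgency wording. The brand allowlist, the two sample messages, the regex-based link extraction and the "last two labels" domain reduction are all assumptions made for this example.

```python
# Added example: triage checks for a suspicious email (not the article's code).
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: hypothetical allowlist of brands the organization deals with.
KNOWN_BRAND_DOMAINS = ("paypal.com", "amazon.com", "bestbuy.com", "target.com")
# Pressure wording of the kind seen in the most-clicked subject lines above.
URGENCY_PHRASES = ("immediately", "urgent", "action required",
                   "unusual sign-in", "password check")
# Assumption: simple regex for <a href="...">text</a>; real mail needs an HTML parser.
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}")


def registrable_domain(host: str) -> str:
    """Last two labels (mail.paypal.com -> paypal.com); assumption: no ccTLD handling."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_of(host: str):
    """Brand a host imitates (1target.com -> target.com) or None.
    Heuristic: strip digits and hyphens from the second-level label, then compare."""
    domain = registrable_domain(host)
    if domain in KNOWN_BRAND_DOMAINS:
        return None
    sld = domain.split(".")[0]
    cleaned = re.sub(r"[0-9-]", "", sld)
    for brand in KNOWN_BRAND_DOMAINS:
        brand_sld = brand.split(".")[0]
        if cleaned == brand_sld or brand_sld in sld:
            return brand
    return None


def display_name_spoof(from_header: str):
    """(brand, actual domain) when the display name claims a brand the address is not."""
    name, addr = parseaddr(from_header)
    addr_domain = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    compact_name = name.lower().replace(" ", "")
    for brand in KNOWN_BRAND_DOMAINS:
        if brand.split(".")[0] in compact_name and addr_domain != brand:
            return brand, addr_domain
    return None


def triage(raw_message: str) -> dict:
    """Parse an RFC 5322 message and list the red flags a reviewer should see."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    spoof = display_name_spoof(msg.get("From", ""))
    if spoof:
        findings.append(f"display name claims {spoof[0]} but sender domain is {spoof[1]}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, shown_text in LINK_RE.findall(text):
        host = urlparse(href).hostname or ""
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"link host {host} imitates {imitated}")
        shown = DOMAIN_IN_TEXT_RE.search(shown_text.lower())
        if shown and registrable_domain(shown.group()) != registrable_domain(host):
            findings.append(f"link text shows {shown.group()} but points to {host}")

    subject = msg.get("Subject", "")
    hits = [p for p in URGENCY_PHRASES if p in (subject + " " + text).lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return {"subject": str(subject), "findings": findings}


# Constructed sample messages (not real mail).
PHISH_SAMPLE = """\
From: "PayPal Support" <acct-help@mail-service.example>
Subject: Unusual sign-in activity - Action Required Immediately
Content-Type: text/html; charset=utf-8

<html><body><p>Verify now or your account will be suspended.</p>
<a href="http://www.1paypal.com/signin">www.paypal.com/signin</a></body></html>
"""

CLEAN_SAMPLE = """\
From: "Best Buy" <orders@bestbuy.com>
Subject: Your order has shipped
Content-Type: text/html; charset=utf-8

<html><body><p>Track your package at
<a href="https://www.bestbuy.com/orders">www.bestbuy.com/orders</a></p></body></html>
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, CLEAN_SAMPLE):
        result = triage(sample)
        print(result["subject"], "->", result["findings"] or ["no red flags"])
```

Running it reports four red flags for the constructed phishing message and none for the clean one. In practice the allowlist would be the brands and partners your organization actually exchanges mail with, and the domain reduction should use a public-suffix list rather than the last two labels.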
Avoid Becoming a Victim
As a basic rule of thumb, if something seems off about an email, do not click any of the links within the body copy or download attachments.
The following are some other tips to avoid becoming the victim of a phishing scheme:
- Be overly cautious of suspicious emails, deleting them immediately. Be particularly wary of emails that:
  - Come from unrecognized senders
  - Ask you to confirm personal or financial information
  - Aren’t personalized
  - Are vague
  - Include threatening, frightening and persuasive language
- Never enter personal information or click links in a pop-up screen.
- Avoid emailing personal or financial information, even if you think you know the sender.
- Hover over and triple-check the address of any links before you click them.
- Avoid replying to the sender if you suspect an email is malicious. If you recognize the individual or company sending the suspicious email, follow up with them offline to ensure they meant to contact you.
- Report the attack to your employer and the FBI’s Internet Crime Complaint Center.
- Verify a website’s security. Legitimate websites will have a URL that begins with https, and you should see a closed lock icon somewhere near the address bar.
- Review your online accounts regularly and use different passwords for each one. Most importantly, review your bank and credit card statements to ensure that all transactions are authorized.
- Keep your browser up to date and use firewalls.
- Run anti-virus and anti-malware software on a regular basis. Reputable vendors include McAfee, Symantec, Malwarebytes and Avast.
Additional Considerations for Employers
While the above prevention tips are important, there are additional concerns for employers. A company could have the most top-of-the-line cyber security measures and still fall victim to phishers. Just one employee opening a malicious email can compromise an entire network. To protect themselves, businesses need to do the following:
- Implement a data protection program. Train employees on common phishing scams and other cyber security concerns. Provide real-world examples during training to help them better understand what to look for.
- Segment networks if possible, keeping sensitive information separate. This can help prevent the loss of an entire network should one employee fall victim to a phishing attack.
- Filter emails and websites.
- Have employees use unique usernames and passwords. In instances where employees share credentials, hackers can cause major damage to your business simply by compromising one employee.
Get Informed, Stay Protected
Knowing how to spot a cyber phishing attack can be tricky, but these schemes are not going away. It’s no longer enough to simply install anti-virus and anti-malware software. To truly protect yourself, it’s crucial to stay informed on the most recent cyber attacks and up-to-date protection strategies.
And we can help. An independent insurance agent is a very valuable resource, as we can help you accurately assess your cyber risks, advise you on setting up cyber security standards, evaluate what a cyber breach may cost your business and match your cyber exposure with the proper cyber coverage.