Hackers do their homework, send more tailored phishing emails

Criminals gather intelligence, take advantage of human nature before unleashing targeted attacks


The current cybersecurity climate makes it hard not to be cautious of phishing attacks. Forget reclaiming lost family fortunes or assisting Nigerian princes; today's phishing scams are targeted, complex and incredibly prevalent.

It feels like a new, high-profile phishing attack is getting reported every other month. In May, Google Docs users were being targeted with malicious invitations to edit fictional documents. Before that, DocuSign users were sent bogus emails encouraging them to download a Microsoft Word document that installed malware.


Despite increased awareness of these attacks and "I'd never fall for that" attitudes, Verizon's 2017 Data Breach Investigations Report showed that 1 in 14 users fell for a phishing scam by clicking on an unidentified link or downloading a suspicious attachment.

Edric Wyatt, CyberScout security analyst

I recently sat down with Edric Wyatt, a security analyst with CyberScout, to discuss the evolution of phishing attacks, what attackers are trying to achieve, and how organizations can effectively defend themselves. (Full disclosure: CyberScout underwrites ThirdCertainty.) Here are the key takeaways from our discussion:

Attacks have evolved. Attacks have become far more advanced in recent years. Rather than posing as Nigerian princes, attackers are creating hyper-targeted, hyper-relevant emails that leverage social engineering to encourage users to click. Attackers are spending longer researching organizations to try to get as much information as possible before sending out targeted emails. They know your name, your role and your title and tailor each attack to reflect this. So when you receive 1,000 emails a day, you won't think twice about clicking one that "seems" normal.

Attacks are just one of many. If you are targeted with a phishing email, you might not be the primary focus. Attackers are targeting multiple individuals within an organization as part of a more advanced attack. The information that you provide by falling for the phishing email might not be the end goal. But anything you provide is information they can use in a future attack.

Constant training is the key to successful defense. The more that training and awareness are reinforced in employees, the more likely they are to recognize attacks for what they are. The more you hear it, the more you see it. As soon as new threats come out, training should be scheduled. Regardless of the measures IT departments have in place to protect an organization, it only takes one individual to click on one link to compromise the entire company.
