In this inaugural iCyber Solutions blog post, Robert Kirtley of iDS gives a quick overview of phishing attacks: the damage they can cause, how frequently they occur, and some of the common types. In the second installment, he will concentrate on how to prevent and recover from a phishing attack.

What Is Phishing?

Phishing is a technique cybercriminals use to compromise accounts, devices, and networks by tricking email recipients into clicking a link (often to a counterfeit login page that harvests their credentials) or opening an attachment that carries malware. While Hollywood often depicts hackers as rogue heroes seeking to bring down evil corporations or sinister government agencies, the reality is much more complex.

There are good, ethical hackers, often called white hat hackers, who help organizations identify weaknesses in their networks, systems, or applications. There are black hat hackers who use their abilities for malicious activity, such as stealing your credit card information or corporate secrets.

In the movies, the evil hackers are typically actively engaged in their hacks – that is, they are going against their foes in real time before our eyes, bypassing security devices, extracting passwords, and finally getting access to their target’s crown jewels all while our heroes attempt to defeat them.

The reality is usually very different and much more mundane. The most common vector for data breaches in 2018 was phishing email, according to IDG's 2018 U.S. State of Cybercrime survey, conducted in conjunction with CSO magazine, CERT, the Secret Service, and KnowBe4.

The study also found that no organization is immune. Government agencies and large corporations endured an average of 196 security events per year, while the typical small/medium business faced an average of 24 events per year.

The result of a successful attack depends on the attacker's goal. One common attack embeds malware in an email; once a recipient opens it, the attacker has a foothold inside the security perimeter and can move on to additional systems and steal customer data or login credentials. In this case, you may not even know you have been breached until the FBI or the press contacts you for a comment.

Other attacks are more obvious: everyone comes in to work only to discover that the data on all of your computers is now encrypted with ransomware. And because your real-time disaster recovery backup was online and writable from the same network, it is encrypted too. You can get the data back for a mere $50,000 worth of Bitcoin, a small price to pay, they tell you.

A data breach can be much worse. Estimates vary, but multiple studies peg the cost to a medium-sized business of a breach exposing a few thousand customer or employee records at $1.5 million to $5.5 million. The costs can run much higher, and that figure does not include the reputational damage you may incur as a result of the breach.

What Are Examples Of Phishing Attacks?

Phishing can take many forms. The most famous (infamous?) scam is an unsophisticated email in which the sender pretends to be a Nigerian prince (or a former government finance official) who simply needs a U.S. bank account in which to deposit their money.

This scam, in some form, has been around for more than a century, but it has become far more common with the transition from a paper-based to an email-based attack. While most people see these emails for the laughably bad scam they are, you might wonder why we still see them.

Well, it's because, unfortunately, it still works. Millions of dollars flow to criminals from unsophisticated emails that are so common they have their own moniker: "419" fraud, named after Section 419 of the Nigerian Criminal Code, which covers obtaining property by false pretenses.

Another common type of phishing attack is spear phishing. Spear phishing is a targeted attack in which the bad actor picks a specific individual and gathers information about that person in order to craft a far more believable email.

Social media is a prime source of data used in spear phishing attacks. For example, if you post about staying at a specific hotel, the bad actor can craft an email from the hotel following up to ask you to complete a satisfaction survey. Or they may use your LinkedIn profile to identify that you are an alumnus of a specific school, then generate an email with a document describing an alumni event or a fundraising initiative.

An even more specialized type of spear phishing attack is called whaling. Whaling targets the most senior executives of an organization in order to steal its most valuable information or to get fraudulent funds transfers authorized. Whaling is often a long-term effort with a heavy focus on reconnaissance to make the attack as convincing as possible.

Another variation that is increasing in frequency is voice phishing, or vishing. Vishing attacks range from very simple to extraordinarily complex. At one end of the spectrum is a plain phone call that tries to persuade someone to give up personal details or account information, such as calling the help desk and claiming to be a user who has forgotten their password.

A more complex attack might combine changing the caller ID information, making a call, and following that up with an email. For example, an attacker might make their phone number appear to be a senior company executive’s phone number, making a phone call to the accounts payable specialist to tell them that the firm’s biggest supplier hasn’t been paid and that a wire transfer is needed ASAP.

On the phone, the attacker says they will get the information for the payment and send an email with the details. The attacker follows up with a spoofed email to the target that appears to be from that same executive containing the routing and account numbers for a wire transfer.

The attack is completed with another phone call that appears to be from the executive confirming that the AP specialist got the email and the information. And the executive will wait on the line while the transfer is executed.
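The spoofed email in the middle of that chain is the one step a mail gateway can actually inspect. The following is an added example (not code from the original post or from iDS) of the kind of check a practitioner would put in front of the accounts payable mailbox: it flags a message whose display name matches an executive but whose address is outside the company domain, a Reply-To that steers replies elsewhere, SPF/DKIM/DMARC results other than pass as recorded by the receiving gateway, and urgent wire-transfer language in the body. The company domain, the executive names, the sample messages, and the address domains used are all constructed for the demonstration.

```python
"""Flag e-mail that impersonates an executive: an added example, not iDS code.

Assumed inputs (hypothetical): the organization's mail domain, the display
names of its executives, and raw RFC 5322 messages as a gateway would hand
them to a filter. Two constructed sample messages are embedded for a
stand-alone run; no real addresses or organizations are referenced.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumed: the organization's mail domain
EXECUTIVES = {"jane doe", "john roe"}   # assumed: display names worth protecting


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _auth_failures(msg) -> list[str]:
    """Collect spf/dkim/dmarc verdicts other than 'pass' from Authentication-Results."""
    failures = []
    for header in msg.get_all("Authentication-Results", []):
        for token in str(header).replace(";", " ").split():
            key, sep, verdict = token.partition("=")
            if sep and key.lower() in ("spf", "dkim", "dmarc") and verdict.lower() != "pass":
                failures.append(f"{key.lower()}={verdict.lower()}")
    return failures


def impersonation_indicators(raw: bytes) -> list[str]:
    """Return the indicators suggesting this message impersonates an executive.

    An empty list means nothing fired; it does not prove the mail is genuine.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)
    indicators = []

    # 1. An executive's name on a From address outside the company domain.
    if display.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        indicators.append(f"executive display name on external address {addr}")

    # 2. Reply-To steering replies to a domain other than the visible sender's.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        indicators.append(f"reply-to domain {_domain(reply_addr)} differs from {from_domain}")

    # 3. The receiving gateway recorded SPF/DKIM/DMARC results other than pass.
    for failure in _auth_failures(msg):
        indicators.append(f"authentication result {failure}")

    # 4. Wire-transfer language plus urgency is the lure used in the attack chain.
    body = (msg.get_body(preferencelist=("plain",)) or msg).get_content().lower()
    if "wire" in body and any(w in body for w in ("asap", "urgent", "immediately")):
        indicators.append("urgent wire-transfer request in body")
    return indicators


# Constructed sample: the spoofed follow-up mail from the vishing scenario.
SPOOFED = b"""\
From: Jane Doe <jane.doe@examp1e-mail.net>
Reply-To: Jane Doe <ceo.office@freemailer.example>
To: ap@example.com
Subject: supplier payment
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-mail.net; dmarc=none
Content-Type: text/plain

Per our call, please send the wire ASAP. Routing 021000021, account 123456789.
"""

# Constructed sample: an ordinary internal message that should not fire.
LEGIT = b"""\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: lunch
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Lunch is at noon Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, impersonation_indicators(sample) or "no indicators")
```

Run stand-alone, the spoofed sample produces five indicators and the internal one produces none. Note what this check cannot see: the spoofed caller ID on the two phone calls. That is why the control that actually defeats this scheme is procedural, a call back to the executive on a number already on file before any wire is released, and the gateway check is only there to make the email leg of the attack fail noisily.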

Whatever the attack, in an increasingly digitized world we are all at risk. Stay tuned for the next installment, which will focus on helping your users avoid these attacks and on making your systems able to prevent, detect, and recover from them.


This article was originally published on the iDS Blog.