There is an axiom that says, “Give a man a fish he eats for a day; teach a man to fish and he can feed himself forever.” Cybercriminals have co-opted that to say “Give a man a fish and he eats for a day, teach a man to phish and he’ll live like a king.” Phishing is the bane of CISOs everywhere.
There is nary an organization these days that has not been on the receiving end of a phishing or more targeted “spear-phishing” email. The goal is collecting sensitive information, personal credentials or passwords with the intent of getting into networks to steal information, or lock it up and ransom the data and systems back to the enterprise itself.
This type of attack plays to the oft-referenced idea that the human employee typically is still the weakest link in the data security chain. And, despite the broad-based attention paid to these types of attacks, bad actors have gotten very good at social engineering targets and exploiting their weaknesses. Phishers expertly determine which buttons they need to push in these carefully crafted emails to make them seem legitimate, urgent and requiring immediate response or action from their targets. Regardless of increased awareness training, Verizon’s 2017 Data Breach Investigations Report found that roughly one in 14 people will automatically click on any attachment or link they receive — and more than 25 percent of them were tricked into clicking more than once. The same report found that last year two-thirds of all malware made its way onto systems via email attachments, more than six out of 10 of which were packed in popular JavaScript attachments.
Indeed, attackers have become very sophisticated in their abilities to exploit vulnerabilities in applications such as email or messenger programs. They can bypass network security by impersonating corporate executives and by employing established social engineering techniques—oftentimes using legitimate code, or information about their targets, the people they are impersonating or the organization itself, gleaned from research the attackers conducted beforehand. By using these approaches, they make their phishing emails, messages or texts seem all the more real and legitimate, and they get users to divulge either credentials or data, or to take an action that permits the attacker to gather additional intelligence.
Former Rep. Mike Rogers, R-Mich., who served as chairman of the U.S. House Intelligence Committee from 2011 to 2015, speaking at the U.S. Chamber of Commerce’s cybersecurity summit in late 2015, says sophisticated phishing emails are behind more than 90 percent of successful cyberattacks. And some experts peg the percentage even higher.
The Ironscales 2017 Email Security Report, based on a survey of 500 cybersecurity professionals, found that as many as 95 percent of all successful worldwide cyberattacks started with a phishing email. In fact, more than half of all emails are spam, and the percentage of these spam emails that carry malicious attachments is growing in leaps and bounds, according to IBM’s X-Force research team.
As cyber-crooks make these phishing emails increasingly believable and well-researched, an Intel Security survey in 2015 found that 97 percent of people could not tell the difference between an authentic email and a well-crafted fake one. And it’s not difficult to see why this cheap and effective method of cracking open an enterprise system is still so popular with novice and experienced hackers alike.
“Phishing is a numbers game and remains effective because it’s a relatively easy attack to attempt repeatedly,” says Chad Greene, director of security at Facebook. “It often only requires a single person to fall for the phishing attempt for it to be successful. With persistence, an attacker will likely eventually find someone to enter his or her login credentials.”
And mobile devices are becoming an increasingly popular vector for these attacks as well. Newsweek recently reported that since the beginning of this year, mobile ransomware attacks—which tend to be initiated through SMS text phishing or “smishing”—are up more than 250 percent over last year.
Indeed, phishing has played a major role in nearly every global, high-profile cyber-attack in the first six months of this year. These include multiple attacks on businesses and individuals throughout Qatar (more than 93,000 attacks in the space of three months) in the Middle East and Nigeria in Africa, a phishing campaign aimed at the postal service of the Czech Republic, and multipronged attacks hitting U.S. and international businesses including Chipotle, Amazon, Google, Deloitte and Facebook, plus government agencies like the National Institutes of Health and the U.S. Postal Service.
Even the dreaded 2017 WannaCry ransomware onslaught, which is believed to have affected nearly a quarter of a million people in more than 150 countries, likely started with phishing, security researchers say. And savvy phishers are going yet another step further, using other recent, high-profile cyber breaches and offline tragedies as a means to trick otherwise wary employees and individuals with their pleas. In late September, the Federal Trade Commission alerted the public that scammers were pretending to be agents of Equifax to collect sensitive personal information from people already worried about their leaked data. Other recent scams have preyed on the charity of businesses and consumers who want to help or donate to people affected by the recent spate of 2017 hurricanes, including Harvey and Irma.
Limor Kessem, global executive security advisor and a cyber security researcher for IBM Security, agrees that this form of social engineering remains popular because “it preys on human emotion and impulse to act” by crafting emails that might “scare the reader into opening an urgent message from their bank, threaten that an account has been disabled, or reward readers with fake tax refunds, supposed rewards from popular retailers, or reduced prices for something they need.” And for employees in particular, receiving a supposedly “urgent” invoice, a notice from a tax authority, a salary file, a money transfer request purportedly from a C-level executive, or a notice to pick up a parcel that could not be delivered would likely trigger an immediate action or response, she adds.