Phishing threats have escalated over the past few years as methods employed by hackers become stealthier and more sophisticated. Phishing is one step above spam and is a technique used to try to acquire sensitive information (think usernames, passwords, and credit card details) by masquerading as a trustworthy source. You might get "phished" with an e-mail claiming to be from a website you frequent, a bank, or even an IT administrator. Phishing attacks are usually sent out in bulk, hoping to lure an unsuspecting person into responding. It used to be that they were full or errors, but these days they are very good, perhaps one letter or word off. If you're in a hurry, it can be easy to miss such minor flaws.
More dangerous and at a higher threat level are focused, targeted attacks via e-mail on a single person or small group with a specific goal to capture information or money, called spear-phishing. Both phishing and spear-phishing are forms of social engineering, an attempt to manipulate someone into performing actions they would not ordinarily do, or to divulge confidential information against their own interest.
Why It's Important
Let's take an example of a recently married young couple. The husband had just received a short-term loan from his family to buy a property from a friend of his who was giving him a great deal. The friend's e-mail had been hacked through a successful phishing attempt, and the hacker sent the young husband instructions via e-mail where to wire the money. Turns out, the "instructions" were from the hacker, and by the time the husband and his friend realized the message was fake, the hacker was long gone with the funds in hand. The bank was not accountable because wiring of the money was considered "voluntary."
On the corporate level, a current crime wave targets CEOs and CFOs. Numerous cases of CEO fraud, or what the FBI refers to in Alert I-082715a-PSA as "Business E-mail Compromise (BEC)," has resulted in the loss of over $1.2 billion through the end of August 2015. These cases are not limited to small companies. Tech firm Ubiquiti Networks disclosed in a quarterly financial report filed with the SEC that it suffered a whopping $46.7 million hit because of a BEC scam.
There is a clear pattern to watch out for. It often begins with the scammers spear-phishing an executive, inserting keylogger malware into that person's system, and gaining 24/7 access to that individual's inbox. The scammers research the organization and monitor the e-mail account for months until the right circumstances arrive. Then they pounce. They spoof the CEO's address and send messages to employees in accounting from a look-alike domain name that is one or two letters off from the target company's true domain name.
This scam is worse than ransomware. The ransom of files held hostage averages $500, whereas the FBI numbers indicate the average loss for a BEC is $100,000. A business falling for a social engineering scam such as an e-mail compromise can have devastating effects. You don't want to be the next Ubiquiti losing tens of millions of dollars.
Many phishing and spear-phishing attacks happen due to easy-to-access e-mail addresses and information. The more of your organization's e-mail addresses are exposed, the bigger your e-mail attack footprint and the higher the risk. It's often a surprise how many addresses are actually out there, who they belong to, and where they are found. With these addresses bad guys can launch spear-phishing attacks on your organization or your personal accounts. This type of attack is hard to defend against, unless you or your users are well trained and know what to look for.
What to Do
You can take basic steps to protect yourself and your organization from these social engineering attempts. The more you can implement the items in the following list, the better your security preparation to thwart phishing and spear-phishing attacks.
- Don't click on anything suspicious. "When it doubt, throw it out."
- Keep yourself and your organization well versed in current threats and stay up-to-date. Doing this will help you recognize threats.
- Keep your computers and devices patched with the latest updates, which patch security holes that could allow hackers unauthorized access.
- Have a dual process in place for any bank wires or financial activity and always verify wire instructions by phone with people you trust. ALWAYS initiate this contact so that you know the action requested is correct before transferring any money.
- If you work in IT, or are looking for a career in IT, it is vital to promote a security-minded culture. Get yourself and your institution's staff trained on security best practices, and do routine tests using anti-phishing tools coupled with new-school security awareness training.
Protect yourself, your family, and your institution. Don’t become a victim of phishing. You can take steps to prevent being targeted or compromised by hackers or would-be phishers by getting yourself trained.
Resources
- National Cyber Security Alliance (NCSA): staying safe online, spam and phishing
- Federal Trade Commission (FTC): identity theft and data security, phishing scams
- Anti-Phishing Working Group: anti-phishing resources
- OnGuardOnline.gov: phishing
- NACHA: Electronic Payments Association, consumer safety and security
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC. An IT Security expert with 30+ years in the industry, Sjouwerman (pronounced shower-man) was the co-founder of Inc. 500 company Sunbelt Software, an award-winning anti-malware software developer that was acquired in 2010 by GFI Software, a portfolio company of Insight Partners. Realizing that the end-user is the weak link in IT security and seriously neglected, he decided to partner with famous former hacker Kevin Mitnick and help IT pros tackle cybercrime tactics utilizing New School Security Awareness Training combined with regular simulated phishing attacks. Sjouwerman is the author of four IT books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.
© 2015 Stu Sjouwerman. This EDUCAUSE Review blog is licensed under the Creative Commons BY-NC-SA 4.0 International license.