Phishing Attack Trends
With half a billion dollars lost to phishing every year, it is worthwhile to keep up with new methods that hackers use to trick employees into giving out their credentials and other sensitive information.
1. Phishing Attacks Targeting Your SaaS Credentials
Until this year, most attacks targeted financial accounts, looking for credit card numbers or banking information. In 2018, email and online services like Office 365 and G Suite overtook financial institutions as the top phishing target. In other words, attackers are now targeting your business.
How they work: The look and feel of these attacks is not new. Instead of impersonating banks, however, they impersonate SaaS services like Dropbox, Slack or Office 365. The message might claim that there was a suspicious login to your account or that your password expired, providing a link to a spoofed page.
Why they are effective: A single compromised Office 365 account, for example, can grant access to the files of an entire organization and a wealth of email. Once a hacker has access to one account, they can easily embed themselves and use it to send malicious emails to others in the company, expanding their access. With the use of single sign-on, an employee’s G Suite account might be used to log into other SaaS services.
What you can do: You must turn on multifactor authentication across your organization, across all accounts. This is now considered the absolute minimum you can do to ensure security online. If you have not done this, stop reading and do it now (I'll wait).
2. Phishing Attacks Sent Through Messaging Apps
2019 will see an increase in attacks that do not use email at all. Slack, Teams, Facebook Messenger and other communication apps have become popular vectors for phishing.
How they work: These attacks use many of the same methods as classic email-based phishing (malicious links, impersonation, etc.), but they are delivered through the new breed of collaboration apps. While users have been trained to be suspicious of email, they tend to be overly trusting when using these tools.
Why they are effective: Slack, Skype, Teams, Facebook Messenger and other non-email platforms do not have the same built-in security measures as email, such as link scanning, malware detection or data leak protection. Ironically, users are more likely to click on a link or file in a chat than they would in an email.
What you can do: Include these tools in your employee awareness training. Employees should treat all communication channels as suspect. You should also investigate third-party tools that can add security to these unmonitored channels.
3. Interactive BEC Phishing Attacks
We’ve seen an increase in so-called business email compromise (BEC) attacks where there’s nothing clickable in the email. There are no links, attachments or malicious content, just a convincing message from someone pretending to be your boss or co-worker. These differ from traditional attacks because they lead to real-time, interactive dialogs with the attacker.
How they work: These attacks are highly targeted and rely on specific information about the victim and the person they are pretending to be. The first message is often just a hook to start a dialog. For example, "Hey, are you in the office?" Only after three or four messages will the attacker make a request to send a document, edit a file or send a gift card.
Why they are effective: The recent spate of database breaches has provided attackers with a wealth of information that makes it easy to create highly targeted, personalized messages. The innocuous first message reduces the risk of detection and self-selects for the distracted or gullible victim. These attacks can come by email, phone or even text message.
What you can do: Many companies have instituted a policy of “channel switching” for certain types of transactions. If someone asks for something via email, the response is sent via Slack. If a request comes by phone, the conversation continues in an email. A simple “did you just ask for the HR file” text is enough to counter this type of attack.
4. Phishing Inside Of Shared Files
Because most email systems will scan email for malicious links, attackers are now embedding those links within shared files and posting them on trusted sites like Box, G Suite and Dropbox.
How it works: A hacker will send an email that does not seem suspicious. It will point to a file hosted on a legitimate sharing service, most commonly Microsoft’s OneDrive. This document will contain a link. While file-hosting services might scan for malware, they do not scan for malicious links. A common attack will tell the victim they must authenticate to view the document, leading them to a fake login page.
Why it is effective: Most email security scans look for malicious links, but the URL of a trusted file share provider receives no further scrutiny. Some hosting sites scan files for malware, but none look for malicious links. These attacks are able to fool even savvy users because the initial link points to a legitimate service, which lowers their guard before they are led to a login page.
What you can do: Use a password manager. This is a perfect example of why password managers (even the free ones like LastPass) are so important. They will only enter your password into the legitimate login page. They can’t be fooled into filling your password on a fake phishing site, and because you don’t know the password yourself, you can’t type it in either. The safest password is the one you don’t remember.
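The protection described above (and the reason the spoofed login pages in section 1 get nothing from a password manager) comes from binding each saved credential to the exact origin of the page where it was saved. This added example, which is not code from the original article or from any real password manager, shows that origin match in Python; the vault entries, hostnames and credentials are all constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed vault for illustration: each credential is bound to the scheme
# and exact host of the page where it was saved, as browser password managers do.
VAULT = {
    ("https", "login.microsoftonline.com"): ("alice@example.com", "hunter2"),
    ("https", "www.dropbox.com"): ("alice@example.com", "correct-horse-battery"),
}

def page_origin(page_url):
    """Scheme and host of the page asking for a password, normalised."""
    parts = urlsplit(page_url)
    # .hostname strips any user:pass@ prefix and any port, so a URL such as
    # https://www.dropbox.com@evil.example/ resolves to the host evil.example.
    return parts.scheme.lower(), (parts.hostname or "").lower()

def autofill_candidate(page_url, vault=VAULT):
    """Credential a manager would offer for this page, or None on any mismatch."""
    return vault.get(page_origin(page_url))

def refusal_reason(page_url, vault=VAULT):
    """Why nothing is filled (hypothetical warning text a manager might show)."""
    scheme, host = page_origin(page_url)
    if (scheme, host) in vault:
        return None
    if scheme == "http" and ("https", host) in vault:
        return "saved for https only; this is a plain-http copy"
    for _, saved in vault:
        # e.g. login.microsoftonline.com.verify-docs.example embeds a saved host
        if saved in host and host != saved:
            return f"lookalike host: contains saved host {saved} but is not it"
    return "no credential saved for this origin"

if __name__ == "__main__":
    # Constructed sample pages: one legitimate login, three phishing variants.
    for url in (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://login.microsoftonline.com.verify-docs.example/",
        "http://login.microsoftonline.com/",
        "https://www.dropbox.com@evil.example/s/shared",
    ):
        print(url, "->", autofill_candidate(url), refusal_reason(url))
```

Only the first URL receives a credential; the subdomain trick, the plain-http copy and the user-info trick all fall through to a refusal, which is exactly the behaviour the article relies on.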
It is an arms race. Every year, hackers get more advanced and introduce new phishing strategies to bypass defenses that were designed for last year’s threats. Remind your users to second-guess requests for information, money or passwords. When budgeting for security, keep in mind that over 90% of breaches last year started with a click. Don’t let your users be the only line of defense.