Phishing is the attempt to obtain sensitive information, usually for malicious purposes, by posing as a trustworthy entity in an electronic communication. If you think you aren’t susceptible, think again: people will always be the #1 security risk. According to the Microsoft Computing Safety Index, the annual worldwide cost of phishing may be approaching $5 billion.
Six of the fastest and easiest ways scammers can breach a company:
- Spear Phishing
These attacks are directed at specific individuals or companies. Attackers research their target beforehand (names, roles, suppliers, travel plans) so that the message fits the recipient’s expectations and the probability of success goes up. According to Debbie Stephenson in “Spear Phishing: Who’s Getting Caught?,” spear phishing makes up 91% of attacks on the internet today, making it the most successful attack approach. Infused Institute reports that in June 2015, Ubiquiti Networks, Inc. lost $46.7 million to a spear phishing email. Employees were led to believe the email came from executive leadership and transferred funds to overseas accounts held by third parties. Emails can very easily be made to look legitimate; a display name or a look-alike sender domain is all it takes.
- Clone Phishing
In this type of attack a legitimate, previously delivered email that included a link or attachment has its content and recipient addresses copied to create a near-identical clone. The link or attachment is replaced with a malicious version and the clone is sent from an address that appears to be the original sender’s. Because the recipient has already seen the real message, the copy passes the “does this look familiar?” test; the cues that remain are the sender address (a spoofed display name or a look-alike domain) and the changed link target.
- Whaling
These attacks are aimed at senior executives and other high-profile targets within a company. The emails take a more serious tone, such as a legal subpoena, customer complaint, or executive issue, and usually involve a fabricated company-wide concern. Some have gone as far as making the email look like it was sent by the FBI, requiring the recipient to click a link to view a subpoena. According to a May 2016 article in SC Magazine, the CEO of an aircraft parts manufacturer in Austria was fired after he fell for a C-level fraud, or whaling attack, that cost the company $40.9 million. He wasn’t the first: the same company’s CFO had been fired three months earlier over the same incident.
- Pharming
Pharming redirects visitors to an impostor site without their ever clicking a bad link. The attacker corrupts name resolution, typically through DNS cache poisoning: a forged record is planted in a DNS server so that the legitimate domain name resolves to the attacker’s IP address instead of the real one. The URL the victim typed still appears in the address bar, so a correct-looking address is not proof of a legitimate site; the TLS certificate (and the browser’s warning when it does not match) is the check that survives a poisoned lookup. In February 2017, the online customers of 50 financial institutions in the US, Asia-Pacific and Europe were targeted, with approximately 1,000 PCs infected per day over a three-day period. These sophisticated pharming attackers built a look-alike website for each of the targeted banks.
- Dropbox Phishing
These attackers send realistic-looking emails that appear to come from Dropbox, a widely used file sharing service, asking the recipient to click through to “secure” their account or download a shared file. The link text may show a genuine dropbox.com address while the underlying link goes somewhere else entirely. In April 2016, the Better Business Bureau warned Dropbox users to inspect such emails very carefully, describing a phishing con posing as Dropbox that lured victims into clicking a link that delivered malware.
- Google Docs Phishing
Another file sharing service that companies commonly use is Google Docs. As with the Dropbox lures, scammers can build a web page that mimics the Google account login screen and steals user credentials. In May 2017, Wired.com reported a phishing scam sweeping the internet that tricked Google Docs users into granting permissions to a third-party application. Unlike the norm, these attackers used no malware and no fake website: the consent screen was Google’s own, so the usual advice (check the URL, look for the padlock) gave no warning, and the only tell was that the application asking for access to the victim’s mailbox was not Google’s. Traditional security measures were ill-equipped to handle it.
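The three mail-borne patterns above (a cloned or spoofed sender, a Dropbox-style link whose visible text points at one site while the link goes to another, and a Google Docs-style OAuth consent request for mailbox access) can all be spotted from headers and HTML alone. The following is an added example written for this page, not code from the original article or from any vendor: a small triage script over a constructed sample message. The sender domains, the `client_id` and the tiny brand table are invented for the example, and the registrable-domain helper is a deliberate simplification (a real check would use the Public Suffix List).

```python
"""Added example: header and link triage for the phishing patterns above.

The sample message, domains and brand table are constructed for this example;
the rules are illustrative heuristics, not a product or the page's own code."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: a Dropbox look-alike that also carries an OAuth consent
# link. The client_id and every domain here are invented for the example.
SAMPLE_EML = """\
From: "no-reply@dropbox.com" <alerts@dropbox-secure-login.example>
Reply-To: helpdesk@mail-relay.example
To: user@corp.example
Subject: Action required: secure your Dropbox account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A document was shared with you. Verify your account to view it:</p>
<p><a href="https://dropbox-secure-login.example/verify">https://www.dropbox.com/account/security</a></p>
<p><a href="https://accounts.google.com/o/oauth2/auth?client_id=hypothetical-app.apps.googleusercontent.com&amp;scope=https://mail.google.com/%20https://www.googleapis.com/auth/contacts&amp;redirect_uri=https://docs-share.example/cb&amp;response_type=code">Open in Docs</a></p>
</body></html>
"""

# Toy brand-to-domain table (assumption; a real deployment would maintain a
# list of the brands the organisation actually receives mail from).
BRANDS = {"dropbox": "dropbox.com", "google": "google.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Naive eTLD+1 (last two labels); a real check uses the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def addr_domain(header_value):
    """Domain part of the first address in a header, or '' if absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()


def triage(raw_message):
    """Return a list of (rule, detail) findings for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg["From"] or ""))
    from_dom = from_addr.rpartition("@")[2].lower()

    # Clone/spear phishing: the display name carries an address from another domain.
    m = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if m and m.group(1).lower() != from_dom:
        findings.append(("display-name-spoof", f"{from_name!r} sent from {from_dom}"))

    # Replies are diverted to a third domain.
    reply_dom = addr_domain(msg["Reply-To"])
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append(("reply-to-mismatch", f"From {from_dom}, Reply-To {reply_dom}"))

    # A brand name inside the sender domain that is not the brand's real domain.
    for brand, real in BRANDS.items():
        if brand in from_dom and registrable(from_dom) != real:
            findings.append(("lookalike-sender", f"{from_dom} imitates {real}"))

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = LinkExtractor()
    parser.feed(body.get_content())
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        # Dropbox-style lure: the visible text is a URL on a different site.
        t = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if t and registrable(t.group(1)) != registrable(host):
            findings.append(("link-text-mismatch", f"shows {t.group(1)}, goes to {host}"))
        # Google Docs-style lure: an OAuth consent request for mailbox access.
        if host == "accounts.google.com" and url.path.startswith("/o/oauth2"):
            qs = parse_qs(url.query)
            scope = qs.get("scope", [""])[0]
            if "mail.google.com" in scope:
                findings.append(("oauth-mail-consent",
                                 f"client_id={qs.get('client_id', ['?'])[0]} scope={scope}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EML):
        print(f"{rule:20} {detail}")
```

Run against the sample, the script reports five findings, one per trick: the spoofed display name, the diverted Reply-To, the look-alike sender domain, the link whose text and target disagree, and the consent request for Gmail access with the client that is asking for it. None of the rules needs a malware sample or a fake login page, which is the point of the OAuth case above: the consent URL is genuinely Google's, so the thing to examine is the `client_id` and the scopes being requested, not the address bar.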
Don’t let phishing attacks lure you: slow down, check the sender and the real link target, and make yourself hard to fool.