Phishing remains the number one cybersecurity threat for 2020, responsible for nearly one-third of all data breaches worldwide. But like everything else in the technology field, phishing scams are rapidly evolving both in terms of the tools being used and the cleverness with which they are being designed.
But there is hope. New technologies and simple common sense can help keep you, and your employees, from becoming victims.
Phishing is a Growing Problem
According to Verizon’s 2019 Data Breach Investigations Report, 32% of all data breaches begin with a phishing attack, with nearly three quarters of these involving the use of malicious code or backdoor access techniques to compromise sensitive information or disrupt data operations.
Perhaps even more concerning, more than 40% of attacks are being launched against small businesses, which cuts against the myth believed by many organizations that they are too small to warrant serious attention by hackers.
Email remains the primary attack vector for most phishing scams. According to Beyond Security, one out of every 99 emails is a phishing attempt. But while ransomware and distributed denial of service (DDoS) attacks targeting databases and websites will likely continue to be the top threats in the coming years, things like SQL injection and query string manipulation are gaining in popularity.
These can be used to modify a database or insert executable code into an application, either to wreak havoc with its operation or to gain access to data.
So far, however, phishing attacks have tended to be random in nature and somewhat formulaic. For example, they broadcast false notifications of Apple accounts or requests from senior executives to a broad swath of targets, even to people who don’t have such accounts or have little or no interaction with the top brass.
Spear Phishing Isn't Designed to Fool Everybody, Only a Handful
The newest phishing trend is called “spear phishing”, in which the hacker researches a target in order to deliver a highly personalized, and often convincing, message.
A recent report by Barracuda Networks identifies spear phishing as the first step in an often complex plot to impersonate brands or people, and even ensnare executives in sextortion or other blackmail schemes.
“Spear phishing emails do not always include malicious links or attachments,” the report states. “Since most traditional email-security techniques rely on blacklists and reputation analysis, these attacks get through. Attacks typically use spoofing techniques and include ‘zero-day’ links, URLs hosted on domains that haven’t been used in previous attacks or that have been inserted into hijacked legitimate websites; they are unlikely to be blocked by URL-protection technologies. Cybercriminals also take advantage of social-engineering tactics in their attacks, including urgency, brevity and pressure, to increase the likelihood of success.”
Furthermore, these kinds of attacks are more likely to employ artificial intelligence and large amounts of compute power in order to create a believable fraud. For this reason, thwarting spear phishing will require purpose-built solutions capable of analyzing communications patterns to quickly identify anomalies.
At the same time, account-takeover protection will be necessary, considering that more spear phishing attacks are now generated from previously compromised accounts. DMARC authentication and reporting are also a good defense against domain spoofing and brand hijacking.
Systems and Practices
On a broader level, of course, organizations should think about updating their security postures not just with the latest technologies but with new mindsets that recognize the futility of 100 percent protection. Going forward, a more flexible, dynamic response mechanism is warranted, one that can quickly step in to protect critical systems and data while keeping operational disruption to a minimum.
More than likely, this new footing will have to employ the latest in artificial intelligence and machine learning to ensure it remains vigilant against emerging threats.
But don’t overlook the many low-tech ways to protect yourself either, said SiteLock’s Neil Feather. Training employees to spot fake emails is perhaps the most effective anti-phishing measure available. Even the most sophisticated scams contain red flags that should give one pause.
These include odd-looking return email addresses or links that connect to unusual websites, requests for personal data or other sensitive information (particularly when rules are in place prohibiting this kind of exchange) and email from people or companies that the employee rarely or never interacts with.
And in many cases, the scam email will contain typos, poor grammar or other warning signs — most commonly when the perpetrator is a non-native speaker, as is often the case.
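The red flags just listed are mechanical enough that a mail gateway or a training tool can check for them before a person has to. The script below is an added example, not from the article or from SiteLock, that scores a message on the same signs: a Reply-To that does not match the From domain, a sender outside the domains the recipient normally deals with, link text that shows one host while the href points to another, pressure language and requests for credentials. The two messages, the domain names and the allow-list are constructed for illustration.

```python
"""Score an email against the low-tech phishing red flags listed in the article.

Added example with constructed messages; every address and domain below is made up.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import List
from urllib.parse import urlparse

# Constructed allow-list: domains this employee normally corresponds with.
KNOWN_DOMAINS = {"example.com", "partner.example"}

URGENCY = re.compile(r"\b(immediately|within 24 hours|urgent|suspended|final notice)\b", re.I)
SENSITIVE = re.compile(r"\b(password|passcode|social security|credit card|verify your account)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: shows every red flag at once.
SAMPLE_PHISH = """\
From: "Example Corp Billing" <billing@example-corp-support.net>
Reply-To: collect@mailbox-relay.example
To: staff@example.com
Subject: Final notice: account suspended within 24 hours
Content-Type: text/html

<p>Your account will be suspended within 24 hours. Verify your account now:</p>
<a href="http://login.example-corp-support.net/verify">https://portal.example.com/login</a>
<p>Please reply with your password to avoid interruption.</p>
"""

# Constructed sample: an ordinary internal message with nothing suspicious.
SAMPLE_CLEAN = """\
From: "Team Lead" <lead@example.com>
To: staff@example.com
Subject: Agenda for Thursday
Content-Type: text/plain

The agenda is on the shared drive. Let me know if Thursday still works.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg: Message) -> str:
    """Concatenate all text/* parts so single-part and multipart messages are handled alike."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def red_flags(raw: str) -> List[str]:
    """Return one line per red flag found; an empty list means none of the checks fired."""
    msg = message_from_string(raw)
    flags: List[str] = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {from_dom}")
    if from_dom and from_dom not in KNOWN_DOMAINS:
        flags.append(f"sender domain {from_dom} is not one the recipient normally deals with")

    body = body_text(msg)
    # Visible link text naming one host while the href goes to another.
    for href, label in ANCHOR.findall(body):
        label_host = urlparse(label.strip()).hostname
        href_host = urlparse(href).hostname
        if label_host and href_host and label_host != href_host:
            flags.append(f"link text shows {label_host} but points to {href_host}")

    text = f"{msg.get('Subject', '')}\n{body}"
    if URGENCY.search(text):
        flags.append("urgency or pressure language present")
    if SENSITIVE.search(text):
        flags.append("requests credentials or other sensitive data")
    return flags


if __name__ == "__main__":
    for name, raw in [("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)]:
        print(f"{name}: {len(red_flags(raw))} flag(s)")
        for flag in red_flags(raw):
            print("   -", flag)
```

The checks are heuristics, not a verdict: a legitimate vendor can have an unusual Reply-To and a real outage notice can be urgent. The value of a scorer like this is to surface the message for a second look, which is exactly the pause the article says training should instil.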
Phishing is not likely to go away in 2020, or any time after. But while the headlines of recent cyberattacks have been ominous, the good news is that the world has finally awoken to the danger that phishing poses.
And with any change for the better, the first step is to acknowledge the problem.