Criminals use new tools and tactics to create authentic-looking emails.
The most common type of attack today involves a criminal posing as a high-level executive in an email message to an employee with access to the desired system or information. We know through internal testing that such phishing emails have a click-through rate.
Whether the criminal seeks a wire transfer, such as what occurred at Mattel and Ubiquiti Networks, or employee tax details, as in the cases of Snapchat and Seagate, the ruse is essentially the same: pose as an executive and leverage trust and the human desire to please our superiors to achieve the nefarious goal.
The perpetrators of a phishing scam are generally after one thing: money. The CEO-to-CFO wire request takes a very direct approach, while other criminals are playing the long game. With the employee tax details in hand, the criminals can now use identity fraud to file phony tax returns, open new lines of credit, and even buy real estate using the stolen identities.
There have been some large-scale APT attacks across Middle Eastern financials earlier this year – attacks where malware was “dropped” onto the internal network and went undetected for months. This is just another goal for the spear phishing criminal, who is motivated not only by a quick return but also by using spear phishing as part of a blended threat to achieve long-term objectives.
iZOOlogic continues to build products that can prevent these types of attacks, but education around email security must be a cornerstone for all enterprises. Human error, paired with corporate cultures that sometimes fail to prioritize cyber security education, is often the culprit when businesses fall victim to phishing attacks. All employees should understand what a phishing email looks like and how to avoid becoming a victim.