Spear Phishing

June 4, 2016
Spear phishing scams

Spear phishing scams have been around for decades and, despite all our best efforts in terms of user education, we continue to see a rise in this kind of phishing in terms of volume and sophistication – it is only the high-profile phishing attacks that make headlines.

Spear phishing has evolved and continues to evolve. Cybercriminals are using social media to gain insights and information about top-level executives to assist their campaigns.

Criminals use new tools and tactics to create authentic-looking emails.

The most common type of attack today involves a criminal posing as a high-level executive in an email message to an employee with access to the desired system or information. We know through internal testing such phishing emails have a click through rate.

Whether the criminal seeks a wire transfer, such as what occurred at Mattel and Ubiquiti Networks, or employee tax details, as in the case of Snapchat and Seagate, the ruse is essentially the same: pose as an executive and leverage trust and the human desire to please our superiors to achieve the nefarious goal.

The perpetrators of a phishing scam are generally after one thing: money. The CEO-to-CFO wire request takes a very direct approach, while other criminals are playing the long game. With the employee tax details in hand, the criminals can now use identity fraud to file phony tax returns, open new lines of credit, and even buy real estate using the stolen identities.

There have been some large-scale APT attacks across Middle Eastern financials earlier this year – attacks in which malware was “dropped” onto the internal network and went undetected for months. This is just another goal for the spear phishing criminal, who is motivated not only by a quick return but also by using spear phishing as a blended threat to achieve long-term objectives.

iZOOlogic continues to build products that can prevent these types of attacks, but education around email security must be a cornerstone for all enterprises. Human error, paired with corporate cultures that sometimes fail to prioritize cyber security education, is often the culprit when businesses fall victim to phishing attacks. All employees should understand what a phishing email looks like and how to avoid becoming a victim.
