Trends come and go, and keeping up with them when it comes to pop culture or fashion might be challenging, but when it comes to cybercrime, you'll likely never be ahead of the hackers. They constantly adapt their tactics and tailor them to be more effective, which makes it challenging to stay educated on them.
Recently, Barracuda released a report that reviewed data spanning from May 2020 through June 2021 and analyzed over 12 million email attacks at approximately 17,000 organizations. The report found that these phishing attacks are increasing in complexity, and the old tactic of fighting them off with rules, blocked lists, or outdated policies is no longer working. The spam tactic of one hacker hitting many users at once is giving way to sophisticated criminal organizations that sometimes target a victim with a single email.
How are they doing it? While you may be familiar with all thirteen different types of attack strategies defined in the study, we will break down the details of the top hits in today's blog. The specifics can help you tailor your message to your team and take a multi-layered approach to building a proactive solution for your organization.
Brand identification is the goal of nearly every business. You see a logo and know what it is before you even read a word. An element of trust is built into these brands. Scammers know how to take that trust and manipulate it by impersonating these brands, so that users who trust the brand act without hesitation. Microsoft is one of the top three brands used in these phishing emails, along with WeTransfer and DHL. This trend has stayed consistent since 2019. Since nearly 80% of businesses use a Microsoft product, it doesn't seem likely that the Microsoft brand will be safe from impersonators anytime soon. Currently, 43% of phishing impersonation attacks are impersonating Microsoft. Most of Microsoft's products are tied to logins; gaining access to a user's account is a doorway into other files and folders within a business. Once attackers are in, ransomware and other malicious activity are just a click away. WeTransfer allows users to share larger files, and DHL serves the transportation industry, so combined, these brands reach targets across various verticals.
Anyone in IT should be aware of phishing emails, but spear-phishing is a more targeted attack method. Attackers research the audience or intended victim(s), their workplace, and even their social sites to create a curated email inquiry or request that is harder to distinguish from legitimate mail than a more common spam message or attack. Ensure that you are creating awareness about this specific type of attack in addition to the general understanding of phishing. Combined, this builds up the multi-layered approach that we recommend.
Business Email Compromise
A business email compromise scam, or BEC scam, essentially combines the trust built from within a business or organization with a fraudulent request and puts it into an email to the targeted recipient. The email will usually include a request to send or transfer funds, purchase gift cards, or send donation money to a bogus charity. These emails often impersonate an executive or high-level individual at the company, since the recipient would be less likely to question the request. BECs make up about 10% of the social engineering attacks found in the report, and of that 10%, one in five were targeted at people in sales roles.
Cyberattacks are no laughing matter, and it can seem like a full-time job to stay educated on the subject. But training and strengthening the human workforce is the best way to mitigate the risk of cybercrime. For more information on the proper cybersecurity training, contact your Pendello Solutions team today.