If you’re like most people, you’ve probably gotten a few emails this week alone purporting to be from Amazon, PayPal, Netflix, and others, informing you that your credit card has expired, and you need to click this button to update the information. Hopefully, you thought twice before you clicked. If you didn’t, you’ve probably been phished.
The term ‘phishing’ was coined back in the 1990s combining “phone” and “fishing.” It is a malicious ploy to gain sensitive information such as passwords, credit card numbers, and user names—and it is the number one security problem today, according to James Stanger, chief technology evangelist at technology association CompTIA.
Phishing is the most common method of cyber attacks, according to Gartner, which also notes that phishing attacks are increasing in volume and sophistication. This is resulting in significant financial damage to organizations both in downtime (such as ransomware attacks) and financial fraud, for example, from wire transfers.
On average, roughly one out of every 4,500 emails is a phishing attack, the firm says. Email will remain the primary method of advanced targeted attacks through 2020, Gartner adds.
Besides the credit card scam, another increasingly common phishing technique is an email containing links to bogus tech support websites. Once a user clicks on a link, the phisher uses various scare tactics to trick people into calling hotlines and paying for unnecessary “technical support services” that supposedly fix contrived software problems on a computer or device.
What makes phishing so scary is that IT doesn’t have control or visibility into what end users are doing, notes Stanger. Phishing also doesn’t tend to get the same attention as ransomware attacks, when a computer system is locked and held hostage until a “ransom” fee is paid, he adds.
There are a few different types of phishing that individuals and organizations need to be aware of, says David Jevans, chairman of the Anti-Phishing Working Group (APWG) coalition, which works with industry, government, and law enforcement agencies in the U.S. and Europe.
Spear phishing targets an individual, business or organization, usually to steal account credentials or financial information. Often, a cybercriminal will try to install malware on that individual’s computer. This is “the most profitable and most difficult to defend against,” in terms of actual dollar losses and impact, says Jevans, who is also the founder of crypto security and blockchain security firm CipherTrace.
Whale phishing is typically aimed at well-known individuals, who tend to be wealthy and powerful, such as celebrities and politicians. These attacks tend to be smaller in nature and are not always financially motivated, he says. Sometimes they are done as a revenge tactic.
Watering hole phishing is when a cyber attacker targets a community on a website or in chat forum where a bunch of people are congregating. The attacker will either email people who are part of that forum directly to take over their account or attack the IP administrator of the forum to get the information needed to target the people hanging out at the waterhole, says Jevans. Often, cybercriminals will use data from tracking companies to learn the behavior of the organization or industry they are targeting. Once they install malware, the site becomes a distribution point and visitors aren’t aware it has been infected by malware via their flash player, for example, he says.
SMS phishing, or SMSphishing uses social engineering techniques, and it has been growing considerably over last year, according to Jevans. An individual will get an SMS/text message from an authentic-looking, trustworthy sender like your bank or ISP, asking you to verify a PIN, for example.
Vishing is a voice phishing social engineering scheme that tricks someone over the phone to gain access to their personal financial information.
In the past few years, cybercriminals have figured out that it’s more lucrative to target enterprise and government employees rather than consumers. Everyone is a target—even big-name companies like Google and Facebook have been duped.
Cyberattacks spend time researching a person on sites like LinkedIn and Crunchbase. They learn who has access to the accounts they can get into to install malware and will craft a message to that person that’s very effective.
In fact, 91 percent of breaches start with phishing emails, according to Dark Reading. And a 2018 phishing trends survey by Cofense (formerly PhishMe) finds 90 percent of respondents still worry about email-related threats. The survey also found nearly one-third of respondents receive over 500 suspicious emails weekly, and 26 percent have a dedicated inbox for suspicious emails.
Email phishing schemes are expected to grow even more sophisticated, with greater emphasis placed on relationship building because of the potential for criminals to make so much money, officials say.
Of course, humans are the key element in preventing phishing. But AI (and its machine learning subset) is emerging as a powerful tool in the arsenal. Google, for example, is using machine learning to block spam and for phishing detection, according to TechCrunch. These platforms are also learning and automatically detecting when a file is malicious before humans can, which can prevent zero-day attacks, notes CSO.
AI can analyze an organization’s unique communication pattern and flag inconsistencies, according to Security InfoWatch. For example, AI can automatically classify an email when it is in the first stage of the attack as spear phishing and detect anomalous activity if an account is compromised.
Machine learning algorithms are generally trained on large data sets to look for patterns such as those in previous phishing attacks, and how to react when something is found. But industry experts caution that AI alone is not the panacea to preventing phishing. These systems are designed to encourage a "human in the loop," so they are not sole, autonomous arbiters, observes Wired.
Jevans recommends using DMARC, an email authentication protocol that helps organizations sort out bogus emails from real emails coming into their network.
He also cautions that no one technology will be able to completely stop phishing.
The other critical element is continuous user training since hackers keep getting more creative when it comes to manipulating people, says CompTIA’s Stanger. There are a number of red flags employees should look for, including generic salutations, incorrect domain names, unfamiliar senders, messages with undue urgency, and attachments with executable extensions.
Vigilance is important, and small and mid-sized organizations shouldn’t assume cybercriminals are only going after large companies—no one is immune.