Remember when email phishing attacks were all too easy to spot? The bad graphics, poor email page design and layout, paragraphs peppered with spelling errors — they were always dead giveaways.
Well, those days are gone and phishing attacks are more sophisticated than ever.
And while phishing attacks are primarily used to separate victims from their money, they are also used as part of the first wave of more sophisticated attacks.
According to PhishLabs' 2016 Phishing Trends & Intelligence Report: Hacking the Human, released Thursday, spear-phishing remains the primary initial attack vector used by so-called advanced persistent threats, while 22% of spear-phishing attacks analyzed last year were motivated by financial fraud or related crimes.
Also, according to the report, the number of organizations targeted with Business Email Compromise (BEC) spear-phishing attacks grew tremendously in 2015, as threat actors refined BEC techniques and sought new victims.
“BEC attacks target smaller more nimble organizations, where exceptions to standard accounting processes are more likely to be made based on personal requests from members of the executive team. Analysis of attack indicators shows that, in most cases, targeting requires very little effort. BEC attackers appear to glean the information they need from readily-available public sources and business networking sites,” the report said.
Translated into English: Criminals will use commonly available information (such as that found on a LinkedIn profile) to try to socially engineer employees into breaking policy and protocol so that funds can be stolen.
The PhishLabs report also found a distinct year-over-year increase in phishing attacks targeting cloud storage and file hosting sites, webmail, online services and e-commerce sites. Gmail is used for more than half of all drop email accounts. That makes Gmail the most used webmail service in phishing attacks. And during holiday seasons, attacker attention shifts from other targets to online services and e-commerce companies.
Perhaps most alarming, the report notes that threat actors — even the not-so-sophisticated ones — are more frequently using techniques to evade automated detection and prevent analysis of attack components.
The report is alarming in more ways than one and definitely worth a read. The big takeaway? Enterprises need to do more to prepare employees to respond to this type of attack.
Does your business train employees in how to spot and respond to phishing attacks?