Phishing remains one of the most pervasive cyber threats.
Phishing attacks are ever-increasing, and the technology and tactics behind them are continually evolving, keeping security professionals and computer users on their toes.
Phishing is the fraudulent act of using electronic communication, such as email and messaging, to attempt to obtain sensitive data. Account credentials and financial details are among the coveted bits of information.
While the phishing campaigns of yore mostly consisted of poorly constructed emails blasted out to as many people as possible, current trends point to more thought-out and scientific attacks.
In this new epoch, targeted groups are carefully selected and studied through the intricate web of online accounts, websites, and social media.
Based on the information gleaned from these, the phishing campaigns are carefully tailored to appeal to specific subsets of people, or even individuals.
It’s a case of quality versus quantity.
And it’s working.
In a public service announcement from earlier this year, the FBI shared an astonishing statistic: Between October 2013 and December 2016, phishing attacks cost American businesses almost $500 million each year.
A game of deception
A major component of phishing attacks is deception.
Phishing emails oftentimes purport to be from well-known companies such as Microsoft, Apple, Google, Wells Fargo, and Dropbox. Upon cursory inspection, the emails may look official, with logos, colors, and branding matching those of the impersonated company.
Phishing websites can also appear remarkably genuine, with interfaces and graphics closely resembling the real thing.
Many phishing scams will attempt to stir up panic and fear. Exercise caution when email subjects warn of pending account deactivation, popups declare your systems are infected, or messages state you need to ACT NOW OR ELSE…
When you combine the advanced replicas with the induced sense of urgency, you have a recipe for trouble.
Advanced phishing attacks and evasive maneuvers
Today’s phishing attacks may do more than steal personal information; they may also carry a scary payload. Malware can be deposited, and communication with a command and control server can be established.
Cybercriminals are also getting harder to track. Short-lived phishing sites (with an average lifespan of 4 to 8 hours) and seemingly benign domain names make it hard to maintain a static list of bad sites.
Consider, too, that an estimated one million-plus phishing sites are created every single month.
A layered approach to security against phishing and other threats
“There’s no single method or product to completely block phishing threats,” said Brian Walker, CEO of InCare. “However, there are steps you can take to make it harder to fall victim to these attacks.
“Company-wide education is important. Have your IT department or managed security provider hold periodic training sessions concerning the latest threats and phishing tactics.”
“A layered defense is the best policy,” added Aaron Allen, Director of Technical Services at InCare. “By having an array of overlapping defenses, you put yourself in a great defensive stance against the multitude of threats out there.
“Regularly patched antivirus, firewalls, and other traditional components are a good base. Proactive IT monitoring is very important.
“If you need any advice, or if you require cybercrime awareness training, fill out the form below and we’ll schedule a free consultation.”