In 2022, three cybercriminal groups claimed to have gained access to T-Mobile’s internal networks as well as data on 37 million customers. Their plan was to phish T-Mobile employees to gain access to internal tools, then use that access to perform “SIM swapping,” which would have given them control over the delivery of any T-Mobile customer’s text messages and phone calls.
Clearly, there is a lot at stake when an organization is a targeted victim of a phishing attack. And with the continued success cybercriminals are having with phishing, there’s no reason for them to slow their rate of attacks any time soon. In today’s modern threat landscape, no organization is immune to being targeted.
Among the reported complaints to the FBI’s Internet Crime Complaint Center in 2022, phishing is, by far, the most common crime type reported, with nearly 38% of complaints being phishing. According to the 2023 Verizon Data Breach Investigation Report, 44% of all social engineering attacks are phishing attacks.
The real danger of phishing is that cybercriminals don’t stop after a successful attack. Phishing represents just a single stage in a cybercriminal’s attack plan to further compromise credentials, move laterally, escalate privileges, and exfiltrate data and/or finances. To stop cybercriminals from achieving these objectives, we need to be sure to reduce their likelihood of succeeding in their phishing attempts, thwarting the cyber attack before it can start.
What Is Phishing?
Phishing involves fraudulent communication with the intent of stealing sensitive data (such as login credentials or credit card information), deploying malware into a computer system, committing financial fraud, or practically any other nefarious endeavor you might imagine.
From its early days to today, phishing has turned our email inboxes into a danger zone. Simply opening an email and clicking on a link can have dire consequences.
Due to the prevalence of phishing, every business, regardless of its size or industry, is at risk. And since this type of attack relies on human error and has a high degree of success, phishing will always remain a favorite tool of threat actors.
A Brief History of Phishing
Phishing tactics have evolved over the years. One of the first mass-emailed phishing campaigns disseminated the infamous ILOVEYOU virus in 2000. Looking back, it was quite basic by today’s standards. All the incoming email message said was, “kindly check the attached LOVELETTER coming from me.” Of course, it wasn’t a love letter. The attachment was a VBScript file given a double extension (.TXT.vbs) so that, on systems that hid known file extensions, it looked like a harmless text file; opening it ran the malicious script.
Despite its simplicity, the campaign was terrifyingly effective. It infected millions of computers and inflicted an estimated $10 billion in total damages (about $15.63 billion today). For comparison, in 2022 the FBI Internet Crime Complaint Center (IC3) received 800,944 complaints, with reported losses in excess of $10.3 billion.
How Phishing Has Evolved
Comparing past phishing schemes with those of today shows how far the craft has come. Modern phishing attacks are far more sophisticated and can fool even alert, experienced users. Tactics now used by cybercriminals include:
- Spoofing email addresses from known sources
- Sending well-crafted messages that appear completely legitimate
- Impersonating well-known brands that people trust
- Creating authentic-looking spoofed websites that don’t raise any flags
The common thread between modern phishing tactics and the more rudimentary early attempts is that both rely on people making mistakes, especially when driven by deeply ingrained emotions such as curiosity and fear.
Taking advantage of such emotions is what cybercriminals do. Getting people to become more skeptical about unexpected emails that stoke these emotions isn’t easy. Despite the abundance of information about phishing and a growing awareness among organizations and users of the tactic, employees still fall victim to such attacks on a regular basis.
About 25% of workers say they’ve clicked on a phishing email link at some point in their career, according to researchers at Tessian. And in some industries, such as technology and financial services, almost half of employees have done so — proof that phishing campaigns don’t just trick the gullible or ill-informed. The truth is, we’re all potential victims.
Modern Phishing Attacks Are a Major Global Concern
Phishing is not only at the top of inboxes but also at the top of mind for enterprise executives across the globe. According to a recent survey by Arctic Wolf, 89% of respondents had been targeted by malicious messages in the last twelve months; 59% of those were suspected phishing emails and 41% were impersonation emails or text messages. That is a high number, and it is all the more significant given that the most common security incident of the past year for organizations was business email compromise (BEC), an attack that often begins with phishing to obtain credentials or access.
When executives were asked which attacks concern them most, ransomware (43%) and business email compromise (38%) were second and third on the list. The common thread? Both can begin with phishing. Those attacks can be costly, too. According to the IBM Cost of a Data Breach Report 2023, phishing was the most common initial attack vector and the second most expensive, at an average of $4.76M per breach.
While growing phishing attacks highlight the need for better employee training, only 21% of organizations stated they would blame employees for a breach. It’s possible organizations don’t understand that employees are both top targets and the first line of defense when it comes to phishing and other types of social engineering, meaning threat preparation is critical to maintaining a robust security posture.
How Do Phishing Attacks Work?
A phishing attack has multiple steps:
- The threat actor identifies a target. That target is often an internal user at an organization. However, individual consumers can also be targeted by attacks.
- The threat actor pretends to be a trusted source for that user, be it an IT person or a representative from a trusted organization, and contacts the target. The traditional route for phishing is email.
- The threat actor convinces the target to either give them access to secure systems, give them financial data (or other valuable data) or both.
Cybercriminals continue to come up with creative methods to use phishing to infiltrate an organization. While the majority of their efforts still use email as the vehicle, they have branched out into other channels that you need to watch as well.
Most Common Types of Phishing Attacks
1. Email Phishing
Email phishing is a general term that describes any cyber attack that uses email as a method of contacting potential victims. These attacks are typically mass-emailed campaigns that cast a wide net, with phishing “lures” sent to a vast number of recipients. These emails include a malicious link or attachment and try to get the recipient to click the link or open the attachment by expressing a sense of urgency, inciting fear or curiosity, or using some other enticing message.
Attackers will craft their messages in a way to try to make you comfortable, so you’ll let down your guard. That’s why they often impersonate prominent, popular brands like Facebook and Microsoft, who make up 18% and 15% of all phishing URLs, respectively.
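As an added example (not Arctic Wolf’s code or tooling), the Python below shows how the spoofing tactics listed earlier, a forged sender, a brand name in the display name, a look-alike domain and a deceptive link, can be caught mechanically from a message’s headers and body rather than by eye. The trusted-domain list, the glyph-substitution table and both sample messages (the look-alike rnicrosoft.com lure and the legitimate acme.example notice) are constructed for illustration and are not real data.

```python
"""Mail-header and link checks for the spoofing tactics described above.
Added example, not Arctic Wolf code: the trusted-domain list, the glyph
table and both sample messages are constructed for illustration."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"microsoft.com", "facebook.com", "acme.example"}  # assumed
GLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def registrable(host: str) -> str:
    """Last two labels of a hostname (a real tool would use the public suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def imitated_brand(host: str):
    """Trusted domain that `host` imitates, or None if it is genuinely trusted
    (including subdomains) or unrelated. 'rnicrosoft.com' folds to 'microsoft.com'."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return None
    folded = reg
    for fake, real in GLYPHS:
        folded = folded.replace(fake, real)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or trusted.split(".")[0] in folded:
            return trusted
    return None


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw: str) -> list[str]:
    """Return the spoofing indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    # 1. SPF/DKIM/DMARC verdicts recorded by the receiving gateway.
    for mech, res in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", ""), re.I):
        if res.lower() in ("fail", "softfail", "permerror"):
            findings.append(f"{mech.lower()} {res.lower()}")
    # 2. Display name claims a brand the address is not, or the domain is a look-alike.
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if imitated_brand(from_domain):
        findings.append(f"from domain {from_domain} imitates {imitated_brand(from_domain)}")
    for trusted in TRUSTED_DOMAINS:
        name = trusted.split(".")[0]
        if name in display.lower() and registrable(from_domain) != trusted:
            findings.append(f"display name claims {name} but address is @{from_domain}")
    # 3. Reply-To routed to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registrable(reply.rsplit("@", 1)[-1]) != registrable(from_domain):
        findings.append(f"reply-to domain differs: {reply}")
    # 4. Link text showing one domain while the href goes to another (or to a look-alike).
    body = msg.get_body(preferencelist=("html", "plain"))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    for href, shown in parser.links:
        host = urlparse(href).hostname or ""
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname or ""
        if "." in shown_host and registrable(shown_host) != registrable(host):
            findings.append(f"link text shows {shown_host} but points to {host}")
        elif imitated_brand(host):
            findings.append(f"link host {host} imitates {imitated_brand(host)}")
    return findings


# Constructed samples: a look-alike "Microsoft" lure and a legitimate internal notice.
PHISH = """\
From: "Microsoft Account Team" <security@rnicrosoft.com>
Reply-To: collect@mail-relay.example.net
Subject: Unusual sign-in activity
Authentication-Results: mx.acme.example; spf=fail smtp.mailfrom=rnicrosoft.com; dkim=none; dmarc=fail
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended unless you verify it within 24 hours.</p>
<p><a href="http://login-microsoft.co/verify">https://login.microsoft.com/</a></p></body></html>
"""
LEGIT = """\
From: "Acme IT Helpdesk" <helpdesk@acme.example>
Authentication-Results: mx.acme.example; spf=pass smtp.mailfrom=acme.example; dkim=pass; dmarc=pass
Content-Type: text/html; charset="utf-8"

<html><body><p>The VPN will be offline Saturday 02:00-04:00. Details:
<a href="https://intranet.acme.example/maintenance">intranet.acme.example</a></p></body></html>
"""
```

Running `triage(PHISH)` reports the failed SPF and DMARC verdicts, the look-alike sender domain, the display-name mismatch, the foreign Reply-To, and the link whose text shows login.microsoft.com while its href points to login-microsoft.co; `triage(LEGIT)` returns an empty list. One caveat: an Authentication-Results header is only trustworthy when your own gateway wrote it, so a production filter must strip any copy that arrives on inbound mail before evaluating its own.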
2. Spear Phishing
Spear phishing typically involves a greater degree of social engineering and more intensive research into the target. Such attacks focus on specific people, with attackers sending personalized emails that include valid information about the recipients to convince them of the sender’s legitimacy. Cybercriminals may root around on social media for information or just use an educated guess.
Although these attacks take more planning, they’re also typically more successful, making them well worth the attacker’s effort. Recent research has revealed that spear-phishing attacks make up just 0.1% of all email-based attacks but are responsible for as much as two-thirds of all breaches.
3. Baiting
Baiting is a phishing technique that uses an enticing offer or reward, such as a free movie download or a giveaway prize. It can also involve physical media, like a USB drive, and arrive via physical mail. The drive may contain a file titled something like “HR highly confidential,” counting on employees being curious enough that they can’t resist peeking at its contents. Once they open the file, however, malware is deployed and compromises their system.
4. Whaling
Whaling attacks target big wins scored by hooking executives and other high-value individuals. Attackers up the ante on their social engineering efforts, often researching as much as they can about the target and using that intelligence to gain trust. This may take place over a period of months and involve repeated two-way communication.
5. Vishing
This attack type combines voice calls with phishing, hence “vishing.” During vishing attacks, cybercriminals impersonate people of authority, such as an IRS agent, a bank representative, or a tech support person, to scare the target into taking action. The caller tries to confuse and fluster the potential victim, making it a lot easier to get the would-be victim to comply with the request.
6. Smishing
Smishing uses text messages (SMS) to deliver the malicious link. Anyone who owns a smartphone has likely received a text saying they won a prize, or a message with a similar lure. Attackers may also impersonate a legitimate company to entice the recipient to divulge sensitive information or download a malicious file.
7. Angler Phishing
Angler phishing moves the scam to social media. In one variation, the scammer sends a shocking message and link to a person’s contacts. When someone clicks on a link, it installs a browser extension that the scammer then uses to do things like change the privacy settings, steal data, and spread the infection through the victim’s social media contacts.
In another variation of this tactic, the scammer may hijack a direct message conversation between a brand and a customer and redirect the customer to a fake, malicious page, where the customer is tricked into compromising their information.
Why Does Phishing Work So Well?
Cybercriminals count on flaws in human nature for phishing attack success. They know that if they get lucky, their message will arrive at a time when you’re focused on other things, in a hurry, on the move, or otherwise not paying close enough attention.
To improve their already reasonable odds of getting recipients to do the wrong thing, threat actors use additional strategies that ratchet up the tension or lend credibility to the situation:
1. They create a sense of urgency
Let’s say they send you an email that looks like it’s from your CEO, requesting you to urgently buy some gift cards for customers. This immediately puts pressure on you — after all, it’s the highest-ranking official at your company and you better not disappoint the big boss.
The scammers use this tactic to get a knee-jerk reaction out of you. They know you are likely to rush a response before stopping to consider how implausible it is that your CEO urgently needs iTunes or Google Play cards.
2. They have more than enough information to sound legitimate
Most people share enough information on social media to make it possible for a stranger to get a pretty good picture of their lives. Social media is a social engineer’s treasure trove.
Scammers can figure out where you’ve worked and for how long, who your manager is, and what your email address and phone number are. And they don’t stop there. They can easily find sensitive and personal information floating around on the dark web and use it to craft a believable trap. They’ll construct a backstory or reason for why they need you to take some immediate action or share some information with them. And, without much scrutiny, it may sound highly plausible, convincing you to give them what they want.
3. They know that most employees haven’t been properly trained to suspect them
Bad actors know that lots of companies don’t provide any security awareness training and many of those that do are simply not providing it frequently enough for their workforce to retain what they learn.
According to the Ebbinghaus forgetting curve, people forget as much as 80% of what they have learned within a month. Given that, it is disappointing that only 6% of companies provide security awareness training monthly. Employees at the other 94% are likely to have forgotten much of what they were taught by the time a phishing email reaches them.
With the infrequency and ineffectiveness of most security training, it’s no wonder phishing still works. Businesses must do a better job of preparing and training their employees.
What Do Cybercriminals Do With Information Gained From Phishing?
Cybercriminals have an abundance of nefarious motives behind their actions. They employ phishing attacks to gain access to systems and data, and then use that access or information to:
- Sell your data: Attackers monetize stolen data by selling it on the dark web to other bad actors, who perpetrate new scams.
- Try your data on alternate sites: Knowing that many people recycle their passwords, scammers will try the credentials harvested in one attack to gain access to other online accounts.
- Leapfrog through all your contacts, and impersonate you: By accessing your email, they launch attacks on the people in your contact list, infecting their systems or attempting to scam them.
- Lie in wait to deploy ransomware or wreak havoc: Phishing is often just one step in a multiphase attack. Cyber attackers often wait patiently for the opportune moment to achieve their actual goal.
- Use your information as their front door to launch an inside attack: A login made with stolen but valid credentials looks like any other login, so controls such as firewalls typically do not flag it. That lets attackers move further into your systems, and into any systems you connect to, without being detected.
How To Prevent Phishing Attacks
Things would be so much simpler if you could just disconnect from the internet, not hire employees, or not allow anyone into your office. But that’s not the reality in which we live and work. Any business that relies on the internet and has employees will always be at risk.
With systems now highly interconnected and processes increasingly digital, you need to take the time to evaluate how effective your approach to security awareness really is.
Are you preparing your employees to recognize and react appropriately and quickly when they face an attack? Are you educating your people based on current threat vectors, or are you still talking about the Target breach from 2013?
Threats change constantly so your training needs to keep up with those changes. And you need to continuously evaluate what is effective for your employees.
If your employees do not have security awareness training of any kind or you’re just providing it at onboarding, annually, or quarterly, you’re leaving your company extremely vulnerable to an attack.
The only answer to an ongoing problem is an ongoing solution. Just as you wouldn’t turn your network or device defenses on once a year or once a quarter for an hour at a time, the same is true for engaging your employees in a security awareness training program.
Cybercriminals don’t stop thinking of ways to attack your network, devices, or people, which is why your technical defenses should always be up and your security awareness program should always be running, frequently engaging your employees to keep security top of mind.
It’s also important to use encouragement when looking to create a positive culture of security. Instead of seeing employees as a risk or “the weakest link,” believe in your people as an essential and capable part of your security solution.
- Everything in your security awareness program needs to be designed in a tone that teaches and encourages employees rather than shames or tricks them.
- Every piece of content should deliver a positive learning experience that builds trust between your security teams and your employees.
- Your phishing simulations should take a positive approach to teaching employees specifically about the red flags they missed and what to watch out for every time to determine if an email can be trusted.
How Arctic Wolf Can Help
As part of our security operations solutions to end cyber risk, Arctic Wolf conducts training sessions that teach people all about security in the most effective ways possible. We offer ongoing microlearning, immediate follow-up lessons for phishing simulations, and security experts who guide you through the security awareness training process, so your employees can make continuous improvements in the program.
Our Concierge Security® Team also offers coaching and strategic advice on how to improve your company’s overall security culture and raise your security posture.
Learn how Arctic Wolf Managed Security Awareness® keeps security top of mind for your employees, so they’ll remember more, retain information longer, and react more quickly and carefully when encountering phishing threats.