In the first part of this blog series, we discussed ransomware, a type of malware that encrypts files and then extorts victims for the key. Encryption malware is easily one of the nastiest, most effective cyberattacks in circulation.
And yet, ransomware’s rise to infamy would have been all but impossible without the help of a very different kind of cyberthreat. The second of the top three cybersecurity challenges facing organizations is phishing.
The costliest cyberthreat ever?
Social engineering is any tactic, in the physical or virtual world, that strives to manipulate individuals into divulging authentication credentials, sensitive information, funds or something else. Phishing is social engineering that occurs online, typically via email, and usually with the intent of stealing login credentials or getting a user to download malware or share sensitive information. It’s unique in the sense that unlike other cyberthreats such as ransomware, the end goal of the scam doesn’t have to be extortion. It could be anything, really.
For example, earlier this year, a hacker convinced an employee at popular messaging app Snapchat to share personally identifiable information belonging to 700 workers. The cybercriminal achieved this by posing as the company’s founder and CEO in an email and requesting that the data be sent over. In some cases, hackers simply ask for money. According to the FBI, scams in which hackers posed as executives requesting wire transfers cost U.S. companies $1.2 billion between October 2013 and August 2015.
Bear in mind, these losses don’t factor in cases in which surveillance malware was installed via an email phishing scam, which may have later been used to orchestrate data breaches. Nor do they account for the ransomware (which raked in $209 million in only the first three months of 2016) that is disguised as URLs or downloadable materials in emails. It would be safe to say that phishing isn’t only the most prolific type of targeted attack, it’s also the most expensive.
All you can do is try to even the odds
Phishing schemes have advanced to an extraordinary level of sophistication that blindsides even the most vigilant, tech-savvy individuals. The corporations getting sucked into these schemes aren’t run by a bunch of out-of-touch Luddites. The victims here are intelligent, often high-level employees who are just trying to do their jobs. Consider how the following scams function:
- PETYA ransomware: Disguises itself in an email to HR posing as a job application.
- Data breach victim scam: Hackers contact people with fabricated emails or letters in the wake of a high-profile breach, claiming that the recipients’ data has been compromised. They then request personal information or company data. A recent example of this occurred during the fallout of the Office of Personnel Management breach in 2015.
- Macro malware: Hides within macros inside Word documents or Excel spreadsheets that are sent via email. When the user enables the macro, the machine is infected with any of a variety of malware strains. This scam is especially problematic for financial institutions.
The above are only a few of the clever schemes being used by hackers to wreak havoc on businesses and individual users alike. Getting ensnared by one of them isn’t necessarily the result of carelessness or unsavory internet behavior.
As such, the best that a modern organization can hope for is to even the odds by having a methodology in place to detect phishing scams early. According to Sam McLane, Arctic Wolf Networks’ Head of Security Engineering, a good place to start is by teaching users what to look for. This might not preclude the more conniving phishing attacks, but it will nip a fair number of them in the bud.
For those phishing schemes that will make it past employees, McLane noted that it’s essential to have a framework in place to catch them early. For example, is an unusual program trying to execute on a network computer? Can an email message that is supposedly sent from a higher-up be traced to a suspect IP address or one that’s in a foreign country? Has one of your users been logging in from strange locations and on multiple machines at once?
Being able to spot these and other signals of phishing requires strong threat detection in your company’s network. It might not keep you from falling prey to phishing scams altogether, but it will substantially curtail the potential for loss.
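The last of those questions, a user logging in from strange locations and on multiple machines at once, can be checked mechanically over authentication logs. The following is an added example, not code from the original post or from Arctic Wolf; the session records, host names and per-user country baseline are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sessions (user, host, country, login, logout); not real data.
SESSIONS = [
    ("alice", "ws-014", "US", "2016-06-01T09:00", "2016-06-01T17:00"),
    ("alice", "ws-014", "US", "2016-06-02T09:05", "2016-06-02T17:10"),
    ("bob", "ws-021", "US", "2016-06-02T08:30", "2016-06-02T12:00"),
    ("bob", "lt-107", "US", "2016-06-02T13:00", "2016-06-02T16:00"),
    ("carol", "ws-033", "US", "2016-06-02T09:00", "2016-06-02T17:00"),
    ("carol", "vpn-ext", "RO", "2016-06-02T10:15", "2016-06-02T10:45"),
]

# Assumed baseline of countries each user normally logs in from (hypothetical).
BASELINE = {"alice": {"US"}, "bob": {"US"}, "carol": {"US"}}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def find_anomalies(sessions, baseline):
    """Return {user: sorted reasons} for the login signals described above."""
    by_user = defaultdict(list)
    for user, host, country, start, end in sessions:
        by_user[user].append((parse(start), parse(end), host, country))

    alerts = defaultdict(set)
    for user, items in by_user.items():
        items.sort()  # order by login time so overlap checks can stop early
        for i, (s1, e1, h1, c1) in enumerate(items):
            # Signal 1: login from a country outside the user's baseline.
            if c1 not in baseline.get(user, set()):
                alerts[user].add(f"unusual-location:{c1}")
            # Signal 2: sessions on different hosts that overlap in time.
            for s2, e2, h2, c2 in items[i + 1:]:
                if s2 >= e1:
                    break  # later sessions start after this one ended
                if h1 != h2:
                    alerts[user].add("concurrent-hosts:" + ",".join(sorted((h1, h2))))
    return {user: sorted(reasons) for user, reasons in alerts.items()}


if __name__ == "__main__":
    for user, reasons in find_anomalies(SESSIONS, BASELINE).items():
        print(user, reasons)
```

Sequential logins on two machines (bob) are not flagged; only overlapping sessions on different hosts or logins from outside the baseline (carol) raise an alert.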
This is part two of a three-part blog series about the top three cyberthreats facing modern organizations.