Phishing surpassed ransomware attacks for the first time last year, and now shares the throne as a top cyber security threat to businesses to watch out for in 2019. While it’s an organization-wide concern, evidence shows that there are certain individuals and departments that have bigger bullseyes painted on them. And as you might suspect, Phishers are going after them in droves in order to access sensitive data and/or inject malware. Today, we are identifying these top targets so that you can recognize human resource vulnerabilities and take preventative action.
Recent studies show that successful phishing attacks depend on a quick response from users. One key report found a 30 percent likelihood of the first-user click on malicious emails occurring within 60 seconds, while the median time-to-first-click on a phishing email was just over 2 minutes. This suits cyber criminals just fine, as they know that typical security protections are too slow to be effective against zero-hour threats, versus zero-day threats. Cyber criminals tend to make themselves more elusive by changing their phishing URLs within a few short hours after the malicious campaign was executed.
Now who in an organization tends to check and respond to emails most quickly? Customer service personnel. It’s their job to stay on top of current and prospective customer/client inquiries, and respond in a prompt manner as a means to foster relationships. They don’t have the time to investigate links and attachments, especially if an email is highly targeted and seems to require quick action to put out a proverbial fire (i.e. a product recall, etc.).
Those that “cut the cheques” are hot targets. Look no further than the recent attack on the City of Ottawa, an event that we referenced in our top 3 cyber attacks on Canadian soil article. Spear phishing was applied in this case, as the cyber criminal did some basic homework to find a name and email address of a key colleague that they could impersonate. They then generated a counterfeit email, which legitimately looked like it was coming from the colleague, to communicate with the target (the Treasurer). A request for a fund transfer was made, and after some basic back and forth communication the request was fulfilled, costing local tax payers about $130,000 CAD in the process.
Phishers will identify those who have authority to pay company invoices and transfer funds. Then, they will gather information on both internal staff and third parties (suppliers, vendors, etc.) so that they can set up URLs and emails to mimic the identity of said individuals, and send requests for payments and transfers.
PhishLabs reports that last year corporate SaaS credentials surpassed credit card numbers, bank account information, and other forms of financial data as the target for phishing campaigns. Cyber criminals became more interested in email and online services such as MS Office 365 and G Suite. Why? Without adequate protection in place, access to one single compromised email or productivity account can grant a cyber criminal access to the files of an entire organization (multiple emails and contacts), and quite possibly access to other SaaS credentials. This collectively opens the floodgates to everything and anything, which is far more valuable than getting access to one corporate credit card number.
Phishers will pose as a support person from an SaaS vendor (MicroSoft, G-Suite, Slack, etc.) and make a false claim that there was a suspicious login to a company account, that a password expired, or that the subscription itself is set to expire, and will provide a link to a spoofed page, a link that contains a malicious payload. Who typically receives solicitations from vendors about SaaS subscriptions? IT staff, who are more conscious of this threat? Sure. But also admin personnel, who are not. Someone on your admin staff may be the first point of contact on the phishing email, and after receiving notice to take immediate action to avoid service disruption, may click a malicious link or attachment when all they intended to do was help out the company.
Phishing campaigns are moving to social media at a rapid pace. It may be difficult to secure URLs/emails that will trick staff into thinking that they are being solicited by a colleague, however, it is much easier to gather names of known company executives and create social media profiles to pass as them, complete with personal and family photos (all of which are available to grab online). With the false profiles in place, phishers will target company employees that are active on social media (easy for criminals to verify), especially if you have social media staff along with internal brand advocates. A social connection is made via Friend/Follow request, which is more likely to be accepted, especially if the request appears to come from a “superior”. Once that connection is in place, a request for sensitive information may be made, or a malicious link or attachment may be shared.
That’s right. As a top executive and decision maker cyber criminals are looking at you, the whale, so to speak. Whale phishing is a highly targeted form of spear phishing, where criminals do some intensive homework to learn as much as they can about you and other top executives in the company, since together you hold the key to sensitive data and accounts. Armed with this knowledge, phishers may also impersonate you and/or members of the executive group and leverage authority to trick employees in other departments to release sensitive information or transfer funds. Cyber criminals may also use a spoofed email address along with your company logo to reach out to third party vendors/suppliers and media as a means to disrupt operations and slander the business.
Yikes! There are a lot of human resource vulnerabilities to consider here. However, there are steps you can take to mitigate highly targeted phishing attacks on your organization.
For one, top-to-bottom training for all staff and stakeholders is key, so be sure to share this article with them all, and conduct on-going training sessions to ensure everyone keeps abreast with the phishing threats that lurk on the other side of their inbox. In addition, consider asking that executives limit their social media exposure so that cyber criminals cannot access explicit information about them. This can be accomplished by adjusting privacy settings. Manual efforts aside, it is time for your company to tighten email security, which includes choosing a more secure email provider and the adoption of multi-factor authentication (MFA). Also tighten up your SaaS subscriptions. For instance, if using Office 365, strengthen your Office 365 security with MS Secure Score. In addition, learn how your company can leverage artificial intelligence (AI) to combat phishing and other cyber attacks, and even consider cloud to cloud back up to ensure that your data and productivity is uber protected should a phishing attack prove successful and a subsequent ransomware event ensue.
Take note that the preventative measures addressed above can be accomplished with investment in Managed IT support that offers access to a zero-hour response team and affordable SaaS subscriptions that will further limit your exposure to advanced phishing techniques. Contact SIRKit today to learn more.