How Hackers are Phishing for Your Credentials
Apr Wed, 2019
You are probably no stranger to social engineering and phishing attacks. This common cyber attack has been in the news frequently over the last five years, targeting businesses of all sizes. Hackers have increasingly been testing out different phishing techniques that target a group of users to capture credentials, personally identifiable information (PII), and financial information. Each technique is conducted differently based on the group of users the phisher is targeting and the end goal of the phisher.
Evolution of Phishing
Back in the day, you would commonly see phishing attempts occur through AOL – the top internet service provider back in the 90s – through fake AOL accounts and impersonation of AOL employees to message users into verifying their accounts, to steal credentials and billing information. But now, and ever since the 2000s, when email became the preferred method of communication in organizations, email phishing has become the selected approach for spamming and targeting individual users. Between 2004 and 2005, over 1.2 million users in the United States (U.S.) were victims of phishing with a total estimated cost of $929 million – with businesses losing about $2 billion a year to phishing attacks.
Brian Krebs, a popular security researcher, stated that 2018 would be the year that targeted phishing went mainstream, and he was right. Last year, software-as-a-service such as Office 365, Drop Box, and G Suite were the top phishing target of hackers, targeting employees of organizations. Its reported that half a billion dollars is lost every year to phishing in the U.S. – and from 2016 to 2017 – there was an increase of 237% of SaaS-targeted attacks.
Ways Hackers Phish for Your Information
Phishing techniques are always evolving, using psychology to manipulate the user into clicking on a link and releasing valuable information, but the following are common types of phishing attacks you should prepare your employees for.
- A phishing email sent to a user with a link to a malicious website that is meant to look like a trustworthy site such as your bank or Drop Box, where they ask you for sensitive information.
- Business email compromise attacks, where an email sent from a spoofed email address such as your “boss” or a coworker, is asking you to buy gift cards or verify sensitive information.
- Phishing through the phone – where hackers pose as vendors or an IT department to retrieve sensitive information from you.
- Man-in-the-middle phishing attacks where the hacker intercepts sensitive information from you and a third-party.
- Phishing emails with attachments containing malicious code, that when opened by the user provides the hacker access to your organization’s database.
- Messaging apps such as Slack, Skype, and Facebook messenger used by phishers to send malicious links.
Best Practices for Phishing Prevention
Employee education will always be the most effective way to prevent human error from occurring and leaving your organization vulnerable to a social engineering and phishing attacks. Communicating the following best practices will help prepare them for the next phishing attempt:
- Review information – check the details in an email such as misspelling in the email content or email address, poor grammar, unfamiliar URLs, or abnormal requests.
- Verify the security of a website – secure websites contain an “https” and a green lock in the web address bar, as well as a security certificate. This isn’t to say a secured site is more credible, indicating that the browser is connecting to a server that’s presented a certificate for the domain name you’re trying to reach. And, the certificate was issued by a certificate authority the browser trusts whereby an encrypted connection has been made.
- Report abnormal requests for sensitive information to your IT department in order to communicate across the entire organization.
- Never open attachments or download files without verifying the sender and checking in with your IT department if you weren’t expecting the email.
- Ensure email accounts utilize multi-factor authentication (MFA) for added protection
- Where able, have your System Administrators block email login attempts from foreign countries
Ensuring you are proactive in instilling policies and procedures around email best practices will be key in minimizing email compromise. Other cybersecurity practices include updating firewalls, browsers, and antivirus software on a frequent basis, as well as implementing anti-phishing tools for an added layer of security. Secuvant can provide your organization Managed Detection and Response (MDR) services that enhances your cybersecurity and monitors for cyber threats, helping to prevent, detect, and respond to them before it affects your business.
For more information on our MDR services or how we can help your organization implement a cybersecurity program, reach out to us at firstname.lastname@example.org or 855-732-8826.