“Stranger Danger,” the subject of many ABC Afterschool Specials and a lesson still imparted to children today, teaches that anyone unknown is a potential threat. We warn kids about the weird guy at the playground holding the amount of candy that would make Halloween blush, or the crazy lady in the van always searching for her missing puppy. As adults, we know better than to accept the candy or to get into the van -- But when we’re online, sadly it’s a different story. Far too often, we easily engage with strangers approaching us through the Internet because they seem to be someone we trust, or someone we should trust.
For today’s businesses, an employee’s nonchalant acceptance of strangers can cause a real problem. Most cybersecurity breaches are a result of phishing email scams, in which hackers seek to obtain information or trigger activity through fraudulent emails.
Today, 76% of businesses report being a phishing victim, and six billion attacks are expected to occur throughout 2022.
So how exactly does phishing work, and what can be done to stop it?
“Stranger Danger” of the Past: Links and Malware
Hackers used to have it so easy. You’d be at your desk and hard at work (or just watching skateboarding dog videos), and then DING!, a new email would hit your inbox. It’d be from the IRS, telling you that you owed money and must pay up or else. Or maybe it’d be a Sarah you don’t know, but she’d have an amazing opportunity for you. Or perhaps it’d be your friend Bob, and he’d have a funny video you just had to see. Of course, it wasn’t the IRS, Sarah is a hacker, and your friend Bob is actually the victim of a hacker using his identity.
Yet all three had one thing in common: they wanted you to click their link!
These phishing emails, used by hackers to attempt to gain access to private information, have become less effective over time as people and organizations have wisened up—recognizing, reporting, and deleting suspicious emails and links. While this should be a good thing, smartened-up users have caused hackers to devise new and even more insidiuous attack methods.
“Stranger Danger” of Today: Impersonation
With phishing targets learning to spot scams and email service providers beginning to flag suspicious emails based on attachment, text, and source domain, hackers are now looking at new and more insidious attack vectors to obtain data or trigger inappropriate financial transactions.
How are they doing it?
By impersonating a legitimate person with whom the victim has a pre-existing relationship. A common example is creating a personal email (for example on Gmail or Yahoo) that looks like a co-worker or manager's personal email, and then using that to get the victim to reveal data or send money. The attack script commonly goes something like this:
"Hi Frank, as you probably know I'm about to get on a flight to Asia and will be inaccessible for the rest of the day. I've just been informed that our access to crucial data feeds will get cut off because we had an invoice fall through the cracks and haven't paid a vendor. I'll deal with finance on this personally when I get back, but in order to prevent service outages for our clients, can you please immediately wire ... "
A more sophisticated variant of this attack doesn't pretend to be a known colleague, but rather a trusted intermediary. They also use social engineering (by monitoring social media, for example) to get access to contextual data such as when a particular employee may be going on vacation, and then the attack would go something like this:
"Hi Frank - We haven't met yet, but this is Joe Kinghorn from Staples. I'm your account rep and I normally work with Charlie from your accounts payable team. I know he's out on vacation but we're quite behind in receiving payment from you. I can't release the next shipment of supplies to your Philly and New York locations until we at least receive a partial payment. Can you please make at least a $10K payment to the following account so we can continue to supply you on a timely basis. We'll resolve the long-term matter after Charlie's back from Disney."
The contextual detail adds just enough credibility to make these types of attacks more likely to succeed.
These “phishermen” will continue to find new ways to attack. Most attacks, however, will target vulnerable users through malicious applications that disguise themselves as popular apps or even friends. Of course, as techniques for phishing evolve, so will the means of detecting them—so it’s important to stay current and remain vigilant.
Prevention Moving Forward
In order to protect yourself and your organization from these types of attacks, you need to quickly flag those inbound messages that are truly coming from "strangers". The most effective solutions will know which external accounts (even personal accounts on Gmail and other providers) are trusted and trustworthy, and red-flag those specific emails that are suspicious or clearly malicious. This is the approach that Clearedin is taking to prevent these types of attacks.
Want to learn more about anti-phishing? Contact Clearedin today!
Protect Your Organization From BEC Phishing Attacks
Download our guide to learn everything you need to know about BEC attacks.