Criminal hackers are starting to rely more heavily on nuanced social engineering attacks such as spear phishing, a new study has found.
The 2018 Trustwave Global Security Report shows that phishing was the leading cause of attack (55%) in corporate network environments, followed by malicious insiders (13%) and remote access (9%). Among the most dangerous phishing scams is CEO fraud, in which scammers impersonate an organization’s boss and contact employees asking for sensitive information.
Trustwave also found that phishers have frequently impersonated:
- Banks: Fake landing pages harvest online banking credentials
- Amazon: Fake receipts lead to a variety of landing pages, including those that unleash malware
- Couriers: Fake invoices for deliveries, with links to ransomware, banking Trojans, or malware
- Apple: Emails that request password resets harvest users’ login credentials
- Utility companies: Emails with bogus bills include links to ransomware or banking Trojans
- Finance software such as QuickBooks, Xero, MYOB, or Intuit: Emails contain links to malware (particularly Dridex)
- Email providers: Emails that claim that the user’s inbox is full or that they need to reset their password include landing pages that harvest the user’s login credentials
Trustwave also notes the perennial threat of phishing scams related to tax returns and the lesser-known threat of telephone-based phishing (‘vishing’). One such scam involves the crook calling an organization to complain that they are unable to make a reservation on the victim’s website, asking instead to email their details to the employee. The attacker then sends a message containing a malicious file, waits until the victim confirms that they have opened the attachment, and hangs up.
How to tackle phishing
In the scenario above, the employee should have been suspicious of the caller’s intentions and responded accordingly. Emailing someone your details is less convenient than dictating them over the phone, and even if it were more practical (a customer wouldn’t want to announce their payment card details over the phone if they could be overheard, for instance), the employee should have taken care to check that the attachment and any links were legitimate before opening them.
Education is therefore the key to preventing phishing attacks from being successful. Our Phishing Staff Awareness Course teaches your staff everything they need to know, and it can be completed at a time convenient for them. All you need to do is provide them with a link to the course, tell them to complete it within a set time frame, and check that they passed.
Larger organizations might want to go the extra mile, which is why we offer our Security Awareness Program. This includes a comprehensive review of your cybersecurity practices and advice on how to improve them.
The course improves employees’ engagement with cybersecurity, changes staff behavior, and achieves lasting security awareness. It does this by incorporating a variety of learning tools, which are aligned with your unique requirements and organizational culture.