Email scammers lure victims to click malicious links and open attachments that spread malware, steal credentials and enable financial crimes.
Modern security tools create a formidable defense against cyberattacks. However, many hackers ignore all that and target the weakest link in the security chain — people. Social engineering continues to be a remarkably effective means of gaining access to systems and distributing malware.
Hackers conduct social engineering attacks through phone calls, text messages and social media. However, email remains the most prevalent attack vector, particularly when targeting business users. A recent Egress study found that 94 percent of organizations were hit by phishing attacks in 2023.
Phishers mimic the logos and websites of legitimate organizations and pose as colleagues, business partners, clients, bank officials or IT staff. They fool their targets into clicking malicious links or opening attachments that automatically download and activate malware. Many phishing attacks send victims to websites designed to collect their user credentials and other sensitive information.
In the past, phishing emails were fairly easy to spot because they were riddled with grammatical and spelling errors. That’s because the emails originated in countries where English is not the native language, particularly Eastern Europe and China. The cybercriminals would run their messages through online translation engines with strange results.
In recent years, however, phishers have gotten drastically better at crafting emails that get past spam filters and convince users to do what the cybercriminal wants. Artificial intelligence (AI) tools have upped the ante by automatically generating text for phishing emails.
How Big Is the Problem?
The Anti-Phishing Working Group (APWG) is a nonprofit association that tracks the number of unique phishing campaigns and websites and compiles a quarterly report of phishing activity. For the first quarter of 2024, the group’s contributing members detected about 320,000 unique phishing attacks per month on average.
The group also tracks so-called “business email compromise” (BEC) attacks. In these attacks, the cybercriminal impersonates a company executive, employee or vendor and tries to trick an employee into sending money via wire transfer or other means. According to the FBI, BEC attacks were responsible for $2.9 billion in losses in the U.S. in 2023.
It would be a mistake to assume that all phishing attacks are clumsy and easy to spot. Phishing attacks have become so sophisticated that they fool everyone from non-tech-savvy users to IT professionals.
Many phishing attacks target consumers to obtain usernames and passwords, financial account information, and social security numbers. While these attacks tend to cast a wide net, more sophisticated cybercriminals target specific business users to gain access to corporate resources and sensitive information.
These are called “spear phishing” attacks. Hackers will review social media and other sources to learn about the target’s interests and activities, and carefully craft a phishing email that appears to be from a friend or colleague. Usually there’s an urgent request for sensitive information such as passwords, PINs and access codes. They prey on a person’s natural inclination to be nice and helpful.
Bigger Fish
A related form of spear phishing is called “whaling” because the attacker targets company executives, senior management, and key personnel in finance, HR and legal departments. These “whales” have high levels of authority within the organization and access to the most sensitive information.
Whaling attacks attempt to convince the victim that they must take immediate action to prevent some legal or financial harm to the organization. An attacker who obtains an executive’s user credentials or company financial information can wreak havoc and get away with large sums of money.
To protect against phishing, spear phishing and whaling attacks, organizations should implement a robust spam filter that prevents these spurious emails from reaching end users. Antimalware and content filtering systems should also be kept up to date and set to scan for threats automatically.
However, none of these tools will ever be 100 percent effective. The best defense against social engineering is user education. Staff at all levels of the organization should be trained to spot phishing attempts, and regularly reminded to stay vigilant. Organizational policies should include procedures for verifying requests for sensitive information or financial transactions, particularly when they come through email.
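As an added illustration (not from the original post), the Python check below applies the verification idea above to incoming mail: it flags a message whose display name matches a known executive but whose address is not the executive's real one, or whose Reply-To points to a different domain, and holds it for out-of-band verification when it also asks for money or credentials. The domain, the executive's name and the two sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organization data: the real address of each executive whose
# name a BEC email is likely to borrow (keyed by lower-cased display name).
EXECUTIVES = {"dana reyes": "dana.reyes@example.com"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|before end of day)\b", re.I)
FUNDS = re.compile(r"\b(wire|transfer|invoice|payment|gift cards?|bank details)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|pin|access code|login|verify your account)\b", re.I)

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def assess(raw_message):
    """Return (verdict, reasons) for one RFC 822 message string.
    'hold' means an impersonation signal coincides with a request for
    funds or credentials, so a person should verify it by phone first."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    reasons, impersonation, request = [], False, False
    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and addr.lower() != real_addr:
        impersonation = True
        reasons.append("executive display name with mismatched sender address")
    if reply_to and domain_of(reply_to) != domain_of(addr):
        impersonation = True
        reasons.append("Reply-To domain differs from From domain")
    # Only single-part text bodies are inspected in this small example.
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    text = msg.get("Subject", "") + "\n" + body
    if URGENCY.search(text):
        reasons.append("urgency language")
    for pattern, label in ((FUNDS, "request for funds or payment details"),
                           (CREDENTIALS, "request for credentials")):
        if pattern.search(text):
            request = True
            reasons.append(label)
    return ("hold" if impersonation and request else "deliver"), reasons

# Constructed sample: the executive's name on an outside address, urgent wire request.
SUSPECT = """From: Dana Reyes <dana.reyes@mail-example.net>
To: payments@example.com
Subject: Urgent wire transfer today

I'm in a meeting and can't talk. Please process the attached invoice
by wire immediately and confirm when done.
"""

# Constructed sample: a routine message from the executive's real address.
BENIGN = """From: Dana Reyes <dana.reyes@example.com>
To: payments@example.com
Subject: Q3 planning notes

Notes from this morning's meeting are on the shared drive.
"""
```

A rule like this supplements the spam filter and the call-back procedure rather than replacing them; it only surfaces candidates for a human to verify.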
It’s been said before, but it bears repeating — cybersecurity is everyone’s responsibility. It takes user vigilance and properly managed security systems to protect your organization against phishing attacks.