Every year, hackers get smarter and introduce new phishing strategies to skirt defenses that were designed to protect against last year’s threats. It’s reported that half a billion dollars are lost to phishing in the United States every year and that over 90% of breaches last year started with a click! The latest tactics are so sneaky and convincing that even the savviest employees can fall prey. If you can’t remember the last time you sharpened your phony-email identification skills, it is worthwhile to investigate the latest methods hackers use to trick employees into giving out their credentials and other sensitive information. Read through the following 4 new trends to spot in 2019, then take the quiz to see how good you are at recognizing the fakes.
Trend #1 – Phishing Attacks Targeting SaaS Credentials
Until now, hackers have impersonated banks and financial institutions, looking for credit card numbers or banking information to gain access to financial accounts. In 2019, hackers are aiming higher! In 2018, email and online services like Office 365 and G Suite overtook financial institutions as the top phishing target. Why? With single sign-on, an employee’s account can be used to log into other SaaS services. Once the hacker has access to the initial account, they can easily embed themselves and send more malicious emails throughout the company directory. They expand their footprint and gain access to an entire organization’s confidential files and email resources.
In this case, hackers tend to use a classic email phishing style; however, instead of mimicking financial institutions, they now impersonate SaaS services like Dropbox, Slack or Office 365. The email might claim that there was a suspicious login to your account or that your password has expired, then directs the victim through a link to a phony login page.
Don’t fall for it: Cover the basics by implementing multifactor authentication across your organization, on every account.
Trend #2 – Phishing Attacks Sent Through Messaging Apps
This year we will see an increase in attacks that do not use email at all. Social media is everywhere, and it is not outside of the attacker’s realm. While users are trained to be suspicious of email, they tend to be overly trusting and let their guard down when using messaging apps. Apps like Slack, Teams, Facebook Messenger (and other non-email communication services) will continue to become popular pathways for phishing. These messages do not have the same built-in security measures as email (link scanning, malware detection or data leak protection). Also, “chat style” communication is by nature less formal and a bit more personalized, so users are more likely to click on a link or file in a chat than they would in an email.
As expected, the classic phishing methods (impersonation and malicious links) are in play; however, they are simply delivered outside the user’s expectation, hiding within the new breed of collaboration apps.
Don’t fall for it: Employees should treat all communication channels as suspect. Discuss communication tool security in your employee awareness training. Also, consider implementing third-party application protection to add security to these unmonitored channels.
Trend #3 – Interactive BEC Phishing Attacks
Everyone is on high alert with links; however, there is a different kind of phishing attack that uses NO LINKS. The recent wave of database breaches has provided attackers with a wealth of information, making it easy to create highly targeted, “personalized” messages. This type of attack is called business email compromise (BEC). Cleverly crafted, there is nothing strikingly alarming about it: nothing clickable, no links, attachments or malicious content. Even more concerning, this kind of attack leads to real-time, interactive dialogues with the attacker.
A BEC phishing attack is calculated, as the attacker relies on specific information about both the victim AND the person they are impersonating. Think “long con”. It is essentially a group of convincing messages that appear to be from someone familiar (a boss or co-worker). The first innocuous message (or hook) is used to reduce the risk of detection by the distracted or trusting victim. The opening dialogue is often conversational (like, “Hey, are you in the office today?”), and can come by email, phone or even text message. The attacker uses a handful of other messages to fortify their position as the impersonated person before asking for a document, a gift card or an edit to a file.
Don’t fall for it: Implementing procedures and employee training is the best way to derail this type of attack. Policies like “channel switching” can be effective for certain types of transactions. For example, if someone asks for privileged information via email, a general verification response can be sent through another communication channel (text, phone call, etc.). This can be as simple as asking, “Did you ask for those account credentials?”
Trend #4 – Phishing Inside of Shared Files
Most exchange systems will scan emails for malicious links; however, the URL of a legitimate and trusted file sharing service (Microsoft’s OneDrive, Dropbox or G Suite) does not undergo the same inspection. Some hosting sites scan files for malware, but none look for malicious links within the files. Enter clever tactic #4, where attackers are fooling the savviest users into entering their confidential information on a bogus login page. To most folks, there are no noticeable red flags within the email, and their guard is definitely down when the email references the legitimate file share platform.
The email directs the victim to a link embedded within a document, often stating that the user must authenticate to view the document. If the user follows the instructions, they will click the link and enter their confidential login credentials on the fake login page.
Don’t fall for it: First, create complex passwords (the most secure passwords are the ones you have trouble remembering). Second, use a password manager. It will ONLY enter your password into a legitimate login page and cannot be fooled into doing so on a phony phishing site. Users cannot override it and enter the password on the fake site either.
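The origin-binding behind that last point, as an added example that is not code from the original post or from any particular password manager: a saved credential is tied to the exact origin (scheme, host and port) it was saved on, so a lookalike domain, a subdomain trick or a plain-http copy of the page finds nothing to autofill. The vault entries and URLs are constructed for illustration.

```python
# Added example (not from the original post): a minimal model of how a
# password manager decides whether a page may receive a saved password.
from urllib.parse import urlsplit

# Constructed sample vault: each credential is bound to a full origin
# (scheme, host, port), never to a "looks similar" name.
VAULT = {
    ("https", "login.microsoftonline.com", 443): "user@example.com",
    ("https", "www.dropbox.com", 443): "user@example.com",
}

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return (scheme, host, port) for a well-formed http(s) URL, else None.
    Hosts are lower-cased and IDNA-encoded so a visually similar Unicode
    hostname does not compare equal to the ASCII one in the vault."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        host = parts.hostname.encode("idna").decode("ascii")
        port = parts.port or DEFAULT_PORTS[parts.scheme]
    except (UnicodeError, ValueError):
        return None
    return (parts.scheme, host, port)


def autofill_candidate(page_url):
    """Return the saved username for page_url only on an exact origin match.
    Any other page, however convincing its name, gets None: this is why a
    phishing page hosted on a lookalike domain is never filled in."""
    origin = origin_of(page_url)
    if origin is None:
        return None
    return VAULT.get(origin)


if __name__ == "__main__":
    for url in (
        "https://login.microsoftonline.com/common/oauth2/authorize",
        "https://login.microsoftonline.com.evil.example/",  # subdomain trick
        "https://login.micros0ftonline.com/",              # lookalike host
        "http://login.microsoftonline.com/",               # wrong scheme
    ):
        print(url, "->", autofill_candidate(url))
```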
Test Your Skills
Do you feel confident in determining whether an email is sketchy or legitimate? Alphabet subsidiary Jigsaw and Google use this quiz to teach people how to better spot malicious emails. How many can you correctly ID?