For most of us, receiving an error-riddled email request from a mysterious source in Russia is the digital equivalent of a big red flag. But when cybercriminals employ trusted credentials and use highly convincing email addresses – hallmarks of a new wave of phishing campaigns directed at a range of unsuspecting targets – identifying a scam becomes infinitely trickier.
Although phishing has existed since the dawn of the Internet, strides in technology have buoyed a new brand of criminal with a talent for crafting increasingly sophisticated attacks. Two cases from 2014 are a powerful case in point: the breach that saw JP Morgan compromise personal information relating to 83 million customers as a result of a spate of phishing emails that incorporated a secure message from the company, and a campaign that harvested users’ passwords by prompting them to sign into a bogus Google page.
In September 2014, PwC’s 2015 Global State of Information Survey found that cybercriminals aren’t just taking a personalised approach – they’re also faster to strike. The report, conducted in conjunction with CIO and CSO magazines, found that the average financial loss from cyber security incidents jumped 34% to $2.7 million in 2014, that large organisations clocked a 44% rise in incidents this year, and that the number of “detected” security incidents jumped 48% to 42.8 million in 2014, a figure that translates to 117,339 attacks a day.
But coming to terms with the scale and frequency of phishing campaigns is only one part of the problem. Schooling yourself in the tactics and techniques beloved by fraudsters is key to understanding when to take an email seriously and when to promptly hit “delete.”
Messages sent from increasingly convincing domain names
From gaining access to your credit details to stealing personal data as a prelude to identity theft, the objectives behind phishing campaigns have remained the same. But where cyberthieves would once pepper emails with red herrings such as strings of exclamation marks and strange expressions, they now take every conceivable measure to seem authentic. These days, fraudsters make it their mission to register domain names that match those used by major organisations, differing only by discrepancies the average user is unlikely to notice. Checking suspicious domain names for slight misspellings or numbers that shouldn’t be there can be an effective form of cyber vigilance.
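One way to turn that check into an automated rule at the mail gateway, as an added example that is not from the original article: sender domains are compared against a list of trusted domains after folding digit-for-letter swaps, and flagged when they are a few edits away or bury the trusted name in a subdomain. The trusted-domain list, the confusable map and the sample addresses are constructed for illustration.

```python
"""Flag sender domains that look like, but are not, a trusted domain.

Added example for this article, not code from the original post. The
trusted-domain list and sample addresses are constructed for illustration.
"""

# Constructed: domains this organisation treats as legitimate senders.
TRUSTED_DOMAINS = ("example.com", "examplebank.com")

# Characters fraudsters substitute for visually similar letters.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "8": "b", "$": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels, e.g. 'mail.example.com' -> 'example.com'.
    Simplification: a real deployment should consult the Public Suffix List
    so that suffixes such as 'co.uk' are handled correctly."""
    return ".".join(domain.split(".")[-2:])


def classify_sender(address: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for an email address."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    base = registrable(domain)
    if base in TRUSTED_DOMAINS:
        return "trusted"
    folded = base.translate(CONFUSABLES)  # examp1e.com -> example.com
    for trusted in TRUSTED_DOMAINS:
        # Trusted name used as a subdomain of an attacker-controlled domain.
        if domain.startswith(trusted + "."):
            return "lookalike"
        # Digit swaps, a swapped TLD, or a name label within a few edits.
        if folded == trusted or edit_distance(
                folded.split(".")[0], trusted.split(".")[0]) <= max_distance:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for addr in ("cfo@example.com", "cfo@examp1e.com", "cfo@exarnple.com",
                 "cfo@example.com.mail-secure.net", "newsletter@retailer.org"):
        print(f"{addr:40} {classify_sender(addr)}")
```

Anything classified as "lookalike" is a candidate for quarantine or a warning banner rather than outright rejection, since a short `max_distance` on short trusted labels will also catch some legitimate unrelated domains.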
Requests that appear from a trusted source
One of the most dangerous kinds of phishing campaign is the type that appears to originate from a trusted source. In the last year, we’ve seen a swift rise in fraudulent emails sent by scammers masquerading as CEOs or CFOs and requesting that the recipient conduct a money transfer; the perceived authenticity of these messages leaves organisations exposed. This kind of campaign often relies on offshore banks that make it challenging to reverse the transaction or retrieve stolen cash, and the potential for serious financial damage makes a successful attack highly debilitating for victims.
Spear-phishing, where perpetrators draw on trusted credentials to send malicious attachments that enable hackers to bypass security systems, can put companies and individuals at serious risk. Unlike phishing efforts that blast customers of a financial institution with a generic message, spear-phishing campaigns often use information gleaned from a recipient’s online history to construct a call to action that feels highly plausible – and it’s this sense of authenticity that makes it difficult to detect.
As the complexity of online scams evolves to match users’ levels of cyber-intelligence, phishing campaigns are set to become increasingly sophisticated over time. But investing in training programs that raise employee awareness about cyber security, and rolling out robust technology controls that make it costlier for criminals to launch attacks, can bolster your ability to ward off threats. What strategies do you employ to safeguard against phishing?