Catch me if you can
“There is no technology today that cannot be defeated by social engineering.” —Frank Abagnale
At the 2018 Gartner summit, I had a chance to sit in the front row for the keynote speech given by Frank Abagnale. Catch Me If You Can, the critically acclaimed 2002 film starring Leonardo DiCaprio and Tom Hanks, is based on Abagnale's exploits as a con artist, the exploits that led to his widespread notoriety.
After serving time in prison for impersonating a doctor and a lawyer in addition to his escapades as a pilot, Abagnale went on to work for the U.S. Federal Bureau of Investigation (FBI), where he started out investigating people who forged checks, counterfeited documents, and embezzled money. While he spent a total of 43 years with the FBI, he dealt with nothing but cybercrime for the last 20 years of his career. Abagnale worked on every data breach, including TJX (the parent company of TJ Maxx, Marshalls, and Home Goods, among others) in 2007, and, more recently, Marriott and Facebook.
During his keynote address at the Gartner conference, Abagnale recalled how, at the age of 16, he used social engineering to impersonate a pilot and called Pan Am's corporate headquarters to obtain a uniform through the purchasing department.
According to Pan Am’s estimates, between the ages of 16 and 18 Abagnale flew as a “deadhead” passenger (meaning he didn’t take the controls of the airplane) on more than 250 flights and traveled more than one million miles to 26 countries, all on their dime.
From physical to digital, from landline to email
Fifty years ago, the landline phone was the only tool Abagnale had to scam a company by talking his way in. Today, the “attack surface area” has changed drastically because of the internet, text messages, emails, social media, and more.
Cyber threats keep evolving and getting smarter, which makes it more important than ever to keep an eye out for them.
A recent report from IBM states that in 2020, the average cost of a cyberattack on a business was $3.86 million, and it took more than 200 days to find a breach.
Any business, big or small, in any industry can be a victim of cybercrime. One thing these incidents have in common, though, is that they are likely to happen because of human error.
“The one thing that I’ve learnt is that every breach occurs because somebody in that company did something that they weren’t supposed to do, or somebody in that company failed to do something they were supposed to do,” Abagnale said.
Social engineering attacks are one of the most pervasive and dangerous forms of cybercrime that companies face today, and phishing is the most prevalent form of social engineering.
What is phishing?
Social engineering is an umbrella term for attempts to mislead or deceive internet users. Phishing is the most popular form of social engineering.
Phishing is the practice of sending misleading messages, typically by email, that appear to come from a trustworthy source. In fact, the Global Phish Report states that 1 in every 99 emails is a phishing attack. Phishing emails deceive users into installing a malicious program, clicking on a malicious link, or divulging personal information, such as credit card details and login credentials.
Social engineering attacks, such as phishing, are frequently accompanied by other threats, such as malware, code injection, and network attacks.
According to the 2021 Data Breach Investigations Report, around 25% of all data breaches include phishing, and 85% involve human error.
Types of phishing attacks
Scams are typically distributed by unsolicited email. They are intended to deceive victims into divulging information that will result in identity theft or fraud.
Cybercriminals use scams to cheat people out of money or steal their identities by getting them to give up personal information. Scams include fake job ads, investment opportunities, notices of inheritance, lottery prizes, and transfers of funds.
Scammers often try to make money off tragedies like hurricanes, the COVID-19 crisis, and other disasters. Scam artists take advantage of people's kindness, fear, or sympathy. During the peak of the COVID-19 outbreak, phishing incidents increased by 220% compared to the yearly average.
Spear phishing is a highly tailored scam. Cybercriminals conduct extensive research on their targets—which can be individuals, organizations, or businesses—and produce carefully crafted mail, frequently impersonating a trusted colleague, website, or business. Typically, spear-phishing emails attempt to obtain sensitive data, such as login passwords or financial information, which is subsequently used to perpetrate fraud, identity theft, and other crimes.
Although spear phishing is often intended to steal credentials and take over accounts, the cybercriminals may also infect victims’ computers and networks with malware, leading to financial loss and damage to their reputation.
Whaling is a form of spear phishing that targets public personalities, executives, and other large targets, hence the moniker.
Extortion scams: This form of spear phishing is becoming more sophisticated, and it often bypasses email gateways.
Cyber criminals exploit stolen usernames and passwords to extort money from victims by pretending to have an incriminating video on the victim's computer and threatening to share it unless they pay.
Extortion scams are under-reported because they are embarrassing and sensitive.
Business email compromise (BEC)
BEC scams are another form of spear phishing. Malicious users compromise business email accounts to commit fraud and other crimes. They achieve this through social engineering, hacking, and spoofing.
Three variants of BEC frauds are:
The fraudulent invoice scam involves impersonating a well-known organization. The target receives a payment request from this organization.
CEO fraud involves hijacking an executive's email address and sending fraudulent emails to employees handling financial requests.
Messages from compromised accounts are sent to organizations or contacts the user knows. These contain other organizations' bills and payment requests.
Payroll scams, tax threats, travel-based scams, and fake charities are some examples of BEC scams.
Email spoofing/impersonation
An impersonation attack occurs when fraudsters pose as a trusted contact to coerce employees into sending funds or disclosing critical information.
URL phishing or domain impersonation is a type of attack where cyber criminals use emails to trick people into entering personal information on a fake website that looks real.
The following are the different ways cybercriminals exploit URLs:
Clone phishing employs a previously delivered or valid email with attachments or links. The clone is a nearly identical copy of the original, with the attachments and links replaced by malware or a virus.
Conversation hijackings are highly personalized domain-impersonation attacks in which cybercriminals insert themselves into existing business discussions or create new ones to steal money or personal information.
The purpose of brand impersonation is to deceive people into divulging personal or otherwise sensitive information by impersonating a firm or a brand.
Service impersonation is a sort of phishing attack that impersonates a well-known corporation or popular business application. It is a common entry point for harvesting credentials and conducting account takeover. Additionally, service impersonation attacks are used to collect personally identifiable information (PII), such as credit card and Social Security numbers.
Microsoft is most often impersonated. Credentials for Microsoft and Office 365 are very valuable because they let hackers get into organizations and launch more attacks.
The most common Office 365 phishing attacks are email non-delivery, reactivation requests, and storage limitation alerts.
Brand hijacking occurs when an attacker appears to use the domain of a firm to impersonate the company or one of its workers. This is typically accomplished by sending emails with fake, or spoofed, domain names that appear to be valid. Abysmal DMARC adoption is making it easier for scammers to spoof brands. (77% of Fortune 500 companies do not have DMARC policies set up.)
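The DMARC point above is easy to check for your own domain: the policy is published as a DNS TXT record at _dmarc.<domain>, and "having DMARC" is not the same as enforcing it. The following is an added example (not code from the original post or from Zoho) that parses a DMARC record and rates how much spoofing protection it actually gives. The two records and the example.test domain are constructed samples, and the monitor-only record is shown beside an enforced one.

```python
"""Rate the strength of a DMARC record (added example, not from the original post)."""
from typing import Optional

# Constructed sample records for a hypothetical domain (example.test).
# The first is what many "DMARC-enabled" domains publish: monitor only, no enforcement.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.test")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict. Tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        tag, value = part.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> dict:
    """Return a verdict on the record: missing, invalid, monitor-only, partial or enforced.

    'enforced' means receivers are told to quarantine or reject 100% of mail that
    fails DMARC alignment, for the domain and its subdomains.
    """
    if not record:
        return {"verdict": "missing", "findings": ["no DMARC record published"]}
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"verdict": "invalid", "findings": ["record does not start with v=DMARC1"]}

    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()   # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))                # pct defaults to 100
    except ValueError:
        pct = 100
    findings = []

    if policy == "none":
        findings.append("p=none: receivers deliver spoofed mail and only report it")
        verdict = "monitor-only"
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
        verdict = "partial"
    elif subdomain_policy == "none":
        findings.append("sp=none: subdomains can still be spoofed")
        verdict = "partial"
    else:
        verdict = "enforced"
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return {"verdict": verdict, "policy": policy, "findings": findings}


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(label, assess_dmarc(record))
```

In practice the record string comes from a DNS TXT lookup of _dmarc.yourdomain; the usual path to enforcement is p=none with reporting enabled, then p=quarantine with a rising pct, then p=reject.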
A lateral phishing assault sends emails from a legitimate but hacked account to unwary recipients, such as company contacts and external partners.
Attackers can target a wide range of people and organizations after acquiring access to a company's email account.
In a recent spear-phishing report that analyzed lateral phishing attacks conducted against nearly 100 organizations, 63% of attacks employed "shared document" and "account problem" messages (e.g., "You have a new shared document"). Another 30% of events used refined communications targeting enterprise companies (e.g., "Updated work schedule," "Please distribute to your teams"). In the most sophisticated attacks, 7% used organization-specific content.
Organizational practices such as remote and hybrid work cultures, BYOD (bring your own device), and even bring your own SaaS have blurred the barriers between the private and professional environment. Both employers and employees must secure their devices and digital space both at home and in the workplace.
Phishing red flags
There are several red flags that employees must be aware of to identify potential phishing scams before they can harm an individual or a business.
Inconsistent web addresses
Look for email addresses, links, and domain names that don't match. It's a good idea, for example, to compare the sender's email address against a previous correspondence from the same sender.
Before clicking on a link in an email, recipients should always hover over it to view its destination. If the email appears to be from Acme, but the domain of the email address does not contain "Acme.com," it is likely phishing.
Malware is frequently disseminated via phishing emails with odd attachments. If you receive an "invoice" in the form of a .zip file, an executable, or anything else out of the ordinary, it is likely malware.
According to a recent Threat Report from ESET, these are the most common types of harmful files attached to phishing emails:
Inconsistent links and URLs
Double-check URLs. If the link text and the URL displayed when the cursor hovers over the link don't match, you'll be directed to an undesirable website.
If the URL of a hyperlink doesn't appear to be correct or doesn't match the context of the email, you shouldn't trust it. Take the added security measure of hovering your mouse over embedded links (without clicking!) and ensuring that the link begins with https://.
Don’t open the link if the email is unexpected. As a precaution, visit the website you believe to be the origin of the email directly.
If a corporation with which you do business wanted account information, the email would call you by name and likely direct you to call them.
Phishing emails frequently contain generic greetings such as "Dear valued member," "Dear account holder," and "Dear client."
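The red flags listed above (sender domain that doesn't match the claimed brand, a Reply-To pointing elsewhere, link text that disagrees with the real destination, links that aren't https, odd attachment types, and generic greetings) are all mechanical enough to check automatically. The following is an added example, not code from the original post or from Zoho Mail, that parses a raw message with Python's standard email library and reports each flag it finds. The two messages, the acme.com / acme-secure-login.test / mailbox-updates.test domains, and the list of risky extensions are constructed for the example; a production scanner would use the public suffix list instead of the crude two-label domain helper here.

```python
"""Flag phishing red flags in a raw email (added example, not from the original post)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear valued member", "dear account holder", "dear client", "dear customer")
RISKY_EXTENSIONS = (".zip", ".exe", ".js", ".scr", ".iso", ".html", ".htm")  # illustrative list

# Constructed sample: claims to be Acme, but every check below disagrees.
SAMPLE_EMAIL = """\
From: "Acme Billing" <billing@acme-secure-login.test>
Reply-To: collect@mailbox-updates.test
To: jane@example.com
Subject: Invoice payment required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear valued member,</p>
<p>Your invoice is overdue. <a href="http://acme-secure-login.test/pay">https://acme.com/invoices</a></p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample of a message that raises none of the flags.
CLEAN_EMAIL = """\
From: "Acme Billing" <billing@acme.com>
To: jane@example.com
Subject: Your March invoice
Content-Type: text/html

<p>Hi Jane,</p><p>Your invoice is ready: <a href="https://acme.com/invoices">https://acme.com/invoices</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def registered_domain(host: str) -> str:
    """Crude registered-domain helper: last two labels (a real scanner uses the public suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def analyze(raw: str, expected_sender_domain: str) -> list:
    """Return a list of red-flag findings; expected_sender_domain is the brand the mail claims to be from."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    from_domain = registered_domain(from_addr.split("@")[-1]) if "@" in from_addr else ""
    if from_domain != registered_domain(expected_sender_domain):
        findings.append(f"sender domain {from_domain!r} does not match {expected_sender_domain}")
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    if "@" in reply_addr and registered_domain(reply_addr.split("@")[-1]) != from_domain:
        findings.append(f"Reply-To goes to a different domain: {reply_addr}")

    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = part.get_filename() or ""
            if name.lower().endswith(RISKY_EXTENSIONS):
                findings.append(f"risky attachment type: {name}")
        elif part.get_content_type() == "text/html":
            body = part.get_content()
            text = re.sub(r"<[^>]+>", " ", body).lower()
            if any(g in text for g in GENERIC_GREETINGS):
                findings.append("generic greeting")
            collector = LinkCollector()
            collector.feed(body)
            for href, visible in collector.links:
                target = urlparse(href)
                if target.scheme != "https":
                    findings.append(f"link is not https: {href}")
                shown = urlparse(visible.strip())  # what the user sees, if it looks like a URL
                if shown.netloc and registered_domain(shown.netloc) != registered_domain(target.netloc):
                    findings.append(f"link text shows {shown.netloc} but goes to {target.netloc}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL, "acme.com"):
        print("FLAG:", finding)
```

The expected domain is passed in explicitly because "this mail claims to be from Acme" is a judgement the scanner cannot make from headers alone; in a gateway you would derive it from the display name or from a table of brands your users deal with.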
Tone and grammar errors
The tone and grammar of an email from a legitimate company should be impeccable.
A phishing email will frequently contain misspellings and grammar errors. If an email seems out of character for its sender, it’s likely malicious.
There’s a purpose behind improper syntax. Hackers focus on the less tech-savvy because they believe they’re less vigilant and, therefore, easier targets.
If an email asks you to do something out of the ordinary, it could be a sign that it’s malicious. For example, if an email says it's from a certain IT team and asks you to install software, but these tasks are usually handled by the IT department as a whole, the email is probably malicious.
According to research by KnowBe4, these were the most common subject lines for real-life phishing emails in 2021:
Fake LinkedIn messages are used in 47% of social media phishing attempts. People often get contextual emails asking them to reset their passwords or giving them "information" about possible new connections ("You showed up in new searches this week!" "People are looking at your LinkedIn profile!").
Indicators of phishing
The role of enterprises in email security
All email providers have built-in virus and phishing prevention. Signature-based antivirus controls stop known malware threats. They also block unsolicited bulk mail and guard against regular phishing emails.
Cybercriminals' attacks are getting increasingly sophisticated. As phishing grows and email moves to the cloud, companies need advanced threat protection to defend sensitive data from attackers, and they also need to ensure the workforce receives regular security awareness training.
Check out the blog post titled "What's your email security awareness score?" to see how IT departments and email administrators may leverage Zoho Mail's security settings and capabilities to prevent various email security threats.
Zoho participates in Cybersecurity Awareness Month
“Hackers don’t cause breaches, people do.” —Frank Abagnale
Every October is Cybersecurity Awareness Month. The purpose of this annual global campaign is to educate and empower the public to protect their data and privacy online by increasing their knowledge of the best practices for staying secure.
Zoho Corporation is pleased to announce its participation in this year's campaign. Read our blog on how both of the company's divisions, Zoho (software for businesses) and ManageEngine (software for IT management and security), along with our employees, customers, and partners, are contributing globally to significantly enhance cybersecurity online, both at work and at home.
Phishing and similar scams will not disappear soon. The best way to protect yourself and your business is to implement security measures that delay someone's ability to target key personnel.
Whether you choose digital signatures, code phrases, encrypted communications, or an in-house solution, make sure your users know the risks. They must know why this is important and what to do to protect themselves, their workplaces, and their personal information.