Phishing is an old scam, but its ruthlessness is frightening and expensive. Attackers are outsmarting security experts and making threats more personal. Employees are more desperate and companies more vulnerable.
According to Egress's 2019 data breach survey, 79% of IT leaders say employees have unintentionally invited security risk, and 60% of data breaches were the result of employees rushing or making mistakes.
"Phishing is getting incrementally more sophisticated," Cath Goulding, head of cybersecurity for Nominet, told CIO Dive in an interview. "It's important not to punish staff because it's so sophisticated some of them are bound to get through. It's really hard."
The company has a phishing education quiz, which shows 10 screenshots of emails. Some are legit and some are phishing scams. She gave the test to a penetration tester, who is trained to spot threats.
"It's his job to do this kind of thing and even he only got none out of 10" right, she said.
How spammers are phishing today
Among the rising cyberthreats it tracked, which include extortion emails (a criminal claims to have video of the recipient visiting adult websites) and the use of IoT botnets to deliver spam (compromised connected devices serve as the delivery path), Trustwave found three phishing-related attacks.
The first is the use of file extensions to get around anti-malware protections, especially now that users have been trained to spot misspellings and grammatical errors as signs of spam.
Well-crafted emails can still slip by, and instead of .exe, attackers opt for extensions of programs most workers use, like .xls and .doc, and visual-related extensions like .gif and .js.
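One defensive check that follows from this is to stop trusting the extension an attachment claims and look at its content instead. The screener below is an added example written for this article, not code from Trustwave or CIO Dive: it compares a file's leading bytes against a short, illustrative signature table (an assumption; a production gateway would use libmagic or an equivalent), flags executables disguised under document or image extensions, and flags script extensions and double extensions such as "scan.pdf.js". The sample attachments are constructed inline.

```python
"""Attachment screening: flag attachments whose content does not match the
extension they present. Added example; the signature table and sample files
are illustrative constructions, not from the article."""

# Leading bytes ("magic") for a few common formats. Assumption: this short
# table is enough for the example; real scanners carry far larger databases.
SIGNATURES = {
    b"MZ": "exe",                                   # Windows PE executable
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",     # legacy .doc/.xls (OLE2)
    b"PK\x03\x04": "zip",                           # .docx/.xlsx are zip containers
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
}

# Which content family an extension is expected to carry.
EXPECTED_FAMILY = {
    "doc": {"ole"}, "xls": {"ole"}, "docx": {"zip"}, "xlsx": {"zip"},
    "gif": {"gif"}, "pdf": {"pdf"}, "exe": {"exe"},
}

# Script-type extensions that Windows will execute directly (illustrative list;
# tune to local policy).
SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "wsf", "hta", "ps1", "bat", "cmd", "scr"}


def detect_family(data: bytes) -> str:
    """Return the content family implied by the leading bytes, or 'unknown'."""
    for magic, family in SIGNATURES.items():
        if data.startswith(magic):
            return family
    return "unknown"


def screen_attachment(filename: str, data: bytes) -> list:
    """Return the reasons an attachment looks suspicious; empty list means clean."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    family = detect_family(data)

    # Double extension: a document-looking name ending in an executable/script suffix.
    if len(parts) > 2 and parts[-2] in EXPECTED_FAMILY and ext in SCRIPT_EXTENSIONS | {"exe"}:
        reasons.append(f"double extension .{parts[-2]}.{ext}")

    # Executable content hiding behind a non-executable extension.
    if family == "exe" and ext != "exe":
        reasons.append(f"PE executable disguised as .{ext}")
    # Otherwise, content that simply does not match what the extension promises.
    elif ext in EXPECTED_FAMILY and family not in EXPECTED_FAMILY[ext]:
        reasons.append(f"content ({family}) does not match .{ext}")

    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script attachment .{ext}")
    if ext == "exe":
        reasons.append("executable attachment")
    return reasons


# Constructed sample attachments (filename -> leading bytes).
OLE_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLES = {
    "q3_report.xls": OLE_HEADER + b"\x00" * 24,          # genuine legacy spreadsheet
    "invoice.doc": b"MZ\x90\x00" + b"\x00" * 28,         # PE executable named as a Word doc
    "team_photo.gif": b"GIF89a" + b"\x00" * 10,          # genuine image
    "shipping_label.gif": b"// script text, not an image\n",  # .gif that is not an image
    "scan.pdf.js": b"// script text\n",                  # double extension + script
}


def screen_all(samples=SAMPLES) -> dict:
    """Screen every sample and map filename -> list of reasons."""
    return {name: screen_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in screen_all().items():
        print(f"{name:22s} {'CLEAN' if not reasons else 'FLAG: ' + '; '.join(reasons)}")
```

The two checks that matter most here are the magic-byte comparison (a ".doc" that starts with "MZ" is an executable regardless of its name) and the script-extension rule, since a ".js" attachment is executed by the Windows script host rather than opened as a picture.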
"You still see this quite a bit to enhance a social engineering attack," Karl Sigler, threat intelligence manager at Trustwave SpiderLabs, told CIO Dive in an interview. It gives the "actual recipient the idea that the attachment is safe to open."
Trustwave has also seen an increase in Emotet, a banking Trojan that injects code into the network of an infected computer and then searches for sensitive financial information.
"Their end goal is to put some sort of malware on your system," Sigler said. "The purpose is to sit on your computer and wait for you to hit a banking website and gather your credentials or make a transaction after you've authentically logged in."
If a company's security blocks phishing campaigns, invaders get through by targeting partners tied to the company, which is why Trustwave said it has seen increased attacks on supply chains.
"When you're trying to target a very large organization, something really juicy with a lot of resources and money, sometimes the security for those large organizations are really tight," Sigler said. "By targeting a business partner like a third-party small vendor that does business with the large vendor, sometimes that's your easiest way in."
Fostering an open climate of security
Handling phishing should be a companywide concern, Goulding said, from training staff to recognize phishing to telling them what to do if they fall victim to it.
Training staff starts with hiring penetration testers to run industry-specific tests, like sending emails about pharmaceutical legislation to workers at a pharmaceutical company.
"Generally you're likely to see more people click on it when it's targeted vs. not targeted," she said. This kind of testing and education about phishing is about making employees "a little bit more paranoid and just wanting to question every email. Is this right and should I check first before I do anything?"
That matters because, she says, most employees who fall for a phishing scam do so while trying to "do the right thing," as is the case with so-called business email compromise (BEC) scams, where a criminal poses as the company's CEO or an executive asking for a wire transfer.
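The CEO-impersonation pattern described above leaves traces in mail headers that a gateway or a mailbox rule can check before a human has to decide. The screener below is an added example, not the article's or Nominet's code: it assumes a hypothetical company domain "example.com" and a hypothetical executive "Jane Doe" with a known address, and it flags an executive's display name on a foreign address, a Reply-To outside the company, a look-alike sender domain within a small edit distance of the real one, and payment wording combined with urgency. Both sample messages are constructed.

```python
"""Header and content indicators for business email compromise (BEC).
Added example with constructed data; domain, executive and messages are
hypothetical, not from the article."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumption: the defended domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumption: display name -> real address

PAYMENT_TERMS = ("wire transfer", "wire", "payment", "invoice", "gift card")
URGENCY_TERMS = ("urgent", "asap", "right away", "immediately", "don't call")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw: str) -> list:
    """Return the BEC indicators found in a raw RFC 822 message (empty list == none)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    addr, reply_to = addr.lower(), reply_to.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. Executive display name on an address that is not the executive's.
    key = name.strip().lower()
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Replies silently redirected outside the company.
    if reply_to and not reply_to.endswith("@" + COMPANY_DOMAIN):
        findings.append(f"Reply-To {reply_to} is outside {COMPANY_DOMAIN}")

    # 3. Look-alike sender domain (close to, but not equal to, the real one).
    if domain and domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {domain}")

    # 4. Payment request paired with pressure to act fast.
    body = msg.get_payload(decode=True) or b""   # single-part message assumed
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", errors="replace")).lower()
    if any(t in text for t in PAYMENT_TERMS) and any(t in text for t in URGENCY_TERMS):
        findings.append("payment request with urgency language")
    return findings


# Constructed messages: one impersonation attempt, one ordinary internal mail.
SPOOF = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: ceo.jane@freemail.example\n"
    "Subject: Urgent wire transfer\n"
    "\n"
    "I need you to process a wire transfer right away. I am in meetings, don't call.\n"
)
LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Subject: Board deck\n"
    "\n"
    "Please send the Q3 slides when they are ready.\n"
)

if __name__ == "__main__":
    for label, raw in (("SPOOF", SPOOF), ("LEGIT", LEGIT)):
        print(label, bec_indicators(raw) or "no indicators")
```

None of these indicators is proof on its own; the point of running them is to route a message with several hits to a verification step (a phone call to the executive on a known number) rather than to the finance queue, which is the "check first before I do anything" habit Goulding describes.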
The severity of these attacks is exactly why employees should feel OK coming to security if they slip up.
"A staff member shouldn't feel like 'I'm going to get the sack' or 'what have I done here, I need to hide it,'" Goulding said.
If employees know they can tell security right away, the affected device can be disconnected from the network so that malware doesn't spread. IT can also identify when a threat didn't get far enough to make any real impact and educate employees that they could be targets too.
"Staff are often portrayed as being the weakest link, but in my view they're your strongest asset," she said. "They can be the canary [in the coal mine] and warn you about these things."