Who would you expect to be the last organization taken in by a phishing attack? How about the “largest source for information security training and security certification in the world?” That’s right. The SANS Institute, around since 1989, training more than 165,000 security professionals around the world, was just breached as the result of a phishing attack.
Given how widespread phishing attacks are, you might think that not only are there a lot of phishing attacks, but that each one lasts a long time. While it’s true that there are a lot of phishing attacks, most phishing attacks do their damage in a really short time.
Research conducted by USENIX recently examined 4.8 million victims who visited phishing pages in a one-year period. And what was the average time of an attack measured by the researchers? “[F]rom the time they first come online, to email distribution, to visitor traffic, to ecosystem detection, and finally to account compromise, we find the average campaign from start to the last victim takes just 21 hours.” Twenty-one hours! It’s over in less than a day.
If you haven’t already heard, Twitter was hacked recently and some pretty high-profile people like Barack Obama and Elon Musk had their accounts compromised. When such a powerful tech company as Twitter gets taken like that, the first impulse is to assume it’s some band of sophisticated hackers or a rogue nation employing some leading-edge network penetration technology that does the damage. But in the case of Twitter, as with most high-profile attacks, nothing could be further from the truth.
At this point, it’s probably impossible to find a company that doesn’t rely on some cloud-based trusted services. Trusted services are services offered by companies so well recognized and respected, that we never give it another thought whether to trust them or not. Companies like Google, Microsoft and Dropbox. We all use them and we all trust them. And that’s exactly what hackers are counting on.
Email impersonation is one of the most prevalent and effective types of phishing attacks. Why is that? Because this type of phishing email supposedly comes from someone or some company you know, so you let your guard down. “As the professional community continues to work in a remote environment, email impersonations present the perfect way for opportunistic fraudsters to take advantage of human vulnerabilities.”
On July 15, 2020, adversaries successfully broke into some of the most popular accounts on the San Francisco-based social networking platform Twitter. The attackers got in despite Twitter’s phishing attack prevention measures and used this access to Twitter’s database to hack celebrity Twitter accounts. The attack has taken the internet by storm, as many renowned faces have become its victims. Although Twitter is adopting phishing prevention best practices, it is unclear whether it will be able to combat the long-term effects of this historic breach. It is high time organizations adopted innovative anti-phishing solutions.
As far as phishing emails go, business email compromise (BEC) is amongst the most sophisticated. In BEC, “typically an attack targets specific employee roles within an organization by sending a spoof email which fraudulently represents a senior colleague (CEO or similar) or a trusted customer.”
BEC attacks take time and planning and patience. After all, the attackers are attempting to impersonate a real person, so they have to be very convincing. Now word comes from ZDNet of a sophisticated new group of Russian hackers targeting big companies around the world with BEC phishing emails. Their clever new twist? They’re attempting to impersonate two people.
Probably not. Office 365 has two things going against it when it comes to safe email. First, it’s the most targeted platform, so it’s always getting the hackers’ best shot. Second, it doesn’t have a particularly good track record of producing effective email defense.
An example of the first issue is the recent phishing attack on Office 365 remote workers as reported by Malwaretips. According to the article, “Microsoft Office 365 customers are targeted by a phishing campaign using bait messages camouflaged as notifications sent by their organization to update the VPN configuration they use to access company assets while working from home. These phishing messages are a lot more dangerous because of the huge influx of employees working remotely and using VPNs to connect to company resources from home for sharing documents with their colleagues and accessing their orgs’ servers.”
Before COVID-19, pretty much everyone worked in an office so that’s where hackers aimed their phishing attacks. They used spear phishing and business email compromise (BEC) techniques to steal credentials and to steal money. And then something strange happened: everyone started working from home.
Once everyone started working remotely due to the coronavirus, that’s where the hackers went after them because remote workers are even more vulnerable working from home (WFH). COVID-19 themed emails targeting WFH employees with promises of face masks or investments in fake companies claiming to be developing vaccines were very common. And then something strange happened: employees started returning to the office.
Just detecting a phishing attack on a bank isn’t an extraordinary event. There are dozens of phishing attacks per week targeted at the major international banks. As phishing targets go, banks are just too enticing for hackers to ignore. And banks, for the most part, understand the threat and are prepared to deal with most attacks. Most!
If it’s in the news, it’s a phishing attack waiting to happen. First, it was the popularity of the show Game of Thrones. Then it was the new Star Wars sequel. More recently it was the fear of COVID-19. And now, in response to all the recent protests over police brutality, it’s the Black Lives Matter movement. Apparently, hackers get their ideas for phishing attacks from the news.
In the 21st century, enterprises are facing a severe threat from people they have not met, and may never meet. Digitalization means the bad guys no longer have to be present at the site of their crimes. As a result, tight security at the office premises and money kept in the safe are not enough insurance against cyber thieves.
Hackers are always trying different ways to get you to let your guard down. In that endeavor, they try to leverage the current state of affairs to craft their phishing attack. For instance, today many people are working from home who normally wouldn’t be. Hackers use that information to launch their phishing attack, like the one supposedly delivering a new VPN configuration.
Workers suddenly finding themselves working remotely are extremely vulnerable to phishing attacks. This is due to a unique combination of two factors that amplify the problem: bigger target and poorer security behavior.
The first factor making remote workers more vulnerable is that hackers are going after them more vigorously now that they’re working remotely. This is especially true of hackers leveraging the Google brand. According to an article on National Cybersecurity News, “Remote workers are being ‘bombarded’ with Google-branded spear phishing attacks. This is according to a new report from Barracuda Networks, which claims that in the first four months of the year, almost two thirds of spear phishing attacks that impersonated big name brands were Google-themed.”
With the growing dependence on technology in today’s digital world, phishing attacks are also evolving with each passing day. For those who refuse to accept this claim, we have broken down the 2019 version of the Phishing and Fraud statistics to prove that, so far, phishing has been the most extensive cyber threat to every enterprise, large or small.
COVID-19 has been a goldrush for hackers looking to exploit the epidemic. Almost every aspect of what’s unfolded has presented hackers with new and creative ways to phish you.
People are fearful, they’re working from home and under a lot of stress. That makes for a perfect target for hackers. Here are the top ten ways hackers are using the pandemic to phish you. It would be nice if these were the only ten. They’re not – there’s more.
#1 Free Money
Everybody knows about the stimulus checks offered by the U.S. government to most workers, which means hackers know about it too. And they’ve been using it to phish you.
From the WKRG web site, “The FBI is also warning about another kind of scam–email phishing scams over coronavirus and economic stimulus checks. The agency says to look out for phishing emails asking you to verify your personal information in order to receive an economic stimulus check from the government.” The email is not from the government, it’s from a hacker.
#2 Web Conferencing
For many people working from home, they’re using web conferencing software for the very first time. So, they’re not experienced with the procedures and protocols for using it and hackers know that to launch their phishing attacks. A phishing attack aimed at getting your credentials.
Zoom web conferencing has been the most targeted application. Thousands of potential phishing sites have been created to target Zoom users as its usage has soared. But it hasn’t just been Zoom. Other applications targeted by hackers include WebEx (Cisco), Skype (Microsoft), GoToMeeting, Microsoft Teams and Google Hangouts. Be wary of any unsolicited email from a web conferencing company.
#3 Medical Information
At this time, people are looking to trusted authorities for any medical information they can about COVID-19. Trusted authorities like the CDC, the WHO and NIH. Hackers know and use those symbols of trust to phish you when you’re looking for medical information.
From an article on Help Net Security, attackers have “been tricking users with fake email notifications and fake alerts impersonating local authorities, the US Centers for Disease Control and Prevention (CDC), and the World Health Organization (WHO) to deliver malware or to steal email credentials.” If you want the latest medical information from a trusted source, get it from their website.
#4 Prevention and Cures
COVID-19 has people scared. So scared that they’re taking matters into their own hands when it comes to prevention and cures. Hackers know that and use it to phish you.
From Tech Republic, “Many of the scams Barracuda Sentinel detected were looking to sell coronavirus cures or face masks or asking for investments in fake companies that claimed to be developing vaccines.” If you purchase a face mask, only do it from a reputable retailer.
#5 Charities
People who are faring better than most during the pandemic want to help and that help usually involves donating money to a charity. And hackers know it, so they use it to phish you.
“Scams in the form of donation requests for fake charities are another popular phishing method. For example, one scam caught by the Barracuda systems claims to be from the World Health Community (which doesn’t exist but may be trying to take advantage of similarity to the World Health Organization) and asks for donations to a Bitcoin wallet provided in the email.” Don’t give to charities using Bitcoin.
#6 Travel Refunds
Many people planned a trip before the coronavirus outbreak and now can’t go because of travel restrictions. So, people want to get their money refunded and hackers know that and use that to phish you.
From the Identity Theft Resource Center, “As a result of the COVID-19 pandemic, the Tokyo 2020 Olympics have been postponed until next summer 2021. However, scammers will not postpone their attempts to target consumers through a series of tactics, including ticket refund scams. People should be on the lookout for these schemes under the guise of helping people to switch their plans to suit the new 2021 date.” If you want a refund, deal directly with the service provider.
#7 Entertainment
People are stuck at home. They need entertainment, like the kind available from companies like Netflix. And hackers know it so they use it to phish you.
An example of this is the Netflix Covid-19 phishing scam. In this scam, victims receive an email telling them that because of the COVID-19 pandemic, Netflix “will give out 3 months of Netflix Premium to help you spend more time at home.” And of course, the email comes with a link to click on for more information. It’s a scam. Be fearful of anything “free” during the pandemic.
#8 Delivery Services
More and more people are buying online and depending on delivery service to obtain their goods. Hackers know that and use that to phish you.
According to TechRepublic, “Cybercriminals are leveraging overwhelmed delivery services to further phishing schemes.” Consumers are used to receiving emails from ecommerce companies, including shipping status emails. So, it’s not a big leap for hackers to use those emails to launch a phishing attack. Be hypervigilant when receiving package tracking emails.
#9 Unemployment Fraud
People who have never been unemployed are finding themselves unemployed for the first time. And they aren’t always sure what to do or where to begin. So, naturally hackers pretend to fill in the blanks for these newbies and answer their questions, when in reality they’re just setting them up to be scammed.
According to CNBC, when referring to the scammers, they report that “In some cases, they will pose as individuals helping file for unemployment benefits and then steal personal information. More than 31 million Americans are currently collecting unemployment benefits, according to the Labor Department.” That’s a big pond for hackers to go phishing in.
#10 Fake Insurance
Whenever there’s something harmful, people are going to want to insure themselves against it and Covid is no different. And hackers know it. If you want to protect yourself and your family with Covid insurance, you can be sure hackers will be there waiting to scam you.
AAA has been out on the frontline warning people about these fake insurance scams. The company stated “Be especially wary of COVID-19 insurance scams. Robocalls, plus text and email phishing attacks can pitch false insurance deals to consumers of all ages. These pitches may ask consumers to pay insurance premiums, without delivering coverage.”
These are the top ten ways hackers are using coronavirus to phish you today. There will almost certainly be new ones in the future. The good news? You can protect yourself from all of these, and any new ones in the future, simply with an email security software called Phish Protection.
Phish Protection doesn’t require you to purchase anything. It sets up in 10 minutes, works with all major email providers and best of all, it only costs pennies per user per month. The coronavirus-based phishing attacks are not going to stop. But you can keep them from harming you with Phish Protection.
As we’ve written about many times before, Microsoft Office 365’s native security does not do a very good job of protecting you from phishing attacks which makes Office 365 extremely vulnerable to them. Now comes news of a targeted email phishing attack specifically designed to bypass the already vulnerable Office 365 security.
“The attack is a variant of ‘PerSwaysion’, a recent spate of credential phishing attacks that utilize compromised accounts and leverage Microsoft file-sharing services to lull victims into a false sense of security.”
One of the challenges to stopping phishing attacks is that hackers used to be really nimble. They would use a new domain for each phishing attack, often keeping it active for only a few hours before retiring it forever. This fleet footedness enabled the hackers to do their dirty work before word got out about the malicious website. That situation seems to be changing.
You’ve seen reCAPTCHA. It’s the image verification software that asks you to click on the cars or the crosswalks to verify you’re a human being and not a bot. It’s a service now owned by Google.
Seeing reCAPTCHA software on a website probably gives most people a sense of security. After all, the website is protecting itself from malicious activity with the software. And that’s exactly why hackers have started using reCAPTCHA to launch phishing attacks: because it gets you to let your guard down.
If you’ve been paying attention, you know that the Zoom video conferencing service has been in the news a lot recently as a prime target for phishing attacks. This is the result of more people working from home due to COVID-19. Thousands of potential phishing sites have been created to target Zoom users as its usage has soared.
With all the headlines, you might get the idea that Zoom is the only video conferencing service being targeted by hackers. Unfortunately, hackers are more ambitious than that. Other popular services, including WebEx and Skype, are also under attack.
According to an article on Help Net Security, “Not only are attackers using video conferencing brands as a lure for malware, but they’re using it for credential phishing, in particular to steal Zoom and WebEx credentials.”
In the case of WebEx (a Cisco company), “The fake emails purportedly coming from Cisco are a mishmash of unconnected visual elements and subject lines that command attention (e.g., “Critical Update!” or “Alert!”).”
Skype is in the same boat as WebEx. According to Threat Post, “Remote workers are being warned of a new phishing campaign targeting their Skype passwords. The phishing emails look ‘eerily similar’ to a legitimate Skype notification alert, according to a report released by Cofense on Thursday. Emails indicate users have 13 pending Skype notifications that can be checked by clicking a Review button.”
While not in the headlines yet, it’s only a matter of time before other video conferencing services like GoToMeeting, Microsoft Teams and Google Hangouts are the target of phishing attacks. The bottom line is, employees working from home are outside the protective boundary of the company’s network and are therefore more vulnerable to these types of phishing attacks.
What’s needed now, more than ever, is the ability to protect employees from phishing attacks who are working from home. To do that requires cloud-based email security so that emails destined for employees at their home office can be screened before they ever hit the inbox. What’s needed is email security like that available from Phish Protection.
Phish Protection is cloud-based email security with real-time link click protection, which protects against the most sophisticated type of attack: time-delayed phishing attack. Phish Protection sets up in 10 minutes by making a simple change to a DNS entry. That means you can protect a thousand employees working in a thousand different homes in about 10 minutes. And Phish Protection only costs pennies per employee per month with no hardware or software to buy.
COVID-19 will eventually go away but hackers won’t. Protect your employees today. Try Phish Protection free for 60 days.