CSAM WEEK 2:
Understanding Phishing: A Persistent Cyber Threat
Let’s get real: phishing has been a ‘thing’ long enough that it feels ‘normal’… we don’t even get triggered by it anymore (unless it happens to you). Despite that, phishing remains one of the most widespread and dangerous forms of cybercrime. Even with increased awareness and advances in cybersecurity, phishing attacks continue to evolve, getting more sophisticated and harder to detect.
Why is that? The bad guys keep pouring money into getting better at phishing because it makes them money… a LOT of money. According to Cybercrime Magazine[1], research expects “global cybercrime costs to grow by 15 percent per year over the next five years, reaching $10.5 trillion USD annually by 2025.” That’s 9 zeros… a lot of money. In fact, that would make cybercrime bigger by Gross Domestic Product (GDP) than 31 countries[2]. COUNTRIES… wow.
What’s scary is the human factor (us!) in phishing. According to the 2024 Verizon Data Breach Investigation Report[3] (DBIR), “the median time to click on a malicious link after [a phishing] email is opened is 21 seconds and then only another 28 seconds for the person caught in the phishing scheme to enter their data. This leads to an alarming finding: The median time for users to fall for phishing emails is less than 60 seconds.” It just doesn’t take long for things to go wrong once we’ve fallen for a phishing email.
To make it worse, the number of phishing attacks our users are facing is growing at an alarming rate. According to Bolster.ai’s report[4], phishing attacks have increased 94% since 2020. Here are some other important trends in phishing:
- About 3.4 billion phishing attempts are emailed every day[5].
- Almost all businesses globally have reported phishing attempts that target their employees[5].
- Phishing attacks happen constantly and can even include multiple emails. The costliest phishing attack contained thousands of emails and caused over a billion dollars in financial losses[4].
It’s important to understand these statistics in context: bad guys don’t waste money on duds, so if the number of attacks is increasing, it’s because phishing is still working. The message is clear: phishing is a clear and present threat to ourselves, our families, the organizations where we work, and the people we serve. Given that, let’s take a closer look at what phishing is, its different types, how it’s evolved, and what we can do about it.
What is Phishing?
Just in case you’re not up on this, phishing is a cyber-attack that typically involves sending fraudulent emails that appear to come from reputable sources. These emails often contain links to fake websites designed to steal personal information. The term “phishing” is derived from “fishing,” as attackers cast a wide net, hoping to “catch” unsuspecting victims[6].
However, phishing isn’t just a random shot in the dark. Let’s look at some of the different types of phishing attacks that are common today:
Email Phishing:
The most common form, where attackers send emails that appear to be from legitimate companies. These emails often contain urgent messages to trick recipients into clicking on malicious links or downloading attachments.
Spear Phishing:
A more targeted approach, where attackers customize their messages to a specific individual or organization, making the scam harder to detect.
Vishing (Voice Phishing):
Involves phone calls where attackers pose as legitimate entities to extract personal information.
Smishing (SMS Phishing):
Uses text messages to lure victims into clicking on malicious links or providing personal information.
The reality is that phishing tactics have become increasingly sophisticated as threat actors change and adjust to get around us and our defenses. Attackers now use advanced techniques such as:
Clone Phishing:
Creating a nearly identical copy of a legitimate email, but with malicious links or attachments[6].
Website Spoofing:
Designing fake websites that closely resemble legitimate ones to steal login credentials[7].
Social Engineering:
Exploiting human psychology to trick individuals into divulging confidential information[8].
One notable real-world example involved a phishing email that appeared to come from a manager, requesting the urgent purchase of gift vouchers. The victim, believing the email to be genuine, complied and only discovered the scam later when contacting the manager through another channel[6]. This highlights the importance of verifying requests through a second communication method.
How to Protect Yourself
While we all want to think that our computers and their security software are perfect (normally because it takes the pressure off of us), they’re not. The reality is that we are ultimately the final line of defense to keep ourselves and our data safe. Here are some things we should always be doing to protect ourselves from phishing scams:
Be Skeptical:
Always be cautious of unsolicited emails, especially those that request personal information or urgent action.
Verify the Source:
Contact the sender through a different method to confirm the legitimacy of the request.
Look for Red Flags:
Check for poor grammar, misspellings, and suspicious URLs.
Favicons:
A favicon, short for “favorites icon,” is the small graphical icon associated with a website or webpage[9]. When visiting a website, quickly scan for the favicon to make sure it matches your expectations. If the favicon is different or missing, you should be suspicious (a matching favicon alone doesn’t prove a site is genuine, since a spoofed site can copy it, so treat it as one signal among several).
Use Security Software:
Keep your antivirus and anti-malware software up to date to detect and block phishing attempts.
Educate Yourself and Others:
Stay informed about the latest phishing tactics and share this knowledge with friends and family.
Use Multi-factor authentication (MFA):
MFA[10] is a REALLY critical way to protect yourself and your data. You should enable MFA (preferably not via SMS text codes) on EVERY personal account.
How to Protect Your Organization
There are also things we can do to protect against phishing when you’re on the clock for your company. These include:
- Use multifactor authentication[5] (see a common theme here?).
- Use anti-spoofing controls like DMARC, DKIM, and SPF[11].
- Improve awareness with mandatory security awareness training[5].
- Always use supported devices with supported company security software[5].
- Keep devices and associated software up to date[5].
- Make sure your incident response plan includes a phishing incident response[5].
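A defender-side check for the anti-spoofing controls in the list above, added here as an example (it is not the article’s code or any referenced vendor’s tool): it reads SPF and DMARC TXT records, which here are constructed sample strings rather than live DNS lookups, and reports settings such as `~all` or `p=none` that leave a domain easy to spoof, next to hardened equivalents.

```python
# Added example (not the article's own code): flag weak SPF and DMARC settings
# in the DNS TXT records a domain publishes. All records here are constructed.
WEAK_SPF = "v=spf1 include:_spf.mail.example.test ~all"      # softfail only
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRONG_SPF = "v=spf1 include:_spf.mail.example.test -all"    # hard fail
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.test"


def parse_tags(record: str) -> dict:
    """Parse DMARC-style 'k=v; k=v' tags into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means nothing weak found."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()[1:]
    # The 'all' mechanism decides what happens to senders not listed earlier.
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "+":
        return ["'+all' authorises any host to send as this domain"]
    if qualifier in "~?":
        return [f"'{qualifier}all' does not reject unlisted senders: only softfail or neutral"]
    return []  # '-all': unlisted senders hard-fail


def check_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means nothing weak found."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failing mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or unknown policy 'p={policy}'")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy enforced on only {pct}% of failing mail")
    return findings
```

Run `check_spf` and `check_dmarc` over the weak pair to see the findings, and over the strong pair to see them come back empty; a real deployment would feed in the records fetched from DNS.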
Reporting Phishing
If you get phished (and particularly if you fear you fell for one!), let somebody know. If you suspect a phishing attempt at work, report it to your company’s information security, compliance and/or IT team. For attacks on your personal account, you might want to let your email provider (most have a “spam” or “report phishing” button) or the relevant authorities know. Many organizations have dedicated teams to handle these reports and can take action to prevent further attacks and thus protect others.
Conclusion
Did you ever get scared to swim after watching Jaws? Phishing is sort of the same thing for email. Just like when you were a kid doggie paddling in the pool with one eye out for that approaching fin, phishing is a persistent threat that requires constant vigilance. By understanding the tactics used by phishers and taking proactive steps to protect yourself, you can reduce the risk of falling victim to these scams. Remember, cybercriminals are always looking for new ways to exploit vulnerabilities, so staying informed and cautious is your best defense. Keep your radar up and on and keep everybody safe!
Sources
[1] https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
[2] https://www.worldometers.info/gdp/gdp-by-country/
[3] https://www.verizon.com/business/resources/reports/dbir/
[4] https://bolster.ai/wp-content/uploads/2024/03/phishing_report_2024.pdf
[5] https://www.splunk.com/en_us/blog/learn/phishing-scams-attacks.html
[6] https://theconversation.com/phishing-scams-7-safety-tips-from-a-cybersecurity-expert-216198
[7] https://en.wikipedia.org/wiki/Website_spoofing
[8] https://www.cisa.gov/secure-our-world/recognize-and-report-phishing
[10] https://www.ibm.com/topics/multi-factor-authentication
[11] https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/
About the Author
With over 30 years in the Information Systems field, Luke Franzelas specializes in network engineering and security. Currently a Senior Cyber Security & Network Engineer at Caseworthy, he excels in managing cloud environments, SIEM operations, and compliance with industry standards. His previous roles at Microsoft and Caradigm involved designing and supporting complex IT infrastructures and networks with the purpose of maintaining the confidentiality, integrity, and availability of health-related information systems. Luke has extensive experience in network architecture, security design, and operational support, complemented by a background in U.S. military satellite communications.