According to the Verizon 2021 Data Breach Investigations Report, 91% of successful data breaches started with a spear phishing attack. At the same time 73% of organisations fell victim to successful phishing last year.
Phishing is one of the most effective fraud activities on the internet. It may lead to severe financial losses, disclosure of sensitive information, or identity and credential theft, and as such it requires focus and attention from all possible directions. One of the most efficient ways of fighting this threat is to consistently raise our awareness of it and educate ourselves about it.
There are currently more than a dozen different types of phishing attack, but to start with it is worth focusing on the most common ones:
Phishing is a form of social-engineering attack that uses email to acquire sensitive information, either through fraudulent solicitation or through a malicious link or attachment, with the criminal masquerading as a legitimate person.
Spear-phishing, on the other hand, is phishing activity that is very carefully designed and targets a selected, lower-profile recipient, as opposed to typical phishing attempts in which multiple recipients receive the same email.
What distinguishes Whaling/CEO Fraud from spear-phishing is that whaling targets exclusively high-ranking individuals within an organisation, typically senior leadership (C-Level), in order to conduct a fraudulent activity.
The insurance sector frequently faces phishing attacks from external actors. This type of attack seems to be the easiest way for attackers to achieve their aims. According to recent studies, financial motivation drives over 90% of criminal fraud attempts, 3% are sophisticated state-driven espionage actions (APTs), and grudge, fun or ideology make up the remaining 5%.
Adversaries typically use multiple tools and techniques to achieve their criminal objectives. One of the major goals is to steal user credentials and use them in further hacking or malware attacks. For instance, a criminal may either create new accounts or compromise existing ones, then send multiple urgent fraudulent messages or use these accounts to gain further access to sensitive data.
The other scenario involves dropping malware (malicious software: a harmful program or file) on the user’s computer. This malware may include various types of viruses, trojans, worms, spyware and, in particular, ransomware. Depending on the type, ransomware is designed either to lock up or to encrypt files on your computer until a ransom is paid. More sophisticated versions (so-called double extortion) encrypt files and also exfiltrate data from the victim’s computer.
It is important to know that ransomware has become a major challenge not only for individuals but also for companies, governments and organisations around the world, and that ransomware is most often delivered through phishing emails. According to Malwarebytes reporting, notable ransomware families such as GandCrab, SamSam, NotPetya and WannaCry generated losses of around $3.9 billion.
In order to avoid the potentially serious consequences of certain types of malware, you need to follow some basic rules when dealing with a suspicious email:
As always, these very basic security countermeasures, if properly enforced, may significantly reduce the attack surface for phishing-type attacks. Raising awareness and adhering to basic security rules and precautions are considered two of the most effective ways of minimising the attack success ratio and reducing cybersecurity risk.
Text: Marek Kost, IT Security Manager, ERGO Technology & Services S.A.