Social engineering attacks, which trick people into revealing information or granting access, have been around for a long time. We have all heard stories about, or actually received, e-mails from some Nigerian prince who desperately needs your help to get money out of his country. Those primitive attempts seem quaint now. Today's phishing attacks are much craftier: they use graphics and links copied from real companies in their e-mails, and they are aimed more at getting business data than at getting your personal bank information. Because they are more targeted, they are known as spear phishing attacks.
PhishLabs, a provider of employee training and fraud prevention services, publishes an annual report that details the state of phishing. Just phishing. The subject is now big enough to warrant its own report. Several annual security reports name employee error as one of the largest sources of data loss, and phishing attacks are the largest contributor to those losses. Here are the highlights of what this year's PhishLabs report shows.
- Spear phishing remains the primary initial attack vector used by Advanced Persistent Threat (APT) actors
- The number of organizations targeted with Business Email Compromise (BEC) spear phishing attacks grew tremendously in 2015 as threat actors refined BEC techniques and sought new victims
- 90% of consumer-focused phishing attacks targeted financial institutions, cloud storage/file hosting sites, webmail and online services, ecommerce sites, and payment services
- Financial institutions and payment services continue to be the most highly targeted organizations
- Gmail is used for more than half of all drop email accounts, making it the top webmail service used by attackers to receive credentials stolen via phishing
- Social media is a primary promotion and distribution channel for consumer-focused phishing kits and related goods or services
While the percentages show most of the phishing targeted at a few business sectors, what gets glossed over is that phishing overall is growing fast in all areas. Social media phishing attacks are up 150%. And why? Well, because, as we have seen in previous Tidbits, people tend to use the same passwords at home and at work. Crack a Facebook password, find out where that person works and, voilà, you are in. I plan to focus more on phishing and social engineering attacks in the near future. It is a subject all its own.