It never ceases to amaze how clever hackers are or how far they’ll go to phish someone. Whenever they find a flaw in their attack methodology, eventually, they figure out a way to overcome it.
Normally, a phishing attack will try and lure victims to a website to steal their credentials. The phishing website is typically a single, static webpage. In other words, everyone who ends up on that page sees the same page. The problem for hackers is that once this one webpage is identified as a phishing page, word gets out and that site gets blocked by anti-phishing technology pretty quickly.
The rate of cybercrimes has risen drastically across the globe in recent times. The advanced technology, the sophistication of attack methods used, and seemingly legitimate appearance of today’s phishing emails are a testimony of the strides of advancement that the phishers and cybercriminals have made in the past decade.
However, the advice for securing ourselves from phishing emails seems to have remained stagnant since the 2000s. One always hears the same old song whenever the topic at hand is phishing protection or cybersecurity in general. We need to defend ourselves from cyber threats by gathering information and resources that match the level of advancement of our adversaries. Merely following some age-old tips without cross-checking their effectiveness in the present scenario makes us more vulnerable, rather than stronger, in the face of the multitude of phishing attacks that hackers launch each day.
It seems like every week we hear about another major security breach. There was the Equifax breach in 2017 that compromised the data of 143 million people and the JP Morgan Chase breach in 2014 that affected 83 million households. Then there was Anthem and Target and Uber and Home Depot. I think you get the point.
It was not long ago that the White House was in the news when US intelligence agencies concluded Russia tried to sway the US presidential election in favor of Donald Trump, alleging that Russian hackers stole the information of rival Hillary Clinton’s campaign. The White House is said to be one of the most secured and safe-guarded buildings in the world. But when it comes to cybersecurity, no one is spared. Yes, even top-ranked White House officials including the Homeland Security Advisor and other White House officials were spoofed by cyber-criminals.
How many employees have to get phished before they take action? How much ransomware has to be paid before they take action? How many personal records have to be stolen before they take action? What will it take for email security service providers to install phishing protection technology and protect their customers? Apparently they haven’t hit the limit yet because the one thing we know for sure is that they aren’t doing a very good job of it.
If you’ve ever taken phishing awareness training, you’ve most likely been taught to identify domain name spoofing. Domain name spoofing is a phishing tactic where an attacker sends you an email from one domain, the attacker’s domain, that looks almost identical to another domain, a domain you trust.
The idea is that if the recipient of the email looks at the email address quickly, they may not notice the slight difference. Here’s an example of an email from a lady named Beth at Google: beth@gooogle.com. Or is it? No, it’s a domain name spoof spelling Google with three Os.
A recent article on the Help Net Security website discussed the results of research into the effectiveness of phishing filters. Phishing filters are used in email security to scan emails for malicious links or attachments.
Phishing filter technology is becoming widely adopted and it’s generally thought to be pretty effective at preventing phishing attacks. That’s not what the research found.
Spear phishing is a type of phishing attack which generally targets “Whales” or “high-level organizational actors” such as C-suite executives (e.g., CEO, CFO, CIO, etc.) or upper management to steal financial and sensitive or confidential information from unsuspecting top-level management. Spear phishing data breaches account for more than half of the phishing scams that occur worldwide every year. Verizon reports indicate that a high proportion of these data breaches begin with a directed phishing campaign targeted against an enterprise. Although corporations deploy sophisticated phishing prevention software to safeguard their data, they remain vulnerable because of human error, which allows adversaries to bypass such security measures, including anti-phishing solutions.
Osterman Research came out with their Office 365 Email Security 2019 Benchmarking Survey and the results are scary for organizations using Office 365 for email. The results are based on 318 in-depth surveys with IT and security managers of enterprises using Office 365 in the United States and the United Kingdom. According to Osterman, the purpose of the survey was to gain a better understanding of the security management issues faced by organizations using Office 365.
What’s the greatest threat to democracy today? How about election results that can’t be trusted because the election was manipulated by hackers. Hackers who began their attack with a spear phishing campaign. It’s happened before. It will almost certainly happen again.
Manipulating campaigns is now part of the election process. And the number of ways it can be manipulated is scary to think about. It could be as simple as hijacking a social media account to post fake election results. Or, it could be as sinister as hijacking a county website and posting fake voting instructions about where, when and how to vote. And no matter what form it takes, it will almost certainly start with a spear phishing attack.
Fishing can be a very profitable enterprise. Many commercial fishing fleets head out to sea each day hoping to land a big catch. Now these same boat owners have to be careful the big catch doesn’t land them.
According to an article on the Hot for Security website, “An alert released on Monday cautions that hackers have actively been targeting the networks of commercial vessels with phishing attacks. A similar alert had been issued in May when cybercriminals resorted to phishing to steal sensitive information about the ships and their itineraries.”
There’s much debate going on today about what to do if your organization gets hit by ransomware. There’s really only two choices: pay it or don’t. And which side you come down on says a lot about your big picture perspective.
Recently, U.S. Mayors, at their yearly conference, which represents over 1,400 mayors from U.S. cities with over 30,000 people, adopted a resolution not to give in to ransomware demands. Of course the mayors “admitted that ransomware attacks can result in the loss of millions of dollars and months of work to repair damage, but highlighted that paying the attackers only ‘encourages continued attacks on other government systems, as perpetrators financially benefit.'”
Phishing has been on the rise in one form or the other ever since users started to use emails, messages, phones, etc. Every other month, around 1.5 million new phishing sites are created by cyber-criminals and add to the growing cybercrime world. Several of these sites employ ransomware as a tactic in order to extort money from unsuspecting users who accidentally click on a fraudulent link in an email or text message sent to them.
They say nothing is certain in life except for death and taxes. You can add one more to that list: phishing attacks. Hackers continue to do their homework and innovate as the number one cybersecurity threat refuses to be contained.
According to an article on the Dark Reading website, “Email continues to be an extremely effective vector for delivering malicious content because of how adept attackers have become at tricking users over the years.”
From its website, the Department of Homeland Security’s (DHS) mission is “to secure the nation from the many threats we face.” In essence, the DHS’s job is to create trust, for Americans, in their own security. So, it shouldn’t come as any surprise that hackers would try to exploit that trust by launching an email phishing scam that impersonates email alerts from the DHS.
You wouldn’t put up a neon sign outside your home that says “rob this house” before you left for a week’s vacation. The last thing you want to do is give a crook a heads up. But that’s exactly what people unwittingly do when they post complaints about companies they do business with in their social media accounts.
By now, most people know that 91% of cyberattacks start with a phishing email. In recognition of this, companies are now beginning to offer security awareness training. According to an article on the website Dark Reading, “45% of organizations provide employees mandatory, formal cybersecurity training; another 10% give optional training.”
The objective is simple: teach employees not to click on the links in suspicious emails. Given the sophisticated nature of some phishing exploits today, that’s easier said than done. With that in mind, we present five phishing tactics being used today that are sure to trick you into clicking, no matter how much awareness training you’ve received.
If you’re doing business, then you’re sending, receiving and reading PDFs.
PDFs have become ubiquitous in business as a way of sending documents over the web. And why not? There are a lot of advantages to using PDFs. For starters, it’s ubiquitous—everyone has a PDF reader. The files can include embedded links and images. The files tend to be small compared to other formats. They can be password protected. They can work on any operating system. And they’re not likely to go away any time soon.
If you haven’t been paying attention, a lot of organizations have been hit by ransomware lately, almost all of which are triggered by a phishing email. Hackers use all types of exploits to extract money from their victims too. Their favorite, by far, is to encrypt the victim’s hard drive with a promise to decrypt it if the ransom is paid, usually in something untraceable like Bitcoin.
In cybersecurity, there’s a best practice called Defense in Depth. The idea behind Defense in Depth is very simple. Put up a bunch of different types of barriers instead of just relying on one. This way, no matter what attack vector the enemy chooses, you’re covered.
Defense in depth is a pretty sound cybersecurity strategy, one which many companies employ, except for when it comes to phishing protection.