While spam will always be an issue in general, phishing and spear phishing are dominant among social engineering attacks on email—and they continue to grow in sophistication. According to Phishlabs, phishing grew 40.9% in 2018iii. Phishing operates on a different model to spam. Rather than low work and high volume, with profit coming from convincing a small group of recipients to pay a certain amount of money, it’s more work and lower volume—with profit coming from convincing a significant proportion of recipients to pay a lot more money.
It’s the higher figures involved that make phishing and spear phishing more profitable for cybercriminals—especially with a lot of businesses using anti-spam solutions today. In a phishing campaign, cybercriminals try to obtain as many email addresses as possible and craft emails to look like official emails from companies. These campaigns normally prompt users to click on a link that takes them to a (fake) site where a request asks them to enter sensitive information—such as account or credit card details. Spear phishing campaigns, however, are carefully tailored to a very specific target (such as a company’s head of payroll or CFO) and often involve requests for very large money transfers to the cybercriminals’ accounts.
The top phishing subject lines seen recentlyiv:
- “Payment Notification Ref: LK34NKYF”
- “Account deactivation notice”
- “Mail failure Delivery Notice”
- “Pending Package Schedule for Delivery”
- “Verify Your Account”
- “Incoming Invoice”
- “Take action on your PayPal account”
As you can see, one of the most common traits among these is urgency. The subject is eye catching in that it creates a sense of panic for the recipient to act. It doesn’t always take a highly targeted phishing attack to be successful.
#2 Business email compromise
Business email compromise is the next trending attack. Over $1.2 billion of losses were reported in 2018 due to business email compromise scamsv. Spoofing, baiting, and display name spoofing are all key characteristics of business email compromise. These emails don’t have links but prompt the recipient to take a certain action. Many of these attacks aim to take over an email account, which cybercriminals then use to further propagate other attacks and steal money or sensitive information. There’s a great deal that must occur even after the breach takes place to make it worth the criminal’s while. For example, business email compromises normally involve the fraudulent transfer of funds into an attacker-owned bank account. If this is unsuccessful, it doesn’t mean the attacker will give up. They may then try to sell the information they stole. This is born out by the fact that Verizon found many business email compromise attacks have a value of zero losses in their most recent Data Breach Investigations reportvi.
Within the field of business email compromise, we’ve seen a spike in display name spoofing attacks. Attackers are finding it harder to spoof sending domains with a rise in technologies like SPF, DMARC, and DKIM. With display name spoofing, cybercriminals will change their sending display name to be that of an executive (c-level) in the targeted organization. For example, an attacker will register a free email account and use any email address. The address will mostly contain the name of the executive they’re trying to spoof. The attacker will then set their display name to match the CEO or executive. When they send their phishing messages to an organization, they’re betting the recipient won’t look at the sending address, and only look at the sending display name. Some recipients may even believe the sending email address is the personal email of the executive. It all seems very real.
How can you protect against these trending attacks?
True protection comes with a layered security program. Deploying a professional email security solution is a start in the right direction, but don’t exclude education. Educating users on the different types of attacks—and damaging consequences—should be an integral part of your security strategy and programs.
Interested to learn more about social engineering techniques on email and prevention tips? Click here to watch our webcast: Social Engineering: Prevention Tips & Best Practices.
Mia Thompson is product marketing manager, Mail Assure, at SolarWinds MSP.
i “Email, a Top Attack Vector, Users Can’t ID a Fake,” Infosecurity Magazine. https://www.infosecurity-magazine.com/news/email-a-top-attack-vector-users/ (Accessed November 2019).
ii “2018 Phishing Trends & Intelligence Report: Hacking the Human,”Phishlabs. https://info.phishlabs.com/hubfs/2018%20PTI%20Report/PhishLabs%20Trend%20Report_2018-digital.pdf (Accessed November 2019).
iii “2019 Phishing Trends and Intelligence Report: The Growing Social Engineering Threat,” Phishlabs. https://info.phishlabs.com/hubfs/2019%20PTI%20Report/2019%20Phishing%20Trends%20and%20Intelligence%20Report.pdf (Accessed November 2019).
iv SolarWinds Mail Assure Top Phishing Subjects Report (Published November 2019).
v “2018 Internet Crime Report,” Federal Bureau of Investigations. https://pdf.ic3.gov/2018_IC3Report.pdf (Accessed November 2019).
vi “2018 Data Breach Investigations Report,” Verizon. https://enterprise.verizon.com/resources/reports/dbir/ (Published April 2018).