Phishing campaigns continue to be one of the most popular data breach tactics. Don’t fall for these common tricks!

The human factor is a key concern for businesses defending against the vast and sophisticated threat landscape. Many cyberattacks are designed to take advantage of human error. According to Kaspersky Lab’s State of Industrial Cybersecurity 2018 survey, nearly half (49%) of organizations in every sector face critical security consequences due to employee errors. Many of these errors come from one very common type of cyberattack – the phishing campaign.

What is a phishing campaign?

A phishing campaign, as detailed in a CSO Online article, is a cyberattack method that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need – a request for bank account information, for instance, or a note from someone in the company – and to click a link or download an attachment. 

Threat actors prey on human error by pretending to be a trusted party, whether an employee or a company. Because the untrained eye continues to fall for this kind of trickery, it remains a common, widespread issue and an inconvenience to IT administrators.

Phishing campaigns are not a new type of attack method. Some of the original phishing campaigns date back to the 1990s. Ever since, they have become more popular and increasingly sophisticated. Targeted messages are crafted to engage users – sometimes with messages that scare them, cause concern, or even build trust. Here are a few ways that threat actors manipulate users with targeted phishing campaigns.

Impersonation 

Business Email Compromise (BEC) is becoming one of the most profitable methods of attack. BEC occurs when a threat actor gains access to corporate email accounts and impersonates an employee’s identity to gain usable information. The majority of the time, threat actors will impersonate executives and the C-level because of their authority over financial information. A common BEC attack occurs when a threat actor impersonates a CEO or CFO and asks an employee in the financial department to transfer money to a certain account. In another, the threat actor impersonates a CEO or CFO and asks an employee to purchase large quantities of gift cards. While both of these types of attacks seem simple, they are very effective when it comes to stealing large sums of money.

The FBI states that, since January 2015, there has been a 1,300 percent increase in identified exposed losses, totaling over $3 billion, in BEC scams.

Email Spoofing

Email spoofing is a tactic used in phishing campaigns to trick users into believing an email is legitimate. Threat actors will forge an email header so that the message appears to have originated from someone or somewhere other than the actual source. This type of campaign is used to get users to open and respond to an email. For example, the email may be disguised as coming from a commonly used shopping website, asking for credentials or a credit card number. A spoofed email could also include malicious links that, when clicked, download malware onto the recipient’s computer.
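
To make the forged-header idea concrete, the following Python check is an added example (not from the original article) that inspects a received message for signs that the visible sender is not the actual source. The function names, the sample messages and their example.com/.test domains are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Return the lowercased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def spoofing_indicators(raw_message):
    """List header-based warning signs for one raw message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    findings = []
    # Exact-match check on envelope sender and reply address (subdomains also flagged).
    for header in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(header))
        if dom and dom != from_dom:
            findings.append(f"{header} domain {dom} != From domain {from_dom}")
    # Authentication-Results is only trustworthy when added by your own
    # receiving mail server; a sender can insert a forged copy.
    auth = " ".join(msg.get_all("Authentication-Results") or []).lower()
    if not auth:
        findings.append("no Authentication-Results header")
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech} failed")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = """\
Return-Path: <bounce@mailer.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.test; dkim=none; dmarc=fail header.from=example.com
From: "Pat Lee, CFO" <pat.lee@example.com>
Reply-To: pat.lee@example-payments.test
Subject: Urgent wire transfer

Please process this payment today.
"""
LEGIT = """\
Return-Path: <pat.lee@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Pat Lee <pat.lee@example.com>
Subject: Q3 budget review

Agenda attached.
"""
if __name__ == "__main__":
    print(spoofing_indicators(SPOOFED), spoofing_indicators(LEGIT))
```

A Reply-To on a different domain is the header pattern that fits the impersonation requests described above, because the reply goes to an address the apparent sender does not control.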

How to protect yourself from phishing campaigns

Protecting your organization from the various types of phishing campaigns requires a multi-layered defense. First and foremost, it is important that your organization properly educates your employees on the latest attack methods. If users don’t know what to look for, how will they know what is real and what is fraudulent impersonation? The second layer of defense is implementing the right technology that can stop these emails from ever getting to an employee’s inbox.

A managed services provider, like Magna5, is a great resource and partner when it comes to defending against today’s tricky cyberattacks. They have Security Services that utilize next-generation resources, technology and expertise that many organizations don’t have access to with the current IT professional shortage. Contact us to learn more about our Managed Security Services.