Phishing Attacks Growing in Scale and Sophistication

From Genesis Global Technologies

Phishing attacks are dramatically on the upswing. They are getting smarter, more sophisticated and more deceptive. Instead of sending crudely constructed emails to large numbers of people in the hope that someone will click through, attackers are becoming highly targeted, difficult to detect, and just as difficult to evade. Even more important, they're inescapable.

According to the latest Webroot data, an average of 1.385 million unique phishing sites are created each month, with an astonishing high of 2.3 million in May of 2017. Most phishing sites use domains that are considered benign, tricking users into thinking they are clicking through to legitimate sites and increasing click-through rates. Phishing attacks are now the #1 cause of breaches.

Phishing emails use social media to tailor their attacks to the individual target—sometimes even senior executives—with messages that are likely to resonate with that individual. They employ very realistic web pages that are difficult, if not impossible, to find using web crawlers. They trick victims into providing credentials that compromise their accounts, then use those credentials to access other accounts where they have been re-used.

Trends

Highly Targeted Emails – using social media, attackers target small groups of specific "whaling" targets such as CEOs, CFOs, and other decision makers with messages that appear to come from a trusted sender.

Advanced Payloads – sophisticated attachments are intended to implant malware and set up command-and-control communications with servers that send malicious commands, compromising large numbers of computers very quickly.

Sense of Urgency – new attacks in 2017 show that phishing emails frequently play on fear and emotion, through the subject line or in the fake URL, to get victims to act before thinking. Examples: unusual activity on an account, a recent purchase that must be verified, an account in danger of being closed, or urgent invoices or tax bills waiting. They use terms such as "error", "warning", "account closed", "Microsoft-toll-free", and "official alert" in the subject line.

These scare-tactic emails include links that take users to cleverly designed web pages that heighten the fear, implying that the user will suffer dire consequences unless action is taken immediately. Whether the goal is to coerce the user into disclosing credentials or other confidential information, or to implant malware on the endpoint, the urgent tone of the email and the phishing site work together to exploit the natural human tendency to act immediately.

What should you do?

  • If you get an urgent email, don't react!
  • Hover over the sender's name to reveal the actual address, and check whether it is unfamiliar or does not belong to the company it claims to be.
  • Hover over the click-through link to see whether the real URL matches the supposed company's site.
  • Don't provide your information to anyone, under any circumstances, until you have verified their identity in several ways.
  • Call Genesis Global Technologies if you have any questions.
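The manual checks above (sender address, hover-over link target, urgency terms in the subject) can also be applied automatically to a saved message. The following is an added example, not code from Genesis Global Technologies; it uses only the Python standard library, takes the company domain the email claims to represent as a parameter, and runs against a constructed sample message with a made-up look-alike domain.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Subject-line terms the article lists as common urgency lures.
URGENCY_TERMS = ("error", "warning", "account closed", "microsoft-toll-free", "official alert")
class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def in_domain(host, domain):
    # True only for the claimed domain or a subdomain of it, never a look-alike.
    return host == domain or host.endswith("." + domain)
def phishing_indicators(raw_eml, claimed_domain):
    """Apply the article's manual checks to one raw message; return the findings."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    subject = (msg["Subject"] or "").lower()
    findings = [f"urgency term in subject: {t!r}" for t in URGENCY_TERMS if t in subject]
    # Check 1: the sender's real address domain should match the claimed company.
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    if not in_domain(sender_domain, claimed_domain):
        findings.append(f"sender domain {sender_domain!r} is not {claimed_domain!r}")
    # Check 2: every click-through URL (what hovering reveals) should land there too.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            if not in_domain(urlparse(href.lower()).hostname or "", claimed_domain):
                findings.append(f"link text {text!r} points to {href!r}")
    return findings
# Constructed sample (not a real campaign): look-alike domain plus an urgency subject.
SAMPLE_EML = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.com>
Subject: Official Alert: unusual activity on your account
Content-Type: text/html; charset="utf-8"

<a href="http://examp1e-bank-login.com/verify">www.example-bank.com</a>
"""
```

Calling `phishing_indicators(SAMPLE_EML, "example-bank.com")` reports all three indicators; a message whose sender and links genuinely sit under the claimed domain returns an empty list.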