Phishing Schemes Are Nastier Than Ever in 2017

Phishing is fraud on a large scale, and in 2017 the schemes are nastier than ever. A phishing message is a form of impersonation: the sender poses as someone or something they are not in order to trick the recipient into divulging credentials, clicking a link, or opening an attachment that installs a trojan, often by exploiting a zero-day vulnerability in Microsoft Office data files.

The costs can vary. Is it a ransomware attack? Advanced Persistent Threat? Credential theft? These can vary widely in terms of breach cost, but it boils down to this: U.S. companies have a 1 in 4 (24%) chance of incurring a mean breach cost of $2.21M in the next 24 months, and over 90% of these will start as a phishing attempt. Dividing the potential breach cost by the probability gives us a good start at establishing a budget for mitigating these risks. 

There is preventative technology that can help. Endpoint agents such as Carbon Black, CrowdStrike, and Cylance can stop the attack as it starts, and Ironscales has automated phishing response technology that can render the phishing attack’s payload ineffective. 


User training is a very effective way to prevent breach costs from phishing.  There are many ways to spot a phishing attempt, including these:

  • A mismatch between the display name and the actual address (Name <local-part@domain-name>). If the From address looks fishy, it may be phishy.
  • MS Office attachments. Email is not an optimal way to share data in its native format.
  • A prompt to change your credentials. Asking for this by email is an insecure practice, and your IT department or bank is extremely unlikely to do it.
  • A threat unless the requested action (i.e., a click-through) is performed, such as “or risk your account being locked out” or “charges will be automatically billed”.
  • Hovering over a link reveals a URL different from the one the link text indicates.
  • Grammatical errors can indicate that the phishing attempt originates from outside the U.S.
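
The indicators above can be checked mechanically before a message ever reaches a reader. The script below is an added example written for this article, not code from the original post or from CIPHER: it parses a raw email with Python's standard library and flags a display name whose embedded address does not match the real sender, a Reply-To that diverts replies elsewhere, Office attachments, link text naming one host while the href goes to another, and the threat and credential-change phrases the list quotes. The two sample messages, including every address, domain and file name in them, are constructed for illustration.

```python
"""Flag the phishing indicators from the list above in a raw RFC 822 message.

Added example, not part of the original post. All messages, addresses and
domains below are constructed samples.
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Office document types the post calls out when they arrive as attachments.
OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm",
                     ".ppt", ".pptx", ".pptm", ".rtf")
# Pressure phrases of the kind the post quotes, plus credential prompts.
THREAT_PHRASES = ("locked out", "automatically billed", "suspended", "within 24 hours")
CREDENTIAL_PHRASES = ("change your password", "reset your password",
                      "verify your credentials", "confirm your account")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain_of(address):
    """Lower-cased domain part of an address-like string, or '' if none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _host_of(url):
    """Host of a URL; link text is often a bare hostname without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _first_address(msg, header):
    """(display name, addr-spec) of the first mailbox in a header, or ('', '')."""
    value = msg.get(header)
    if value is None or not getattr(value, "addresses", ()):
        return "", ""
    return value.addresses[0].display_name, value.addresses[0].addr_spec


def phishing_indicators(raw_message):
    """Return (category, detail) pairs for every indicator found."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Display name that is itself an address at another domain; diverted Reply-To.
    name, from_addr = _first_address(msg, "From")
    from_domain, name_domain = _domain_of(from_addr), _domain_of(name)
    if name_domain and name_domain != from_domain:
        findings.append(("name_mismatch", f"{name_domain} in name, sent from {from_domain}"))
    _, reply_addr = _first_address(msg, "Reply-To")
    if reply_addr and _domain_of(reply_addr) != from_domain:
        findings.append(("reply_to_mismatch", f"replies go to {_domain_of(reply_addr)}"))

    # 2. Office documents attached to the message.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.lower().endswith(OFFICE_EXTENSIONS):
            findings.append(("office_attachment", filename))

    # 3. Link text that names one host while the href points at another.
    text = ""
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        html = html_part.get_content()
        collector = _LinkCollector()
        collector.feed(html)
        for visible, href in collector.links:
            looks_like_url = re.search(r"[a-z0-9-]+\.[a-z]{2,}", visible, re.I)
            if looks_like_url and _host_of(visible) != _host_of(href):
                findings.append(("link_mismatch", f"text {visible!r} -> {_host_of(href)}"))
        text = re.sub(r"<[^>]+>", " ", html)
    plain_part = msg.get_body(preferencelist=("plain",))
    if plain_part is not None:
        text += " " + plain_part.get_content()

    # 4. Threat unless the action is performed.  5. Prompt to change credentials.
    lowered = text.lower()
    findings += [("threat", p) for p in THREAT_PHRASES if p in lowered]
    findings += [("credential_prompt", p) for p in CREDENTIAL_PHRASES if p in lowered]
    return findings


# Constructed sample exhibiting the indicators; no real domains or people.
SAMPLE_MESSAGE = """\
From: "helpdesk@example-corp.com" <noreply@mail-example-corp-support.example>
Reply-To: recovery@free-mail.example
To: employee@example-corp.com
Subject: Action required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please visit <a href="http://login.mail-example-corp-support.example/reset">
https://portal.example-corp.com</a> to change your password within 24 hours
or risk your account being locked out.</p>
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="Invoice_2017.docm"
Content-Transfer-Encoding: base64

UEsDBBQ=
--b1--
"""

# Constructed benign message for contrast.
BENIGN_MESSAGE = """\
From: "Alice Example" <alice@example-corp.com>
To: employee@example-corp.com
Subject: Lunch
Content-Type: text/plain; charset="utf-8"

See you at noon. Agenda: https://wiki.example-corp.com/lunch
"""

if __name__ == "__main__":
    for category, detail in phishing_indicators(SAMPLE_MESSAGE):
        print(f"{category:20s} {detail}")
```

Each finding is a coarse heuristic, not proof; the value of running them together is that a message tripping several at once (a mismatched display name, a macro-enabled Office attachment and a deadline threat) is worth quarantining for review, while the benign note above produces no findings at all.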

Perhaps one of the best policies to follow is this: if you don't recognize the sender, haven't been in contact with the sender recently, or typically work with this organization outside of email, DON'T CLICK ANYTHING.

Here are some phishing examples that illustrate these nasty attempts (three screenshots in the original post: phishing example 1, phishing example 2 and phishing example 3).

Phishing training is often a very cost-effective anti-phishing measure for small and medium-sized enterprises, especially where budgets may be a bit constrained. It is a gamification of sorts: the corporate security administrator sends simulated phishing messages to see how many users are susceptible, and tracks the results over time. Learning to recognize the telltale signs of phishing attempts can make all the difference in protecting your corporate value!


About CIPHER

Founded in 2000, CIPHER is a global cybersecurity company that delivers highly accredited Managed Security Services holding ISO 20000 and ISO 27001, SOC I and SOC II, PCI QSA and PCI ASV certifications. We have received many awards including Best MSSP from Frost & Sullivan for the past five years. These services are supported by the best in class security intelligence lab: CIPHER Intelligence. Our offices are located in North America, Europe, and Latin America with 24×7×365 Security Operations Centers and R&D laboratories, complemented by strategic partners around the globe. 

Our clients consist of Fortune 500 companies, world-renowned enterprises, and government agencies with countless success stories. CIPHER provides organizations with proprietary technologies and specialized services to defend against advanced threats while managing risk and ensuring compliance through innovative solutions.
