As the business world continues to grapple with an expanding definition of new normal, the phishing attack remains a common tactic for attackers. Why are phishing attacks still happening? How can we prevent them? We spoke to a threat analyst who has the answers.

In May 2020, X-Force research uncovered a precision-targeting (or spear phishing) attack on a German multinational corporation connected with a German government-private sector task force in the race to procure personal protective equipment (PPE).

Those threat actors targeted more than one hundred high-ranking executives in management and procurement roles. They reached out within their target group as well as to its third-party partners. Overall, X-Force observed about 40 targets. It’s likely that other members of the task force could be targets of interest in this malicious campaign as well. This shows why we need to be more vigilant about the angles attackers could use.

Phishing: Still Common After All These Years

The sophistication required for the PPE attack is certainly notable. However, most spear phishing attacks can be carried out with only a few clicks. For cyber criminals, launching a phishing attack is easier than ever. Therefore, it is critical for the enterprise to gain the awareness needed to avoid becoming a target.

Prefabricated phishing kits on the dark web streamline the workflow for threat actors. For example, look at the recently discovered package called LogoKit. It automatically pulls the victim company’s logo from Google’s photo search to display on the fake phishing login page.

“Unfortunately, the entry barriers are lower than ever with easy-to-use kits being sold on cybercrime forums for as little as a couple of hundred bucks,” says Brett Callow, threat analyst for Emsisoft. “These kits, which are basically web-based apps, enable even low-level scammers to conduct effective template-based phishing campaigns.”

According to Callow, the phishing sites are generated automatically and closely resemble the site they’ve been designed to mimic. Once they collect the victim’s credentials, the phony site will sometimes redirect them to the real site. The more real-looking the login page, the higher the chance of tricking the victim.

Yes, sometimes it is that easy for cyber criminals. Even as we publish this in mid-2021, large companies are still falling for phishing attacks. Is it possible to turn the tide?

The Uphill Phishing Attack Battle Only Gets Steeper

First, the bad news. Many bad actors running phishing scams are not of the cliche lone-attacker-in-the-basement type. Cyber criminals might be nation-state actors or part of gangs. In many cases, they organize well and operate like a real company.

One example is Cosmic Lynx, a Russian group that behaves more brazenly than most attacking groups. This new gang appears to be undeterred by the threat of prosecution in western countries. In addition, it often works with larger dollar amounts. The average sum most attackers will steal from a target company is about $80,000 USD, but for Cosmic Lynx, it’s well above that figure — a whopping $1.27 million.

The most common form of targeted phishing that groups like Cosmic Lynx use is Business Email Compromise (BEC). This attack impersonates a C-suite executive’s email account. The attacker tweaks the account name and address to look similar enough to fool users. Most targeted phishing scams begin with a request that a finance employee direct a seemingly routine payment straight into the attacking group’s bank account.

Some attackers took advantage of the pandemic to fuel BEC scams in 2020. One attacker group sent a financial institution an email request for a $1 million transfer to address COVID-19 precautions. Fraudsters changed only one letter of the company CEO’s email address in an attempt to fool the victim.
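The BEC tricks described above (an executive’s display name on an outside address, or a single changed letter in the address) are what a mail gateway or SOC triage rule should catch before a finance employee ever sees the message. The following is an added example, not code from IBM X-Force, Emsisoft or any product: a small Python check that compares each From header against a directory of protected executives, folding common confusable characters (rn for m, 1 for l, 0 for o) before measuring edit distance. The executive directory, the example.com domain and the sample headers are constructed for illustration.

```python
"""Flag display-name impersonation and lookalike sender addresses.

Added example for this article; not IBM's or Emsisoft's code. The executive
directory, the internal domain and the sample From headers are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from email.utils import parseaddr

# Constructed directory of identities worth protecting (hypothetical company).
EXEC_DIRECTORY = {
    "jane doe": "jane.doe@example.com",
    "mark chen": "mark.chen@example.com",
}
INTERNAL_DOMAIN = "example.com"

# Constructed sample From headers: one legitimate, three impersonations,
# one unrelated external sender that must not be flagged.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example.com>",         # legitimate
    "Jane Doe <jane.doe@examp1e.com>",         # digit 1 swapped for letter l
    "Jane Doe <jane.doe@gmail.example>",       # exec's name on an external mailbox
    "Mark Chen <mark.chen@exarnple.com>",      # "rn" imitating "m"
    "Supplier Billing <ap@supplier.example>",  # ordinary external sender
]

# Confusable sequences folded before comparison (multi-character ones first).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l")]


def fold_confusables(s: str) -> str:
    """Normalise characters attackers substitute for visually similar ones.
    Used only for comparison; the original address is never rewritten."""
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,           # deletion
                               current[j - 1] + 1,        # insertion
                               previous[j - 1] + (ca != cb)))  # substitution
        previous = current
    return previous[-1]


@dataclass
class Verdict:
    header: str
    address: str
    reasons: list[str]

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def check_sender(from_header: str, directory=EXEC_DIRECTORY,
                 internal_domain=INTERNAL_DOMAIN) -> Verdict:
    """Return the reasons (if any) a From header looks like BEC impersonation."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.strip().lower()
    _local, _, domain = addr.rpartition("@")
    reasons: list[str] = []

    # 1. The display name belongs to a protected executive but the address differs.
    expected = directory.get(name)
    if expected and addr != expected:
        reasons.append("display-name-impersonation")

    # 2. The full address is within one edit of a real executive address.
    if addr not in directory.values():
        folded = fold_confusables(addr)
        if any(levenshtein(folded, fold_confusables(real)) <= 1
               for real in directory.values()):
            reasons.append("lookalike-address")

    # 3. The sending domain is within one edit of the company domain.
    if domain != internal_domain and levenshtein(
            fold_confusables(domain), fold_confusables(internal_domain)) <= 1:
        reasons.append("lookalike-domain")

    return Verdict(from_header, addr, reasons)


def triage(headers: list[str]) -> list[Verdict]:
    """Run the check over a batch of From headers (e.g. from gateway logs)."""
    return [check_sender(h) for h in headers]


if __name__ == "__main__":
    for v in triage(SAMPLE_FROM_HEADERS):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{flag:10} {v.header}  {', '.join(v.reasons)}")
```

The one-edit threshold is deliberately tight: it catches the single-letter swaps the article describes without flagging every external sender, and the confusable folding handles substitutions that edit distance alone would count as more than one change. In a real deployment this check complements, rather than replaces, DMARC enforcement on the company domain and an out-of-band payment verification step.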

What Helps Protect From Spear Phishing?

As cybersecurity people, it feels like we’re repeating ourselves far too often about the importance of education, culture and awareness. With every passing year, more companies are falling for these same scams.

“Phishing has been around for years, and one of the reasons for that longevity is simply that it works,” Callow says. “The other reason is that phishing is profitable, and underpins much of the cyber criminal economy with stolen information being used for everything from BEC scams to ransomware attacks.”

To best defend against these attacks, the winning strategy combines tech, awareness and vigilance.

“Defending against phishing attacks is not easy, but by adhering to best practices organizations can significantly limit the chance of becoming a victim,” he says.

Spear Phishing Prevention

All employees — even more so those in the C-suite — must always default to ‘skeptical’ when on the receiving end of a request for sensitive data or a financial transfer. No matter how genuine the email may appear, always follow up with a phone call or, better yet, an in-person meeting to confirm. Instead of defaulting to trust, which is only human nature, it’s critical to question everything about these emails. Skepticism should be perceived as a positive employee trait and, more importantly, a mark of fiscal responsibility.

Remember, a simple email to confirm is not going to cut it. If you simply reply to it, and it’s a scam, the cyber criminal will obviously confirm that all systems are go.

Vigilance is key here. If you receive a link to a website and aren’t sure about it, do not click on it directly. Just type in the website by hand so you can be sure you aren’t being scammed.

Staying Aware

“Awareness training is critical,” says Callow. “It’s also extremely important to create a better-safe-than-sorry culture in which your team feel completely comfortable reporting suspicious or confirmed spear phishing emails. If they don’t have that level of comfort, they’re more likely to make the decision themselves. Additionally, senior management should attend awareness training sessions. While executives are sometimes inclined to opt out, the reality is that they’re the most likely targets for personalized and hard-to-spot spear phishing campaigns.”

Technical controls are an equally crucial complement to awareness. Callow advises businesses to implement spam controls, URL blocking and two-factor or multifactor authentication, as well as adding voice checks into payment processes.

In the end, it still boils down to promoting a security-minded culture, which takes time, and more importantly, practice.
