As the business world continues to grapple with an expanding definition of new normal, the phishing attack remains a common tactic for attackers. Why are phishing attacks still happening? How can we prevent them? We spoke to a threat analyst who has the answers.

In May 2020, X-Force research uncovered a precision-targeting (or spear phishing) attack on a German multinational corporation connected with a German government-private sector task force in the race to procure personal protective equipment (PPE).

Those threat actors targeted more than one hundred high-ranking executives in management and procurement roles. They reached out within their target group as well as to its third-party partners. Overall, X-Force observed about 40 targets. It’s likely that other members of the task force could be targets of interest in this malicious campaign as well. This shows the way we need to be more vigilant about what angles attackers could use.

Phishing: Still Common After All These Years

The sophistication required for the PPE attack is certainly important. However, most spear phishing attacks can be carried out with only a few clicks. For cyber criminals, launching a phishing attack is easier than ever. Therefore, it is critical for the enterprise to gain the awareness needed to avoid becoming targets.

Prefabricated phishing kits on the dark web streamline the workflow for threat actors. For example, look at the recently discovered package called LogoKit. It automatically pulls the victim company’s logo from Google’s photo search to display on the fake phishing login page.

“Unfortunately, the entry barriers are lower than ever with easy-to-use kits being sold on cybercrime forums for as little as a couple of hundred bucks,” says Brett Callow, threat analyst for Emsisoft. “These kits, which are basically web-based apps, enable even low-level scammers to conduct effective template-based phishing campaigns.”

According to Callow, the phishing sites are automatically created and closely resemble the site they’ve been designed to mimic. Once they collect the victim’s credentials, the phony site will sometimes redirect them to the real site. The more real-looking the login page, the higher chance of tricking the victim.

Yes, sometimes it is that easy for cyber criminals. Even as we publish this in mid-2021, large companies are still falling for phishing attacks. Is it possible to turn the tide?

The Uphill Phishing Attack Battle Only Gets Steeper

First, the bad news. Many bad actors running phishing scams are not of the cliche lone-attacker-in-the-basement type. Cyber criminals might be nation-state actors or part of gangs. In many cases, they organize well and operate like a real company.

One example is Cosmic Lynx, a Russian group that behaves more brazenly than most attacking groups. This new gang appears to be undeterred by the threat of prosecution in western countries. In addition, it often works with larger dollar amounts. The average sum most attackers will steal from a target company is about $80,000 USD, but for Cosmic Lynx, it’s well above that figure — a whopping $1.27 million.

The most common form of target phishing groups like Cosmic Lynx use is the Business Email Compromise (BEC). This attack aims to disguise itself as a C-suite executive’s email account. The attacker tweaks the account name and address to look similar enough to fool users. Most target phishing scams begin with a request for a financial employee to direct a seemingly normal payment right into the attacking group’s bank account.

Some attackers took advantage of the pandemic to fuel BEC scams in 2020. One attacker group sent a financial institution an email request for a $1 million transfer to address COVID-19 precautions. Fraudsters changed only one letter of the company CEO’s email address in an attempt to fool the victim.

What Helps Protect From Spear Phishing?

As cybersecurity people, it feels like we’re repeating ourselves far too often about the importance of education, culture and awareness. With every passing year, more companies are falling for these same scams.

“Phishing has been around for years, and one of the reasons for that longevity is simply that it works,” Callow says. “The other reason is that phishing is profitable, and underpins much of the cyber criminal economy with stolen information being used for everything from BEC scams to ransomware attacks.”

To best defend against these attacks, the winning strategy combines tech, awareness and vigilance.

“Defending against phishing attacks is not easy, but by adhering to best practices organizations can significantly limit the chance of becoming a victim,” he says.

Spear Phishing Prevention

It’s key that all employees — even more so those in the C-suite — must always default to ‘skeptical’ when on the receiving end of a request for sensitive data or a financial transfer. No matter how honest the email may appear, always follow up with a phone call or, better yet, an in-person meeting to confirm. Instead of defaulting to trust, which is only human nature, it’s critical to question everything regarding these emails. Skepticism should be perceived as a positive employee trait, and more importantly, a mark of fiscal responsibility.

Remember, a simple email to confirm is not going to cut it. If you simply reply to it, and it’s a scam, the cyber criminal will obviously confirm that all systems are go.

Vigilance is key here. If you receive a link to a website and aren’t sure about it, do not click on it directly. Just type in the website by hand so you can be sure you aren’t being scammed.

Staying Aware

“Awareness training is critical,” says Callow. “It’s also extremely important to create a better-safe-than-sorry culture in which your team feel completely comfortable reporting suspicious or confirmed spear phishing emails. If they don’t have that level of comfort, they’re more likely to make the decision themselves. Additionally, senior management should attend awareness training sessions. While executives are sometimes inclined to opt-out, the reality is that they’re the mostly likely targets for personalized and hard-to-spot spear phishing campaigns.”

To augment awareness, technical solutions can be equally crucial. Callow advises businesses to implement spam controls, URL blocking and two-factor or multifactor authentication, as well as adding voice checks into processes.

In the end, it still boils down to promoting a security-minded culture, which takes time, and more importantly, practice.

More from Incident Response

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

Expert Insights on the X-Force Threat Intelligence Index

5 min read - Top insights are in from this year’s IBM Security X-Force Threat Intelligence Index, but what do they mean? Three IBM Security X-Force experts share their thoughts on the implications of the most pressing cybersecurity threats, and offer guidance for what organizations can do to better protect themselves. Moving Left of Boom: Early Backdoor Detection Andy Piazza, Global Head of Threat Intelligence at IBM Security X-Force, sat down with Security Intelligence to chat with us about the rise in the deployment…

5 min read

How Morris Worm Command and Control Changed Cybersecurity

4 min read - A successful cyberattack requires more than just gaining entry into a victim’s network. To truly reap the rewards, attackers must maintain a persistent presence within the system. After establishing communication with other compromised network devices, actors can stealthily extract valuable data. The key to all this is a well-developed Command and Control (C2 or C&C) infrastructure. The number of C2 servers used for launching cyberattacks increased by 30% in 2022. More than 17,000 of these servers were detected last year,…

4 min read