As the business world continues to grapple with an expanding definition of new normal, the phishing attack remains a common tactic for attackers. Why are phishing attacks still happening? How can we prevent them? We spoke to a threat analyst who has the answers.

In May 2020, X-Force research uncovered a precision-targeting (or spear phishing) attack on a German multinational corporation connected with a German government-private sector task force in the race to procure personal protective equipment (PPE).

Those threat actors targeted more than one hundred high-ranking executives in management and procurement roles, reaching out both within the target group and to its third-party partners. Overall, X-Force observed about 40 targets. It’s likely that other members of the task force could be targets of interest in this malicious campaign as well. This shows why we need to be more vigilant about the angles attackers could use.

Phishing: Still Common After All These Years

The sophistication required for the PPE attack is certainly notable. However, most spear phishing attacks can be carried out with only a few clicks. For cyber criminals, launching a phishing attack is easier than ever. Therefore, it is critical for enterprises to build the awareness needed to avoid becoming targets.

Prefabricated phishing kits on the dark web streamline the workflow for threat actors. For example, look at the recently discovered package called LogoKit. It automatically pulls the victim company’s logo from Google’s photo search to display on the fake phishing login page.

“Unfortunately, the entry barriers are lower than ever with easy-to-use kits being sold on cybercrime forums for as little as a couple of hundred bucks,” says Brett Callow, threat analyst for Emsisoft. “These kits, which are basically web-based apps, enable even low-level scammers to conduct effective template-based phishing campaigns.”

According to Callow, the phishing sites are automatically created and closely resemble the site they’ve been designed to mimic. Once they collect the victim’s credentials, the phony site will sometimes redirect them to the real site. The more real-looking the login page, the higher the chance of tricking the victim.

Yes, sometimes it is that easy for cyber criminals. Even as we publish this in mid-2021, large companies are still falling for phishing attacks. Is it possible to turn the tide?

The Uphill Phishing Attack Battle Only Gets Steeper

First, the bad news. Many bad actors running phishing scams are not the clichéd lone-attacker-in-the-basement type. Cyber criminals might be nation-state actors or part of gangs. In many cases, they are well organized and operate like a real company.

One example is Cosmic Lynx, a Russian group that behaves more brazenly than most attacking groups. This new gang appears to be undeterred by the threat of prosecution in western countries. In addition, it often works with larger dollar amounts. The average sum most attackers will steal from a target company is about $80,000 USD, but for Cosmic Lynx, it’s well above that figure — a whopping $1.27 million.

The most common form of targeted phishing used by groups like Cosmic Lynx is business email compromise (BEC). In this attack, the sender impersonates a C-suite executive’s email account. The attacker tweaks the account name and address to look similar enough to fool users. Most targeted phishing scams begin with a request that a finance employee direct a seemingly routine payment straight into the attacking group’s bank account.

Some attackers took advantage of the pandemic to fuel BEC scams in 2020. One attacker group sent a financial institution an email request for a $1 million transfer to address COVID-19 precautions. Fraudsters changed only one letter of the company CEO’s email address in an attempt to fool the victim.

What Helps Protect From Spear Phishing?

As cybersecurity people, it feels like we’re repeating ourselves far too often about the importance of education, culture and awareness. With every passing year, more companies are falling for these same scams.

“Phishing has been around for years, and one of the reasons for that longevity is simply that it works,” Callow says. “The other reason is that phishing is profitable, and underpins much of the cyber criminal economy with stolen information being used for everything from BEC scams to ransomware attacks.”

To best defend against these attacks, the winning strategy combines tech, awareness and vigilance.

“Defending against phishing attacks is not easy, but by adhering to best practices organizations can significantly limit the chance of becoming a victim,” he says.

Spear Phishing Prevention

It’s key that all employees — even more so those in the C-suite — always default to ‘skeptical’ when on the receiving end of a request for sensitive data or a financial transfer. No matter how genuine the email may appear, always follow up with a phone call or, better yet, an in-person meeting to confirm. Instead of defaulting to trust, which is only human nature, it’s critical to question everything about these emails. Skepticism should be perceived as a positive employee trait and, more importantly, a mark of fiscal responsibility.

Remember, a simple email to confirm is not going to cut it. If you simply reply to it, and it’s a scam, the cyber criminal will obviously confirm that all systems are go.

Vigilance is key here. If you receive a link to a website and aren’t sure about it, do not click on it directly. Just type in the website by hand so you can be sure you aren’t being scammed.

Staying Aware

“Awareness training is critical,” says Callow. “It’s also extremely important to create a better-safe-than-sorry culture in which your team feel completely comfortable reporting suspicious or confirmed spear phishing emails. If they don’t have that level of comfort, they’re more likely to make the decision themselves. Additionally, senior management should attend awareness training sessions. While executives are sometimes inclined to opt out, the reality is that they’re the most likely targets for personalized and hard-to-spot spear phishing campaigns.”

To augment awareness, technical controls are equally crucial. Callow advises businesses to implement spam controls, URL blocking and two-factor or multifactor authentication, as well as adding voice checks into payment processes.
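The BEC pattern described earlier (a CEO’s address altered by a single character) and the mail-filtering controls Callow recommends here can be illustrated with a small triage check. The following is an added example written for this article, not code from IBM, X-Force or Emsisoft. It assumes a constructed executive directory on the hypothetical domain example.com and a handful of constructed From: header values; it flags a message when the display name matches an executive but the address does not, or when the address is within a couple of edits of a real executive address (the typical swapped-letter lookalike).

```python
"""Lookalike-sender triage for BEC detection (added example, not the article's code)."""
from email.utils import parseaddr

# Constructed executive directory: display name -> canonical address (hypothetical domain).
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
    "Carlos Ruiz": "carlos.ruiz@example.com",
}

# Constructed From: header values, as a mail gateway would see them.
SAMPLE_FROM_HEADERS = [
    '"Jane Doe" <jane.doe@example.com>',             # legitimate
    '"Jane Doe" <jane.doe@examp1e.com>',             # one character changed in the domain
    '"Jane Doe" <ceo.janedoe@gmail.com>',            # executive display name on a free-mail address
    '"Carlos Ruiz" <carlos.ruiz@example.com>',       # legitimate
    '"J. Doe" <jane.doe@exarnple.com>',              # "rn" standing in for "m", no exact name match
    '"Bob Smith" <bob.smith@partner.example.net>',   # unrelated third party
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(display_name: str, address: str,
                    directory: dict = EXECUTIVES, max_distance: int = 2) -> tuple:
    """Return ("ok" | "suspicious", reason) for one parsed From: value."""
    addr = address.strip().lower()
    if not addr:
        return ("suspicious", "From: header has no parseable address")
    by_name = {n.casefold(): a.lower() for n, a in directory.items()}
    known = by_name.get(display_name.strip().casefold())
    if known is not None:
        if addr == known:
            return ("ok", f"address matches directory entry for {display_name}")
        # Display-name impersonation: the name is an executive's, the mailbox is not.
        return ("suspicious",
                f"display name '{display_name}' is an executive but address is {addr}, expected {known}")
    # No name match: look for an address a few edits away from any executive address.
    for exec_name, exec_addr in directory.items():
        d = edit_distance(addr, exec_addr.lower())
        if 0 < d <= max_distance:
            return ("suspicious", f"address {addr} is within {d} edit(s) of {exec_addr} ({exec_name})")
    return ("ok", "no executive impersonation indicators")


def triage(from_headers, directory: dict = EXECUTIVES) -> list:
    """Return [(address, reason)] for every From: value judged suspicious."""
    flagged = []
    for raw in from_headers:
        name, addr = parseaddr(raw)
        verdict, reason = classify_sender(name, addr, directory)
        if verdict == "suspicious":
            flagged.append((addr, reason))
    return flagged


if __name__ == "__main__":
    for addr, reason in triage(SAMPLE_FROM_HEADERS):
        print(f"FLAG {addr}: {reason}")
```

Three of the six constructed senders are flagged (the domain with a digit substituted, the free-mail address carrying the CEO’s display name, and the "rn"-for-"m" domain); the legitimate executives and the unrelated partner pass. The two checks cover different failure modes: the name check catches spoofed display names regardless of domain, while the edit-distance check catches the single-character address changes the article describes even when the display name is varied. In a real gateway the directory would come from the identity provider and a hit would quarantine the message or stamp an external-sender banner rather than print.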

In the end, it still boils down to promoting a security-minded culture, which takes time, and more importantly, practice.
