Spear Phishing Gets Us Nearly Every Time: Lessons From Europol’s Report

January 21, 2020
| |
4 min read

“Phishing and malware will also continue to be relentless threats, leveraged by both cybercriminals and APT actors that require organizations to address the inadvertent actor risk.” — 2019 IBM X-Force Threat Intelligence Index Report

The stronger our technical defenses become, the more threat actors look to target the human dimension of security. Just how susceptible are people to phishing and spear phishing? Recent statistics from numerous sources point to an increase in the level of phishing activity and sophistication, as well as a heightened impact on organizations in terms of money stolen, data held for ransom and intellectual property pilfered.

This is no time for organizations to be complacent about this form of social engineering, as the stakes are high, and technology-based controls can only get us so far.

A Thriving Phishing Industry

Judging by the amount of activity, the phishing industry is a thriving business. In their latest report covering Q3 2019, the Anti-Phishing Working Group (APWG) labeled this period as “the worst period for phishing that the APWG has seen in three years.” For each month from July to September 2019, they reported over 80,000 phishing sites, with three-quarters of all attacks targeting just three industry sectors: SaaS/webmail (33 percent), payment industry (21 percent) and financial institutions (19 percent).

From a global law enforcement perspective, Europol recently released a report focused on spear phishing that noted how “spear phishing is still one of the most common and most dangerous attack vectors.” The report further detailed how one organized criminal group caused over 1 billion dollars in losses to the financial services industry by leveraging spear phishing as part of their activities to move money via ATM withdrawals and wire transfers.

Like the APWG’s statistics, Europol’s findings show that the number of phishing websites has reached new record levels. Europol noted that 65 percent of targeted attacks involved spear phishing as the primary infection vector. With regard to cyber espionage, phishing was used in 78 percent of cases.

Phishing Pairs With Business Email Compromise

Because phishing is a means to an end, one common follow-up that’s often observed alongside a phishing campaign is business email compromise (BEC). If BEC attacks have been getting a lot more coverage in 2019, it’s because there has been an uptick in activity and in losses reported by businesses and individuals.

In September 2019, the FBI issued a rare warning about BEC attacks via its IC3 reporting center. In the release, titled “Business Email Compromise: The $26 Billion Scam,” the FBI shared sobering statistics about just how effective BEC fraud has become. From 2013 to 2019, the FBI reported nearly 70,000 American victims, totaling over 10 billion dollars in losses for the U.S. alone. Globally, there were over 150,000 victims, with more than 26 billion dollars at stake.

BEC attacks often involve tricking the victim into transferring funds to accounts under attackers’ control, and fraudsters have three main vehicles for “cashing out” in this way. As the APWG noted, the preferred method was to ask for gift cards (56 percent), with another 25 percent moving funds via payroll diversion and 19 percent via direct transfers. However, attackers leveraging wire transfers were able to move substantially more money ($52,325 on average) compared to those choosing the gift card route, who averaged just $1,571.

Security Awareness Isn’t Enough

There is a running theme in the reports from the APWG and Europol and the warnings from the FBI/IC3: Take phishing seriously and review your preparations now. Europol warns that there is a wealth of at-risk information online about organizations and specific employees, such as top-level managers and finance or payroll staff. This information enables highly effective spear phishing attacks that can result in “much greater damage overall.” According to Europol, “one successful attempt can be enough to compromise a whole organization.”

To avoid raising suspicion and increase their chance of success, spear phishing campaigns tend to seek critical information related to three key aspects of a target organization:

  • The structure of the organization — who works where and to whom they report
  • The various tools, skills and knowledge bases staff use routinely
  • The processes in place at that particular organization or location

Extensive use of job advertising sites and social media platforms by organizations and employees alike can make the process of assembling this information much easier and faster than it would have been just a decade ago.

Beyond Awareness: Security and HR Must Work Together

As phishers up their game in terms of both the frequency and capabilities of their attacks, HR and organizations’ security functions must work together to achieve more than awareness. But much of the advice which was common as recently as five years ago is no longer sufficient. For example, the APWG reported that by the end of 2019, 68 percent of all phishing sites used SSL protection — up from around 10 percent in Q1 2017 — so telling users to look for SSL/TLS visual clues in websites is no longer an effective strategy by itself.

Some key recommendations from the Europol report are as follows:

  • Review your organization’s social engineering footprint, especially on the topics of structure, processes and software. For example, the website Hunter.io provides the general format of email addresses for a given organization. Since an email address usually represents half of the credentials one would need to authenticate (with a password representing the other), it’s important to remind users about good password hygiene and safe surfing/clicking. For example, one phishing campaign used fake unusual sign-in activity notifications to get users to share their legitimate credentials.
  • Europol has indicated that many organizations are simply unprepared to investigate spear phishing and BEC incidents adequately. Top leadership should encourage the development and refining of dedicated incident response and investigation processes for phishing and BEC incidents.
  • Organizations should also conduct a yearly review of controls and processes to get assurances of their effectiveness. Such reviews must address the human dimension of security with tailored security awareness campaigns and phishing tests as well as a review of technology controls and response processes. According to IBM Security, “routinely providing employee education and test campaigns with updated phishing techniques used by attackers can help mitigate these threats.” For example, you could test employees with a fake performance appraisal attachment or a privacy policy annual review. This would also present a good opportunity to review data backup and restoration capabilities, given the many ransomware incidents that plagued companies and government targets in 2019.
  • Implement best practices for responding to Office 365 phishing. Since many organizations have moved their email and office applications to Office 365, they should also ensure that they have configured effective preventive and detective controls by deploying multifactor authentication (MFA), mailbox auditing and log preservation. There must also be a system in place to respond to unusual activity.

Email and social media keep us connected to our friends, families, employers and favorite brands. However, they are also a portal through which attackers can take advantage of our human nature. Organizations and individuals must remain vigilant for spear phishing and BEC attacks by combining awareness with robust security controls and processes that boost overall cyber resilience.

Christophe Veltsos
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato

Chris Veltsos is a professor in the Department of Computer Information Science at Minnesota State University, Mankato where he regularly teaches Information ...
read more