Deceptive Phishing - How Hackers are Luring Victims
We’ve written a few blog posts about spear phishing over the last year or so. My colleague Paul Ibarra wrote a great article dissecting a phishing email. Our sales director, John Garza, wrote one about the four different types of phishing. Today, I’d like to dive deeper into what’s called deceptive phishing, which aims to lure the victim into clicking a malicious URL or opening an email attachment so that they hand over their personal data.
Prevalence of Deceptive Phishing
The prevalence of deceptive phishing is directly correlated with the adoption of new technologies. The more we rely on applications to help us day-to-day, the more information we have that must be protected by passwords and encryption technology. Access to this data must be limited, but the easiest way for a criminal to gain access to it is to go straight to the source: you! We have all heard about deceptive phishing. A person receives an email that appears to be from their bank, goes to a login site, types in their credentials, and then realizes that they weren’t on their bank’s site at all; rather, the entire site was a guise created by a malicious actor. Now the actor has your username and password, your email address, and the ability to gain access to any account on which that username, email and password work.
What tricks are working best, and who is most vulnerable?
Disguising malicious attachments as fake invoices remains the most popular method for deceiving users into opening phishing emails and taking the bait. Symantec recently reported that one in every four major malware spam campaigns took this approach in 2016.
Naming scanned documents after typical office printers or copiers is another strategy attackers are increasingly using to trick a victim into clicking. One particular form that hackers have had success with recently is the W-2 phishing email. Tax season is a time when everyone should be on high alert when it comes to email correspondence. Tamara Powell, the IRS Return Integrity Compliance Services Director, reported earlier this year, “in the first four months of 2017, 870 organizations reported to the IRS that they received a W-2 phishing email, up from about 100 organizations in the first four months of 2016.” The IRS even deemed it “one of the most dangerous email phishing scams” they have ever encountered. So, overwhelmingly, scammers create emails that look as close to everyday correspondence as possible to gain user trust.
But who is most vulnerable?
Spoiler alert: EVERYONE. If the recent US election tells us anything, it is that it doesn’t matter how much education you have, or how important you are or aren’t: everyone is a target. Over the course of 2017, phishing rates have skyrocketed across all industries, not just in large enterprises or certain verticals such as finance and healthcare. There are many things you can do to protect your company, and paramount among them is end-user training. But, most often, that’s not enough, particularly in the fast-paced whirlwind in which we tend to do business. Thus, companies must turn to providers like Jungle Disk who can offer strong security technologies to mitigate your risk from every angle.
Deceptive phishing is clearly going to be around for a while, so it’s up to us to be mindful and wary of oncoming threats. Let us empower you to defend yourself from bad actors!