In early May, hackers launched a major phishing attack against Gmail users. According to a report by NBC News, the email asked recipients to click on an attached Google Docs file, enter their Gmail credentials, and authorize an app called "Google Docs." In reality, it was just a scam to get the victims to reveal their Gmail login information. That same month, phishers managed to hack into a DocuSign database and steal customer email addresses, according to Engadget. The phishers then tried to trick DocuSign customers into downloading a malware-infested Microsoft Word document.
People fall for phishing attacks all the time, and when they do, they often turn to their IT consultant for help. The problem is that if a malware attack hits your customers, they may blame you. It's better for your business's bottom line if you can teach customers how to avoid phishing scams altogether.
By providing phishing training to clients, you not only help protect them from scammers, but you can also head off potential lawsuits.
Which Phishing Attacks Are Fooling Your Clients?
Heid, chief research officer at Security Scorecard (@security_score), says his clients were hit hard by both the Google Docs and DocuSign phishing attacks. So what made these two attacks so effective?
"The DocuSign campaign was a fairly standard phishing campaign," says Heid. "If someone were paying attention, they'd pretty much be able to identify it as a fake email."
But when it came to the Google attack, Heid says phishers got a lot sneakier.
"That one was a change in the game," says Heid. "It definitely seems to have evolved in sophistication. So in that case, an attacker didn't have to create malware or even make a phishing site. They're essentially exploiting the functionality of the email service provider themselves to be able to gain access to people's data, and that's definitely an evolutionary step in favor of the attacker."
Solano, chief information security officer at Lek Securities Corporation (@LekSecurities), says he's seen a lot of phishing scams recently involving phony UPS and FedEx emails.
"We tend to see a lot of these phishing emails indicating that someone has a new package notification, or package tracking information, and people will click those because they get excited when they have a package," says Solano.
Solano also points to phishing attacks that use the promise of Amazon gift cards as bait.
"What I'm seeing now are fraudulent IT survey phishing attempts that promise a free Amazon gift card at the completion of the survey," says Solano. "The survey will look as if it's from Amazon.com and request the person sign in – forfeiting their Amazon credentials."
Havens, senior marketing manager at PhishLabs (@PhishLabs), says she has seen a lot of business email compromise (BEC).
"BEC refers to social engineering attacks used to convince those in charge of finances at an organization to send large payments to the scammers," says Havens. "These attacks are carried out over email conversations initiated by the scammer who spoofs the identity of an executive at the organization."
What Types of Phishing Attacks Can We Expect to See Going Forward?
Heid thinks we will see phishing attacks where the attacker's goal is to obtain an OS token or get a malicious app integrated with the victim's account.
"I believe we are going to see more and more of that going forward because there are not really a lot of protections in place for it, and it's an exploitation of how these systems are meant to function," says Heid.
Both Solano and Havens predict ransomware will continue to be a major threat.
"I do think more of these phishing attacks will include ransomware links, or links to download ransomware," says Solano. "Scam artists are becoming more clever and sophisticated. Attempts to construct phishing emails and malicious webpages almost look perfect, and it is easy to overlook minor design flaws that give away if something is fraudulent or not."
Havens predicts an increase in ransomware for several reasons:
- Ransomware attacks are relatively simple, making them easy for inexperienced cybercriminals to deploy.
- Ransoms are often paid in cryptocurrencies, so the cyber crooks can cash out immediately and tracking is not possible.
- Ransomware is easily available for purchase in underground forums and the dark web.
Havens says some cybercriminals are even offering ransomware as a service – making ransomware threats available to less experienced criminals.
For more on how phishing has changed over the years, check out "What Is Phishing and How Has It Evolved?"
Teach Your Clients How to Avoid Phishing to Protect Your IT Business
If one of your clients falls for a phishing scam, it could be devastating for their business. They may even sue you if they think you should have done more to protect them from phishing attacks. This is why it's important to conduct phishing training for all of your clients. However, if a client does sue, Errors & Omissions Insurance and Cyber Liability Insurance may help pay for your legal costs.
Solano says he conducts phishing experiments targeting the employees at his company in order to educate them. But it doesn't stop there. He emphasizes the key is to then educate employees so they don't fall for it again.
"Successfully phishing somebody is really just step one; what really matters is what you do after that, and that's where the training comes in," says Solano.
"The best advice we can give on protecting against spear phishing attacks is in effective phishing awareness training for employees," says Havens.
She recommends IT consultants make sure their phishing training is…
- Frequent. Havens recommends sending out a monthly simulated phish that reflects real-world threats.
- Focused on point-of-failure. If someone clicks on or takes action on a simulated phish, training must be relevant to the failure. She suggests using short videos or infographics to make the lesson memorable.
- Relevant. Training must address the specific simulated phish failure and teach the user how to spot suspicious email practices in the future.
Remember, while you may be an expert on phishing, your clients are not. The more you can help educate them about what types of phishing attacks they may encounter, the less likely they are to be successfully phished – and the less likely you are to wind up in court.
For more tips about how to talk to your clients about phishing, read "Why IT Consultants Should Use the WannaCry Cyberattack as a 'Teaching Moment.'"
About the Contributors
Havens is the senior marketing manager at PhishLabs. She has over 10 years of experience in marketing, communications, public relations, lead nurturing / generation, and analytics. With a unique blend of marketing and communications experience coupled with a background in behavioral and situational analysis, she brings metrics-driven results and the ability to focus sales and marketing efforts in a direction that offers the highest potential for long-term, sustainable growth.
Heid is chief research officer at Security Scorecard, a leader in cybersecurity ratings. His responsibilities include networking with the threat intelligence community while actively surveying the hacking underground for the latest tools, techniques, and procedures in use by malicious actors. Previously, Heid served as chapter chair for South Florida OWASP, and worked within the financial industry. In 2007, Heid founded Information Security Services, Inc., a full-service information technology and information consulting firm.
Solano is the chief information security officer at Lek Securities Corporation (LSC), where he has worked since 2008. He is responsible for establishing, maintaining, and executing LSC's policies to ensure information assets are protected from cybersecurity threats. Mr. Solano also maintains and supports LSC's global server infrastructure, IT systems, and services. Mr. Solano graduated from SUNY Oneonta in 2006 with a Bachelor of Science in sociology and holds MCP, MCTS, and MCDST Microsoft certifications.