With 13 percent of phishing attacks targeting financial businesses, it was no surprise when TechInsurance was targeted in an email phishing scheme last week. Spoiler alert: we didn't bite.
The attack on TechInsurance HQ is a pertinent reminder to our staff about the importance of employee education. Our employee spotted the phishing email and alerted IT before other employees could be duped. The attack was fairly sophisticated and it shows how phishing emails have changed in the last few years.
According to Verizon's 2015 Data Breach Investigations Report...
- 23 percent of recipients open phishing emails.
- 11 percent of recipients open the attachments.
These numbers have actually increased over the years because cyber criminals are better at disguising their fraudulent campaigns. Here's a look at how scammers have upped their game.
Most Improved Hacking Award Goes to Phishing Scams
If your first phishing attack doesn't succeed, try and try again – and mind your English. That's one lesson hackers learned to get better at disguising their attacks. Here's how phishing attacks have changed in the last few years:
- Email grammar improved. For a long time, it was easy to spot phishing emails because the grammar was so bad it verged on abstract art. (You can check out the Spam Poetry Institute to see the best of this jumbled jargon.) Now, phishing campaigns are reasonably well-written.
- Attachments are better disguised. The old refrain was "don't open any .exe attachments," but hackers now use all kinds of attachments to trick users. In fact, over 13 percent of phishing attachments are now workplace-friendly .doc or .pdf files.
- Email content has evolved. Phishing campaigns are now disguised as work correspondence. Often, they're sent from someone asking you about a project, or including you on an email chain discussing work-related topics (e.g., a website issue, payroll problem, etc.).
- They can be socially engineered. You know your LinkedIn account? Well, some cyber criminals will scout your social media, look at which third-party vendors you know, and send you an email that looks like it comes from them.
We saw these four improvements in the email that targeted TechInsurance. The email was presented as a chain. For our employee, it looked like they had been cc'd mid-conversation into a discussion with a third-party vendor.
4 Signs that Will Help You Spot a Phishing Campaign
Phishing attacks aren't impossible to stop, but they're sophisticated enough to trick employees who aren't keeping a watchful eye. It'll be up to IT departments to emphasize good security habits with employees.
You (or your clients) may be dealing with a phishing scam if...
- An email references a project you haven't heard of.
- It asks you to click a link or open an attachment.
- You don't normally get correspondence from the sender.
- It uses generic language, referring to things like "the team" or "the project" and is excessively vague.
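As an added illustration (not part of the original post), the four signs above can be turned into a simple triage check over a raw email message; the sender allow-list, project names, generic phrases and both sample messages are constructed assumptions, including a lure shaped like the cc'd-mid-thread vendor email described earlier:

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
# Constructed assumptions: who the recipient normally hears from, and what they work on.
KNOWN_SENDERS = {"alice@vendor.example", "bob@techinsurance.example"}
KNOWN_PROJECTS = {"website redesign", "q3 payroll migration"}
GENERIC_PHRASES = ("the team", "the project", "the attached", "as discussed")
LINK_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def phishing_signals(raw: bytes) -> list[str]:
    """Return which of the four signs a raw RFC 5322 message triggers."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{subject}\n{body}".lower()
    signals = []
    # Sign 1: mentions a project, but none you actually work on.
    if "project" in text and not any(p in text for p in KNOWN_PROJECTS):
        signals.append("unknown project")
    # Sign 2: wants you to open an attachment or click a link.
    if list(msg.iter_attachments()) or LINK_RE.search(body):
        signals.append("attachment or link")
    # Sign 3: sender is not a regular correspondent.
    if sender.lower() not in KNOWN_SENDERS:
        signals.append("unfamiliar sender")
    # Sign 4: vague, generic wording used in place of specifics.
    if sum(text.count(p) for p in GENERIC_PHRASES) >= 2:
        signals.append("generic language")
    return signals

def build_sample(sender: str, subject: str, body: str, attachment: str = "") -> bytes:
    # Builds a constructed sample message (not a real capture) for testing the check.
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "employee@techinsurance.example", subject
    msg.set_content(body)
    if attachment:  # placeholder bytes; only the presence of an attachment matters here
        msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                           subtype="pdf", filename=attachment)
    return msg.as_bytes()

# The cc'd-mid-thread vendor lure from the post, as a constructed sample, plus a benign one.
LURE = build_sample("Vendor Support <support@vendor-portal.example>", "Re: the project update",
                    "Looping you in on the project as discussed with the team.\n"
                    "Please review the attached before the call.\n", "summary.pdf")
LEGIT = build_sample("alice@vendor.example", "Staging link", "Staging: https://staging.example/\n")
```

The lure trips all four signs while the benign message trips only the link check, which is the point: one sign is a prompt to look closer, several together are a reason to stop and ask IT.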
To learn more about recent trends in spear phishing campaigns (and how they're targeting small businesses), be sure to check out "Re: Your Recent Spear Phishing Attack."
Phishing Prevention: Managing Your Professional Liability Risk
IT consultants can be sued if email filters don't flag phishing emails or anti-malware software doesn't block a phishing attachment. Any time your client's security is compromised, you could find yourself on the wrong end of a lawsuit.
While Professional Liability Insurance (aka Errors and Omissions) can step in when a client claims you shirked your duties or didn't deliver high quality IT, it's better to prevent these breaches before they occur.
Check out TechInsurance's free Customer Education Kit for ways to prevent data breaches and security incidents, and share this information with your clients.