Today cybercriminals make a concerted effort to go after large, valuable targets. Many of their efforts involve phishing, which uses deception to get individuals to divulge personal information. Once scammers obtain the information, they use it to attempt more advanced scams or sell it. Phishing is often just the foothold cybercriminals use for further attacks. Strong identity governance and other security measures are necessary to prevent phishing.

More than 80% of organizations were victims of phishing attacks last year

Proofpoint’s 2022 State of the Phish Report found that 83% of organizations were victims of phishing attacks last year. According to IBM’s Cost of Data Breach report, they cost a business, on average, $4.65 million.

Types of phishing attacks include spear phishing, which targets an individual employee and often uses malicious code, and whaling, which targets high-level employees and yields bigger profits for cybercriminals.

Cloning is when hackers send an email that appears to come from a popular brand. The individual goes to what appears to be a brand website and provides information hackers can use. Some of the most impersonated brands include Google, Amazon, Microsoft, Rakuten, and PayPal. Hackers may even pretend to be the CEO of a company to gain valuable information.

A Microsoft-themed attack uncovered in 2021 targeted senior business executives with titles like Vice President or Managing Director who were likely to have access to more sensitive company data. Voicemail attachments led to fake Google reCAPTCHAs. Victims were eventually directed to a fake Office 365 login.

Perception Point describes some of the advanced phishing techniques in use today that make phishing harder to detect, and how to prevent them.

How to tell if websites are legitimate

One of the oldest scams around that is still being used successfully in 2022 is to create a legitimate-looking website that mimics a real-life business.

In March 2022, Hapag-Lloyd, a global leader in container shipping, became a victim of cybercrime. Customers were directed to log in to a phishing website that looked like an exact copy of the official website. Cybercriminals managed to gain access to highly confidential data.

It is not enough today to check that a website has an SSL certificate, because cybercriminals use them too. Other ways to identify phishing websites are:

- Check the spelling of the URL for an extra letter or an “O” replaced by a zero. A URL may also have extra or missing symbols or characters.

- Go to the Contact Us page and see whether it has any credible details.

- If a popup asking for personal details appears when you go to a link, consider this a red flag.

- Check the payment method. If a website asks for a direct bank transfer instead of offering payment options like PayPal, be cautious.

Today there are phishing URL checkers that use advanced machine learning to check for discrepancies.
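The URL checks listed above, implemented as a small look-alike detector. This is an added example, not code from the original article or from Perception Point; the brand list and the character-swap table are assumptions, and the registrable-domain helper is deliberately simplified.

```python
"""Flag look-alike hostnames against a list of known brand domains.

Heuristics from the article: an extra or missing letter, an "O" swapped for
a zero, or a brand name buried in a host that belongs to someone else.
"""
from urllib.parse import urlsplit

# Constructed list of legitimate domains (an assumption, not a real allowlist).
KNOWN_BRANDS = {"google.com", "amazon.com", "microsoft.com", "paypal.com"}
# Characters commonly swapped for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels; a simplification that ignores suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_url(url: str) -> str:
    """Return 'known', 'lookalike' or 'unrelated' for the URL's hostname."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable(host)
    if reg in KNOWN_BRANDS:
        return "known"
    normalized = reg.translate(HOMOGLYPHS)
    for brand in KNOWN_BRANDS:
        name = brand.split(".")[0]
        # Brand name used as a subdomain of someone else's domain.
        if name in host.split(".")[:-2]:
            return "lookalike"
        # One edit away: extra/missing letter or a digit-for-letter swap.
        if levenshtein(normalized.split(".")[0], name) <= 1:
            return "lookalike"
    return "unrelated"
```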

Using free webmail accounts for BEC attacks

In Q1 2022, the Anti-Phishing Working Group (APWG) found that business email compromise attacks had remained steady, but scammers were demanding increased amounts. Cybercriminals impersonate trusted individuals to trick victims into making transactions.

Agari, an APWG member, found that there was a 68% increase in the amounts requested in wire transfers from BEC attacks from Q4 2021 to Q1 2022. Most of the emails came from free webmail accounts.

- A legitimate organization is unlikely to send emails from an address that ends in @gmail.com. Most large organizations have their own email domain and company accounts.

- If an email comes from an address that doesn’t seem to be affiliated with the sender, it could be a scam.

- More sophisticated phishing emails will include the organization’s name. The address may read something like ‘[email protected]’.

- When crafting their phishing messages, cybercriminals often use a spell checker or machine translation. This gives them all the right words, but they may not use them in the proper context. Recipients should look at the context in which words are used and check whether the email contains mistakes a native speaker wouldn’t make.

Algorithms available in advanced email security solutions today can significantly lower the success rates of such attempts.
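The sender checks from the list above, applied to constructed email headers. This is an added example, not code from the original article or any vendor product; the company name, its domain, the executive list and the free-webmail set are all assumptions.

```python
"""Score an inbound message's From: header against the article's BEC indicators."""
import re
from email import message_from_string
from email.utils import parseaddr

FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
COMPANY = "examplecorp"           # hypothetical organisation name
COMPANY_DOMAIN = "examplecorp.com"  # hypothetical corporate mail domain
EXECUTIVES = {"Jane Doe"}         # constructed list of names worth impersonating


def sender_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators triggered by the From: header, in check order."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    local, _, domain = address.lower().rpartition("@")
    hits = []
    if domain in FREE_WEBMAIL:
        hits.append("free-webmail-sender")
        # Organisation name embedded in a free webmail address.
        if COMPANY in local:
            hits.append("company-name-in-free-webmail-address")
        # An executive's name on a free webmail account.
        if display in EXECUTIVES:
            hits.append("executive-display-name-on-free-webmail")
    if display and domain and domain != COMPANY_DOMAIN:
        # Display name claims the company, but the address is not its domain.
        if COMPANY in re.sub(r"\W", "", display.lower()):
            hits.append("display-name-domain-mismatch")
    return hits


# Constructed sample messages (not real mail).
SAMPLE_FRAUD = (
    "From: Jane Doe <examplecorp.ceo@gmail.com>\n"
    "Subject: Urgent wire transfer\n\nPlease process the attached invoice today.\n"
)
SAMPLE_MISMATCH = (
    "From: ExampleCorp Accounts <billing@acct-examplecorp.net>\n"
    "Subject: Updated bank details\n\nPlease use the new account below.\n"
)
SAMPLE_OK = (
    "From: Jane Doe <jane.doe@examplecorp.com>\n"
    "Subject: Lunch\n\nSee you at noon.\n"
)
```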

Using legitimate domains and hosts

When phishing websites are legitimately registered and hosted on legitimate platforms, they are harder to spot. Many domains registered on platforms like Namecheap have resulted in BEC attacks. Popular hosting platforms may also host phishing websites.

Registrars need to be informed of phishing attempts so they can identify and suspend the domains involved. Most registrars have reporting pages or abuse departments. Reporting phishing to hosting and cloud services can also help to shut down phishing websites. Victims should not be embarrassed to report phishing attempts; like other forms of intimidation, these attacks thrive on targets being too embarrassed or afraid to speak out.

Advanced threat detection tools

Advanced threat detection tools are required to detect phishing attempts today. Using the technology of image recognition can help to validate whether a website is legitimate. What is hard to detect using human eyesight can be detected using algorithms that know the original brand. They can analyze a potentially malicious URL or email against the original.

“Sandboxing”, or dynamic scanning of all URLs, can also identify senders that appear legitimate but are not. Next-generation sandbox technologies can perform these scans quickly and accurately.

Achieving goals strategically requires action planning, and the same applies to a company that wants to defend against phishing attempts.

Reporting scams

In the U.S., companies can file an official complaint with their State Consumer Protection Office. Depending on the severity of a scam, they can also contact various federal agencies.

Conclusion

As antivirus and anti-malware software continues to improve, cybercriminals have to become more creative in their attempts. Using advanced threat detection solutions together with the phishing prevention techniques described above allows organizations to identify and prevent sophisticated phishing attacks that can result in great losses.