Increasing Sophistication of Phishing Attacks

This is part one of a three-part series on the anatomy of a phishing attack. Our partners at Cisco have outlined the facts on phishing below.

With the increasing sophistication of phishing attacks, IT security teams today face the daunting task of defending an extended perimeter and attack surface due to the increased use of cloud services and the sheer volume of mobile devices that access corporate applications. Enterprise use of cloud apps continues to climb, while employees typically use multiple devices for work to access the many cloud services.

The recent shift to remote work has further blurred the line between personal devices and corporate-managed devices as employees use them interchangeably for work and recreation. While organizations were forced to adapt to a distributed workforce at an accelerated pace, the dependency on traditional technologies and the quick deployment of new technologies have created security gaps¹ around connecting devices and trusted access.

According to Verizon’s 2020 Data Breach Investigations Report (DBIR), 67% of breaches were due to credential theft, errors, and social attacks. This statistic indicates that hackers focus their efforts on social engineering and spear-phishing tactics to gain the trust of unsuspecting victims and compromise their credentials. Sophisticated attacks are becoming increasingly common as hacking and phishing tools, along with documentation on how to use them, are readily available online to hackers. This has significantly lowered the barrier for hackers’ entry with time and resources to target organizations, gather information about security controls that organizations have implemented, and execute an attack to bypass those controls.

Social Engineering

According to the Cybersecurity and Infrastructure Security Agency(CISA), social engineering uses human interaction (often through email or phone calls) to obtain or compromise information about an organization or its computer systems.

Social engineering uses people’s psychological manipulation to get them to perform a specific action or divulge confidential information. Through information gathered by research and manipulative interactions, social engineers may be able to piece together enough information to infiltrate an organization’s network and impersonate an actual employee. The hacker may seem unassuming and respectable, possibly claiming to be a new employee, repair person, or researcher, and may even offer credentials to support that identity.

Spear Phishing

Spear phishing or targeted phishing is a form of social engineering tailor-made for the individual or organization that receives it. Like regular phishing, this attack aims to acquire sensitive information, install malware, or steal credentials. Unlike regular phishing, spear phishing takes advantage of an individual’s personal motivations, interests, and incentives to encourage them to fall for the attack.

These types of attacks are opportunistic in nature, taking advantage of the human element of an organization’s security. Even the most technologically savvy employees can fall victim to a well-designed social engineering attack. And that’s exactly the situation that played out in the high-profile breach we discuss in the case study in part two.

Has your company been a target of a phishing attack? Do you need help in training your employees to spot the signs of a phishing email or text? Contact us and see how we can partner together so your company is protected.