Phishing now a year-round 'sport'

Phishing attacks have been a leading cause for breaches globally, with 83% of information security (infosec) professionals reported having experienced phishing attacks in 2018, up from 76% in 2017, according to Proofpoint. This upward trajectory is due to the ease with which threat actors can launch these attacks. As opposed to hacking through a firewall, deciphering encryption or finding a vulnerability within your system, a good trick email pitch and a fake landing website are all that is needed to launch an attack.

Cybercriminals Love the shopping season!

Shopping season is tricky for consumers, and exciting for cybercriminals. Many ramp up online shopping in the lead-up to the holiday period and, as their ‘to-do’ lists get longer, some will inevitably let their guard down online. Cybercriminals know this too well and they consequently spend a lot of effort devising schemes to take advantage of such corner cutting behavior.

According to reports, 56.1% Indians have fallen victim to discount scams by clicking on malicious links during holiday shopping online this year. While cybercriminal activity continues to grow in sophistication, popular scams like email phishing (25.3%) and text phishing (21.1%) still result in close to a quarter of Indians being duped throughout the season. 

Phishing attacks used to be a popular attack vector during the holiday season as it is easier to trick people into opening notifications for package deliveries or receipt emails from their online shopping spree but now this pattern has changed. The rise of social media makes personal data freely available to attackers anytime. They no longer have to wait for the year-end holiday shopping season to trick unsuspecting shoppers. This means that phishing has now become a year-round sport, making it a definite concern for businesses and individuals alike.

The anatomy of the “phish”

While most of us are aware of the concept and pitfalls of phishing attacks, attackers are still able to easily launch phishing attacks by preying on human behavior. These scams continue to work so well because they appear legitimate to users. By using the names of friends and colleagues—information that is relatively easy to come by through an analysis of social media accounts or via open source intel and spam lists—and by leveraging popular brands (Facebook, Microsoft, Amazon, Netflix and Apple), hackers are able to get users to lower their guard.

Furthermore, phishing emails continue to be effective because they are three times more likely to have a malicious link than a harmful attachment. These links tempt users to click on them to find out more. They, of course, lead to fake websites designed to harvest credentials, trick users into installing malware, or inject virus into the vulnerabilities found in browsers. To make such scams look even more legitimate, 71% of phishing sites use HTTPS, while 85% feature certificates by trusted authorities.

How to avoid falling for phishing attacks?

There are many ways to prevent your organizations from falling prey to these phishing scams. Coupled with awareness training and guidance on how to assess the legitimacy of emails and other types of phishing methods, organizations can also ensure incoming emails from external sources are clearly labeled to prevent spoofing.

Users should slow down and validate offers before clicking on any links, and as always, exercise more caution when required to input their personal data anywhere. Any too-good-to-be-true offers featured in popups and links need to be viewed with extra scrutiny.

Furthermore, apart from relying on regularly updated anti-virus software to stop malware installation attempts, IT teams should install a web filtering solution to prevent users from inadvertently visiting phishing sites—a handy defense tool to the anti-phishing arsenal.

Multifactor authentication (MFA) is another phishing “gap insurance” that prevents stolen credentials from being used from an unexpected location or unknown device.

Finally, with more than 90% of internet traffic encrypted and 68% of malware phoning home through encrypted tunnels, IT teams also need to deploy a decryption gateway before sending through to incident detection tools to detect infections.

By implementing these steps, it becomes difficult for threat actors looking for an easy way to make a quick buck where the game is all about low effort for high yields.

The author is Security Manager, India, F5 Networks

Nike