Evolving phishing schemes pose new risks to cybersecurity

Email is perhaps the single most crucial attack vector in cybersecurity today.  According to Verizon’s latest Data Breach Investigations Report, email is the channel used in 94% of attacks where hackers target executives for phishing schemes.  Phishing remains as culpable as ever in data breaches, and based on new insight from Carbon Black and Symantec, it is still evolving.

Targeting executives within an organization to click on malicious attachments is nothing new, but hackers are employing creative approaches to what are known as “supply chain” attacks.  Supply chain attacks are unique because they use an organization’s associates, like outsourcing companies, to spread their attacks across that entity’s network of partners, vendors, etc.  Since C-suite executives are 12 times more likely to be targeted by a hacker, this is providing a lucrative new avenue of attack for cyber thieves.

To analyze examples of this type of cybercrime, Forbes observed the Indian company Wipro.  Hackers used phishing to infiltrate the company’s network, which they then used as a launching pad for attacks against other companies in Wipro’s business network.  Another type of case they studied involved a Silicon Valley software developer that was the victim of a “long-line” phishing attack.  This method seems to be a recent hacker alternative to traditional scattershot tactics, where thousands of emails probe at susceptible employees to get just one of them to take the bait.  In long-lining, however, only one or two executives are targeted, in such a way that the hacker spends a great deal of time studying and building a profile of the person to ultimately compromise their credentials.  This is what Forbes saw happening at the developer.  Five created identities targeted an executive with seemingly legitimate communications—though naturally they were not, but contained malware-infested attachments.

This software developer is not alone in phishing ventures, of course.  Dennis Serocki, controller at construction contractor F.W. Madigan, tells the Worcester Business Journal how he has received a bunch of sham messages supposedly from his bosses.  “Email – it’s very, very dangerous,” he says.  According to Better Business Bureau research, 2018 alone saw $1.3 billion in costs due to phishing efforts.  Over the last three years, $3.1 billion.  Serocki has made efforts to prevent F.W. Madigan from joining this list by informing employees of the risks and ways to counter them.

He and others in his position have had to do just that, as hackers adapt to circumvent ever improving cybersecurity technology (which received a global $124 billion in spending in 2018).  IT teams must adapt in turn by maintaining vigilance, current security measures, and constantly checking for vulnerabilities in their networks.  And, as important as anything else, always be careful with your email clicks.