The Phishing Season is Now 365 Days
- By Shahnawaz Backer, F5 Networks
- January 22, 2020
With the Lunar New Year upon us, most Singaporeans will be engaging in some form of online shopping to usher in the Year of the Rat, be it buying new outfits for the festivities or sending eAngbaos to family and friends. Historically, such celebrations gave hackers a window of opportunity to target unsuspecting shoppers, specifically through phishing attacks, but is that still the case?
Phishing attacks have been a leading cause of breaches globally: according to Proofpoint, 83% of information security (infosec) professionals reported experiencing phishing attacks in 2018, up from 76% in 2017.
This upward trajectory is due to the ease with which threat actors can launch these attacks. Instead of breaking through a firewall, defeating encryption, or finding a vulnerability in a system, a convincing email pretext and a fake landing page are all that is needed to launch an attack.
A dark threat rises
According to the Cyber Security Agency of Singapore (CSA), 378 business email impersonation scams were recorded in 2018, an increase from 332 in 2017. This led to businesses in Singapore suffering close to SGD 58 million (USD 42 million) in losses, an increase of about 31% from the previous year.
In October 2019, the National University of Singapore (NUS) suffered a significant phishing attack where an attempt was made to gain access to academic research. The affected students and alumni were sent an email informing them that their access to the library system was set to expire soon, encouraging them to renew it by clicking on a link to continue having access to all online library services.
Phishing attacks used to be a popular attack vector during festive shopping seasons because it was easier to trick people into opening fake package-delivery notifications or receipt emails from their online shopping sprees, but this pattern has changed.
The rise of social media makes personal data freely available to attackers anytime. They no longer have to wait for festive shopping seasons to trick unsuspecting shoppers. This means that phishing has now become a year-round sport, making it a definite concern for businesses and individuals alike.
The anatomy of the “phish”
While most of us are aware of the concept and pitfalls of phishing, attackers can still launch phishing attacks quickly by preying on human behavior. These scams continue to work so well because they appear legitimate to users.
By using the names of friends and colleagues—information that is relatively easy to come by through an analysis of social media accounts or via open source intel and spam lists—and by leveraging popular brands (Facebook, Microsoft, Amazon, Netflix, and Apple), hackers can get users to lower their guard.
Furthermore, phishing emails remain effective because they are three times more likely to carry a malicious link than a harmful attachment. Such links tempt users to click to find out more and, of course, lead to fake websites designed to harvest credentials, trick users into installing malware, or exploit vulnerabilities in the browser to plant a virus.
To make such scams look even more legitimate, 71% of phishing sites use HTTPS, while 85% feature certificates by trusted authorities.
Avoiding the con
There are many ways to prevent your organization from falling prey to these phishing scams. Alongside awareness training and guidance on how to assess the legitimacy of emails and other phishing lures, organizations can ensure that incoming emails from external sources are clearly labeled to prevent spoofing.
Furthermore, apart from relying on regularly updated anti-virus software to block malware installation attempts, IT teams should deploy a web filtering solution to stop users from inadvertently visiting phishing sites, a handy addition to the anti-phishing arsenal.
Multifactor authentication (MFA) is another phishing “gap insurance” that prevents stolen credentials from being used from an unexpected location or unknown device.
Finally, with more than 90% of internet traffic encrypted and 68% of malware phoning home through encrypted tunnels, IT teams also need to deploy a decryption gateway in front of their incident detection tools so that infections hidden in encrypted traffic can be detected.
As phishing attempts become increasingly sophisticated and difficult to spot, users will need to pay close attention to sieve out such scams. Implementing these steps makes life difficult for threat actors looking for a quick buck in a game that is all about low effort for high yield.
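Two of the points above, labeling external mail so spoofed senders stand out and the fact that links rather than attachments carry most of the risk, can be turned into a small gateway-side check. The script below is an added example written for this page, not code from the article or from F5: it tags messages from outside the organisation, flags an external sender that borrows the display name of an internal colleague or service, and flags links whose visible text names a different domain than the real href. The organisation's domains, the internal name directory and the sample message are all constructed for the demo and are not taken from the NUS incident.

```python
"""Tag external mail and flag common phishing tells (added example).

Assumptions (constructed for the demo): the organisation owns
example.edu, its internal directory is a tiny set of display names,
and the sample message is a single-part HTML email.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example.edu"}                  # constructed
INTERNAL_DIRECTORY = {"library services", "alice tan"}  # constructed
EXTERNAL_TAG = "[EXTERNAL]"

# Captures an HTML anchor's href and its visible text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Finds a bare or URL-prefixed hostname inside visible link text.
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([\w.-]+\.[a-z]{2,})", re.I)


def sender_domain(msg):
    """Domain part of the From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_external(msg):
    return sender_domain(msg) not in INTERNAL_DOMAINS


def tag_subject(msg):
    """Prepend the external tag to the subject (idempotent)."""
    subject = msg.get("Subject", "")
    if is_external(msg) and not subject.startswith(EXTERNAL_TAG):
        return f"{EXTERNAL_TAG} {subject}"
    return subject


def registrable(host):
    """Crude registrable domain: the last two labels (enough for the demo)."""
    return ".".join(host.lower().split(".")[-2:])


def link_mismatches(html):
    """Anchors whose visible text names a domain other than the href's host."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        href_host = urlparse(href).hostname or ""
        visible = re.sub(r"<[^>]+>", "", text).strip()
        m = HOST_IN_TEXT_RE.search(visible)
        if m and registrable(m.group(1)) != registrable(href_host):
            found.append((visible, href_host))
    return found


def analyse(raw):
    """Return the tagged subject plus a list of human-readable findings."""
    msg = message_from_string(raw)
    display_name, _ = parseaddr(msg.get("From", ""))
    findings = []
    if is_external(msg) and display_name.strip().lower() in INTERNAL_DIRECTORY:
        findings.append(
            f"external sender uses internal display name '{display_name}'")
    for visible, host in link_mismatches(msg.get_payload()):
        findings.append(f"link text '{visible}' actually goes to {host}")
    return {"subject": tag_subject(msg),
            "external": is_external(msg),
            "findings": findings}


# Constructed sample: a library-renewal lure from a look-alike domain.
SAMPLE = """\
From: Library Services <renewals@library-access-renew.example.net>
To: student@example.edu
Subject: Your library access expires soon
Content-Type: text/html

<p>Your access to the library system expires soon.</p>
<p>Renew at <a href="https://library-access-renew.example.net/login">https://library.example.edu/renew</a></p>
"""

if __name__ == "__main__":
    result = analyse(SAMPLE)
    print(result["subject"])
    for finding in result["findings"]:
        print(" -", finding)
```

The point of the check is that an HTTPS padlock on the destination tells the user nothing, so the gateway compares what the link claims against where it actually goes, and the `[EXTERNAL]` tag gives the user a second cue that "Library Services" did not write from inside the organisation.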
Shahnawaz Backer, security specialist, APCJ, at F5 Networks, wrote this article. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.