Scams have been prevalent from the earliest days of the internet when e-mail was more of a novelty than a necessity. Yet, the threat of these emails was limited by a technology in its infancy and the often-outlandish nature of the scams themselves. An infamous scam technique was that of the “Nigerian Prince” which asked e-mail recipients to send money with a promise it would be repaid with interest. Whether these emails tried to have individuals reveal private information or asked directly for money, they were effective in building a cultural understanding that the internet would not be without crime.
Your “Coworker”: The New Nigerian Prince
Since the 1990s, both technology and the internet have evolved at a rapid pace. Modern businesses rely on the internet to remain competitive, and the threats they face from embracing the digital future are now equivalent to, or perhaps greater than, any faced in the physical world. Employees of corporate entities must now be wary of ever-evolving threats that mimic email addresses, websites, and even entire corporate processes in an attempt to steal information or compromise network infrastructure.
Phishing attacks are broadly defined as an attack strategy in which the attacker poses as a legitimate source and, via email, seeks private or confidential information such as social security numbers, credit card details, and addresses. As these attacks have grown more varied and sophisticated, experts have created subcategories that describe specific phishing techniques.
If phishing sees a criminal cast a large net to scam many individuals at once, spear-phishing does the exact opposite. This technique targets a single individual and makes use of information about that person's career or personal life, either to have the victim hand over information in reply to a fraudulent email or to have them open material that infects their device (or even their entire corporate network) with malware. A variant of spear-phishing, known as whale-phishing, targets CEOs or similar company executives who are known to have access to a significant amount of sensitive information.
Other social engineering exploits are becoming increasingly popular as they target a victim's voicemail (“vishing”) or SMS messages (“smishing”) in an attempt to extract information or receive payments. These schemes are often broader than spear-phishing attacks, but criminals have become adept at using the geographic origin of email addresses to better target their campaigns.
One of the largest cyber-attacks in American corporate history occurred in November 2014 and began with phishing emails that targeted Sony Pictures Entertainment executives. The emails, which purported to be from Apple, asked for login credentials; these were later tested against corporate email accounts to gain system access and install malware. This hack is estimated to have cost Sony more than $150 million in revenue, in addition to compromising its entire IT infrastructure.
The attack on Sony occurred in 2014, and although the damage was widely publicized, businesses are just as vulnerable as we approach 2020 as they were then. Criminals attack both large and small businesses with fake invoices, impersonated emails, and elaborate landing pages that replicate entire business processes. Even a trained eye can be taken in by these schemes, so investment in protection has become necessary for any organization that has integrated technology into its day-to-day functions.
Defense is the Best Offense
Phishing preys on human error to succeed, so it is a company's job to have policies and procedures that help prevent phishing emails from arriving and that create a culture of awareness for the ones that do reach an employee's inbox. If your company handles external data and private information, a SOC 2 report can provide assurance to clients and partner organizations that these procedures are in place. If your company needs guidance regarding its internal IT environment, Boulay can also perform Risk Assessment procedures that provide insight into where to invest to protect your organization.