Criminals are Doing Their Cybersecurity Homework
- Posted by Compass Computing Group, Inc.
- On May 7, 2021
Phishing scams are on the rise. And cybercriminals know full well that your staff members are their best bet for phishing attack success. Your employees aren’t dumb, nor are they being intentionally negligent. Rather, they are being manipulated by increasingly clever and realistic scams from a growing community of cybercriminals, also known as bad actors, who have done their cybersecurity homework and prey on human error.
Typo-laden financial support requests from foreign princes are a thing of the past. Today’s phishing emails are incredibly hard to detect, even for the most diligent and cyber-savvy among us. A seemingly legit LinkedIn request from a new co-worker. A FedEx tracking request branded to look identical to other legitimate FedEx tracking requests you may have received in the not-so-distant past. A survey from your HR department, with nary a typo in sight, requesting your input as they reassess their suite of employee benefits. Anything from PayPal (incidentally, PayPal is one of the most commonly imitated phishing brands in the world).
Why is Phishing So Effective?
For starters, our brains are wired to make fast decisions. “We’re moving quickly, reading through tons of email, and these criminals are doing their due diligence,” Compass Computing Group President Robert Phillips states, “If you are not paying attention, it’s so easy to get caught. We tell our clients, if they are at all suspicious about an email, to look at the ‘from’ email address. That’s usually a dead giveaway if it’s fraudulent.”
This act of manipulating employees through phishing is referred to as social engineering, and it’s on the rise. More than three billion phishing emails are sent out globally on a daily basis. It’s easier for a criminal to exploit natural human inclination and tendencies than it is to discover new ways to hack software.
Furthermore, cybercriminals are getting really, really good at their craft. They are doing a bang-up job of replicating existing workflows from trusted sources. “Something we’re seeing a lot of with our clients is wiring fraud,” Phillips explains. “One of their vendors gets hacked and sends a realistic-looking invoice. It looks legit so the company pays it. And then they find out that it was fake.”
The Latest in Cybersecurity Phishing Threats
Here are 6 types of phishing scams that are keeping cybersecurity experts busy.
1. Deceptive phishing
This threat is the most common one on the list. That LinkedIn request, the FedEx tracking email, the fictitious HR survey, and, of course, PayPal – all fall under this category, in which a bad actor impersonates a legitimate person or organization. With deceptive phishing, the perpetrator is counting on users to take specific action based on the email (click here, see attached) which then launches the attack.
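The "look at the 'from' address" check applied to this kind of brand impersonation, as an added example that is not from the original post. The brand-to-domain map, the `registrable` and `check_from` names, and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list: brand keyword -> domains that brand legitimately sends from.
# Illustrative only; build yours from verified vendor records.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "fedex": {"fedex.com"},
    "linkedin": {"linkedin.com"},
}

def registrable(domain):
    """Naive last-two-labels reduction (assumes no multi-part TLDs such as co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def check_from(raw_message):
    """Return the reasons the From header looks suspicious (empty list if none)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ["missing or unparseable From address"]
    reasons = []
    from_domain = registrable(addr.rsplit("@", 1)[1])
    # The display name or mailbox name claims a brand the sending domain is not part of.
    claimed = (display + " " + addr.split("@")[0]).lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in claimed and from_domain not in domains:
            reasons.append(f"claims {brand} but sent from {from_domain}")
    # Replies would be routed to a different domain than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr:
        reply_domain = registrable(reply_addr.rsplit("@", 1)[1])
        if reply_domain != from_domain:
            reasons.append(f"Reply-To domain {reply_domain} differs from {from_domain}")
    return reasons

# Constructed sample messages (reserved .example domains, not real traffic).
SPOOFED = ('From: "PayPal Support" <service@paypal-billing.example>\n'
           "Reply-To: help@collect.example\n"
           "Subject: Your account is limited\n\nPlease confirm your details.")
LEGIT = ('From: "FedEx Tracking" <tracking@updates.fedex.com>\n'
         "Subject: Your package is on the way\n\nTracking details inside.")

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_from(raw))
```

A message sent from a vendor's genuinely compromised mailbox passes this check, so payment requests still need verification through a separate channel.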
2. Spear phishing
Spear phishing is a phishing scam that is well-executed and intentionally targeted. Whereas other phishing threats may rely less on investigation and more on the sheer volume of targets, with spear-phishing campaigns the name of the game is quality over quantity. If your organization is on a cybercriminal’s spear-phishing radar, you can bet they are conducting extensive research to craft a credible and compelling narrative, designed to dupe their victims.
3. CEO fraud
With this type of phishing threat, also referred to as whaling and business email compromise (BEC), the bad actor plays the role of a high-powered executive. Impersonating that executive, the perpetrator coerces employees into actions that compromise data security, such as making unauthorized wire transfers or providing confidential tax information. Between May 2018 and July 2019, there was a 100% increase in this specific fraudulent activity.
4. Vishing
Whereas phishing refers to scams perpetrated via email, vishing is fraud by phone call, so named because the cybercriminals use a Voice over Internet Protocol (VoIP) server to conduct the fraudulent behavior. Oftentimes, they will disguise their phone number to make it look like it is coming from the target’s region. Last August, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned the public about an increase in vishing schemes, where the attackers targeted remote workers in an attempt to obtain their digital log-in credentials.
5. Smishing
Like vishing, smishing also relies on phone numbers for exploitation purposes. However, the cybercriminal will send malicious text messages, attempting to glean personal data or trick recipients into clicking on a dangerous link. Clicking on this link can give the attacker the ability to remotely control the victim’s mobile device.
6. Pharming
In a pharming attack, the cybercriminal redirects the victim to a fake website, intended to replicate the legitimate site they thought they were visiting. From this fake site, the intent is to obtain digital credentials, such as usernames and passwords. Pharming is often used as a precursor to online identity theft.
It’s Time to Take Control of Your Cybersecurity
Cybercrime can be devastating. It’s an ever-evolving and complex field and one best left to the cybersecurity experts who specialize in keeping businesses secure and free from disruption. IT solutions provider Compass Computing Group, one of the leading tech companies in Portland, takes a layered approach to ensure a robust security plan. This includes live and modular employee training, simulations, policy and procedure development, remedial training for simulation slip-ups, and resources for ongoing education. Connect with Compass Computing Group today to take advantage of their free one-month training and simulation trial, and learn what it means to be truly cyber-aware.