Still Phishing in Troubled Waters

You might think that we have become good at identifying phishing attacks by now, but that is a dangerous assumption. The uncomfortable truth is that, by most industry estimates, around 90% of cyberattacks start with a phishing or spear phishing email.

Yes, almost all of us can spot a dubious request from a "Nigerian prince" asking for our bank details a mile away, but phishers have raised their game to keep outsmarting us. With the US tax season in full swing, cybercrooks are sending phishing emails to harvest personal and financial information. The spoofed email carries the IRS logo and contains a hyperlink for checking the recipient's tax refund. Once clicked, the link leads to a fake IRS page and can also download malware.

Phishers do not stop at individual taxpayers; organizations are targeted as well. The FBI has issued a warning about a spear phishing campaign aimed at HR and payroll staff: the emails, typically sent in the name of a company executive, ask for the W-2 information of all employees, which is then used for tax fraud and identity theft.

Healthcare remains a favorite target, as the UnityPoint Health phishing attack shows. UnityPoint Health is a multi-hospital delivery system serving parts of Iowa, Illinois and Wisconsin. The attackers were after patient names, dates of birth, medical record numbers, treatment information, diagnoses, lab results, medications, healthcare providers, dates of service, insurance information, Social Security numbers and financial information.

Even holidays and special occasions are now times to stay on guard, since cybercrooks step up their attacks with all sorts of fake greetings and special offers.

A worrying trend is the rise of phishing attacks on mobile devices. With employees allowed to bring their own devices (BYOD) for work, phishers smelled a new opportunity. Those devices sit outside the traditional network perimeter and its firewalls, often lack endpoint security, and are used with a wide range of apps and messaging platforms that are not used (or are blocked) on work desktops. Small screens also make it harder to inspect the sender address or the real target of a link. As a result, a high number of mobile users fall victim.

Although organizations have been beefing up their security and training their employees to be vigilant, much remains to be done. To illustrate: the Global Cyber Alliance warns that more than 95 percent of the 26 email domains managed by the Executive Office of the President (EOP), including Budget.gov, OMB.gov, WhiteHouse.gov, USTR.gov, OSTP.gov and EOP.gov, are vulnerable to large-scale phishing attacks because they have not deployed an enforcing DMARC policy, so mail that forges their addresses is not rejected by receiving servers.
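The weakness the Global Cyber Alliance measured is visible in a domain's public DNS: a domain with no DMARC record, or with a record whose policy is `p=none`, tells receiving mail servers to deliver forged mail unchanged. The following Python is an added example (not code from the original post or from Cymulate) that rates a domain's spoofing exposure from its DMARC record text. The sample records and domain names are constructed for illustration; in practice the text is fetched from the TXT record at `_dmarc.<domain>`.

```python
"""Added example: rate the spoofing exposure of a domain from its DMARC record."""
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; rua=...' into a
    tag dictionary. Returns {} when the text is not a DMARC record at all."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess_dmarc(record: Optional[str]) -> str:
    """Classify what a receiving server will do with mail that fails DMARC:
    'none'       - no (valid) record: spoofed mail is delivered untouched
    'monitor'    - p=none: failures are only reported, never blocked
    'partial'    - an enforcing policy applied to less than 100% of mail
    'quarantine' - failing mail goes to spam/junk
    'reject'     - failing mail is refused outright"""
    tags = parse_dmarc(record) if record else {}
    if not tags:
        return "none"
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return "monitor"
    if policy not in ("quarantine", "reject"):
        return "none"  # invalid policy value: receivers ignore the record
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return "partial" if pct < 100 else policy


# Constructed sample records (hypothetical domains, not real DNS data).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "a.example": None,
    "b.example": "v=DMARC1; p=none; rua=mailto:dmarc@b.example",
    "c.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@c.example",
    "d.example": "v=DMARC1; p=reject; rua=mailto:dmarc@d.example",
    "e.example": "v=spf1 include:_spf.mailer.example -all",  # SPF, not DMARC
}


def exposure_report(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each domain to its DMARC exposure class."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, verdict in exposure_report(SAMPLE_RECORDS).items():
        print(f"{domain:12} {verdict}")
```

Only `d.example` in the sample set would cause forged mail to be refused; `a.example`, `b.example` and `e.example` are exactly the state the EOP domains were found in. Note that an enforcing policy only helps when the domain's legitimate mail passes SPF or DKIM alignment, which is why most domains start at `p=none` and tighten the policy once the aggregate reports look clean.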

It's not much better on the other side of the pond. According to a recent European phishing response trends report, more than half (57%) of European firms (in the UK, Germany, France, the Netherlands and Belgium) believe they are unprepared for a phishing attack, even though 78% have already been hit by a cyberattack that started with a phishing email. Their security teams struggle to keep up with the volume of suspicious emails that are reported. Understandably so, since 23% of UK companies receive more than 500 suspicious emails a week, followed by the Netherlands (22%), France (20%), Germany (18%) and Belgium (16%).

As it looks now, organizations of all sizes will keep being pounded by phishing attacks, not least because they are effective and cheap for cybercrooks to run. All it takes is a spoofed email or a phishing kit that is readily available on the dark web, so a criminal with no hacking experience at all can launch a campaign.

It’s up to the cybersecurity and IT teams to keep their organization safe. Below are some helpful tips:

  1. Take proactive action: test your organization's exposure to phishing attacks before an attacker does.
  2. Your employees are your first line of defense. Training them regularly on how to identify phishing, spear phishing and other email-based attacks improves your organization's security posture.
  3. Keep your security solutions updated and regularly test how well they actually perform.
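
The indicators that awareness training (tip 2) teaches people to look for can also be checked mechanically, which is what a mail gateway or a triage script does with the suspicious emails employees report. As an added example (not code from the original post or from Cymulate), the following Python applies three of those checks to a raw message: envelope and reply domains that differ from the visible From domain, a trusted brand in the display name paired with an unrelated sender domain, and links whose visible text disagrees with their target or that point at a bare IP address. The two sample messages, the `.example` domains and the `brands` list are constructed for illustration.

```python
"""Added example: flag common phishing indicators in a raw email message."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Constructed sample messages; the domains are reserved example names, not real senders.
PHISH_EMAIL = """\
From: "IRS Refund Desk" <refunds@irs-gov-refund.example>
Return-Path: <bounce@mailer.example>
Reply-To: claims@irs-refund.example
Subject: Your tax refund is ready
Content-Type: text/html

<html><body><p>Check your refund status here:</p>
<a href="http://198.51.100.7/irs/refund">https://www.irs.gov/refunds</a>
</body></html>
"""

BENIGN_EMAIL = """\
From: "Payroll" <payroll@corp.example>
Return-Path: <payroll@corp.example>
Subject: Pay stubs posted
Content-Type: text/plain

Your pay stub is available at https://hr.corp.example/paystubs
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(header: str) -> str:
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(header)[1].rsplit("@", 1)[-1].lower()


def host_of(url: str) -> Optional[str]:
    """Host of an absolute URL, or None if the string is not a URL."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else None


def phishing_indicators(raw: str, brands=("irs.gov",)) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw)
    findings: List[str] = []
    from_dom = domain_of(msg.get("From", ""))
    display_name = parseaddr(msg.get("From", ""))[0].lower()

    # 1. Envelope sender / reply address whose domain differs from the visible From.
    for hdr in ("Return-Path", "Reply-To"):
        dom = domain_of(msg.get(hdr, ""))
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # 2. Display name drops a trusted brand while the sender domain is unrelated.
    for brand in brands:
        label = brand.split(".")[0]
        if (re.search(rf"\b{re.escape(label)}\b", display_name)
                and from_dom != brand and not from_dom.endswith("." + brand)):
            findings.append(f"display name claims {brand} but sender domain is {from_dom}")

    # 3. Link text that names one host while the href goes elsewhere, or a bare-IP target.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        payload = part.get_payload(decode=True) or b""
        parser = LinkExtractor()
        parser.feed(payload.decode(part.get_content_charset() or "utf-8", "replace"))
        for href, text in parser.links:
            href_host, text_host = host_of(href), host_of(text)
            if text_host and href_host and text_host != href_host:
                findings.append(f"link text shows {text_host} but points to {href_host}")
            if href_host and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}(:\d+)?", href_host):
                findings.append(f"link target is a bare IP address: {href_host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

The spoofed IRS message trips all three checks, while the payroll notice produces no findings. None of these heuristics is conclusive on its own (newsletters legitimately use a different Return-Path, for instance), which is why they are scored and combined in real filters, and why the user who reports the message remains the most valuable sensor.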

To test how well an organization holds up against phishing attacks, Cymulate's Breach & Attack Simulation (BAS) platform offers several modules that help cybersecurity staff and IT teams. The phishing module tests whether employees are susceptible to (spear) phishing attempts and will click on malicious links or open suspicious attachments. The secure email module assesses the email security stack, while the secure web browsing module checks whether the security controls are working properly by preventing employees from reaching phishing and other infected websites.

Test the effectiveness of your security controls against possible cyber threats with a 14-day trial of Cymulate’s platform.

Start a Free Trial

Don’t speculate, Cymulate