The growth and impact of phishing emails is on the rise. A recent Osterman Research survey found that there has been a variety of security incidents attributable to malicious emails. For example, 41% of organizations surveyed have lost sensitive data on an employee’s computer, and 24% have lost sensitive data from a corporate network.
Also on the rise: spear phishing, typically directed at a smaller group of potential victims, including senior officers within a company. In fact, Malwarebytes’ own CFO Mark Harris was hit with one a few months back. Government organizations that are likely to possess sensitive information such as login credentials to corporate financial accounts are also highly targeted.
One of the primary reasons that phishing is so effective is that many email users are not sufficiently skeptical or discriminating about suspicious emails, often because they lack training about how to identify phishing attempts. Our research has found that once users are trained about phishing, they are less susceptible to these attempts.
Spear phishing, on the other hand, has become a successful threat vector because many potential victims provide phishers with much of the information they need for them to craft messages that will seem to be genuine. For example, Facebook, Twitter, LinkedIn, and other social media venues contain large quantities of valuable information about personal preferences, travel plans, family members’ names, affiliations, and other personal and sensitive information that can be incorporated into spear-phishing emails to make them seem more believable.
To demonstrate how phishers might use personal information to their advantage, I found someone on Facebook whom I do not know personally but has an active presence and provides a significant amount of information on his public Facebook page, including:
- He visited Tapley’s Pub in Whistler, British Columbia, on Sept. 20.
- He visited The Brewhouse in Whistler on Sept. 16.
- The names of at least some of the people he was with on Sept. 13.
- He visited the 192 Brewing Company on Sept. 12.
- He visited the Chainline Brewing Company on Sept. 11.
- He visited American Pacific Mortgage on Sept. 9.
- He went to a Seattle Seahawks game on Sept. 3.
Moreover, based on his Facebook profile, we know the company for which he works, the city in which he lives, his wife’s name, and lots of other information about him. If I were a phisher attempting to gain access to his corporate login credentials, for example, I could craft an email with the subject line “Problem with your credit card charge at Tapley’s Pub” -- a subject line that would likely resonate with him given his recent personal experience at that restaurant.
I could provide a short, believable message about a problem in running his credit card and provide a link asking him to verify the charge. That link could be to a site that would automatically download a keystroke logger to his computer, after which I would be able to capture every keystroke he made from then on, which might include login credentials and credit card numbers.
Given that smaller organizations often do not have the training or technology in place to detect phishing attempts, my chance of success at infecting his computer would be reasonably high.
Phishing and spear phishing are serious problems that will get worse in the future, often because victims are not sufficiently trained and because many provide key information to cybercriminals. Organizations must work to raise awareness among their employees or risk the exploitation of sensitive company data.