The 8 Most Convincing Phishing Schemes Of 2016
The year is young and high-profile phishing attacks keep coming seemingly every week. Here are eight reasons why security pros have to get serious about combating phishing.
It’s only mid-April, yet there is no shortage of convincing phishing schemes to highlight for 2016.
Gartner reports that one in every 4,500 emails today is a phishing attack, a threat that relies on social engineering to gain illicit access to personal and corporate assets.
Aaron Higbee, co-founder and CTO of PhishMe.com, says that this year’s crop of phishing attacks center around three main types:
CEO fraud, where scammers who claim to represent legitimate third parties try to get administrative people to believe that the CEO has authorized a wire transfer for thousands, or in some cases millions, of dollars.
Tax schemes, where phishers aim to get administrative people, claims adjusters at insurance companies, or auditors, to send employee W-2s. The W-2s have social security numbers and other PII that lead criminals to the personal bank accounts of employees.
Fraudulent IRS sites, where users are duped into thinking that the IRS sent them an email requesting more information. These attacks are especially infuriating to experts because the IRS would never send such an email to a taxpayer.
“What’s happened is that all the techniques that security people have used in the past, such as sandboxes or combing URLs in a body of email, simply don’t work anymore,” Higbee says. “In many of these cases, the criminals bypass all the technical controls and exploit human factors, such as following up an email with a phone call to prove they are legitimate.”
Brian Reed, a Gartner analyst who focuses on data security, adds that the latest phishing scams have gotten increasingly sophisticated. Criminals are doing their homework, he says, finding out who has responsibility at companies for wire transfers and who in the chain is the most vulnerable to a phishing scam.
“These emails are not blindly sent from a fictitious Royal Prince with numerous misspelled words or other obvious errors in the message body,” he says. “They are done by criminals who have studied the inside of these organizations, understand how organizations communicate, and have combed social media to gather information about specific people to target at companies.”
Higbee adds that in many cases, the phishing scams still emanate from West Africa, but today they are major criminal operations.
“Some have even gone so far to set up entire call centers to study companies and follow up with phone calls,” Higbee says. “We’re finding that many of the prospects evaluating our solutions are demoralized. They’ve put every security control they know in place yet they still fall prey to these phishing scams.”
The phishing schemes we highlight here represent the most egregious of these three types of phishing cases.
A criminal organization of phishing scammers recently tricked an employee at Seagate Technology into giving away W-2 tax documents on all current and past employees, according to KrebsOnSecurity.
These types of phishing scams are significant because W-2 forms contain employee social security numbers, salaries, and location data that are highly prized by criminals filing phony tax refund requests with the IRS.
Seagate says the attack hit on March 1. The scam focused on the 2015 tax form information for current and former US-based employees. Several thousand employees were affected, the storage firm said.
According to the Federal Trade Commission, tax refund fraud was responsible for a nearly 50% increase in consumer identity theft complaints last year.
News of a phishing attack at Main Line Health in the Philadelphia area broke in early March.
According to the local NBC TV affiliate, a spear phishing email was sent to a Main Line Health employee on February 16. The employee believed it was a legitimate email and responded to the request by providing personal information on all Main Line Health employees.
Officials determined that the email was part of a nationwide phishing scheme in which criminals use phony emails to gain personal information. On the plus side, officials say no patient information was released or compromised during the attack.
Research treatment and cancer center City of Hope was attacked during the week of January 18, an incident that resulted in unauthorized access to the email accounts of four staff members, according to a press release issued by the center.
Following an investigation, it was determined that three of the affected email accounts included a number of emails that contained one or more elements of protected health information, such as patient names, medical record numbers, dates of birth, addresses, email addresses, telephone numbers, and some clinical information.
However, for the majority of patients, the three breached email accounts contained only patient name and medical record number. With the exception of one patient, the information in the email accounts did not contain any social security numbers or financial information. Early indications found that the attackers were not interested in protected health information; their goal was to send spam emails to other individuals.