Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

News

4/9/2016
08:00 AM
Steve Zurier
Steve Zurier
Slideshows
Connect Directly
Twitter
RSS
E-Mail
50%
50%

The 8 Most Convincing Phishing Schemes Of 2016

The year is young and high-profile phishing attacks keep coming seemingly every week. Here are eight reasons why security pros have to get serious about combating phishing.
Previous
1 of 9
Next

It’s only mid-April, yet there is no shortage of convincing phishing schemes to highlight for 2016.

Gartner reports that one in every 4,500 emails today is a phishing attack, threats that rely on social engineering to gain illicit access to personal and corporate assets.

Aaron Higbee, co-founder and CTO of PhishMe.com, says that this year’s crop of phishing attacks center around three main types:

  • CEO fraud, where scammers who claim to represent legitimate third parties try to get administrative people to believe that the CEO has authorized a wire transfer for thousands, or in some cases millions, of dollars.
  • Tax schemes, where phishers aim to get administrative people, claims adjusters at insurance companies, or auditors, to send employee W-2s. The W-2s have social security numbers and other PII that lead criminals to the personal bank accounts of employees.
  • Fraudulent IRS sites, where users are duped into thinking that the IRS sent them an email requesting more information. These attacks are especially infuriating to experts because the IRS would never send such an email to a taxpayer. 

“What’s happened is that all the techniques that security people have used in the past, such as sandboxes or combing URLs in a body of email, simply don’t work anymore,” Higbee says. “In many of these cases, the criminals bypass all the technical controls and exploit human factors, such as following up an email with a phone call to prove they are legitimate.”

Brian Reed, a Gartner analyst who focuses on data security, adds that the latest phishing scams have gotten increasingly sophisticated. Criminals are doing their homework, he says, finding out who has responsibility at companies for wire transfers and who in the chain is the most vulnerable to a phishing scam.

“These emails are not blindly sent from a fictitious Royal Prince with numerous misspelled words or other obvious errors in the message body,” he says. “They are done by criminals who have studied the inside of these organizations, understand how organizations communicate, and have combed social media to gather information about specific people to target at companies.”

Higbee adds that in many cases, the phishing scams still emanate from West Africa, but today they are major criminal operations.

“Some have even gone so far to set up entire call centers to study companies and follow up with phone calls,” Higbee says. “We’re finding that many of the prospects evaluating our solutions are demoralized. They’ve put every security control they know in place yet they still fall prey to these phishing scams.”

The following phishing schemes we highlight here represent the most egregious of these three type of phishing cases.

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Previous
1 of 9
Next
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Dan Euritt
50%
50%
Dan Euritt,
User Rank: Apprentice
4/11/2016 | 10:39:10 AM
These problems were all preventable
All companies should be conducting awareness training on these issues, and this article looks like a great place to start. Thanks for posting it up.
nathanwburke
100%
0%
nathanwburke,
User Rank: Author
4/13/2016 | 6:17:55 AM
Re: These problems were all preventable
Security awareness training can help, but that is also just one piece of a comprehensive security plan that includes the triumvirate of People, Process and Technology. Security awareness training can help with the People component, making employees more cognizant of the low-level, commodity attacks that use emails with attachments and links to compromised sites. 

However, this only applies to the obvious. Don't download and run applications from attachments. Don't click links in emails from people you don't know.  The problem is that many attacks are more sophisticated. In some cases, the phishing attack comes from a compromised email address using language that mimics the hacked sender. In those cases, all of the awareness training available will likely fail.

Creating a Process for flagging potentially malicious activity and quickly removing any threat organization-wide is key to reducing risk of threats introduced accidentally (despite awareness training). Having Technology in place to identify and remediate obvious threats is essential to keeping this process timely and scalable.

Awareness training is important, but simply telling people not to do the obvious isn't enough anymore.
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "SpearPhish! Everyone out of the office!"
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1919
PUBLISHED: 2019-07-17
A vulnerability in the Cisco FindIT Network Management Software virtual machine (VM) images could allow an unauthenticated, local attacker who has access to the VM console to log in to the device with a static account that has root privileges. The vulnerability is due to the presence of an account w...
CVE-2019-1920
PUBLISHED: 2019-07-17
A vulnerability in the 802.11r Fast Transition (FT) implementation for Cisco IOS Access Points (APs) Software could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected interface. The vulnerability is due to a lack of complete error handling conditi...
CVE-2019-1923
PUBLISHED: 2019-07-17
A vulnerability in Cisco Small Business SPA500 Series IP Phones could allow a physically proximate attacker to execute arbitrary commands on the device. The vulnerability is due to improper input validation in the device configuration interface. An attacker could exploit this vulnerability by access...
CVE-2019-1940
PUBLISHED: 2019-07-17
A vulnerability in the Web Services Management Agent (WSMA) feature of Cisco Industrial Network Director (IND) could allow an unauthenticated, remote attacker to gain unauthorized read access to sensitive data using an invalid X.509 certificate. The vulnerability is due to insufficient X.509 certifi...
CVE-2019-1941
PUBLISHED: 2019-07-17
A vulnerability in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. The vulnerability exists because th...