Phishing is a perennial cyber risk for businesses and organizations of every size, in every industry. It’s a popular social engineering method designed to fool recipients into clicking malicious links, providing hackers access to their networks, or divulging Personally Identifiable Information (PII) or sensitive company data like credentials or financial information. Phishing attacks exploit the weakest link in your business’s security — individual users — by preying on human emotions and negligence rather than system vulnerabilities.
According to Cisco’s 2021 Cyber Security Threat Trends report, phishing attacks top the list of cybersecurity threats, accounting for 90% of data breaches. The incidence of phishing scams has only increased since 2020, especially with so much of the global workforce transitioning to remote work. Proofpoint’s 2020 State of the Phish report indicates that 65% of organizations in the U.S. were victims of at least one phishing attack in 2020.
Here, we take a look at three of today’s most popular—and most devastating—phishing trends: business email compromise (BEC), impersonation attacks, and whaling attacks.
Business Email Compromise
Business email compromise (BEC) is a sophisticated scam in which cybercriminals send a phishing email that appears to come from a known source with legitimate requests. The seemingly reliable source (spoofed by cybercriminals) might be a trusted colleague, a longtime vendor, or a business partner.
Attackers defraud organizations of all sizes through BEC scams every day using tactics like spoofed email accounts and websites, spear-phishing emails, and malware (often, they combine tactics for a compound effect and maximum damage).
In 2020, the average sum of a BEC attack-involved wire transfer increased dramatically, from $48,000 in Q3 to $85,000 in Q4. With COVID-19 lockdowns across the globe, business leaders working at home from their personal devices were particularly susceptible to these BEC attacks.
The FBI calls BEC “one of the most financially damaging online crimes” and provides business leaders and IT teams with detailed information on how to spot a BEC scam, how to protect your business, and how to report a BEC scam if your organization falls victim to an attack.
Impersonation Attacks (AKA Executive Impersonation)
One particular phishing trend becoming more common is impersonation attacks, also known as executive impersonation. An attacker poses as a trusted person, like an executive or other high-level leader, to steal an organization’s money or access PII. Often, the target of the attack is an employee who can transfer funds or access sensitive information. This recent article from Forbes highlights the risks of spear phishing attacks that involve the impersonation of a senior executive. With just a bit of research, executive impersonation is a shockingly easy scam for attackers to pull off.
Recent COVID-19 cyber scams demonstrate the effectiveness of impersonation attacks. The World Health Organization has warned the public to “beware of criminals pretending to be WHO” after attackers used email and WhatsApp messages to execute their scams.
And since the start of the pandemic, cybercriminals have conducted countless phishing campaigns by impersonating the Small Business Administration (SBA) to scam loan applicants. To appear legitimate, the sender uses a spoofed email address that looks like it’s being sent from a government domain (like @sba.gov), but the URL in the email takes the recipient to a phishing website that steals their credentials and PII.
Another common cyber attack, whaling, is the inverse of executive impersonation. In a whaling scam, the attacker poses as an executive to dupe another high-profile target, usually a CEO or CFO. Whaling utilizes sophisticated, highly-targeted spear-phishing methods to exploit key decision-makers, compromise their security, and breach their wide-reaching digital networks.
In one recent exercise, ethical hacker Rachel Tobac was invited to hack billionaire investor and DreamWorks Animation CEO Jeffrey Katzenberg: “It Was Easy to Hack a Billionaire.” To impersonate Katzenberg’s business partner and pull off the hack, Tobac and her team employed a combination of sophisticated tactics, including a spoofed email address, a spoofed phone number, and even voice-altering technology. Katzenberg, who keeps a low profile on the internet and considers himself a tough target, fell for the scam immediately.
Like so many other cybersecurity risks, whaling is on the rise: 59% of organizations report that an executive has been the target of a whaling attack, a dramatic increase in recent years.
BEC, impersonation attacks, and whaling attacks can be devastating for businesses of every size. As cybercriminals become more adept at executing phishing attacks, the need to protect your business or organization will only increase. Insider threats are a growing concern for business leaders, and “phishing, identity fraud and business e-mail compromise are still some of the biggest threats in 2022.” It’s critical that everyone in your business is well-trained and prepared to confront attempted phishing attacks, from entry-level employees to your c-suite.
There are a variety of ways to do this. Microsoft, for instance, offers several suggestions for how to protect against phishing attacks, including several software solutions.
But one of the most surefire ways to prevent a phishing attack is to take an even more proactive approach. OpenVPN Cloud offers a content filtering feature, including the ability to block certain content categories and even have a list of specific website domain names to always block, or always allow — which allows you to custom-tailor your network access.
Get Started Today
Ready to get started with OpenVPN Cloud? Sign up today with three connections, absolutely free.