Cybercriminals are turning their attention away from the C-suite, though they are still targeting users with high levels of access.
Cybercriminals are casting an increasingly wide net with phishing attacks, turning to shared aliases, such as firstname.lastname@example.org, to target multiple users at once, according to a recent Proofpoint report. These attacks are easier to execute: Proofpoint notes that such addresses are often public-facing and are typically not secured with multi-factor authentication, because it is difficult to implement on shared email addresses.
Likewise, the report notes that "lower-level workers were targeted slightly more heavily than upper-management and executives," a trend away from "whaling," or attacks that target executives or people with high levels of access. Employees in R&D or engineering were attacked 30% more frequently than average, suggesting a potential use of phishing attacks for corporate espionage rather than simple credential theft.
Cybercriminals are rapidly changing their targets, with just 13% of "addresses identified as the most highly targeted recipients during the quarter ranked as such in our last report, reflecting attackers' shifting focus," the report noted.
Banking trojans remained the top threat, comprising 56% of malware payloads. By volume, the Emotet family accounted for 76% of those banking trojans. Emotet is a potent, well-designed malware family that is uniquely deployed with two clusters for increased resiliency, according to Trend Micro, which found that the two clusters do not appear to be from different operators. Emotet attacks have subsequently increased, according to multiple reports from ZDNet.
Proofpoint recommends six strategies for protecting your organization:
- Adopt a people-centric security posture.
- Train users to spot and report malicious email.
- At the same time, assume that users will eventually click some threats.
- Build a robust email fraud defense.
- Protect your brand reputation and customers in channels you don't own.
- Partner with a threat intelligence vendor.
For more information on how to protect your organization, check out "How to prevent spear phishing attacks: 8 tips for your business," and "Hackers impersonate these 10 brands the most in phishing attacks."