Cybercriminals who employ phishing as their attack method of choice use various tricks and techniques to lure their unsuspecting victims into divulging private information. The strategy is to concoct an email or other communication that exploits a company or brand or product that has some interest or relevance to the recipient. With tech brands such a common thread among people today, cybercriminals are leveraging some of the world’s largest tech companies to trap users, as described in a report released Wednesday by Akamai.
The “Akamai 2019 State of the Internet/Security Phishing: Baiting the Hook” report found that criminals are exploiting certain top global brands and their users through highly organized and sophisticated phishing operations. In particular, Akamai discovered that technology was the top industry targeted by phishers, with users of Microsoft, PayPal, DHL, and Dropbox the biggest targets for phishing attacks.
SEE: Phishing attacks: A guide for IT pros (free PDF) (TechRepublic)
Cybercriminals use phishing kits to carry out their attacks. Such kits are readily available for sale on the Dark Web and provide anyone with the necessary software and tools to initiate and manage a phishing campaign. These kits are also available in different variants based on the possible targets, evasion methods, and other factors. Many kit developers even operate phishing as a service (PaaS) businesses by offering an admin panel that contains all the necessary functions and services for buyers to launch an attack. Beyond the kits, phishers need only to hijack or purchase a domain to set up shop.
Over a period of 262 days, Akamai found that Microsoft took up 21.8% of the total phishing domains with 3,897 domains and 62 different phishing kit variants. PayPal accounted for 9.37% of the total domains with 1,669 domains and 14 kit variants. Next, DHL took up 8.79% of the total domains (1,565 domains and seven kit variants. Dropbox accounted for 2.59% of the total domains (461 domains and 11 kit variants).
Beyond hitting tech brands, phishers are targeting other industries. Financial services came in second place with 3,658 domains and 83 kit variants. E-commerce with 1,979 domains and 19 kit variants, and media with 650 domains and 19 kit variants were next in line. In total, more than 60 global brands were exploited by phishings, according to Akamai’s research.
Phishing is no longer just limited to email, as discussed in the report, and has branched out to social media and mobile devices. Phishing has also generated losses for enterprises through business email compromise (BEC) attacks. Between October 2013 and May 2018, these types of attacks led to worldwide losses of more than $12 billion, according to the FBI.
“As the phishing landscape continues to evolve, more techniques such as BEC attacks will develop, threatening a variety of industries across the globe,” Martin McKeay, editorial director of the “State of the Internet/Security” report for Akamai, said in a press release. “The style of phishing attacks is not one size fits all; therefore, companies will need to do due diligence to stay ahead of business-minded criminals looking to abuse their trust.”
To protect yourself and your business against phishing attacks, Akamai offers the following bits of advice:
- Awareness training. You can and should train your employees to spot and report basic and generic phishing attacks. However, this isn’t a silver bullet, according to Akamai. Cybercriminals have learned to adapt to basic awareness training models. In fact, targeting the natural workflow of an intended victim is how phishers have been able to launch more BEC attacks.
- Phishing simulations. A good defense requires a good offense. As such, phishing simulations can help organizations better protect themselves and decrease the odds of a security incident. However, such simulations should be customized to the individual or business unit. For example, a phishing simulation sent to people in human resources could spoof resumes for a recent job posting. A simulation sent to sales employees could spoof lead generation responses following a recent event. Simulations can go even further. Instead of spoofing a random prize from some no-name company, the simulated phishing email could include a prize from a local restaurant or retailer.
- Endpoint protection. Beyond training and simulations, protecting your endpoints is another way for you to stay ahead of the phishing game.
- Learn from other companies. Companies whose users or customers may be targeted in phishing attacks have published their own warnings and words of wisdom. The links below will bring you to articles and FAQs from different businesses about phishing attacks:
“Some phishing attacks are loud and easy to spot, but lately, that hasn’t been the norm,” Akamai concluded in its report. “As phishing expands beyond email, new attacks can come from people and places that are known and trusted by the victim. This makes it infinitely harder to track and stop. Not impossible, mind you, just more difficult.”