Gone Phishin’

Gone Phishin’ is now sophisticated.

In the early days of phishing email scams, cyber attackers used the tactic of blasting millions of email addresses with the hopes of catching a few unaware people with the phishing scam attempt. This practice is still going strong today in our technological universe.

These attackers engage victims by suggesting they do something, such as open an infected email attachment, click on a link or share a password. These methods have traditionally been carried out through email.

As the cyber-crime world has evolved, attackers have become more advanced with their approach. Their email attempts have become more difficult to detect due to increased customization and have become better tailored to the intended recipient. The traditional phishing attacks have transitioned out of conventional email format and into other platforms such as telephone calls, text messaging or social media.

Attackers are doing their homework.

The typical phishing campaign involved basic emails, with subtle cues such as vocabulary or grammatical errors, blasted out to the masses in the hope that victims would carelessly click or respond and give up the desired sensitive information.

Now that this practice has become widely known as a scam, the attackers have refined their approach by examining their victims in more detail. What used to be an email blast to millions has now transitioned to specific groups of single- or double-digit targets.

Profiles of targets may be found online through websites, the dark web, and even professional networking sites. Messages are then sent to the target from what appear to be trustworthy sources. They may know your recent travel history or conferences you’ve attended; they may learn about things you like to do or interests you may have.

  • The attacker groups will target various types of businesses, such as governmental agencies and corporations; they will focus on the board of directors, finance personnel, and key decision makers for the target entity.
  • Their intent is to capture information about who they are going to exploit. They want specific information about customary transactions to build a scam that these unsuspecting targets find believable and trustworthy.
  • The goal is to find targets that perform transactions for their organization and/or on an individual level. Typically, these pressures fall within the boundary of performing a financial decision, operation, or transaction.

Don’t let your guard down!

These cyber phishing attacks are becoming more difficult to spot even with current training and additional controls in place. We need to know what we are looking for to know when we are being scammed by these attackers.

Questioning emails is the first line of defense. Does the tone of the messaging in the email seem off from the individual? Does the email prompt you to make a financial decision or transaction that appears a bit abnormal? Consider these call-to-action types of email suspicious.

These are a few of the clues to be aware of and suspicious about. Train your instincts to question transactions that appear abnormal for your organization. Seek out opinions of your IT and/or department advisors before moving forward with a transaction.

Mitch Eaden, Risk Manager
