As we’ve said many times, humans are your first line of defense against cyber threats. Attackers have known and exploited this vulnerability since the dawn of the digital age, with phishing attacks being their weapon of choice.
Phishing attacks target the people in and around your organization to sidestep your cybersecurity defenses. After all, what can software do to protect the system when unsuspecting users hand off the keys to intruders?
Now, the tech literacy of the average person has improved tremendously over the last decade. So it stands to reason that people shouldn’t be falling prey to dubious email schemes anymore. But as a 2020 report by Verizon has highlighted, 22% of all data breaches involve phishing in one form or another.
To understand why, let’s dive into the evolution of phishing attacks over the last few decades.
The Early Days of Phishing Attacks
The beneficiary of a billion-dollar trust. The winner of a lottery draw. The recipient of the generosity of the infamous Nigerian prince or some other exotic royalty. These are just a handful of the many bizarre scenarios promised by phishing emails of the early days. Their goal was to extract sensitive data of unsuspecting individuals, including social security numbers and banking details.
While curiosity got the better of some people, most individuals never fell for these schemes. So attackers tweaked things by impersonating trusted sources. An email from your bank warning that your account is about to be closed, or a message asking you to reset your password, are two common examples in which the attacker impersonates a sender the victim already trusts.
The attackers lure the victim into clicking a link that looks like the original website, but it’s actually a fake copy that is designed to steal the login credentials of the user.
These attacks were further enhanced by attaching malware-laced files to the emails. What made these attacks particularly potent was that the attackers would spoof file extensions. For example, most people would never open “Program.exe” from even a trusted sender because executables are dangerous. A file named “January Invoice.pdf”, however, seems entirely harmless.
Unfortunately, spoofed files were just the beginning of this long evolution of phishing attacks.
The Sophisticated Attacks of Today
Until this point, phishing attacks were relatively easy to avoid. One look at the email reply-to field was all it took to confirm if an email sender was who they claimed to be. Avoiding malware was as easy as staying away from unknown files.
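The two tells mentioned above, a Reply-To address that does not match the visible sender and an attachment whose document-like name hides an executable extension, can be checked mechanically. The following is an added triage script, not code from the original article or from Optistar; the domains and the sample message are constructed for illustration.

```python
# Added example, not from the original article: flags a Reply-To/From domain
# mismatch and attachments whose harmless-looking names end in an executable.
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_EXTS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta")

def _domain(header: str) -> str:
    """Lower-cased domain of 'Name <user@host>' or 'user@host' ('' if none)."""
    _, address = parseaddr(header)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def reply_to_mismatch(msg: EmailMessage) -> bool:
    """True when replies would go to a different domain than the visible sender."""
    reply_to = msg.get("Reply-To")
    return bool(reply_to) and _domain(reply_to) != _domain(msg.get("From", ""))

def deceptive_attachments(msg: EmailMessage) -> list[str]:
    """Attachment names ending in an executable extension, e.g. 'January Invoice.pdf.exe',
    which a mail client that hides known extensions shows as 'January Invoice.pdf'."""
    return [part.get_filename() for part in msg.iter_attachments()
            if (part.get_filename() or "").lower().endswith(EXEC_EXTS)]

def triage(raw: str) -> dict:
    """Parse a raw RFC 5322 message and report both indicators."""
    msg = message_from_string(raw, policy=policy.default)
    return {"reply_to_mismatch": reply_to_mismatch(msg),
            "deceptive_attachments": deceptive_attachments(msg)}

# Constructed sample message (hypothetical domains, placeholder attachment body).
SAMPLE = """\
From: "Acme Bank Alerts" <alerts@acme-bank.example>
Reply-To: Acme Support <support@acme-bank-login.example>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invoice.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="January Invoice.pdf.exe"

(constructed placeholder bytes, not a real executable)
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```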
Sadly, that is not the case anymore. One major shift we’ve seen is that phishing attacks are a lot more personalized today. The rise of social media has made it possible for attackers to gather a lot of personal data on their victims. This makes it easy for them to either use that data to gain trust or create fake profiles to impersonate the people those victims already trust.
We’re also seeing large-scale versions of these attacks on social media platforms like Twitter and YouTube. Since any number of users can have the same name, image, bio, and other details, it takes minutes for an attacker to create an impersonator account that looks exactly the same as the original.
These accounts then share fake giveaways and other offers by commenting on the posts of the original accounts. The users, thinking that they are interacting with the actual influencer, end up losing their data and even money by participating in those fake offers.
On the tech side, we have drive-by attacks in which malicious code runs as soon as the victim opens a link, letting attackers compromise a system without any downloads. All the attackers need is to get the victim to open that link. No form submissions. No downloads.
Thanks to the ease of acquiring personal details of users and impersonating sources they trust, getting someone to open a link is far from a challenge today.
As you can see, attackers can sidestep some of the most advanced software protections by exploiting the mistakes of the people operating them. Training your team on cyber defense best practices is therefore the only way to minimize your organization’s exposure to digital disasters.
For more information on Optistar’s cyber security solutions or our Security Awareness Training, contact us here or email us at firstname.lastname@example.org.