Business Email Compromise Phishing Attacks Soaring
Business email compromise phishing attacks are soaring. The profits that can be made from these types of attacks have made them highly popular with cybercriminals. That should be of major concern for all business leaders.
When people ask me “What’s going on with Phishing?” these days I tell them that 2015 will be remembered as the Year of the Email Phish. Not Email Phish as in “someone sent me a link to a malicious website by email”, but rather Email Phish as in “the goal of this phishing attack is to steal my email password.” During the calendar month of September 2015, we’ve received nearly 23,000 phishing reports for nearly 7,000 distinct domains that hosted a phishing attack intended primarily to lure the victim into revealing their userid and password.
Here are just a sampling from the 2,150 domains seen this week. While Dropbox phish were very popular at the beginning of the month, we continue to see multi-brand targeting attacks also for Google Docs, Google Drive, and most recently Adobe ID.
We also continue to see stand-alone AOL, Gmail, Hotmail, Outlook, Outlook Web Access, and Yahoo phish as well.
Targeting email accounts with phishing is certainly not new. The very first Phishing Trends report from the Anti-Phishing Working Group, in January of 2004, only contained evidence of 176 phishing attacks, but of the 24 brands represented, four were Email service providers — 34 AOL phish, 9 Earthlink phish, 3 Microsoft phish, and 2 Yahoo phish.
The dramatic shift this year might be best demonstrated though by comparing the top 20 phishing brands targeted in September 2014 to the top 20 phishing brands targeted in September 2015.
In September 2014, only 21% of the phishing reports we received at PhishMe were primarily targeting an Email Service Provider. Of 22,000 confirmed phishing reports on 7160 different domains, 257 different brands were being imitated. But only two of the top ten brands were Email Service Providers, and those trailed dramatically behind the leading phishing targets.
In September 2015, 62.5% of the phishing reports we received at PhishMe were primarily targeting an Email Service Provider! Of 47,800 confirmed phishing reports on 12,127 different domains, 333 different brands were being imitated. While the vast majority of these were financial services industry brands, the Top ten brands were led by five Email Service Providers! 52% of all the domains we saw abused for phishing this month contained attacks designed to steal your email address and password!
What the criminals have realized, but our employees seem to have forgotten, is that your email account is the Keys to the Kingdom! Criminals are definitely focusing on compromised email accounts as a favorite attack vehicle. The FBI’s Internet Crime and Complaint Center (ic3.gov) shared an Advisory at the end of August warning that more than 7,000 US-based businesses had lost as much as $700 MILLION due to what is being called “Business Email Compromise” scams. The key to many of these scams begins when a criminal phishes one of your employees to begin studying the nature and structure of your company.
- How do you reset a forgotten password for your bank, credit card, or online store? They send you an email!
- How do the criminals learn the types of email that you are accustomed to exchanging in your workplace? They READ YOUR EMAIL!
- How do criminals know when you are traveling? They READ YOUR EMAIL!
- How do criminals send an email to your friends and co-workers that they are CERTAIN TO OPEN? They USE YOUR EMAIL TO SEND IT!
So, phishing is on the rise in all of its forms — more financial institutions are targeted than ever before, more phishing websites are created than ever before, and more malware is being delivered than ever before. But the newest trick that we must all be wary of is that the email we just received from our co-worker? It may be from your co-worker, or it may be that your co-worker has already fallen for an Email Phishing attack!
So now what?
- Be certain if you use a File-sharing site, such as DropBox, Microsoft OneDrive, Google Drive, or Google Docs, that the email you are following is really from your co-worker! Warn your co-workers of this type of attack by sharing a link to this blog post!
- SET ACCOUNT ALERTING or Two-Step Verification for your email accounts. If a strange device logs in to your Gmail account, Google can let you know! Microsoft and Yahoo have similar features as well. If possible, require Two-Step Verification for access to Email accounts. Follow the correct link below to learn how to set this feature up for your email!
- A nine step“Protect Your Account” checklist from Gmail
- or go directly toGoogle 2-Step Verification
- A seven step“Make your Microsoft account more secure” checklist
- or go directly toMicrosoft two-step Verification
- Security Resourceson Yahoo
- or go directly toYahoo two-step verification
- or go directly toYahoo “New device sign-in verification”
- NEVER RE-USE PASSWORDS! REMIND YOUR EMPLOYEES that they should never use a password from their business accounts on a non-business account. Your personal email address and your business email address should have different passwords, as should your bank account, your credit card account, your cell phone provider account, etc.