The Green Sheet

Tuesday, January 28, 2020

Security scams catch more phish

In an ironic twist, recent studies found that fake security alerts generate more attacks than all other phishing categories. KnowBe4’s Q4 2019 top-clicked phishing report, published Jan. 15, 2020, found security-related subject lines are just as beguiling to consumers as giveaway offers. Additional findings from Retruster Inc. indicated that 90 percent of all data breaches stem from email phishing attacks.

Researchers found 39 percent of survey respondents clicked on messages to check a password immediately. Top-clicked social media attacks were found in messaging apps on LinkedIn (55 percent) and Facebook (28 percent). Social media messaging apps are frequently exploited due to their familiar, legitimate appearance, the study found.

Stu Sjouwerman is CEO at KnowBe4, a security awareness company that simulates phishing attacks on its technology platform to improve threat intelligence. Noting that criminals are exploiting public sector awareness and fear of cybercrime, Sjouwerman warned consumers to be suspicious of emails that appear to be too good to be true, stating, “As identifying phishing attacks from legitimate emails becomes trickier, it’s more important than ever for end users to look for the red flags and think before they click.”

Just don’t click

Mark Carl, CEO at ControlScan, cited threat intelligence and multifactor authentication as essential protections against malicious email attacks. “Email is the primary tool we have in business, but it’s also the most high-value target for an attacker, especially if you’re using Office365 and/or SharePoint to store all your company files,” he wrote in an Aug. 6, 2018 blog post titled “Email Security Basics You Need to Know.”

KnowBe4 researchers similarly noted that the most-clicked email subject lines were:

  • Microsoft/Office 365: De-activation of Email in Process (14 percent)
  • Dropbox: Document Shared With You (8 percent)
  • IT: Scheduled Server Maintenance – No Internet Access (7 percent)
  • Slack: Password Reset for Account

Following are KnowBe4’s top 10 phishing subject lines:

  • SharePoint: Approaching SharePoint Site Storage Limit
  • Microsoft: Anderson Hauck has shared a Whiteboard with you
  • Office 365: Medium-severity alert: Unusual volume of file deletion
  • FedEx: Correct address needed for your package delivery on [[current_date_0]]
  • USPS: Your digital receipt is ready
  • Twitter: Your Twitter account has been locked
  • Google: Please Complete the Required Steps
  • Cash App: Your Account Has Been Closed
  • Coinbase: Important Please Resolve Error Now
  • Would you mind taking a look at this invoice?

High-cost attacks, low-cost prevention

Retruster reported that the FBI investigated more than $12 billion in losses in 2019 and that, according to IBM Corp. statistics, the average financial cost of a data breach is $3.86 million. Phishing attacks are growing at a rate of 65 percent a year, researchers noted. Webroot analysis suggests approximately 1.5 million new phishing sites are being added every month. Also, in 2019 alone, 76 percent of businesses reported being victimized by phishing schemes, and Verizon’s 2019 Data Breach Investigations Report found that 30 percent of phishing attacks are successful, Retruster researchers stated.

Retruster provides an add-on for Microsoft Outlook that checks incoming emails for signs of ransomware, phishing and fraud. Users of the add-on who receive an email that shows signs of ransomware, phishing or fraud are automatically warned within Outlook and given reasons for the warning.

KnowBe4’s Sjouwerman recommends that organizations “phish” employees, using simulated attacks, to help them identify potential threats and email scams while demonstrating how easily attackers can gain unauthorized access to an organization’s network. KnowBe4 provides fully automated simulated phishing attacks and community phishing templates, he added.

ControlScan’s Carl pointed out that phishing emails are frequently a delivery system for malware, as attackers embed links in emails that appear to be legitimate. ControlScan, a managed security service provider, provides targeted services designed to meet specific requirements for a range of industries, including healthcare, retail, hospitality and payments industry companies, he noted.
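The checks an email add-on such as the one described above performs, and the “legitimate-looking link” problem Carl describes, can be illustrated with a small heuristic that flags the red flags visible in the subject lines listed in this article. The code below is an added example written for this page; it is not Retruster’s, ControlScan’s or KnowBe4’s code. The brand-to-domain table, the urgency word list and the two sample messages are constructed assumptions, not data from the article.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands named in the lure subject lines on this page, mapped to the domains
# those brands send mail from. Illustrative assumption, not a vetted allow-list.
BRAND_DOMAINS = {
    "office 365": ("microsoft.com", "office.com"),
    "sharepoint": ("microsoft.com", "sharepoint.com"),
    "microsoft": ("microsoft.com",),
    "dropbox": ("dropbox.com",),
    "fedex": ("fedex.com",),
    "usps": ("usps.com",),
    "twitter": ("twitter.com",),
    "google": ("google.com",),
    "slack": ("slack.com",),
    "coinbase": ("coinbase.com",),
    "cash app": ("cash.app",),
}

# Pressure wording typical of the security-alert lures in the KnowBe4 list (assumed set).
URGENCY_WORDS = ("locked", "closed", "de-activation", "alert", "resolve",
                 "password", "storage limit", "required")

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _same_org(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def sender_domain(msg):
    """Lower-cased domain of the From: header ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def brand_in_subject(subject):
    """First known brand named in the subject line, or None."""
    s = subject.lower()
    for brand in BRAND_DOMAINS:
        if brand in s:
            return brand
    return None


def link_mismatches(html):
    """(shown_url, real_host) pairs where anchor text displays a URL on a different host."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if not re.match(r"https?://", shown, re.I):
            continue  # plain words as link text: nothing to compare
        real_host = urlparse(href).hostname
        if urlparse(shown).hostname != real_host:
            found.append((shown, real_host))
    return found


def assess(raw_message):
    """Return the list of red flags found in one RFC 822 message (empty = none noted)."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    reasons = []
    brand = brand_in_subject(subject)
    dom = sender_domain(msg)
    if brand and not any(_same_org(dom, d) for d in BRAND_DOMAINS[brand]):
        reasons.append(f"subject names {brand!r} but sender domain is {dom!r}")
    if any(w in subject.lower() for w in URGENCY_WORDS):
        reasons.append("subject uses pressure/urgency wording")
    if msg.is_multipart():
        body = "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    else:
        body = msg.get_payload()
    for shown, real in link_mismatches(body):
        reasons.append(f"link text shows {shown} but points to {real}")
    return reasons


# Constructed sample messages (not real mail). Domains use .example, a reserved TLD.
LURE = """\
From: Microsoft Security <alerts@mail-notify.example>
To: user@corp.example
Subject: Office 365: Medium-severity alert: Unusual volume of file deletion
Content-Type: text/html

<p>Review the alert:</p>
<a href="https://portal-office.example/login">https://portal.office.com/alerts</a>
"""

LEGIT = """\
From: Dropbox <no-reply@dropbox.com>
To: user@corp.example
Subject: Dropbox: Document Shared With You
Content-Type: text/html

<a href="https://www.dropbox.com/s/abc">https://www.dropbox.com/s/abc</a>
"""

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("legit", LEGIT)):
        print(name, assess(raw) or "no red flags")
```

The three checks mirror the reasons a user-facing warning could cite: a brand named in the subject but a sender domain that does not belong to that brand, the pressure wording that the security-alert lures rely on, and anchor text that displays one URL while the href points somewhere else. A real filter would also consult SPF/DKIM results and reputation data; this example only shows the kind of evidence that goes into a warning and its explanation.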

A link to KnowBe4’s phishing email infographic can be found at: www.knowbe4.com/press/q4-2019-knowbe4-finds-security-related-and-giveaway-phishing-email-subject-lines-get-the-most-clicks

A link to the Retruster 2019 phishing and email fraud infographic can be found at: retruster.com/blog/2019-phishing-and-email-fraud-statistics.html

A link to ControlScan’s 4 ways that malware can sneak into your network infographic can be found at: www.controlscan.com/4-ways-malware-attacks-infographic/
