New Research: Smaller Companies Receiving Higher Rates Of Phishing Emails

Researchers at Barracuda have found that smaller companies tend to receive a higher rate of phishing attacks spread across the organization, according to a report looking at the phishing attack surfaces of companies of different sizes.

This is likely due to the smaller number of potential targets and the higher level of access possessed by each employee. At larger organizations, spear phishing attacks generally focus on specific, high-value targets, such as executives or employees with access to financial decisions.

“Smaller companies tend to have flatter organizational structures with easier access to names or contact details,” Barracuda explains. “This could mean that attackers can target a wide range of employees. Due to their smaller size, they are also likely to have more people with privileged access to data and systems. There are fewer degrees of separation between employees, enabling attackers to move laterally quickly. As a result, inbound attack emails are more evenly distributed across the business and could target the intern as well as the CEO.”

Phishing remains a top threat for large organizations as well. Barracuda found that attacks against large companies often involve lateral phishing, in which threat actors use compromised accounts to send phishing emails to other accounts within the organization.

“Just under half (42%) of the targeted email attack detections in the largest companies involved lateral phishing, compared to only 2% for the smallest organizations,” the researchers write. “This internal attack vector is a major risk for large businesses. The prevalence of account compromises among larger businesses may reflect the fact that credentials for many companies are likely already available for purchase on the dark web, making lateral phishing a straightforward attack.”


Global Cyber Attacks See Highest Increases in the Last Two Years

New analysis of Q2 2024 cyber attacks shows the number of attacks experienced weekly by organizations globally is on the rise.

Each quarter, Check Point Research publishes a report covering the cyber attack activity it is seeing globally. Its latest report, covering Q2 2024, highlights an unexpected rise in overall attack numbers.

According to the data:

  • Q2 saw a 30% YoY increase in cyber attacks globally, as well as a 25% increase over Q1
  • Organizations experienced an average of 1,636 attacks per week
  • The three most attacked industries were education/research, government/military, and healthcare

(Figure: Q2 2024 attack figures. Source: Check Point)

The education industry was a primary cause for the overall rise in attacks last quarter; that sector saw a 53% increase YoY, experiencing an average of 3,341 attacks per organization every week.

Check Point makes a number of recommendations to help minimize the risk of a successful cyber attack, which I want to echo:

  1. Vulnerability Management – Assess and patch systems and applications to ensure the strongest security stance
  2. Advanced Threat Prevention – Check Point discusses solutions designed to detect and block attacks at several stages
  3. Network Segmentation – Be able to isolate compromised systems to reduce the attack surface
  4. Security Awareness Training – Check Point is spot on in citing the importance of “fostering a culture of vigilance”

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.


Avoid Donating to Charity Scammers

The Federal Trade Commission provided some helpful tips to help you and your users donate safely this holiday season and all year round:

  1. Do some research online – Start by searching for causes you care about along with phrases like “best charity” or “top rated charity”. When you consider giving to a specific charity, search its name plus “complaint,” “review,” “rating,” or “scam.” You can use resources such as Charity Navigator or CharityWatch to verify your search.
  2. Be careful how you pay – If someone wants donations in cash, by gift card, or by wiring money, don’t do it. That’s a trap for scammers to take your money. Be on the safe side and pay by credit card or check, and keep records of your donations. Before you click on a donation link, check out this FTC article to help you make sure your money is going where you think it is.
  3. Keep scammers’ tricks in mind – Some cybercriminals try to trick you into paying them by thanking you for a donation that you never made, or use a local area code when making a call. Make sure to watch out for red flags such as guaranteeing sweepstakes winnings in exchange for a donation (it’s illegal) or claims that your donation is tax-deductible when it’s not. If you’re feeling rushed or pressured to make a donation, that should also be a red flag that something isn’t quite right.

Every year cybercriminals prove there is no social engineering scheme too low for them to use in their attacks. New-school security awareness training can train your users on how to spot and report any malicious activity.

Take time to read the article “Shocking Charity Scam Statistics: VPNRanks Predicts Staggering $6.2 Million in Losses by 2025”; it sheds more light on this topic.

Happy reading.


Phishing Attacks Continue to Leverage URL Shorteners to Obfuscate Malicious Links

Analysis of current phishing attacks by security researchers has uncovered an increase in the use of trusted shortlink services.

To be successful, phishing scammers need to establish legitimacy as much and as early as possible.

Brand impersonation within an email has long been one method, but to appear legitimate to security solutions as well, scammers have had to do more than just use a look-alike domain.

According to security researchers at Barracuda, a wave of phishing attacks is leveraging legitimate URL shortening services to add a layer of obfuscation to their malicious links in emails.

While some security solutions actually follow links to – and analyze – their final destination, many solutions simply look at the link itself. With a shortlink such as those created by bit.ly, which look like “bit[dot]ly[slash]FakeURL”, a solution that takes the link at face value sees only the trusted shortener domain and treats the link as legitimate.

Barracuda theorizes that threat actors are compromising credentials at these shortlink services to gain access and utilize them as part of phishing attacks.

There are really only two ways to counteract this:

  1. Employ security solutions that traverse links and scan the final web destinations for malicious content
  2. Teach users, through continual new-school security awareness training, to be vigilant every time they interact with an email, an attachment, or a web link: not trusting the content or context in front of them, and choosing to scrutinize before proceeding.

And because cybercriminals will continue to evolve their methods, both of the ways mentioned should be put in place.
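As an added example (not Barracuda’s or KnowBe4’s code), the following Python shows what “traversing links and scanning final destinations” involves: it pulls URLs out of an email body, follows each redirect hop with a hop limit and loop check, and reports the real landing host next to the shortener host a face-value scanner would see. The shortener list, the sample email and the redirect table are constructed for illustration, and the live `http_resolve` helper is an assumed implementation of the per-hop lookup; the offline `canned_resolve` stand-in is what the sample run uses.

```python
import re
from typing import Callable, Dict, List, Optional
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}  # assumed list, not from the article
URL_RE = re.compile(r"https?://[^\s<>\"']+")


class _NoRedirect(HTTPRedirectHandler):
    """Stop urllib following redirects itself so each hop can be recorded."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_resolve(url: str) -> Optional[str]:
    """Live resolver (assumed implementation): one HEAD request, returns Location or None."""
    try:
        build_opener(_NoRedirect).open(Request(url, method="HEAD"), timeout=5)
    except HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
    return None


def expand(url: str, resolve: Callable[[str], Optional[str]],
           max_hops: int = 5) -> List[str]:
    """Follow redirects hop by hop; the returned chain starts with `url`."""
    chain = [url]
    for _ in range(max_hops):
        location = resolve(chain[-1])
        if location is None:
            break
        nxt = urljoin(chain[-1], location)  # Location may be relative
        if nxt in chain:                    # redirect loop: stop here
            break
        chain.append(nxt)
    return chain


def inspect_email(body: str, resolve: Callable[[str], Optional[str]]) -> List[Dict]:
    """Report each link's face-value host beside its real final destination."""
    findings = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        chain = expand(url, resolve)
        final_host = urlparse(chain[-1]).hostname or ""
        findings.append({
            "url": url, "shortened": host in SHORTENER_HOSTS,
            "final_url": chain[-1], "hops": len(chain) - 1,
            "host_changed": final_host != host,  # invisible to a face-value scan
        })
    return findings


# Constructed sample: shortener -> tracking redirector -> look-alike login page.
SAMPLE_REDIRECTS = {
    "https://bit.ly/3xampl3": "https://redir.example.net/r?id=7",
    "https://redir.example.net/r?id=7": "https://login-micros0ft.example/verify",
}
SAMPLE_EMAIL = "Your mailbox is almost full. Review it at https://bit.ly/3xampl3 today."


def canned_resolve(url: str) -> Optional[str]:  # offline stand-in for http_resolve
    return SAMPLE_REDIRECTS.get(url)
```

Swapping `canned_resolve` for `http_resolve` turns the same logic into a live checker; in a mail gateway the final destination, not the shortener host, is what should be scanned or compared against a blocklist.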


Newly Discovered Phishing Attacks Target Bank Customers

First National Bank has warned of an increase in phishing and smishing attacks, IT-Online reports.

Trish Ramdhani, head of fraud at FNB Card, stated, “In recent cases, some consumers received SMSes claiming that their bank requires them to urgently FICA by clicking on a link that takes them to the fraudster’s platform, where their information is then compromised. The technique now includes attempting to entice the user to divulge both their card information and the one-time password (OTP), which is subsequently used to complete successful transactions using smart devices.”

FNB offers the following recommendations to help people avoid falling for these scams:

  • “Don’t panic: Fraudsters rely on people acting hastily due to a sense of panic. The tactics include threats that your accounts will be blocked or that fraud has been identified and must be stopped immediately. Whatever the scenario, keep in mind that such things will never compel you to give away OTPs, PINs, or passwords. It is safer to end such communication and contact your financial institution right away.
  • “Do not click on email or SMS links: When opening emails from unknown sources or those that appear suspicious, proceed with caution. Clicking on links or downloading attachments from these kinds of messages should be avoided because they may include harmful malware or redirect you to fake websites.
  • “Enable two-factor authentication (2FA): Enable 2FA wherever possible since it adds an extra layer of security by requiring a second verification step, which is often transmitted to your mobile device or an authenticator app, such as the FNB Apps for FNB customers.
  • “Take note of the card and digital safety measures recommended by your financial institution: There is a lot of misleading information about how people may protect themselves from fraud, but it is always preferable to follow your financial institution’s recommendations on how to secure your money.
  • “Keep software and devices up to date: Update your operating system, web browsers, and antivirus software on a regular basis to guard against vulnerabilities. To ensure that you get the most recent security fixes, enable automatic updates whenever possible.”

Spear Phishing Trends in 2023

50% of organizations surveyed were victims of spear phishing attacks in the last twelve months, according to a new report from Barracuda. The report also found that, on average, organizations receive five “highly personalized spear phishing emails per day.”

“In an analysis of 50 billion emails across 3.5 million mailboxes, Barracuda researchers uncovered nearly 30,000,000 spear phishing emails,” the report states. “While these emails make up less than 0.1% of all emails sent, they greatly impact organizations when attacks are successful. (For comparison, high-volume attacks, such as spam and malware, make up about 16% of emails, but their impact is not as high.) The average cost of a data breach caused by business email compromise was nearly $5 million in 2022, according to IBM. And no business is immune.”

The researchers found that while spear phishing makes up a very small percentage of email attacks, it’s responsible for a majority of successful breaches.

“Three-quarters of respondents surveyed said they fell victim to an email attack in the last 12 months. Half said they were the victims of spear phishing,” the report says. “That means 2 out of 3 successful email attacks are spear phishing attacks that use personalized messages, social engineering, and other tactics. This is significant because these attacks make up only 0.1% of all email-based attacks according to Barracuda’s data but are responsible for 66% of all breaches. On the other hand, high-volume attacks such as spam and malware, make up 16% of emails but are only responsible for one-third of breaches. Spear phishing protection is critical because even just one successful attack can be devastating.”

Almost all the organizations that fell victim to spear phishing suffered adverse effects.

“Nearly every victim of a spear phishing attack in the last 12 months saw impacts on their organization, including malware infections, stolen data, and reputational damage,” the researchers write. “While a direct monetary loss is one of the effects, all the other impacts could also result in some financial damage for an organization as a result of an attack.”

New-school security awareness training can enable your employees to thwart targeted social engineering attacks.


[Mastering Minds] China’s Cognitive Warfare Ambitions Are Social Engineering At Scale

As the world continues to evolve, so does the nature of warfare. China’s People’s Liberation Army (PLA) is increasingly focused on “Cognitive Warfare,” a term referring to artificial intelligence (AI)-enabled military systems and operational concepts. The PLA’s exploration into this new domain of warfare could potentially change the dynamics of global conflict.

The PLA’s interest in “cognitive warfare” is particularly intriguing. Cognitive warfare refers to operations that leverage techniques and technologies such as AI to influence the minds of adversaries, shape their decisions, and create a strategically favorable environment. This approach could potentially allow China to achieve victory without resorting to conventional weapons. We’re talking social engineering at potential massive scale.

The PLA’s exploration into cognitive warfare is part of China’s broader commitment to AI and other cutting-edge technologies, as emphasized by President Xi Jinping. China aims to become the world’s leading AI power by 2030, and it is integrating AI into three common areas: information processing, unmanned weapons, and decision-making.

However, China is taking it a step further by exploring the use of AI in cognitive warfare. This involves influencing the thinking of decision-makers, military commanders, and the general public in rival countries. For instance, Beijing could use social media and other means to spread disinformation, manipulate public opinion, and discredit U.S. efforts to support Taiwan.

To achieve this, China would need to develop the necessary cyber, psychological, and social engineering capabilities. It would also need to amass a great deal of detailed personal information. There are concerns that China has already collected a massive amount of data on government officials and ordinary U.S. citizens, which could be used to influence perceptions.

The PLA is also focusing on using AI to influence the state of mind of its own troops. They are working on wearable technology and a “psychological support system” to better prepare soldiers for real combat situations. This includes smart sensor bracelets that can record facial information and judge psychological states in real time.

Whether or not China’s “AI-driven warfare” succeeds, it is crucial to pay attention to social engineering at massive scale, as it has become increasingly feasible thanks to recent breakneck advances.


Financial Fraud Phishing Attacks Increase 72% In One Year; Financial Industry Takes the Brunt

With attackers knowing financial fraud-based phishing attacks are best suited for the one industry where the money is, this massive spike in attacks should both surprise you and not surprise you at all.

When you want tires, where do you go? Right – to the tire store. Shoes? Yup – shoe store. The most money you can scam from a single attack? That’s right – the financial services industry, at least according to cybersecurity vendor Armorblox’s 2023 Email Security Threat Report.

According to the report, the financial services industry as a target has increased by 72% over 2022, and was the single largest target of financial fraud attacks, representing 49% of all such attacks. When breaking down the specific types of financial fraud, it doesn’t get any better for the financial industry:

  • 51% of invoice fraud attacks targeted the financial services industry
  • 42% of payroll fraud attacks
  • 63% of payment fraud

To make matters worse, nearly one-quarter (22%) of financial fraud attacks successfully bypassed native email security controls, according to Armorblox. That means 1 in 5 email-based attacks made it all the way to the Inbox. The next layer in your defense should be a user that’s properly educated using Security Awareness Training to easily identify financial fraud and other phishing-based threats, stopping them before they do actual damage.


The Number of Phishing Attacks Continues to Grow at a Rate of 150% Per Year

The latest Phishing Activity Trends Report from the Anti-Phishing Working Group (APWG) shows an unrelenting upward trend in the number of phishing attacks per quarter.

Despite the alarm that the growth in the number of phishing attacks should generate, this report sheds some light on what seems to be working for cybercriminals if you dig a little deeper. According to the report:

  • The number of unique email subjects increased by 99.2%, totaling over 250,000 in Q4
  • The number of brands impersonated decreased slightly by 4% to 1780
  • The number of unique phishing websites increased slightly by 6% to just over 1.3 million

In essence, it appears that more unique campaigns are the answer – after all, there are only so many brands that have a broad appeal. It is interesting to see that the number of phishing websites is not increasing in step with the unique email subjects, although the “unique” email subjects may simply be variations on a theme aimed at using the same phishing website to capture credentials, banking details, etc.

The scarier part of this report is that continual 150% growth.

(Figure: phishing attack growth trend. Source: APWG)

This growth is a mix of new threat actors getting into the game, improvements in the “as a service” of just about every facet of cyber attacks, and the fact that successful attacks are also increasing in numbers.


Cyber Insurance Demand Grows as Cybercrime is Expected to Rise to $24 Trillion by 2027

As cyber attacks continue to grow in sophistication and frequency, cyber insurers are expecting their market to double in the next two years.

I’ve spent a lot of time here on this blog educating you on attack specifics, industry trends, and the impacts felt by attacks. I’ve also talked quite a bit about cyber insurance and the trends therein. But seldom have we been able to combine the two and present the state of cyber attacks from an insurer’s perspective.

Cyber insurer Munich Re recently released its “Cyber insurance: Risks and Trends 2023” report, which provides us with some insight into the state of attacks and their impact on cyber insurance. According to the report:

  • Cyber crime costs in 2022 are estimated at $8.4 trillion
  • They are expected to be approximately $11 trillion in 2023
  • They are expected to rise to $24 trillion by 2027

According to Munich Re, “ransomware was, by far, the leading cause of cyber insurance losses”, making it primarily responsible for the projected massive growth in cyber insurance – which is estimated to have been a market size of $11.9 billion in 2022 and projected to reach $33.3 billion by 2027.

Cyber crime costs are estimated to grow 3x over the next 4 years, and the cyber insurance market is estimated to grow 3x in the same timeframe. This means that organizations should expect both a rise in the frequency of attacks in the coming years and an increase in the cost of cyber insurance. Rising insurance costs should be a clear indicator that spending budget on prevention methods (including security awareness training) is far better than putting all your eggs in the cyber insurance basket.
