By now, just about everyone has heard about the massive Equifax data breach. It exposed the sensitive personal information of more than 143 million consumers (nearly half of all Americans) and has been spread across headline after headline since it was first announced on September 7th.
There have been plenty of reports and advisories published since then with guidance for individuals affected. The FTC issued a useful list of steps that victims can take to reduce the risk of their information being abused, many of which could simply be copy/pasted given how frequent and common breaches of this scale have become. Set up fraud alerts, check your credit report for free, sign up for monitoring, freeze your credit files with the major credit bureaus, keep a close eye on financial statements for any unusual activity, etc.
While those are all good steps to take, we should also consider the implications when it comes to phishing.
The data compromised in the Equifax breach is a social engineering goldmine. Social Security numbers, driver's license numbers, names, birth dates, addresses, credit card numbers, and other potentially sensitive information, all tied to specific individuals. It could easily be used to launch highly successful phishing campaigns that would fool even the most savvy targets.
If the data were to be dumped or sold, any cybercriminal could use it to launch massive phishing campaigns that contain personalized info for each recipient. The impact would be severe.
So far, there have been no reports of widespread phishing attacks using the compromised data. There have also been no reports of the Equifax data being dumped or up for sale. As of right now, only the threat actor(s) that carried out the Equifax breach have it. The situation could become much worse should the data be dumped online or sold.
But even without the stolen data, other threat actors can easily take advantage of the Equifax breach just because it is a huge news story. There is a huge chorus of voices from government authorities and media saying individuals need to take urgent action. Conditions are ripe to blend into all of this attention with urgent, authoritative phishing attacks that mention the breach and provide instructions.
Some examples of likely phishing campaigns:
- Offers of "free" credit monitoring in the wake of the breach, which send victims to sites that harvest PII.
- Fake Equifax breach notifications posing as financial institutions or credit bureaus asking account holders to log in and verify their information.
- Fake class-action lawsuit notices to get victims to open a malicious attachment or URL, infecting their system with ransomware or another type of malware.
It is critical that individuals be on high alert for Equifax phishing attacks. They will come. When they do, we all need to be prepared to see them for what they are and not fall victim.
Here are some steps organizations can take to reduce the risk presented by Equifax phishing attacks:
- Simulate at least one Equifax phishing campaign scenario with employees to raise their level of vigilance specific to this phishing threat;
- Train users to report suspicious emails to the security team as quickly as possible;
- Ensure that reported phishing emails are reviewed immediately to identify threats;
- Analyze phishing threats and extract Indicators of Compromise (IOCs) from email lures and payloads;
- Once identified, quickly find and remove phishing emails from user inboxes and mail servers;
- Integrate phishing threat IOCs into email filters and edge protection systems to block subsequent phishing lures.
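The three steps above on analyzing reported lures, extracting IOCs, and feeding them into mail filters can be demonstrated end to end. The following is an added example, written for this page and not PhishLabs code: it builds a constructed "breach notification" lure (all domains are hypothetical `.example` placeholders, the attachment is a dummy byte string), extracts sender domain, link domains, display-text/href mismatches and an attachment hash from it, and then checks later messages against that IOC set the way an email filter would.

```python
"""Extract phishing IOCs from a reported email and match later mail against them.

Added example using only the Python standard library. Every address, domain and
attachment below is constructed for illustration; none is a real indicator.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed dummy attachment content (not a real document).
DUMMY_ATTACHMENT = b"%PDF-1.4 constructed dummy attachment"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def sha256_hex(data: bytes) -> str:
    """Attachment hash used as a file IOC."""
    return hashlib.sha256(data).hexdigest()


def build_sample_lure() -> bytes:
    """Constructed lure: spoofed sender, mismatched link, dummy attachment."""
    msg = EmailMessage()
    msg["From"] = "Equifax Notifications <alerts@equifax-breach-verify.example>"
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "URGENT: Verify your account after the Equifax breach"
    msg.set_content("Please verify your information at https://equifax-breach-verify.example/login")
    # Visible text shows the legitimate site; href points at the lookalike domain.
    msg.add_alternative(
        '<p>Please <a href="http://secure-login.equifax-breach-verify.example/verify?id=123">'
        "verify at https://www.equifax.com/</a></p>",
        subtype="html",
    )
    msg.add_attachment(DUMMY_ATTACHMENT, maintype="application", subtype="pdf",
                       filename="Class_Action_Notice.pdf")
    return msg.as_bytes()


def build_plain_message(sender: str, body: str) -> bytes:
    """Helper to construct simple follow-up or benign messages for the filter check."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "employee@corp.example"
    msg["Subject"] = "Message"
    msg.set_content(body)
    return msg.as_bytes()


class LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_iocs(raw: bytes) -> dict:
    """Pull sender domains, URLs, URL hosts, attachment hashes and link mismatches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    iocs = {"sender_domains": set(), "urls": set(), "url_domains": set(),
            "attachment_sha256": set(), "mismatched_links": []}
    for addr in msg["From"].addresses:
        iocs["sender_domains"].add(addr.domain.lower())
    for part in msg.walk():
        if part.is_attachment():
            iocs["attachment_sha256"].add(sha256_hex(part.get_payload(decode=True)))
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            iocs["urls"].update(URL_RE.findall(part.get_content()))
        elif ctype == "text/html":
            parser = LinkParser()
            parser.feed(part.get_content())
            for href, text in parser.links:
                iocs["urls"].add(href)
                shown = URL_RE.search(text)
                # A URL in the anchor text whose host differs from the href host is a lure tell.
                if shown and urlparse(shown.group()).hostname != urlparse(href).hostname:
                    iocs["mismatched_links"].append((text, href))
    for url in iocs["urls"]:
        host = urlparse(url).hostname
        if host:
            iocs["url_domains"].add(host.lower())
    return iocs


def matches_blocklist(raw: bytes, blocklist: dict) -> list:
    """Return sorted 'type:value' hits, as a mail filter would log before quarantining."""
    found = extract_iocs(raw)
    reasons = []
    for key in ("sender_domains", "url_domains", "attachment_sha256"):
        for hit in found[key] & blocklist.get(key, set()):
            reasons.append(f"{key}:{hit}")
    return sorted(reasons)


if __name__ == "__main__":
    blocklist = extract_iocs(build_sample_lure())  # IOCs from the reported lure
    follow_up = build_plain_message("support@equifax-breach-verify.example",
                                    "Reset at https://equifax-breach-verify.example/reset")
    print(blocklist)
    print(matches_blocklist(follow_up, blocklist))
```

The blocklist here is the raw dictionary returned by `extract_iocs`; in practice the domains and hashes would be exported to the mail gateway's blocklist format, and the `mismatched_links` entries are worth surfacing to analysts as a triage signal rather than used as a blocking indicator on their own.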
We will continue to monitor the phishing landscape for attacks leveraging the Equifax breach and provide updates as necessary. Our collection network identifies phishing attacks in the wild that target our clients' account holders, including those that may reference the Equifax breach as part of the email lure and phishing site. These attacks are shut down quickly by our 24/7 Security Operations Center (SOC).
Additionally, our security awareness training experts have phishing simulation campaigns ready to condition employees to recognize and report phishing attacks exploiting the Equifax breach. Suspicious emails reported by employees can be analyzed by our SOC to identify real threats and deliver IOCs to block attacks in near real-time.
PhishLabs clients that wish to learn more or request a training campaign are encouraged to speak with their PhishLabs Client Success Manager.
If you are not a PhishLabs client and you want to learn more, please contact us.