The PhishLabs Blog

Phishing Attacks Come in a Wide Variety of Flavors...Make Sure Your Employees Get a Taste of Each


While more organizations than ever before recognize the need to educate and train their employees on the dangers of phishing attacks, it’s important that those in charge of training make sure employees understand that not all phishing probes are alike. That’s because recognizing the “smell” of a phishing attempt is a powerful defense against the malicious bag of tricks cybercriminals use to breach your security.

In 2015, PhishLabs analyzed more than 1 million confirmed malicious phishing sites residing on more than 130,000 unique domains. While the typical consumer phishing attack has garnered much attention, the specialized business spear phishing attack poses increasing risk for a company and its employees. 

Here’s a brief menu of the types of phishing attacks your employees need to recognize and avoid. 

The Chef’s Choice: Executive Wire Transfer Request

How it tempts your employees

These are fake email requests, typically appearing to come from an executive such as the CEO or CFO, asking for immediate payment of an invoice due to a vendor. Another variant spoofs a vendor asking to change its payment information. Known as Business Email Compromise (BEC) attacks, they are usually well researched for a specific company and therefore look genuine to most employees.

Why you need it on your training menu

Used extensively in the latter half of 2015 and the beginning of 2016, wire transfer phishing has been quite effective, costing companies $1 billion over 18 months. Once a company sends money to a fraudulent account it is almost impossible to recover, so prevention through training with real-world examples is essential to keep employees vigilant.
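The two BEC lures just described (an executive asking for an urgent wire, and a vendor asking to change payment details) share a handful of signals a mail-triage rule can look for. The following is an added example, not PhishLabs code; the company domain, executive roster and sample messages are constructed for illustration.

```python
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                # assumed company domain
EXECUTIVES = {                                 # constructed roster: display name -> real mailbox
    "jane doe": "jane.doe@example.com",
    "john roe": "john.roe@example.com",
}
PAYMENT = re.compile(r"\b(wire|transfer|invoices?|payments?|remittance)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today|eod)\b", re.I)
BANK_CHANGE = re.compile(r"\b(updated?|changed?|new)\b.{0,40}\b(bank|account|routing)\b", re.I | re.S)

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(from_header, reply_to, subject, body):
    """Return the list of BEC indicators found in one message (empty list = nothing seen)."""
    name, addr = parseaddr(from_header)
    name, addr = name.strip().lower(), addr.lower()
    _, reply_addr = parseaddr(reply_to or "")
    text = f"{subject}\n{body}"
    found = []
    # Executive's display name used from an address that is not the executive's real mailbox
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        found.append("exec-name-impersonation")
    if _domain(addr) and _domain(addr) != INTERNAL_DOMAIN:
        found.append("external-sender")
    # Replies silently routed somewhere other than the visible sender
    if reply_addr and reply_addr.lower() != addr:
        found.append("reply-to-mismatch")
    if PAYMENT.search(text):
        found.append("payment-language")
    if URGENCY.search(text):
        found.append("urgency-language")
    # The vendor variant: a request to change where money is sent
    if BANK_CHANGE.search(text):
        found.append("bank-detail-change")
    return found

def is_suspicious(from_header, reply_to, subject, body):
    """Hold for out-of-band verification: spoofing plus money talk, or any bank-detail change."""
    ind = set(bec_indicators(from_header, reply_to, subject, body))
    money = "payment-language" in ind
    spoof = bool({"exec-name-impersonation", "reply-to-mismatch"} & ind)
    return (money and spoof) or "bank-detail-change" in ind

# Constructed sample messages: (From, Reply-To, Subject, Body)
CEO_LURE = ("Jane Doe <janedoe.ceo@gmail-mail.example>", None, "Urgent wire transfer",
            "Please process this vendor invoice immediately. I am in a meeting; wire $48,200 today.")
VENDOR_LURE = ("Acme Billing <billing@acme-supplies.example>", "accounts@acme-supp1ies.example",
               "Updated remittance details",
               "We have changed our bank account; please update the routing number for future payments.")
BENIGN = ("John Roe <john.roe@example.com>", None, "Lunch Thursday?",
          "Team lunch at noon Thursday, reply if you can make it.")
```

A rule like this is a triage aid for the mailbox team, not a replacement for the out-of-band verification step (a phone call to a known number) that training should drill for every payment change.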




A Seasonal Feature: W-2 or Payroll Scam

How it tempts your employees

With new IRS reporting requirements for healthcare coverage taking effect this year, HR department employees have been prime targets for W-2 or payroll scams. These phishing attacks appear to come from a trusted internal source, cite an imminent deadline, and request that employee files be forwarded. Alternatively, an employee may get an email that appears to come from your payroll service, warning that their paycheck will be delayed unless they update their information by clicking on a link.

Why you need it on your training menu

These BEC attacks targeting W-2 and other tax-related data have been so successful that the Internal Revenue Service has issued an alert to payroll and HR professionals. In most cases the data collected is sold to cybercriminals for use in other types of fraud. While it’s important to make employees aware of payroll scams, your training should provide specific examples so that employees can recognize such requests for sensitive information and feel empowered to question them.

The Daily Special: Social Media Request

How it tempts your employees

Social media phishing attacks typically take the form of requests to connect with friends or colleagues via popular sites such as LinkedIn, Twitter, Instagram and Facebook. Clicking the link in the email takes the employee to a fake (but very real-looking) site that asks them to enter or verify personal information. The same goes for fake streaming videos, comments on news events, and online surveys, contests or discounts embedded among legitimate messages.

Why you need it on your training menu

Phishing attacks via social media have accelerated in recent months as subscriber numbers continue to grow across the globe. Social media phishing often uses a “trusted” site to embed exploits, and takes advantage of human nature, which is typically more trusting in a social situation. The fact that more businesses than ever use social media to market their products and services only increases the risk.

A Perennial Favorite: Password Reset Request

How it tempts your employees

The password reset request features a bogus email requiring the user, “for security reasons,” to change their user name and password. It appears to come from a legitimate source and can be very convincing, citing the possibility that your employee’s credentials may have been compromised.

Why you need it on your training menu

The password reset request has always been a favorite phishing attack because of its simplicity and potential rewards. Since many companies apply the same password safeguards to ordinary users as to privileged users (such as IT administrators), a compromised account can hand attackers the keys to the kingdom in terms of access to critical information, often without detection for weeks or months.

The Budget Buster: Ransomware Attacks

How it tempts your employees

Users typically get an email that looks like it’s from a legitimate sender requesting an immediate action, such as reviewing a supplier invoice or verifying a shipping notice. Once the user clicks the link, malware is downloaded and encrypts files on the system’s hard drive with a key the victim cannot recover. A message then appears on the user’s screen demanding payment in an online currency such as Bitcoin. Ransoms can range from hundreds of dollars for individuals to thousands of dollars for businesses; the attacker will hopefully decrypt the files once the ransom is paid, but there is no guarantee.

[Image: an example of a bogus email with a ransomware link, requesting action from what appears to be a government agency.]

Why you need it on your training menu

Ransomware phishing attacks have increased dramatically over the past few months because they are an easy way for cybercriminals to make money. Other types of phishing typically require an attacker to search company networks for valuable data, extract and process it, and then try to sell it. Ransomware, in contrast, is simpler to execute and its financial rewards are immediate.




How PhishLabs can help

PhishLabs constantly monitors and analyzes millions of phishing attacks every day, gaining extensive visibility into the diverse and emerging methods attackers use to exploit people. Our T2 Employee Defense Training uses this intelligence to accurately assess your risk posture and deliver tailored simulations of the phishing attacks that pose the highest risk to your organization. We use real-world lures in our training to simulate the attacks your employees are most likely to actually experience. To speak with a PhishLabs advisor, simply get in touch via our website.

Topics: Phishing, Ransomware, Spear Phishing
