, 24 March 2021

Clever cybercriminals take advantage of busy employees to steal credentials, money, and data

It only takes a matter of minutes for cybercriminals to bait, hook, and catch a phishing victim among your employees and then leverage that success into a broader cyberattack on your business. The story goes like this:

1. Choosing victims: A cybercriminal launches a phishing campaign to either random email recipients (often obtained from a previous data breach) or targeted to a specific company or industry. In this case, an employee of ABC Manufacturing is randomly targeted with a phishing email.
2. Setting the bait: The employee, Andi, opens the phishing email and sees a convincing message about a document to be downloaded from a well-known file-sharing application. It’s convincing because Andi uses the application to share documents both within the organization and externally with company suppliers. The email includes the application’s branding to make it look legitimate. Furthermore, the sender appears to be her boss, which is a technique called spear phishing, a malicious email that impersonates an individual for the purpose of tricking a recipient into completing a desired action.
3. Hooking the target: Andi is incredibly busy on this day and clicks on the malicious link so she can deal with this latest interruption to her already overflowing schedule. The link takes her to a fake website where she’s asked to enter her login credentials. She enters them and opens the document, which contains hidden malware.    
4. Taking malicious actions: The malware downloads to her device and then rapidly spreads across the ABC Manufacturing company’s network, allowing the cybercriminal to steal credentials and sensitive data along the way. At some point in the attack, ransom notes begin popping up on employees’ screens and operations come to a halt.              

Phishing is a bigger threat than ever

According to the Anti-Phishing Working Group (APWG), roughly 200,000 new phishing sites crop up each month, with campaigns impersonating more than 500 different brands and entities per month. The group’s Phishing Activity Trends Report reveals that the number of phishing attacks doubled throughout 2020. Attacks peaked in October 2020, with a record 225,304 new phishing sites appearing in that month alone. 

According to consulting firm Deloitte, 91% of all cyberattacks begin with a phishing email to an unsuspecting victim. Phishing campaigns impersonate email and file-sharing service providers, pretend to be vendors or job seekers, pose as financial institutions, and much more to gain login credentials, steal money and data, and hold businesses and their systems and data hostage.      

Why phishing still works

We all know to never click on links or open attachments in sketchy emails. Yet, phishing remains a lucrative attack vector for bad actors.

That’s because attackers have become more adept at impersonation and taking advantage of our busy work lives. As humans, we’re vulnerable to experiencing momentary lapses in judgment because we’re juggling various applications such as group chats, videoconferences, emails, and other intrusions on our focus on normal work tasks. A phishing email that seems to fit within a busy workflow might just slip through in a moment of multitasking.  

Data loss is the top impact   

Once a phishing victim has taken the bait, then the malicious actor can do several things:

• Control the victim’s device using malware
• Gain access to account credentials for data or financial theft
• Access the victim’s email and contacts to further target company executives or other employees
• Spread malware including ransomware to other devices on the same network
• Gain access to other company systems, data, or intellectual property

When a successful phishing campaign turns into a successful cyberattack, the impact to the business can be devastating. A recent survey reports that data loss is the most frequent result of a successful phishing attack, cited by 60% of respondents. Compromised accounts or credentials was the second biggest impact, mentioned by 52%, with ransomware infections close behind with 47%.

Protection against phishing attacks  

To protect your business against damage from a successful phishing attack, it’s best to take a multi-pronged approach. First, provide employees with anti-phishing training and information on a regular basis to help them recognize phishing campaigns and avoid becoming victims.

Second, assume that mistakes will still happen and someone within the company will accidently click on a malicious link, open a malicious attachment, or provide login credentials to a fake website. To help limit the damage from a successful phishing attempt, make sure your anti-spam and antivirus software is up to date on employee devices.

Third, secure traffic on your network to further mitigate phishing risk. Avast Secure Web Gateway (SWG) blocks phishing attempts by analyzing and blocking bad sites, as well as blocking malicious downloads and known malicious URLs from entering the network.

To learn how to avoid becoming the victim of a phishing campaign, be sure to check out our latest infographic.