Phishing is THE main culprit of modern-day data breaches.
It shows no favoritism, attacking ordinary people and businesses alike, and will only grow in prominence over the next few years. The Federal Bureau of Investigation (FBI) estimates that as many as 90% of all cyber incidents originate from phishing and believes we could see a 400% increase in attempts year-over-year.
Cybercriminals use phishing as an attack vector because of its versatility and ability to exploit our most vulnerable assets — people. It works by a threat actor pretending to be a trusted colleague or familiar company through what appears to be a legitimate email. The idea is to get the victim(s) to complete a task such as submitting credential data into a spoofed webpage, transferring funds to an untraceable bank account, downloading malware, or enabling network access to the scammer.
Defense contractors, unfortunately, are not excluded from phishing or its sophisticated techniques. If one Facility Security Officer (FSO) or cleared employee falls victim to these attacks, sensitive national security information could fall into the wrong hands. Even scarier, cybercriminals stay ahead of the game by adapting their methods to our controls — keeping us in a constant reactionary state. Therefore, to keep your facility safe and mitigate risk, you must understand past, present, AND future phishing techniques.
The Past, Present, and Future of Phishing
Phishing evolved in the 1990s from what was considered “junk” or “spam” mail once it incorporated malicious software, fraudulent commands, or links to spoofed websites. Since then, attackers have maintained a proactive framework that constantly adapts by taking advantage of significant news events, user circumstances, and the popularity of specific companies or software tools.
Phishing Techniques That Were
While we could go point-by-point through the complete history of phishing, the primary technique to focus on is how scammers leverage current events. For example, during the COVID-19 pandemic, many cybercriminals took advantage of work-from-home (WFH) models and deployed mass attacks that used pandemic-related context. They crafted emails pretending to be from trending tools like Zoom, Slack, or DocuSign, or sent messages urging recipients to get vaccinated immediately.
The result was a 220% spike in phishing incidents. Another example was the 300% increase in Russian phishing attempts against NATO countries just after Russia invaded Ukraine. Why does this all matter? FSOs must understand that history tells us phishing will always exploit trends and follow the news. Stay up-to-date on what’s happening in the business and technology world, and you’ll be able to identify threats more easily.
Phishing Techniques That Are
Today’s phishing methods are showing just how versatile these attacks can be. While a recent report saw a 102% increase in phishing attempts in Q1 2023, the most alarming trend is how they’re deployed. Attackers are now using non-traditional channels, such as text messages or voicemail, to boost the urgency of their requests to victims.
“Another channel of phishing gaining popularity is through Google ads. A scammer will lure a consumer to a spoofed retail or online service website by deploying an advertisement at the top of a results page that adheres to keywords from someone’s previous Google searches. As far as the individual consumer knows, they’re seeing and clicking on a site link from a legitimate ad by the company when they’re actually on the verge of submitting personal, financial, or credential data to a cybercriminal.”
Phishing Techniques Yet to Come
Now, we get to the future of phishing and related cyber threats. As we add new and advanced email security controls, cybercriminals will adapt to focus on more targeted attacks. There’s been a steady increase in business email compromise (BEC), where attackers gain access to a colleague’s existing email account (or use a spoofed address) to trick someone into sending money somewhere or divulging sensitive data.
We predict this will lead to an uptick in individually-targeted (spear) phishing or whaling attacks focusing specifically on high-level executives and directors. Artificial intelligence (AI) will also likely play a huge role in obtaining information on individual targets and crafting highly-sophisticated email content.
Phishing Security Best Practices for FSOs
Protecting against phishing requires a holistic and layered security approach. The system needs to consist of solutions that identify, prevent, detect, and respond to malicious emails while acting as safety nets should one of the controls fail. Here are the best ways to help mitigate phishing risks in your organization:
- Train, train, train: Awareness is the best protection against phishing. You can prevent it altogether if employees know what phishing looks like and what to do if they’ve identified it.
- Encourage open dialogues: Most phishing is done on a mass scale targeting numerous individuals in an organization. If one person receives it, odds are another will shortly after, so maintain policies on reporting suspected phishing to your IT or security teams.
- Utilize spam filters: Spam filters allow an organization to secure its entire network from malicious emails. Today’s filtering tools use AI to identify suspicious messages and prevent them from entering user inboxes.
- Employ email security tools: In addition to spam filters, endpoint security tools can analyze the contents of an email, even ones sent from already-trusted addresses. AI-powered tools will scan messages and alert users of potential email impersonation and phishing.
- Prioritize multi-factor authentication (MFA): When scammers are phishing specifically for passwords, MFA is the best safety net should all the other layers fail. Even if an employee submits their credentials to a cybercriminal, the additional login requirement still blocks the attacker from accessing the targeted system.
In addition to the standard best practices, instruct your personnel to use common sense when dealing with phishing and ensure procedures are well documented. If a colleague makes an email request that seems out of place, the targeted employee should call to confirm that the request is legitimate. Likewise, if employees receive emails from service and software providers asking them to complete an action, they should verify the request by contacting the provider’s support line or checking their account notifications.
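As an added example (not code from the original post or from MathCraft's products), here is the kind of sender-impersonation check that the email security tools above apply, written with Python's standard library and run over a constructed spoofed-sender BEC message; the domains, staff names and keyword list are assumptions. Note that a genuinely compromised colleague account passes every sender check here, which is why the out-of-band phone confirmation described above remains necessary.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed reference data: own domain, staff names attackers borrow, trusted providers.
INTERNAL_DOMAIN = "example-defense.com"
KNOWN_STAFF = {"dana reyes", "facility security office"}
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "docusign.com", "zoom.us"}
URGENCY_WORDS = ("urgent", "immediately", "wire transfer", "gift card", "verify your account")

def _domain(addr: str) -> str:  # lower-cased domain part of an address, '' if malformed
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def _edit_distance(a: str, b: str) -> int:  # Levenshtein; a trusted domain at distance 1 is a lookalike
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_indicators(raw: str) -> list[str]:  # parse one RFC 5322 message, return tripped heuristics
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    flags = []
    # A known colleague's display name on a non-internal address (spoofed-sender BEC).
    if name.strip().lower() in KNOWN_STAFF and from_dom != INTERNAL_DOMAIN:
        flags.append("display-name impersonation")
    # A Reply-To on a different domain silently diverts the victim's answer to the attacker.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_dom:
        flags.append("reply-to mismatch")
    # Sender domain one character away from a domain the organization trusts.
    if from_dom not in TRUSTED_DOMAINS and any(_edit_distance(from_dom, t) == 1 for t in TRUSTED_DOMAINS):
        flags.append("lookalike domain")
    # Urgency and payment language in the subject or plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency or payment language")
    return flags

# Constructed sample: a spoofed-sender BEC attempt borrowing a colleague's name.
SPOOFED_BEC = """From: Dana Reyes <dana.reyes@example-defense.co>
Reply-To: dana.reyes@mail-relay-example.net
Subject: URGENT wire transfer before 3pm

Please send the payment immediately, I am stuck in a meeting.
"""
```

Calling `phishing_indicators(SPOOFED_BEC)` returns all four indicators, while the same message sent from the real internal address with no Reply-To trips only the urgency check, so the language heuristic alone should raise a warning rather than block delivery.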
Stay Up-to-Date on Facility Security Trends with MathCraft
As long as email remains the most commonly-used company resource, phishing will continue as the primary attack method for cybercriminals. FSOs and their teams must stay resilient and informed on all attack trends while deploying top-of-the-line tools that prevent and detect malicious emails.
Contact us to learn how our suite of industrial-security management software helps FSOs secure their facilities, manage audits and complex contract requirements, and oversee cleared personnel in one highly-intuitive software platform.