image description


Phishing Emails | The Complete Overview

Phishing Emails | The Complete Overview

Business is no longer the same as it was. The internet has transformed the world from a collection of pagers to completely distributed companies and entirely new items of value, such as crypto-currency. As the world has shifted online, the criminal world has followed, and even led in some cases. Cyber crime has spiralled and is impacting every business across the world.

Unfortunately, with technology on the rise, there's more room for cyber crime in 2018. According to the Cyber Security Breaches Survey 2018, 43% of businesses were a victim of a cyber security breach in the last 12 months. In the U.S., the state of California lost more than $214 million through cyber crime alone.

Before you can stop it, you need to understand it.

Phishing is a low-risk crime that can deliver huge payoffs, and today cybercrime is relentless, impacting hundreds of millions of people every year. The costs are steep, from compromised intellectual property, personal, and business information, to damaged reputations and lost opportunities, and with the rise of cryptocurrencies, and untraceable payments as a result, phishing can only be expected to rise.

Common forms of cybercrime

The most common forms of cybercrime include:
  • phishing: using fake email messages to get personal information from internet users;
  • misusing personal information (identity theft);
  • hacking: shutting down or misusing websites or computer networks;
  • spreading hate and inciting terrorism;
  • distributing child pornography;
  • grooming: making sexual advances to minors.

    Nowadays, all digital devices (including computers, tablets, and smartphones) are connected to the internet.

    The most common form is phishing.

    Phishing is a form of fraud in which an attacker masquerades as a reputable entity or person in email or other communication channels. The attacker uses phishing emails to distribute malicious links or attachments that can perform a variety of functions, including the extraction of login credentials or account information from victims.

    Dilbert Phishing Cartoon From

    Businesses and their employees are a primary focus for phishing scammers. This is often because the types of scams that can be inserted into a business email server can result in more emotional manipulation.

    30% of phishing emails in the U.S. are opened That's almost one-third of all emails, according to Verizon's 2018 Data Breach Investigations Report.

    And indeed, what's happening with phishing attacks against both consumers and businesses is a what's known as social engineering. Phishing attempts work toward 4 appeals: fear, greed, obedience, and helpfulness. Especially as it applies to business employees, it's easy to imagine how an employee might be manipulated into clicking on a phishing attack utilizing any of these appeals.

    For example, a phishing email scam warning an employee about an open enrollment deadline for healthcare could lure in enough clicks do to reasonable damage. Employees may feel both the fear of missing the deadline and the need to obey the command to sign up before the deadline has passed, potentially clicking on the link and entering personal information or downloading malware before realizing the mistake.

    Scam artists continue to hone their skills of behavioral manipulation, persuading unwary consumers and business employees to click on phishing emails, links, and web pages: As of 2015, 97 percent of consumers could not correctly identify phishing scam emails. The McAfee survey had 19,000 respondents from around the world, highlight the global impact of phishing scam emails in general. (Source: McAfee) Unexpectedly, those 55 or older are more likely to know what phishing is over their younger peers aged 18-29. 71 percent of those 55 or older effectively identified what phishing is, as opposed to 61 percent for the other age group. (Source: Wombat Security) Germans and UK residents were also more likely to successfully define phishing versus their US counterparts. Over 70 percent of Germans and UK residents could define phishing correctly, versus just 61 percent of US respondents. (Source: Wombat Security)

    How phishing got its name

    The history of the term phishing is not entirely clear.

    One common explanation for the term is that phishing is a homophone of fishing, and is so named because phishing scams use lures to catch unsuspecting victims, or fish.

    Another explanation for the origin of phishing comes from a string -- <>< -- which is often found in AOL chat logs because those characters were a common HTML tag found in chat transcripts. Because it occurred so frequently in those logs, AOL admins could not productively search for it as a marker of potentially improper activity. Black hat hackers, the story goes, would replace any reference to illegal activity -- including credit card or account credentials theft -- with the string, which eventually gave the activity its name because the characters appear to be a simple rendering of a fish.

    Types of phishing

    As companies continue to educate their employees in cyber-defense and deploy anti-phishing strategies, cybercriminals continue to improve their existing phishing attacks and roll out new types of phishing attacks.

    Some of the more common types of phishing attacks:

  • Spear Phishing
  • Whaling attacks
  • Pharming
  • Clone phishing
  • Evil twin Wi-Fi
  • Voice phishing
  • SMShing and 2FA spoofing

    This article will provide details on Spear Phishing

    Spear phishing attacks attacks feature highly sophisticated targeting, usually using information specific to the victim that has been gathered to more successfully represent the message as being authentic. along with a mix of potential tactics (including social engineering, email spoofing, or computer intrusion) to fool the target into believing that an email is coming from an executive within the organization or from a trusted partner. The key strength of spearphishing attackes are that they don't look spammy. They are well crafted, built and link properly, so as not to cause suspicion.

    Spear phishing emails might include references to coworkers or executives at the victim's organization, as well as the use of the victim's name, location or other personal information. Sometimes they are even email chains that are replied to.

    They are the weapon of choice of cyber criminals currently, because they WORK.

    Often, the primary purpose of spear phishing attacks is to manipulate the target into executing an unauthorized transfer of funds. According to the FBI's 2017 Internet Crime Report, in 2017 the Internet Crime Complaint Center (IC3) received 15,690 complaints with adjusted losses of more than $675 million.

    This figure is nearly twice the 2016 figure of $360 million.

    Firebird Analytical Solutions & Technologies estimates that the average successful spear phishing attack is worth $130,000 to the cyber criminal. The question is can your business afford $130 K for clicking an email?

    These are some current statistics from

  • 77% of the Spear Phishing attacks are laser-focused - targeting only 10 E-Mail inboxes, and only 33% of them focused upon just one E-Mail inbox.
  • 47% of Spear Phishing attacks lasted less than 24 hours. All other types of Phishing schemes lasted at least 30 days or more.
  • Another tactic that the Cyber attacker uses is what is known as the "Drip Campaign." For example, 35% of the Spear Phishing attacks lasted at least 12 months or even longer.
  • The Cyber attacker has become even stealthier when it comes to bypassing the E-Mail Spam filters. In these instances, 20% of Spear Phishing based E-Mails were able to get around these filters and their way into the inbox.
  • 42% of IT Security professionals consider Spear Phishing to be amongst one of the top 3 Cyber-attack concerns.
  • At least 30% of the Spear Phishing campaigns are deemed to be successful.

    Compared to a general Phishing campaign, Spear Phishing campaigns cost 20X per victim, and the return is 40X greater. A Cyber attacker will spend an enormous amount of time also trying to find a hidden "crack" or "hole" in the organization in as a stepping stone to collect the relevant information/data on their victim

    Most spear-phishing attacks are basically bank heists. They want to steal your cash. As a result they will often impersonate your financial institutions, getting you to log into a fake website, steal your credentials and then spend your money.

    Paypal Phishing Form An example of a spear-phishing paypal login in form

    It's happening every day. Here are some latest incidents, source []

    Ubiquiti Networks: Total loss of $46.7 Million to scammers
    This attack actually occurred on June 5th, 2017. The company was hit by a Spear Phishing attack with a disastrous financial toll. They were able to reclaim roughly $45 million of the stolen funds, and it was determined that this attack was the direct result of "employee impersonation and fraudulent requests from an outside entity targeting the Company's finance department." (SOURCE: Further details can be seen here.

    FACC: Total loss of $55 Million to scammers
    FACC manufactures the interior engine components for the major aircraft manufacturers that include Boeing and Airbus. They were hit with a Spear Phishing attack on January 19, 2016. The company lost 17% of its total stock value, and the CEO was immediately fired as a result. Outside attackers were the culprit in this incident. More details of it can be seen here .

    The Crelan Bank: Total loss of $75.8 Million
    In January 2016, this major financial institution located in the Netherlands fell victim to a Spear Phishing attack. The bank claimed that it had taken further steps to protect their customers, their information, and their data. More details of this attack can be seen here.

    Facebook and Google: Total loss of $100 Million
    These two major tech companies were reportedly hit with a Spear Phishing attack [unconfirmed] as well on March 21, 2017. Additional details can be seen here.

    If you think your organization is safe from a phishing attack because you haven't yet been targeted, think again.

    Your employees remain your organization's weakest security link.

    Many, if not all, of your employees are unlikely to be able to spot a phishing email - according to Intel, 97% of people around the world are unable to identify a sophisticated phishing email, while a report from MediaPro has found that 88% of employees lack the ability to prevent privacy or security incidents.

    What does a successful attack mean for your business?

  • In short, it's pretty devastating.
  • According to Deloitte, one-third of consumers said they would stop dealing with a business following a cyber-security breach, even if they do not suffer a material loss.
  • According to Aviva, after your company is breached, 60% of your customers will think about moving and 30% actually do.