Nine in ten organizations surveyed by Egress in its Email Security Risk Report 2024 indicated that they or their employees were the victims of phishing attacks. A phishing attack is one in which a cyber-criminal emails you pretending to be a colleague, family member, or trusted person or business to trick you into parting with your login credentials, money, or personal details. The typical phishing scam starts with an urgent text or email to work or home which, if you follow a link, download an attachment, or call a seemingly legitimate 800 number, relays you to the cyber-criminal. The name derives from the way that fraudsters “fish” for sensitive data. According to Verizon’s 2024 Data Breach Investigations Report (DBIR), the median time it takes users to fall for phishing emails is less than 60 seconds (21 seconds to click, then 28 seconds to enter their data on a phishing site), with an average of 31,000 phishing attacks dispatched daily, causing data breaches, financial losses, and reputational damage for companies.
Examples of Phishing
The Federal Trade Commission’s Cybersecurity for Small Business says that a phishing email will appear to be from someone you know, such as:
- an email from one of your company’s vendors asking you to click on a link to update your business account
- an email that appears to be from your boss asking for your network password
- an email that looks like it is from someone in your family
This informative article from Usecure has screenshot examples of common phishing emails. Email is the method of choice for delivering 94% of malware, and cyber-criminals are now utilizing generative AI tools like ChatGPT to craft fake corporate- and banking-themed websites, professional-looking phishing messages (avoiding the classic typos common to past phishing emails), and even deep-fake voicemails that appear to be from trusted sources.
- PayPal Scam – fraudulent emails often relate to your account being closed or suspended, or claim that you have been paid too much and are owed a refund, giving you a phishing link to a fraudulent website made to look like PayPal. Entering your login credentials exposes you.
- Act Quickly – common to popular paid subscriptions such as streaming services, this phishing scam offers discounted subscriptions or a chance to win a free subscription, urging you to act quickly.
- The Dropbox phishing email – Dropbox is a cloud storage solution and the victim is informed that a ‘file’ which has been emailed to them is too large and needs to be opened with a quick click on this (fake) link.
- Facebook scam emails – Facebook, as one of the largest platforms, is often used by phishing emails pretending to be notifications of friend requests, messages, events, photos, and videos.
- McAfee scam email – a fraudulent email from McAfee urges you to immediately renew your subscription though the link is to a phishing website.
- Cloud storage scams – the fraudulent email will inform you that your cloud storage (e.g., Microsoft OneDrive, Apple iCloud, Google Drive) is full and you need to free up space or purchase more room.
Data from the Federal Bureau of Investigation (FBI) IC3’s Internet Crime Report 2023 estimates the amount of losses reported by business email compromise (BEC) victims to be over $2.9 trillion. Business email compromise is the umbrella term for a type of multi-tiered attack that often includes phishing, spoofing, impersonation, and fake invoices.
The Federal Bureau of Investigation (FBI) cites these common scams:
- Business Email Compromise – Exploiting the fact that many of us rely on email to conduct personal and professional business, the cyber-criminal poses as an authority figure or staff member at the victim’s company. The cyber-criminal changes a few characters in a legitimate email address to hide their identity:
- A fraudulent email from the company CEO asks you to purchase dozens of gift cards to send out as employee rewards. He/she asks for the serial numbers so he/she can email them out right away.
- Business and Investment Fraud – Investment or business fraud schemes will try to lure you in with the promise of low- or no-risk investments.
- Advance fee schemes ask you to invest upfront money for a larger return later.
- Nigerian Letter or 419 schemes ask someone to share in a percentage of millions of dollars that the author—a self-proclaimed government official—is trying to transfer illegally out of Nigeria.
- Ponzi schemes use current investors’ money to pay previous investors. They inevitably collapse.
- Pyramid schemes ask you to bring in new investors to make a profit or recoup your investment.
- Telemarketing fraud schemes try to steal your money over the phone, whether by telling you that you won a prize, that you are in legal trouble, or some other approach.
Scams tracked by the Federal Trade Commission (FTC) website include:
- Fake Family Emergencies – Someone contacts you saying they are a family member or close friend who needs money either to get out of trouble or to respond to an emergency. Scammers insist you pay in ways that make it tough to get your money back by wiring money, sending cryptocurrency, or putting money on a gift card and then giving them the numbers on the back.
- Website Domain Impersonation – Attackers impersonate trusted names such as Microsoft, Google, Salesforce, Apple, YouTube, Mastercard, Airbnb and Amazon. In parcel delivery scams criminals pose as legitimate delivery companies to convince victims they need to pay additional fees or reschedule a delivery.
- Google Docs phishing scam – Google Docs is a cloud-based word processing software. A cyber-criminal needs only your email address to “share” a file with you under the guise of a team project or collaboration via the typical Google Drive sharing process. A cyber-criminal will create a Google Doc containing viruses, phishing links or fake websites that download malware.
- Microsoft 365 scam – Phishing emails focus on running out of storage in your Microsoft 365 cloud account, or on potential threats to your computer that require downloading new fraud protection software, giving you phishing links or attachments. Egress’s Email Security Risk Report 2024 survey of professionals shows that nearly 9.5 in 10 people were targeted within their Microsoft 365 environments.
Raising Awareness of Phishing Sources
The FBI reports that phishing has evolved and now has several variations that use similar techniques:
- Vishing scams happen over the phone, voice email, or VoIP (voice over Internet Protocol) calls.
- Smishing scams happen through SMS (text) messages.
- Pharming scams happen when malicious code is installed on your computer to redirect you to fake websites.
Accessing social media through work or mobile devices poses risks. The Phishing Activity Trends Report for 4th Quarter 2023 indicates a 126% increase in phishing URLs scattered into posts or comments on social media sites such as Facebook, LinkedIn, Twitter, Tumblr, Snapchat, Google+, and Instagram.
Suspicion should be raised for emails or texts that ask you to click a link, give your password, provide your business bank account, or divulge other sensitive information. Cyber-criminals go to great lengths to spoof trusted company logos and hide malicious code in fake email addresses. The FBI identifies spoofing when “someone disguises an email address, sender name, phone number, or website URL—often just by changing one letter, symbol, or number—to convince you that you are interacting with a trusted source.”
Urgency is another key tactic, pressuring you to act now or something bad will happen. Scammers also take advantage of national emergencies. In 2020, the FBI saw a rise in fraud schemes related to the Coronavirus (COVID-19) pandemic, with fake Centers for Disease Control and Prevention (CDC) emails purporting to provide information on the virus, fraudulent online charity donation websites, fake links to news stories claiming to track COVID-19 cases worldwide, scams involving purchasing products online, and attempts to convince victims to give up their personal information in order to receive money or other benefits.
Phishing Statistics
A March 2024 report from Jumpcloud reports:
- 57% of organizations experience phishing attempts on a weekly or daily basis.
- Almost 1.2% of all emails sent daily (3.4 billion) are malicious.
- 80% of reported IT security incidents are due to phishing resulting in a loss of $17,700 every minute.
Data from Palo Alto Network’s Incident Response Report 2024 shows that in 2021 the time between a compromised weak point through phishing and exfiltration (unauthorized transfer of information from an information system) was nine days. As of 2023, cyber-criminals had managed to conduct their illicit extractions in just two days.
In the U.S., the FBI is the lead federal agency for investigating cyberattacks and intrusions. The FBI’s cyber strategy is to “impose risk and consequences on cyber adversaries…change the behavior of criminals and nation-states who believe they can compromise U.S. networks, steal financial and intellectual property, and put critical infrastructure at risk without facing risk themselves.” The FBI leads the National Cyber Investigative Joint Task Force (NCIJTF), a task force of more than 30 co-located agencies from the Intelligence Community and law enforcement.
Due Diligence Before You Click on A Link
First and foremost, do not prioritize convenience over security. The FBI reminds us that companies generally do not contact you to ask for your username or password, and that you should create a strong and unique passphrase for each online account. You should carefully examine the email address, URL, and spelling used in any correspondence, as cyber-criminals use slight differences to trick your eye and gain your trust. Never open an email attachment from someone you do not know, and be wary of email attachments forwarded to you. Also be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
If an offer seems too good to be true, it almost always is, and you should be wary. In this era of inflation and rising consumer prices, scammers prey on the lure of cheap deals or high returns on investments. Being pressured to act quickly through limited-time deals or warnings of negative consequences if action is not taken is usually a red flag, and genuine companies will not solicit you to send personal information such as your PIN or password.
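As an added example (not from the article or any agency it cites), the check below turns the FBI’s observation that spoofers often change “just one letter, symbol, or number” and the advice to examine the sender’s address into a simple screening rule: it flags a sender domain that is one edit away from a trusted domain, that differs only by look-alike characters, or that buries a trusted brand name inside an unrelated domain. The trusted-domain list, the homoglyph table, and the sample addresses are constructed for the example.

```python
import re

# Constructed list of domains the organization treats as trusted senders.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "dropbox.com"}

# Assumed table of character sequences commonly swapped for look-alikes.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "5": "s"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions or swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(text: str) -> str:
    """Replace look-alike sequences so 'rnicrosoft' folds to 'microsoft'."""
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text


def classify_sender(address: str) -> str:
    """Classify an address's domain as trusted, lookalike, unknown or malformed."""
    match = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not match:
        return "malformed"
    domain = match.group(1).lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # One character changed, added or removed (e.g. dropbox.co)
        if edit_distance(domain, trusted) <= 1:
            return "lookalike"
        # Only look-alike characters differ (e.g. rnicrosoft.com)
        if fold_homoglyphs(domain) == trusted:
            return "lookalike"
        # Brand name buried inside another domain (e.g. paypal.com-secure.net)
        if brand in domain:
            return "lookalike"
    return "unknown"
```

The brand-substring rule is deliberately conservative and will flag some legitimate partner domains; in practice such hits are routed to a human or an allow list rather than blocked outright.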
The FTC recommends simple due diligence to protect your data and your company’s data:
- Look up the website or phone number for the company or person behind the text or email.
- Make sure that you are getting the real company and not a scammer.
- Talking to a colleague might help you figure out if the request is real or a phishing attempt.
- Call the vendor, colleague, or client who sent the email using the phone number you already have (not the one in the email) to confirm the email was real.
- Use a number you know to be correct, not the number in the email or text.
To protect your business, the FTC recommends:
- Regularly back up your data and make sure those backups are not connected to the network.
- Always install the latest cyber/network security patches and updates.
- Apply additional protection like email authentication and intrusion prevention software.
- Alert your staff via regular training with tips for spotting the latest phishing schemes as phishing attacks often happen to more than one person in a company.
- Limit the damage if a scammer has access to your network by immediately changing any compromised passwords and disconnecting from the network any computer or device that is infected with malware.
- Notify customers if their data was compromised as they could be at risk of identity theft.
To report spoofing or phishing attempts or to report that you have been a victim you may:
- file a complaint with the FBI’s Internet Crime Complaint Center (IC3)
- forward phishing emails to [email protected] (an address used by the Anti-Phishing Working Group, which includes ISPs, security vendors, financial institutions, and law enforcement agencies)
- report phishing emails to the FTC at https://reportfraud.ftc.gov/.
- if you spot a scam, report it to your state attorney general.