Juan Carlos Carrillo
PwC Mexico


Expert Contributor

Phishing Is on the Rise: What Companies Should Know and Do

By Juan Carlos Carrillo | Tue, 08/09/2022 - 13:00

The most vulnerable link in a security architecture is the people it protects. Although complex attacks, shadow IT and ransomware attacks dominate headlines, social engineering remains a proven and persuasive way to gain a foothold on a company network.

Phishing attacks are one of the cybercriminals' preferred channels for gaining initial organizational access, and there has been a phishing scale-up in the past year – way up. The FBI's Internet Crime Complaint Center suggests that more than a third of all data breaches in the US start with compromised credentials.

Consider the implications of these findings:

Attackers often target popular companies and services because they are familiar enough to gain trust automatically. Top examples include Microsoft, Telegram, Amazon, OneDrive, and PayPal. Microsoft was the most imitated brand of the year, accounting for over 31 percent of attacks. Among the most frequently impersonated brands are productivity tools, illegal streaming sites, shopping sites, social media, finance, and logistical services.

Among targeted countries, the leading victims are the US, Singapore, Germany, the Netherlands, and the United Kingdom. The Netherlands saw a decline of 38 percent in phishing attacks in 2021, potentially due to legislation passed in 2020 that increased penalties for online fraud.

In Mexico, for years, attempts have been made to issue a law on cybersecurity in an opaque manner that excludes civil society, with content that criminalizes the daily and legitimate use of technology when exercising freedom of expression on the internet and that does not contribute to the user's safety. As of today, political parties have drafted more than 15 legislative initiatives to tackle the iniquities mentioned earlier.

Retail and wholesale saw a 436 percent leap in phishing attacks in 2021, rising from the fifth-most phished industry to the first, ahead of the 2020s most phished industry: manufacturing. Healthcare dropped by 59 percent.

Phishing is platform agnostic and present in emails, SMS, and voicemails. The agnosticism of phishing is related to the users; they are becoming skeptical of clicking links in emails but are more accustomed to viewing SMS or WhatsApp messages as legitimate platforms. As trust shifts from email to texting, "smishing" has even been used to compromise the two-factor authentication (2FA) process. This untrustworthiness has led upstream telco providers in certain countries, such as Australia, to block these attacks to protect consumers. I haven't seen any push from Mexican telcos to make an effort to stop these smishing attacks.

Phishing is also increasingly themed to capture user interest and drive engagement. In 2021, the most popular themes included COVID-19 and cryptocurrency investment. It would not be surprising to find charitable outreach to Ukraine on the list next year.

The phishing threat also continues to evolve.

Phishing is a classic social engineering attack. By duping users into entering their credentials into decoy sites, embedding tracking pixels, or clicking on malicious links, attackers gain the entry point needed to begin surveillance, perform discovery, and determine their next steps.

As organizations continue to harden defenses against malware, social engineering remains a favored method of compromise. Cybercriminals are not only looking for one objective; they are seeking to compromise organizations along the software supply chain to maximize their efforts against potential targets

Adversaries are also looking for optimal Return on Investment (ROI) and have now employed as-a-service models and automation techniques to streamline operations. Whereas in the past, phishing required some technical skill to create and deploy realistic mirrors of legitimate sites, the process has been simplified and automated.

Using tools purchased online – along with freely available email and identity databases from past data breaches (you can see them on https://haveibeenpwned.com) – almost any criminal with internet access can plan and execute a phishing attack. In addition to lowering the technical bar, these kits allow sophisticated cybercriminals to scale their efforts.

Phishing kits contain all components needed to wage the attack, including sample files for generating a phishing page, enabling attacker access, evading detection, exfiltrating data, and fingerprinting users. Free and open source phishing frameworks are also widely available online. These resources have substantially contributed to the rise in phishing.

Fifty percent of the solution is to understand the problem. Do we? Given the intimidating threat of phishing postures, how can organizations best respond? There's certainly no perfect defense, but it's possible to mitigate both the risks of a breach and the consequences should one occur.

We recommend a strategy based on understanding the threat, the attackers, and the value of your information to offer adequate user training against the attacks while deploying security solutions following best practices.

Security leaders can improve their training and build a security culture with tactics like gamification, competitions, and business unit-specific training. I have done different types of games to raise awareness of cybersecurity. In all cases, the nontechnical people understand that without that experience, they would have kept their old-fashioned vision that cybersecurity is only a technical matter.

Phishing simulations should be combined with metrics to continually identify and evaluate users who may need additional tailored training. To be effective, the difficulty of these simulations should be dialed up or down following a target's level of cyber-savvy but also based on the organizational context.

In addition to training, technologies like multifactor authentication (MFA) remain critical to defending against compromised credentials obtained via phishing. With MFA deployed, a password alone is not enough to access an account. Luckily for us, we now have a lot of apps to authenticate. I use the authenticators from Microsoft, Google, LastPass, and the ones the banks offer you. All of them are particularly effective at defending against man-in-the-middle tactics or phone porting that intercept SMS verification codes.

Unfortunately, some users will likely continue to click on phishing links. That's why it is recommended that security teams apply people, process, and technology solutions to minimize both the chances and the consequences of successful attacks.

On the technical side, the controls and capabilities that you should consider include:

● Email scanning that recognizes and blocks phishing emails upon delivery

● Reporting mechanisms by which users can notify security teams of suspected phishing attempts

● Inspection of encrypted traffic for phishing content

● URL filtering to block access to risky sites, like those on newly registered domains

● Caution pages to warn of questionable web pages

● Playbooks and automation to detect and respond to compromised identity and credentials, measuring the mean time to respond

● Updated threat profiles outlining the tactics and procedures used by adversaries

● Continuous monitoring for brand abuse that can take down phishing sites quickly when they are impersonating your trusted brand

● Security patch application that is comprehensive and timely for protecting apps and operating systems

● Zero trust architecture (ZTA) – using the principles of granular segmentation, least-privileged access, and continuously monitored traffic – to limit the scope of a breach and minimize exposed resources and infrastructure

Here are a few basic measures to always implement with your emails and other communications:

  1. Employ common sense before handing over sensitive information. When you get an alert from your bank or other major institution, never click the link in the email. Instead, open your browser window and type the address directly into the URL field so you can make sure the site is authentic. Even better, check the URL on https://www.virustotal.com/gui/home/url.
  2. Never trust alarming messages. Most reputable companies, like the bank, phone companies, or your insurance company, will never request personal information or account details via email. If you receive an email or a phone call asking for any account information, immediately delete it or hang up and then contact the company to confirm that your account is OK.
  3. Do not open attachments in these suspicious or strange emails — especially Word, Excel, PowerPoint, or PDF attachments.
  4. Avoid clicking embedded links in emails at all times because these can come with malware. Be cautious when receiving messages from vendors or third parties; never click on embedded URLs in the original message. Instead, visit the site directly by typing in the correct URL address to verify the request and review the vendor's contact policies and procedures for requesting information.
  5. Keep your software and operating system up to date. Windows, macOS, or Android products are often targets of phishing and other malicious attacks, so be sure you're secure and up to date, especially for those still running older versions.

For any CISO, there are five questions they need to answer:

1. Do your employees have the skill and knowledge to detect phishing?

2. How secure and knowledgeable are your vendors and customers?

3. What exactly is the risk posed to my organization in the event of a successful cyberattack?

4. What are the top cyberthreats facing companies such as ours today?

5. What is our company’s response plan in the event of a successful cyberattack?

Photo by:   Juan Carlos Carrillo