Phishing continues to be one of the biggest cybersecurity threats facing enterprises today. According to the 2021 Data Breach Investigations Report (DBIR), phishing is the top data breach tactic, accounting for 36% (up from 25% last year) of reported breaches. The consequences can be crippling. There may be regulatory fines, loss of company value and reputation, and a disruption of business workflow. And of course, there is also the monetary loss. The FBI’s 2020 Internet Crime Complaint Incident Report notes that companies lost $54,241,075 because of social attacks, including phishing.
What is Phishing
At Social-Engineer LLC, we define phishing as “the practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.”
The top 3 types of data compromised in a phishing attack according to the 2021 DBIR are:
- Credentials, such as passwords, usernames, and pin numbers;
- Medical data, such as treatment information, insurance claims;
- Personal data, such as name, address, and email address.
The following news stories show how criminals are successfully carrying out phishing attacks
Attackers steal Microsoft Outlook credentials via Zoom invites
Armorblox detailed a clever phishing attack that targeted a major North American online mortgage brokerage company. The email was titled “[External]Zoom Meetings 11:00 AM Eastern Time [US and Canada]” and the body contained the message, “Your participants have joined you in a meeting.” When the end user clicks on the “Start Meeting” button, they are taken to a spoofed Microsoft Outlook login page where they are asked to enter their email address and password.
Phishing attacks spoof the US Department of Labor (DOL) to steal account credentials
As reported by Inky, these phishing emails invited recipients to submit bids for “ongoing government projects” and claimed to be from a senior DOL employee responsible for procurement. Each phishing email also had a 3-page PDF attachment. On page 2, recipients were instructed to click on the “BID” button to access the DOL’s procurement portal. However, the BID button was a malicious link that led to a spoofed DOL website. On the fake DOL website victims were instructed to click the “Click here to bid” button and to sign in and bid entering their Microsoft or other business email account.
Multi-phase phishing attack first steals credentials then distributes phishing emails
Attackers begin this multi-phase attack by sending phishing emails to steal credentials. In the next phase, Microsoft reports that the attackers use the stolen credentials to register devices onto the target organization’s corporate network for further phishing attacks.
Phishing attack on Children’s Hospital of The King’s Daughters exposes protected health information (PHI)
Several employees of Children’s Hospital of The King’s Daughters had their email accounts compromised in a phishing attack. As reported by HIPAA Journal, the email accounts contained the following types of protected health information: full name, date of birth, patient account number, health insurance number, and/or other health related information and, for a limited number of individuals, their Social Security number.
Social-Engineer Phishing Service —Test, Educate, and Protect
How can you protect your company from the crippling effects of a successful phishing attack? Social-Engineer’s Phishing Service (SEPS) is a fully managed program that measures and tracks how employees respond to email phishing attacks. The SEPS provides the following:
- Levelized emails
- Custom templates
- Tailored training based on failures
- Comprehensive reporting
- Phish notification feature
Employees who understand the threat posed by phishing attacks are less likely to click malicious links and more likely to report suspicious activity. Please contact our team today for a quote.