Types of phishing attacks and business impact
Much like any other kind of fraud, the perpetrator is able to cause a significant amount of damage, especially when the threat persists for an extended period.
Phishing has a list of negative effects on a business, including loss of money, loss of intellectual property, damage to reputation, and disruption of operational activities. These effects work together to cause loss of company value, sometimes with irreparable repercussions.
To fully understand the impact of phishing attacks on businesses, you would need to get a grasp of the common types of phishing scenarios that exist. From then on, it would become easier to comprehend the measures to avoiding and preventing these attacks.
Types of Phishing Scenarios
Referring to the Wikipedia definition once more, phishing is typically carried out by email spoofing, instant messaging, and text messaging. It is a deceptive way of making individuals reveal personal information. It is also a form of trickery to download malware or ransomware onto a system. Either way, the perpetrator gets privileged access to sensitive information.
This is an increasingly frustrating threat because there are numerous ways through which perpetrators attack. Here are the most common phishing scenarios:
The most common phishing scenario takes the shape of malicious emails sent to individuals mimicking an authentic organization. Also known as spam phishing, this kind of attack lets the cybercriminal get access to a large number of customers registered on a site. So phishing emails are often sent en masse. There is a high possibility of success since some individuals out of the lot will often fall prey.
In a clone phishing scenario, the attacker takes advantage of actual email messages that an individual may have received. By creating a virtual replica or a clone, the phisher replaces any links or attachments with malicious ones.
This is often effective because the attacker could claim that the original message had a faulty link, hence the need to resend the mail. Since the business name would be a familiar one, the recipient wouldn't think to be wary of the sender.
As you can imagine, clicking on such links would either launch malware on your device or grant the attacker access to do so without you realizing it.
With clone phishing, there is often a sense of urgency, such as a limited time to take advantage of an offer or a threat to close your account on the site unless you change your password. Of course, in the latter case, the ruse is always for security reasons.
The second kind of email phishing comes in the form of domain spoofing, where the perpetrator spoofs a notable organization's domain name. This technique makes it appear as if you are receiving an email from a legitimate company.
Email addresses are unique, so the phisher can only mimic the organization's address. They do so using character substitution like 'r' and 'n' together for 'rn' instead of 'm.' Otherwise, they use the organization's name with a different domain, in the hopes that only the local part of the email address will appear in the inbox of the recipient.
A domain spoof could also create a fraudulent website that looks like the real deal. They would replicate the real site's design. Once again, the emphasis is on the phrase "looks like." While the fake domain may be similar, it is not identical to the original website.
This implies a technique where the phisher targets a specific individual or group of individuals rather than a generic user base.
These attacks succeed precisely because they are more personalized. The perpetrator customizes emails with the recipient's name, company, phone number, and similar information, making the target believe that they share some form of connection to the sender.
Achieving convincing spear-phishing emails takes a great deal of time since the phisher has to acquire multiple data from various sources. It is no wonder then that this kind of malicious attack is prevalent on social media platforms like LinkedIn, where the phisher can utilize social engineering tactics.
In this case, the targets are usually high-profile members of an organization like project managers, department heads, etc. In a successful attack, the hacker steals the target's credentials and gets full access to sensitive areas within the company structure.
This is a type of spear-phishing where the target is the highest authority in the organization, the CEO. The fraudster tricks the executive with bogus emails in order to get access to their login credentials. Catching such high-ranking officials off guard is not as easy as any standard phishing attempt, so hackers often swap fake URLs and malicious links for tax return emails which obviously requires tailored information like the target's name, position, and other personal info which are accessible on social media platforms.
A successful whaling attack is usually the precursor to Advanced Persistent Threats (APT). In most cases, the fraudster uses the CEO's credentials to commit CEO Fraud.
As the name suggests, this is a fraudulent activity by an attacker impersonating the CEO. With the compromised email account of the CEO, the phisher is able to authorize wire transfers to third party accounts or file fake tax returns on behalf of employees.
Since the targets here are lower-level employees, they would move at light speed upon receiving an urgent email from the CEO to process a banking transaction or forward sensitive information. The fraudster may also ask employees to install a new application on their computer through which the hacker can launch malware or ransomware.
CEO Fraud is quite delicate and is said to cost businesses in the US billions of dollars yearly.
What could be more evil than a malicious WI-FI network?
WI-FI access points are frequented by hoards of individuals looking for fast wireless connection to surf the web and carry out other internet-based activities.
The hacker in this scenario replicates the WI-FI hotspot with a fake. When users connect, they are then able to eavesdrop on their network traffic. The attacker steals account names and passwords. The phisher is also able to view any attachments that the user accesses while on the compromised network.
Vulnerable WI-FI access points include those at coffee shops, airports, shopping malls, hospitals, and other public hotspot locations.
SMS Phishing (Smishing)
The advent of mobile technology brought about a myriad of advantages in communication and online banking. At the same time, it opened up a new point of contact for unscrupulous individuals to commit more crimes. One of such is smishing, where cybercriminals lure victims through text messaging to:
- Visit rogue websites
- Download malicious apps
- Contact tech support
Whether in the guise of a coupon code or an offer to win free tickets or free money, a smishing attempt will more often than not require you to click on a link that redirects you to a website. Quite common also are links that trigger the automatic download of dangerous apps. Although they appear to be from legitimate sources with URLs that are familiar to you, they are merely aimed at stealing personal information or installing malware on your mobile device.
Less common but equally as dangerous is the technique of requiring you to contact customer support for some assistance with rectifying an issue. The scammer will then masquerade as a legit customer service representative and trick you into providing personal information. This combines another type of phishing attack that is prevalent on mobiles, known as Voice Phishing.
Voice Phishing (Vishing)
Vishing campaigns are a lot bolder than email or messaging scams. Rather than hide behind a virtual screen, the attacker convinces the victim to disclose personal information while speaking to them through the phone.
Since the attacker is able to convince their victims verbally, they often dispel any doubt that it could be a scam. The scammer will often impersonate your bank, a company executive from the head office or some other branch, a representative from the Internal Revenue Service, and so on. With the claim of a suspicious activity or some other ruse, they'll request your data for verification.
Of course, they apply tactics to spoof their phone numbers to appear legit or to reflect your area code. The latter often creates a false sense of security, prompting the targets to let their guard down.
Pharming comes in as an advanced variant to phishing, and some fraudsters choose to forego traditional phishing scams for more complex alternatives like this one.
With pharming, the perpetrator doesn't attack individuals. Rather the attack is directed at the DNS (Domain Name System), where the fraudster causes DNS cache poisoning. This changes the IP address associated with a website name, so even when individuals input the correct site name, the scammer can still redirect users to the malicious website.
Although less widespread, targeting the DNS server could compromise millions of URL requests by web users.
Watering Hole Phishing
This is described as the phishing scenario where one employee falling prey to an attack compromises other members of the organization.
On opening the malicious website, link, or attachment, your computer is automatically loaded with malware that spreads to other systems within the company. To perpetuate successful watering hole attacks, the hacker will often identify websites that employees visit regularly and monitor email patterns used within the organization.
Real-Life Examples of Phishing Attacks
These threats are one aspect of cybercrime that isn't showing any signs of slowing down. Rather, the exact opposite appears to be the case. According to recent research by Google, there was a 3505 increase in phishing websites from January to March 2020. Another survey by Check Point Research revealed that 64% of businesses in the past year had been victims of phishing attacks. More findings by Verizon have confirmed that phishing is involved in 78% of cyber-espionage incidents.
These numbers have all been compiled using hard facts from real-life phishing attacks over the years. These are five of the most notable examples:
Whaling Attack Leads to Firing of FACC Boss
In 2016, Austrian Aerospace company FACC, had been subject to one of the most prominent Whaling attacks ever, dubbed the Fake President Incident, where the attacker made away with $56 million.
In a classic whaling attack, the perpetrator impersonated the CEO and sending an email to an employee of the finance department requested an immediate funds transfer.
The attack didn't only cost the firm financial losses, but it also cost the CEO at the time, Walter Stephan, his position. Although the details were not clearly revealed, the sack was on the grounds of violation of duties.
Spear Fishing Targeted at Ubiquiti Networks Inc.
In June of 2015, the American network technology company Ubiquiti Networks became the target of a spear-fishing email campaign.
The attacker impersonated higher-ranking executives from an overseas branch with spoofed email addresses and domain look-alikes. The employees were fooled into believing that they were getting legitimate requests from company officials to transfer funds to a secure account. Ubiquiti Networks was unaware that it was being scammed until it was notified of the activity by the FBI.
Although the company didn't suffer any compromise to its systems, it lost $46.7 million in transferred funds.
Facebook and Google Invoice Scam
Between 2013 and 2015, US behemoth companies Facebook and Google were reportedly scammed out of $100m in an elaborate wire fraud scheme.
The perpetrator set up a fake business impersonating the Taiwanese Quanta Computer company. The latter regularly conducted multi-million dollar transactions with the social media companies, and over the two years, the attacker would send phishing emails with forged invoices to be paid to fake bank accounts.
The scheme avoided suspicion for so long by creating phony supporting documents for transactions and forged corporate seals. The attacker was later identified as Lithuanian Evaldas Rimasauskas, who was given a five-year prison sentence following his arrest in 2017.
In 2020, one of the biggest smartphone companies in the world, Apple, was reported to have been the target of a smishing campaign. With a fake Apple chatbox, the messages informed users that they had eon the chance to be part of Apple's 2020 testing program for the new iPhone 12. The recipients were requested to pay a delivery charge. Redirecting to a malicious website, the attackers hijacked the victims' payment card credentials.
People nowadays keep lots of sensitive information on their smartphones, and the widespread usage of iPhones and iPads has made them recurring targets for SMS phishing schemes. Attackers regularly send out messages to users. These messages will contain a link to follow to unlock a frozen Apple ID account or to prevent it from expiring.
Some messages appear so convincing as the scammer will provide the option of unsubscribing from future messages of the sort. Others will bait users with the idea that a lost iPhone has been found. Victims are duped out of their login credentials, and the hackers gain access to their media, documents, and other information stored on the device.
As an ongoing threat, the amount lost during successful attempts adds to the statistics for annual cybercrime losses. Even though not everyone falls victim, the attacker earns significant rewards for the small percentage of people that wasn't any wiser.
RSA Security Breach
All it took for an attacker to gain access to the popular cybersecurity company's network system was an email with the subject line "2011 Recruitment Plan." In the email was a virus-infected Excel file, and once opened by an unknowing employee gave the attacker access to private passwords. Making this a perfect example of a watering hole phishing attack.
Ironically, the RSA provides cybersecurity services to several branches of the US government and other business enterprises. This breach gave the hackers access to the networks of US government departments, becoming an Advanced Persistent Threat.
Impacts on a Business
Loss of Money
From every phishing incident that has ever taken place in history, one constant effect is financial loss. First is the direct loss from transferred funds by employees who were fooled by the hackers. Second is the fines for non-compliance imposed by regulatory bodies like HIPAA, PCI, and PIPEDA, among others.
In the event of serious violations to data protection standards, these fines could go through the roof.
Finally, there are costs of investigating the breach and compensating the affected customers, which would further compound the company's financial losses.
A 2018 Internet Crimes Report by the FBI revealed that Business Email Compromise (BEC) attacks cost US business over $1.2 billion.
Loss of Intellectual Property
Financial losses are not the only thing businesses have to worry about in the event of a phishing attack. Even more devastating is the loss of customer data, trade secrets, project research, and blueprints.
When the company at stake is in the tech, pharmaceutical, or defense industries, a stolen patent would mean millions of research expenditures going down the drain.
While it is relatively easy to recover from direct monetary losses, it is more difficult to make up for the loss of sensitive business information.
Damage to Reputation
Businesses often try to hide the fact that they have suffered any phishing attacks. The major reason for this is the damage to reputation. Customers often patronize brands they consider to be reliable and trustworthy. Not only will the disclosure of a breach taint the brand image, but it will also break that established trust. Regaining customers' confidence is no easy feat, and the value of a brand is directly related to its customer base.
An exposed breach attack will also damage the company's reputation in the eyes of investors. Cybersecurity is essential during all stages of project development. Hence, investor confidence drops when a company experiences a data and privacy breach.
With combined damage to customer and investor confidence, a successful phishing attack could potentially sabotage hundreds of millions in market capitalization.
It is nearly impossible for a business to run exactly as it used to after suffering a phishing attack, especially one involving malicious bugs. Attacks involving malware usually take a while to rectify. Systems will have to be taken offline or shut down, and this could result in a substantial decrease in productivity.
Interruption to businesses providing services like transportation, technology, waste disposal, and other critical infrastructure could cripple the economy significantly.