To get a sense of what email topics are top of mind for cyber security professionals, we surveyed our customer advisory board (CAB) in the second quarter of 2019. Here is what these customers found most concerning:
- Impersonation, BEC (business email compromise).
- User email account compromise. Stolen accounts used to spoof the accounts payable (AP) department.
- Phishing emails that appear to be from a trusted third-party.
- User uncertainty about whether an email is a phish.
- User ability to spot phishing emails on a mobile device.
In the first post of this two-part series, we described why impersonation and user email account compromise are concerns for our customers, and also provided recommendations to address these pain points. In this second post, we’re talking about all things phishing.
Targeted Phishing Attacks
As long as email is here to stay, phishing and spear phishing campaigns will continue to be a top concern for IT security professionals and organizations alike. While some phishing campaigns are quite sophisticated, such as this intrusion campaign possibly by APT29, other email-borne attacks are quite simple in comparison and yet still have a high success rate.
Our Q1 2019 Email Threat Report found a 17 percent rise in phishing attempts compared to the fourth quarter of 2018, so it doesn’t surprise us that three of our five top customer concerns relate to phishing. As seen in Figure 1, since 2017, we’ve observed an increase in malware-less emails (such as emails with URLs that lead to phishing sites) and a decrease in emails with attachments containing malware. This trend extended into 2018 and continues today.
Figure 1: Malware-less versus malware-based emails (source: All It Takes is One infographic)
As shown in Figure 2, the phishing attack landscape covers a large spectrum. On the left end, attackers use untargeted, high-volume phishing campaigns. They count on the broad spray-and-pray approach to achieve their ROI (return on investment). Moving to the right, cyber attackers use social engineering to identify and target victims. They exploit readily available online information such as LinkedIn profiles and Facebook accounts to develop portfolios of their targets (Figure 3).
Figure 2: Phishing attack landscape
Figure 3: A bad actor performs reconnaissance using LinkedIn
The attackers use the information gathered from the internet to identify employees in relevant departments such as accounting. The bad actors then personalize the content of the emails and include credential phishing links. They send the personalized emails to targets who have specific roles or administrator rights, or who are at specific organizations. Targets that have roles within accounting or information technology departments often have privileges that can be of use to attackers. The bad actors aim to manipulate the unsuspecting recipient into, for example, clicking a link to a hosted phishing site and ultimately stealing their credentials.
While there’s an upfront investment of time required to gather the unwitting victim's information, the more targeted approach typically leads to a higher success rate. The personalized email seems legitimate and psychologically manipulates targets to share confidential information.
Phishing Emails That Appear to Be From a Trusted Third Party
The prevalence of cloud-based applications such as Microsoft Office 365 has made the associated login pages a target for credential phishing. This was another trend highlighted in the Q1 2019 Email Threat Report. Each Microsoft application, including Outlook and OneDrive, has a different login page, which is why in our report Microsoft was the most spoofed brand (Figure 4). One reason these spoofed (phishing) pages are so convincing is that the emails containing URLs leading to the phishing page appear legitimate and appear to come from a trusted brand.
Figure 4: Most common brands detected in phishing attacks, Q1 2019 (generic and spam phishing emails do not feature a brand)
User Uncertainty About Whether an Email Is a Phish
User uncertainty about whether an email is legitimate or a phish was one of the top concerns highlighted by our CAB in the first quarter of 2019, and with good reason.
While individually customized emails provide a high ROI, many cyber criminals have discovered a more efficient technique. By including a phishing link in an impersonation email campaign, attackers can send out vaguer emails to a broader and larger number of people and still benefit from a similar open rate. Attackers spoof the friendly display name to make it look like the email was sent by someone familiar (Figure 5). For example, an email address of a trusted payment company (companypayments.com) appears in the friendly display name area, where a name such as Joe Smith would normally appear. Often the user does not notice the real email address of email@example.com, or assumes it is another legitimate recipient added to the thread. The user senses something isn’t quite right, but cannot pinpoint exactly what is amiss. This leaves the user uncertain about whether the email is legitimate or a phish.
Figure 5: Display name spoofing as seen on an Outlook desktop client
User Ability to Spot Phishing Emails on a Mobile Device
While the percentage of emails read on mobile devices varies depending on the source, one thing is certain: mobile devices have become the primary way we view email, outpacing both webmail and desktop clients.
As seen in Figure 5 and Figure 6, the legitimate email address is firstname.lastname@example.org, and the friendly display name of email@example.com provides the illusion at a glance that the email originated from companypayments.com. The friendly display name is a user-defined label intended to give a recognizable description of the sender. The mobile Outlook client defaults to showing only the friendly display name, which in this case is firstname.lastname@example.org instead of a typical Joe Smith display name.
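The display name trick described above (an address or domain of a trusted company placed in the friendly display name, while the real sender is somewhere else) can be flagged mechanically at the mail gateway or in a detection pipeline. The following script is an added example written for this post, not code from the original article or from any vendor product. It parses the From header with Python's standard library, compares any address or bare domain embedded in the display name against the actual sender domain, and also shows what a mobile client that renders only the display name would present to the user. The sample headers are constructed for illustration; companypayments.com is the placeholder domain used in the post and example.com stands in for the attacker's real sending domain.

```python
import re
from email.utils import parseaddr

# Constructed sample From headers (not taken from the original post).
# companypayments.com is the post's placeholder for a trusted payment
# company; example.com stands in for the attacker's actual sending domain.
SAMPLE_FROM_HEADERS = [
    'Joe Smith <joe.smith@companypayments.com>',                       # ordinary, benign
    '"billing@companypayments.com" <attacker@example.com>',            # address in display name
    '"companypayments.com" <attacker@example.com>',                    # bare domain in display name
    '"Joe Smith (joe.smith@companypayments.com)" <joe.smith@companypayments.com>',  # same domain, benign
    'joe.smith@companypayments.com',                                   # no display name at all
]

# An email address embedded in free text; group 1 captures its domain.
ADDR_RE = re.compile(r'[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})')
# A bare domain-looking token (e.g. "companypayments.com") not attached to an address.
BARE_DOMAIN_RE = re.compile(r'(?<![@\w.-])((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})(?![\w.-])')


def analyze_from(raw_from):
    """Inspect a From header for display-name spoofing indicators.

    Returns a dict with the parsed display name and address, the real
    sender domain, every domain the display name *claims* (via an
    embedded address or a bare domain), and a 'suspicious' flag that is
    set when a claimed domain differs from the real sender domain.
    """
    display_name, address = parseaddr(raw_from)
    sender_domain = address.rpartition('@')[2].lower()

    claimed = set()
    for m in ADDR_RE.finditer(display_name):
        claimed.add(m.group(1).lower())
    # Remove full addresses before looking for bare domains so the same
    # text is not counted twice.
    remainder = ADDR_RE.sub(' ', display_name)
    for m in BARE_DOMAIN_RE.finditer(remainder):
        claimed.add(m.group(1).lower())

    return {
        'display_name': display_name,
        'address': address,
        'sender_domain': sender_domain,
        'claimed_domains': claimed,
        'suspicious': any(d != sender_domain for d in claimed),
    }


def mobile_preview(raw_from):
    """Approximate what a mobile client that shows only the friendly display
    name presents to the user: the display name, or the address when no
    display name is set."""
    display_name, address = parseaddr(raw_from)
    return display_name or address


if __name__ == '__main__':
    for header in SAMPLE_FROM_HEADERS:
        result = analyze_from(header)
        verdict = 'SUSPICIOUS' if result['suspicious'] else 'ok'
        print(f"{verdict:10} sender={result['sender_domain']!r:28} "
              f"claims={sorted(result['claimed_domains'])} "
              f"mobile shows={mobile_preview(header)!r}")
```

Run as a script it prints one line per sample header; only the second and third headers are flagged, because the address or domain shown in the display name does not match the domain the message actually came from. The same comparison can be extended with a list of the organization's own trusted partner domains, so that a display name claiming one of them while the envelope sender is elsewhere is treated as a high-confidence indicator.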