Phishing Email in 2017

February 15, 2017 | Blog

Phishing Email Evolution

The term “phishing” was first documented and coined online in January of 1996. At that time hackers were stealing the usernames and passwords of AOL accounts. Phishing is a criminal mechanism employing both social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. However, phishing wasn’t a common word in society until about 10 years after its first documented use. Lately, phishing emails have been in the news due to the many ransomware attacks they’re a part of. During quarter 3 of 2016 there was an average of 200,000 new malware samples discovered per day.

Phishing attacks used to focus on online payments; now they’ve become much more sophisticated and stealthy. In the beginning, hackers used email worm programs to send phishing emails to PayPal customers. The message led the victims to an illegitimate site where they were prompted to update credit card and other personal information, unknowingly surrendering their information to the criminals. Today the emails look so legitimate that even those highly educated in cybersecurity could fall victim.

Phishing Still Works?

Phishing emails continue to work because human error is inevitable. Cybercriminals make their phishing attacks seem legitimate by using the correct business logos, proper grammar and spelling, and URLs that mimic the site they’re posing as. Phishers also depend heavily on social engineering tactics to trick the recipients. They address the recipient by name, send messages directly to email addresses with relevant content, and the sites the victims are redirected to all look more credible than ever before.

A Famous Attack

In early 2016, John Podesta, the Clinton campaign chair, received a phishing email saying that someone had attempted to log into his Gmail account in Ukraine. The email looked very real even though it had a suspicious extension; this particular email had a malicious link that appeared to be the URL to change passwords. Charles Delevan at the HFA help desk said the message was legitimate and that Podesta should change his password immediately; it was later stated that Delevan had made a typo and the message should’ve said illegitimate. Delevan included the correct Gmail link to change a password, but the shortened and malicious link was clicked instead, resulting in Podesta’s account being hacked.
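The two tricks described above, lookalike URLs that mimic the real site and shortened links that hide the real destination, can be checked for on the defender’s side before a link is ever clicked. The following is an added example, not code from the original post or from Sendio; the allow-list of legitimate hosts, the shortener list and the sample email body are constructed assumptions for illustration.

```python
"""Flag deceptive links in an HTML email body (defender-side check).

Looks for: visible link text that shows a URL different from the href,
hrefs pointing at URL shorteners, and hosts that contain a brand name
but are not that brand's real domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of each brand's legitimate hosts; extend for your own environment.
LEGIT_HOSTS = {"gmail": {"accounts.google.com", "mail.google.com"},
               "paypal": {"www.paypal.com", "paypal.com"}}
# Assumed list of common URL shorteners.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def flag_links(html):
    """Return (href, reason) pairs for links that deserve a closer look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        if host in SHORTENERS:
            findings.append((href, "shortened link hides destination"))
        if "://" in text and host_of(text) and host_of(text) != host:
            findings.append((href, "visible URL differs from real target"))
        for brand, hosts in LEGIT_HOSTS.items():
            if brand in host and host not in hosts:
                findings.append((href, f"lookalike of {brand} domain"))
    return findings


# Constructed sample body: a shortened link disguised as a Google URL,
# a lookalike Gmail host, and one genuine Google link.
SAMPLE = ('<p>Change your password: <a href="https://bit.ly/xyz">'
          'https://myaccount.google.com/security</a></p>'
          '<a href="https://gmail-login.example.net/">Sign in</a>'
          '<a href="https://accounts.google.com/">Google</a>')
```

Running `flag_links(SAMPLE)` reports the shortened link twice (shortener and mismatched visible URL) and the lookalike host once, while the genuine link passes.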

Current phishing attack

Recently there has been a Gmail attack floating around that looks so realistic that many technical professionals have been caught, or almost caught, by it. It starts with an email appearing to be from a known contact, with an attachment. When the attachment is clicked, a new tab opens that prompts users to sign into Gmail and looks like the real sign-in page. Once the hackers receive the sign-in information they have access to all emails sent and received, and they use the victim’s contact list to launch more attacks. This is especially successful because the hackers can see what kinds of subject lines the victim typically uses.

Targeted attacks

Targeted phishing emails cost the threat actors more time and up-front money. Researching the targeted victims and having correct information makes it more likely the victim will be caught. These targeted attempts lead to higher pay-outs in the long run. In the past 20 years, cybercrime has changed a lot, especially phishing emails. They have evolved in ways we never would’ve thought possible.

Implementing an email security solution like Sendio Opt-Inbox or Sendio Server Recon will protect you and your employees from these nefarious email attacks. Server Recon is the first line of defense, scouting for potentially malicious servers in real time. Opt-Inbox uses the trusted community within your email list, so every email that comes through is one that wants to have a real conversation. By utilizing these two solutions to protect the inbox, phishing emails will be eliminated before they have a chance to trick you. Why take time out of the workday to train your employees when you could just train your inbox instead?