Phishing is one of the most popular types of cyberattack. In the corporate environment, social engineering fraudsters prefer to exploit employees as the weak point in order to obtain sensitive information such as log-in and financial data or to trigger malicious actions.

Although numerous tools and procedures for e-mail security are already available on the market, phishing continues to grow. As in a game of cat and mouse, cybercriminals keep adapting and evolving their attack techniques. The latest scams include session cookie theft and conversation hijacking, in which attackers insert themselves unnoticed into existing e-mail threads.

Despite the increasing threat level, many companies are not sufficiently prepared. They should implement a comprehensive cybersecurity strategy as soon as possible, ranging from advanced e-mail security techniques to security awareness training for employees. An incident response plan should be in place to limit the impact of successful phishing attacks.

Phishing emails are among the main gateways for cybercriminals – and the trend is rising. How companies can protect themselves against the increasingly sophisticated social engineering attacks.

The numbers speak for themselves. According to a study by the National Cybersecurity Alliance (NCA), 82 percent of cybersecurity incidents are due to human error. In the corporate environment, social engineering attackers prefer to exploit employees as the weak point in order to obtain sensitive information such as passwords and financial data, or to trigger certain actions, for example downloading malware or executing a wire transfer. E-mail attacks in the form of phishing top the list, as cybersecurity provider Hornetsecurity found in its latest Cyber Security Report. According to the report, phishing is the most common type of attack via electronic message, accounting for 39.6 percent.

Little effort, good chances of success

One reason is that phishing requires considerably less expertise and effort than exploiting technical vulnerabilities. Even inexperienced threat actors can acquire millions of e-mail addresses on the darknet and send spam in bulk. Even if only half a percent of recipients take the bait, the investment more than pays off. This allows fraudsters to penetrate internal company systems and deploy ransomware there. Customized spear phishing e-mails are also relatively easy to produce using personal data about employees found on social networks and other Internet sources.

In addition, the users in companies are often non-experts who are easily manipulated with psychological tricks. In their e-mails, phishing scammers pose as a boss, colleague, business partner, or customer and appeal so skillfully to their victims' helpfulness, fear, respect for authority, or curiosity that they open a malicious e-mail without a second thought.

Always targeting new loopholes

Despite the many email security tools and techniques available on the market, phishing continues to grow as attackers continue to adapt and evolve their techniques: Cybersecurity is a constant cat-and-mouse game between perpetrators and IT security experts. Here are some examples of attack methods that open up new loopholes for phishing fraudsters: 

  • Session cookie theft

Security experts from the Security Lab at Hornetsecurity are seeing an increase in session cookie theft with the help of new and improved malware introduced via phishing e-mails. Normally, session or authentication cookies are used to recognize the user of a web service after they have logged in, so they do not have to authenticate again on every visit. Because the cookie is presented in place of the credentials, cybercriminals holding a stolen session cookie can bypass even two- or multi-factor authentication (2FA/MFA) and take over an active web session. Since much of the workplace is now web-based, session cookie thieves gain access to critical corporate resources.

  • Conversation Hijacking

There has also been a sharp rise in conversation hijacking, in which phishing attackers insert themselves into existing business correspondence or initiate new conversations. To do this, they take over employees' e-mail accounts and spy on their internal and external correspondence for important information, whether operational procedures, current business transactions or payment procedures. They then use this information to craft authentic-looking phishing e-mails sent from spoofed domains. Since account takeover also gives the fraudsters access to their victims' entire address book, they can expand their reach at will.

Prominent victims of conversation hijacking were the technology giants Google and Meta. In both cases, a fraudster interfered in an ongoing conversation with a business partner and used fake emails to have large sums of money transferred to his own accounts. While Google lost around 23 million US dollars in the process, Meta lost no less than 100 million US dollars.

  • Exploitation of single sign-on (SSO) systems

For systems that use single sign-on (SSO) authentication, phishing attackers have an even easier time. For example, session cookie thieves can use one active session to log in to every other service in the enterprise that authenticates via SSO. The same is true for attackers who have gained access to an employee's mailbox: from the mail itself they can determine which services the employee uses and then log in to them via single sign-on.

Cybersecurity as a corporate strategy

Although the number of phishing attacks continues to grow, IT professionals and businesses are often underprepared. Hornetsecurity’s Ransomware Report 2022, for example, concluded that the percentage of companies that do not have a contingency plan for cyberattacks is increasing. While the percentage was 16 percent in 2021, it was 19 percent in 2022.

With phishing threats on the rise, a comprehensive cybersecurity strategy is more imperative than ever. On the technical side, spam and virus protection, email encryption, advanced threat protection to protect against ransomware, fraud and industrial espionage attacks, as well as replication and recovery of emails are essential.

At the same time, employees should be trained to recognize phishing e-mails as part of dedicated security awareness training. Spear phishing simulations, in which realistic attacks are staged in everyday work, are particularly effective. Employees learn which suspicious features of an e-mail to look out for, such as misspellings in the sender address, fake subdomains or dubious links.
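The three tells listed above can also be checked mechanically. The following Python checker is an added illustration, not code from the article or from Hornetsecurity: it flags a sender address or link that misspells a trusted domain, hides a trusted name inside a fake subdomain, or displays one domain while pointing to another. The trusted domains and all inputs are constructed example values.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed set of domains the organisation trusts (example values, not from the article).
TRUSTED = {"example-corp.com", "partner-bank.com"}

def registrable_domain(host: str) -> str:
    # Crude "last two labels" heuristic; production code should consult the public suffix list.
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def domain_findings(host: str) -> list[str]:
    """Warn when a host imitates a trusted domain by misspelling or by a fake subdomain."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in TRUSTED:
        return []  # the genuine domain, or a real subdomain of it
    findings = []
    for trusted in sorted(TRUSTED):
        brand = trusted.split(".")[0]
        if brand in host.split("."):
            # e.g. example-corp.com.secure-login.net: the trusted name is only a label
            findings.append(f"fake subdomain: '{host}' borrows '{trusted}' but belongs to '{reg}'")
        elif SequenceMatcher(None, reg, trusted).ratio() >= 0.85:
            # e.g. examp1e-corp.com: one substituted or swapped character
            findings.append(f"lookalike domain: '{reg}' resembles '{trusted}'")
    return findings

def check_sender(from_header: str) -> list[str]:
    """Inspect a From: header value such as 'CEO <ceo@examp1e-corp.com>'."""
    m = re.search(r"<([^>]+)>", from_header)
    address = (m.group(1) if m else from_header).strip()
    return domain_findings(address.rsplit("@", 1)[-1])

def check_link(anchor_text: str, href: str) -> list[str]:
    """Compare the domain a link displays with the one it actually points to."""
    target = urlparse(href).hostname or ""
    findings = domain_findings(target)
    text = anchor_text.strip()
    if re.fullmatch(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", text, re.I):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(shown) != registrable_domain(target):
            findings.append(f"link text shows '{shown}' but points to '{target}'")
    return findings

if __name__ == "__main__":
    for header in ("ceo@example-corp.com", "CEO <ceo@examp1e-corp.com>",
                   "billing@example-corp.com.secure-login.net"):
        print(header, "->", check_sender(header) or "ok")
    print(check_link("https://partner-bank.com/login", "https://partner-bank.com.verify-account.net/x"))
```

The similarity threshold and the two-label domain heuristic are deliberately simple; a mail gateway would use a public suffix list and the organisation's real allow-list.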

A contingency plan

Companies should also be prepared for the worst case. If an employee falls victim to a phishing attack despite all prevention and protection measures, business operations and data must be restored as quickly as possible. The need for action is especially pressing for operators of critical infrastructures (CRITIS). At the beginning of 2023, for example, the European Union (EU) issued the new cyber security directive NIS2 (Network and Information Security) in response to the growing cyber threat situation and advancing digitalization; it must be transposed into national law by October 2024. Under this directive, CRITIS operators must take more stringent measures to prevent IT system failures and to respond to IT security incidents. They, like all other companies, are advised to have a systematic incident response plan in place to limit the impact of successful cyberattacks.