These days, checking emails and browsing the web are so strongly ingrained in our daily lives that we often do them without a second thought. Like switching a light on when you enter a room or answering the telephone when it rings, we’re practically conditioned to open messages from colleagues and friends the moment our smart devices ding, or do a Google search when we need to answer a question.
Along the same lines, people have also grown accustomed to ignoring the more obvious phishing scams from amateurish crooks with more greed than talent. These emails are often peppered liberally with dead giveaways, such as misspelled words, not-quite-right grammar, and unlikely premises (e.g., the Nigerian prince who needs your help retrieving his untold millions). But what happens if your clients receive a professional-looking email from a well-known company that they regularly do business with? Or click what looks like a helpful link to increase the security of their account with a trusted, major banking institution?
It’s all too easy to momentarily drop one’s guard, and that’s all it takes for phishing sites—which impersonate leading companies—to deliver their malware payload. Unfortunately, phishing tactics are getting smarter and more sophisticated. That puts even more pressure on MSPs to educate clients on the different identities and delivery mechanisms the bad guys are using.
According to senior threat research analyst Tyler Moffitt of Webroot, “What’s interesting is who the targets of phishing attacks are. Our data reveals that the majority of attacks target either technology companies like Google and Apple or financial institutions like PayPal or JPMorgan Chase. While the volume of attacks is about a 60/40 split between tech targets and banks, we can see that there are far more attacks per tech target than bank.
“Technology companies had over 12,000 phishing sites per company, and financial institutions over 1,100 phishing sites per company. This is somewhat expected as there are far more banks than technology companies.” (Fig. 1)
Figure 1: Technology companies and financial institutions are the most frequent targets of phishing attacks.
“Looking a bit deeper into the actual targets of phishing attacks,” Tyler continues, “we can see there are clear leaders in each category, with Google and PayPal seeing the vast majority of phishing attacks.” (Fig. 2)
Whether through business- or consumer-related transactions, many of your clients are customers of these companies. That’s what makes it so vital that you alert them to the hazards that can hide within seemingly innocuous communications that appear to come from some of today’s most trusted organizations.
Recommendations
Be sure to remind clients that phishing attacks frequently impersonate highly reputable companies, in large part because they’re so familiar and trusted. Best practices dictate that your clients should exercise particular caution when encountering emails and websites that seem to originate from leading technology and financial firms.