The evolution of phishing: A WatchGuard real-world example
Phishing is a type of social engineering attack where threat actors attempt to trick users into providing sensitive information via e-mail. Typically, this involves creating a phishing campaign where threat actors will send the same phishing e-mail to a large batch of recipients in an attempt to trick at least a small subset of these potential victims. Not to be confused with spear phishing, which is a more targeted phishing attack via e-mail that uses specific knowledge or details about the recipient(s) to further deceive them into providing sensitive information. Phishing is an ongoing problem that businesses are aware of and are in a constant battle to eradicate, and for good reason. Year after year statistics reflect that IT decision-makers highlight social engineering attacks as one of the primary cyber threats they face resulting in business disruption and financial loss.
The general consensus of phishing attacks is that these attacks are ever-increasing in volume, steady in their success rates, increasing costs for businesses, are commonly used to deliver malware such as ransomware, and are evolving. For example, The Anti-Phishing Working Group releases a quarterly report showcasing current trends on phishing, and their most recent report shows that phishing attacks doubled in the last year due to the COVID-19 pandemic and phishing rates have remained at a steady but high level. The FBI’s Internet Crime Complaint Center (IC3) logged similar results showing a doubling of phishing complaints in the past year. As phishing attacks increase, so do the number of breaches, and these breaches cost businesses large sums of money. IBM’s annual “Cost of a Data Breach Report”, with research by the Ponemon Institute, revealed that the estimated total cost of a data breach in 2020 is around $3.86 million and has further increased to $4.24 million in 2021, the highest average cost in 17 years. Loss of sensitive information isn’t the only threat of phishing attacks. Verizon’s Data Breach Investigations Report (DBIR) shows that almost all malware (96%) is delivered via e-mail communications, including ransomware.
However, this post was created to highlight the evolution and complexity of phishing attacks using real-world examples experienced by WatchGuard employees. The evolution of phishing has expanded beyond e-mail into other communication mediums such as SMS/text messaging services (SMiShing), voice calls (vishing) and social media (angler phishing). Just recently, WatchGuard employees experienced two of these – SMiShing and angler phishing. As you may have guessed, SMiShing is phishing, or social engineering, by use of SMS and text messaging services such as WhatsApp, Signal and Facebook Messenger. Angler phishing is when threat actors use social media communications to masquerade as a legitimate customer service representative to elicit information. This can come in the form of SMS social media services as well as Instagram, Twitter or LinkedIn direct messages, among others.
The first incident experienced by a WatchGuard employee involves LinkedIn. A user named Emily Nora was masquerading as a WatchGuard employee in a “Link Building” role, which doesn’t exist. This fake employee attempted to connect and contact several WatchGuard employees, likely just going down the list of employees associated with the official WatchGuard LinkedIn, phishing for sensitive information. Thankfully, WatchGuard employees snuffed out this angler phishing attempt immediately. A screenshot of this fake employee attempting to connect to an official WatchGuard employee can be seen below.
Another interesting phishing attempt came via WhatsApp. A user impersonating the CEO of WatchGuard, Prakash Panjwani, attempted to perform a foreign transaction (an acquisition) by leveraging an employee within WatchGuard to handle the payment. They used Panjwani’s official image and used social engineering tactics to attempt to trick the employee into performing the action (send payment). Again, this SMiShing/angler phishing attempt was detected and reported to the appropriate channels within the organization.
Protecting from phishing attacks of all types should always begin with proper training on the issues. Studies show that simulation and gamification of phishing attacks assist users in detecting and preventing phishing attacks. However, this short post highlights the importance of training not only for phishing via e-mail, but phishing via all possible communication mediums your organisation uses – primarily phishing, vishing, SMiShing and angler phishing training. Beyond training, common sense and your “gut” go a long way in the detection and prevention of phishing. For example, if your organisation has an employee directory, you can search for an employee such as Emily Nora or know that a current role doesn’t actually exist. Another example is knowing that the CEO of your organisation wouldn’t likely contact you via WhatsApp to perform a significant business decision such as an acquisition. Although, these scenarios are case-by-case for each organisation. The safest possible route is to just report any suspicious communications to a security professional within your organisation, if possible.
APWG Phishing Activity Trends Report 2Q 2021 (https://apwg.org/trendsreports/)
FBI IC3 2020 Report (https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf)
IBM Cost of a Data Breach 2021 (https://www.ibm.com/security/data-breach)
Verizon DBIR (https://www.verizon.com/business/resources/reports/dbir/)