Why are phishing scams still so successful?

Phishing scams have been around for decades. By now, you'd assume most people should be wise to them and their success rate should be increasingly small. Yet they continue to succeed, and several high-profile phishing failures have recently made the headlines.

On March 1, Seagate Technology gave up the 2015 W-2 forms of all its current and former U.S.-based employees in a phishing scam, according to a report from KrebsOnSecurity. The W-2 forms included Social Security numbers, salaries and personal information. The week before, Snapchat revealed it was also the victim of a phishing scam when an employee released company payroll information to an attacker pretending to be CEO Evan Spiegel. The payroll specialist that received the email did not realize it was a scam and dutifully responded with the requested data.

A more sophisticated approach
Why are businesses still falling for these scams? Part of the reason is because cyber criminals have become more shrewd.

“Phishing schemes are growing increasingly sophisticated, as cybercriminals use new tools and tactics to create authentic-looking emails,” said Shahryar Shaghaghi, leader of BDO’s Technology Advisory Practice.

The most common type of attack today involves a criminal posing as a high-level executive in an email message to an employee with access to the desired system or information. In December, anti-phishing company PhishMe said phishing emails pretending to be regular office communications are the most effective, with an average clickthrough rate of 22%.

“Whether the criminal seeks a wire transfer, such as what occurred at Mattel and Ubiquity Networks, or employee tax details in the case of Snapchat and Seagate, the ruse is essentially the same: pose as an executive and leverage trust and human desire to please our superiors to achieve the nefarious goal,” said John Wilson, CTO of Agari Field. Wilson has been combating email-based fraud since 2006, when he developed an authentication-based anti-phishing solution as CTO of Brandmail Solutions.

The perpetrators of a phishing scam are generally after one thing: money. The CEO-to-CFO wire request takes a very direct approach, while the criminals targeting Snapchat and Seagate are playing the long game. With the employee tax details in hand, the criminals can now use identity fraud to file phony tax returns, open new lines of credit, and even buy real estate using the stolen identities, explained Wilson.

As KrebsOnSecurity recently noted, phishing scams are an easy way for criminals to get all the necessary information to commit tax fraud. Tax refund fraud accounted for almost 50% of all identity theft complaints last year, according to the Federal Trade Commission.

How can phishing be stopped?
Unfortunately, there is no silver bullet to completely eliminate these forms of phishing.

“Identifying malicious content and security intelligence sharing are positive steps, but neither of these reactionary techniques address the main problem of spear phishing – identity deception,” said Wilson. “Successful attacks feature identity deception at their core, as we can see with Snapchat. Enterprises must ensure their employees receive and interact with only authentic and trustworthy messages. Only by establishing per-message authenticity can the risk of targeted email attacks be mitigated.”

Wilson said DMARC, a technology that can prevent spoofed email, has been around since 2012, but unfortunately many companies have not implemented this crucial security standard.

While security companies continue to build products that can prevent these types of attacks in the workplace, education around email security must be a cornerstone for all enterprises. Human error – paired with corporate cultures that sometimes fail to prioritize cyber security education – are often the culprits when businesses fall victim to phishing attacks, explained Shaghaghi. All employees should understand what a phishing email looks like and how to avoid becoming a victim.

“That human element is key, and habits are difficult to break or change,” said Shaghaghi. “Having said that, users must be given the tools and the culture to ask questions about a potential phish or suspect email. Just as you would validate a person who rang your doorbell at home or called you on the phone to ask for your credit card information, the same rigor should be applied when it comes to business communication.”

Whether you are a restaurant owner or a large multinational corporation, users need to be more aware of common phishing schemes and have the training to identify a potential phishing email when it is received. In addition, companies need to develop policies and provide instructions on what users should do if they suspect phishing, added Shaghaghi.

What happens if you do become the victim of a phishing scheme? The impact is often severe, with initial scams sometimes resulting in wire transfers in the hundreds of thousands of dollars, said Karen Schuler, national leader of BDO Consulting’s Information Governance practice.

“Once compromised, organizations take measures to prevent future events, but ideally, they would preempt a phishing attack by embracing a proactive approach beforehand,” said Schuler. “Should a phishing incident occur, organizations should engage law enforcement immediately, double down on account monitoring and implement other controls to thwart future scams.”