The Evolution of Phishing Scams
Emailing and web browsing have become such routine parts of daily life that they are done without a second thought, like flipping on a light switch when you enter a room or answering the telephone when it rings. The exception is a call from an unfamiliar telephone number, which immediately raises a red flag for most folks and makes it a simple matter to avoid unwanted calls.
Similarly, people have also grown accustomed to ignoring obvious phishing scams from amateurish crooks with more greed than talent. Emails laced with misspelled words, bizarre grammar, and unlikely premises (e.g., the Nigerian prince who needs your help retrieving his untold millions) are a dead giveaway. But what happens if your clients receive a professional-looking email from a well-known company that they regularly do business with? Or they click a helpful link that (seemingly) takes them to a major bank’s website?
It’s all too easy for those clients to momentarily drop their guard, and that’s all it takes for phishing sites—which impersonate leading companies—to deliver their malware payload. Unfortunately, phishing tactics are getting smarter and more sophisticated. As an MSP, that puts added pressure on you to educate clients on the different identities and delivery mechanisms that the bad guys are using.
As Tyler Moffitt, senior threat research analyst at Webroot, explains, “What’s particularly interesting is who the targets of phishing attacks are. What our data reveals is that the great majority of attacks target either technology companies like Google and Apple or financial institutions like PayPal or JPMorgan Chase. While the volume of attacks is about a 60:40 split between tech targets and banks, we can see that there are far more attacks per tech target than bank.
“Technology companies had over 12,000 phishing sites per company, and financial institutions over 1,100 phishing sites per company. This is somewhat expected as there are far more banks than technology companies.” (Fig. 1)
Figure 1: Technology companies and financial institutions are the most frequent targets of phishing attacks.
“Looking a bit deeper into the actual targets of phishing attacks,” Tyler continues, “we can see there are clear leaders in each category, with Google and PayPal seeing the vast majority of phishing attacks.” (Fig. 2)
Figure 2: Google and PayPal experience by far the highest percentage of phishing attacks.
Of course, many of your clients are customers (whether through business- or consumer-related transactions) of these companies, so it’s vital that you alert them to the hazards that can lurk within apparently innocuous communications that seemingly come from some of today’s most trusted organizations.
It’s important you remind clients that phishing attacks frequently impersonate highly reputable companies, partly because they’re so familiar and trusted. Best practices dictate your clients should exercise particular caution when encountering emails and websites that seem to originate from leading technology and financial firms.