Anti-Phishing Start-Up Reveals VIP Impersonation, Sender Forgery and Corporate Email Spoofing Top the Charts
INKY Technology Corporation, an email protection startup that leverages the power of unique computer vision and artificial intelligence (AI), today announced the release of the company’s 2018 Q4 email security report, Welcome to 2019: Phishing Gets Personal. The holiday period is typically the peak time of year for online shopping, and with that comes higher rates of cybercrime, especially phishing scams.
Q4 of 2018 was a busy period for phishing scammers. INKY researchers saw a spike in email volume at this time of year, as people use email to collect receipts from online shopping, shipping notifications, returns, and virtual holiday greetings. INKY pulled out the highest-volume attack types and broke down each one. The majority of the attacks analyzed showed an increase in target personalization, making them considerably more difficult to detect.
- 12% of phishing attacks took the form of VIP Impersonations.
- 10% of assessed phishing attacks were Sender Forgery.
- 6% of phishing attacks were via Corporate Email Spoofing.
Corporate VIP Impersonation
This type of attack is usually fairly involved and often delivered in real time. A typical scheme involves a scenario where the CEO (or perhaps someone from finance) is in a meeting, or is in an area with limited cellphone reception, so a confirmation call is not possible. The victim is then drawn into a request for help, which eventually leads to handing sensitive data over to the scammer on the other end without verification.
Sender Forgery
An email that presents itself as having come from a known contact is a classic phishing attack. This type of attack persists because contacts maintain both personal and professional email accounts. Contacts often cycle through Gmail, Yahoo and other popular mail providers, making it difficult to discern a legitimate message from a phishing attack.
Corporate Email Spoofing
This attack blends elements of VIP impersonation with sender forgery. It is sophisticated in that it deliberately targets a specific corporate entity. It often occurs after a major announcement. The nature of the announcement has no bearing on the frequency of attacks: both positive and negative news can be leveraged to provide cover for the phishing attacker’s true intentions. In the past (and for those remaining unprotected), corporate spoofing has resulted in the loss of corporate intellectual property, private information, financials and even protected healthcare information.
“Phishing attacks remain one of the largest threat vectors as cybercriminals have increasing access to sophisticated toolkits through the Dark Web and the human element remains the most porous aspect of cybersecurity,” said Dave Baggett, CEO of INKY. “Even the most informed and vigilant members of an organization that take extra measures to practice proper cybersecurity posture can fall prey to phishing attacks that are becoming indistinguishable from legitimate channels of communication.”
INKY has found that over half of phishing emails are passing traditional anti-spam filters. The reality is that older-generation phish filters are simply not capable of identifying the personalized attacks that were so prevalent in Q4. The time for relying on associates as a competent, qualified and aware cyber defense has passed. Educated associates are vital, but their effectiveness as a deterrent is undermined daily.
To download the full report, visit https://inky.com/inky-phishing-report-4q18