When we look back at the early days of phishing emails, they can seem almost impossibly quaint. The world of a decade ago was far less cyber-security-aware, and hackers were often able to defraud victims with grammatically challenged emails telling tall tales of long-lost relatives and wealthy princes. Fast-forward to 2020, and the cyber threat landscape has changed significantly. Whilst people are far more aware of the phishing emails they face and how to spot them, hackers have become far more sophisticated, too.
Since the UK Government enforced a nationwide lockdown to tackle the spread of coronavirus, hackers have increased their focus on targeting remote workers with phishing email attacks. This focus on remote workers makes sense – employees are typically less alert to cyber threats when working remotely, and so sophisticated phishing emails are more likely to slip through the net and enable hackers to deploy ransomware and other malware payloads.
In this article we’ll explore phishing trends in 2020, and provide guidance around how organisations should adapt to keep the hackers at bay.
Phishing Emails as Cyber-Attack Launchpads
When we analyse phishing trends, we should understand that hackers usually treat phishing emails as a means to an end, not an end in themselves. In a recent high-profile attack, a group dubbed the Florentine Banker launched a sophisticated cyber-attack on three large finance sector firms, attempting to transfer £1.1 million to unrecognised bank accounts. To date, around half of the money has been recovered. The initial phishing emails were only the launchpad: once the hackers held the victims' mailbox credentials, they registered lookalike domains, diverted the email conversations between the firms and their counterparties, and used those conversations to convince the victims to make malicious payments.
The Florentine Banker is a fascinating case, and hackers certainly see credentials for the likes of Microsoft 365 accounts as high-value targets. However, many – if not most – phishing emails today are sent by hackers as a launchpad for the latest cyber-attack trend: double-extortion ransomware.
The Rise of Double-Extortion Ransomware
Ransomware is a form of cyber-attack launched by hackers for financial gain. In a typical ransomware attack the target organisation's network is penetrated by hackers, most often by sending individuals in the organisation a phishing email that carries a malicious attachment or link, and sometimes by exploiting a vulnerability in the organisation's internet-facing systems.
Once the initial malware is running inside the network, the hackers conduct reconnaissance, move laterally and escalate privileges until they hold the access they need to execute the ransomware across the estate. At that point the organisation's files and systems are encrypted and effectively unusable until either a ransom is paid or the organisation restores from backups to bring the network back online.
This may all be fairly familiar so far. What is relatively new is the trend for double-extortion ransomware attacks, which became a prominent tactic from late 2019 onwards as an additional way to monetise an intrusion. Before encrypting the network, the hackers steal copies of sensitive data; the ransom demand then threatens to leak that data onto the internet if the victim does not pay. The intention is to shame victims into paying a ransom even when appropriate backups are in place to mitigate a traditional, encryption-only ransomware attack.
Many double-extortion ransomware attacks lead to sensitive data being publicised on social media. By mid-2020 there was an increasing trend for screenshots of the stolen data to be published by the hackers themselves and then circulated by security researchers. This means that the first public indication that an organisation has been hit by ransomware is often its own sensitive information appearing on social media.
Adapting to Keep Hackers at Bay
Double-extortion ransomware attacks are a relatively recent development in the cyber security landscape. By adding a layer of reputational damage that goes beyond typical phishing and ransomware attacks, they present an even greater risk to target organisations. As many of these attacks use phishing emails as a launchpad, organisations should be proactive in their approach to cyber security if they are to remain safe from compromise.
The first thing organisations should do to keep hackers at bay is to implement multi-factor authentication. In 2020 there really is no good reason for not using multi-factor authentication to control access across an organisation’s entire infrastructure. Hackers can and will exploit any vector they can to launch cyber-attacks across an organisation; multi-factor authentication makes their jobs much, much harder.
But the latest phishing trends also warrant a broader assessment of an organisation’s cyber security posture. Here are four ways organisations can more effectively protect themselves from the latest phishing trends and other cyber-attacks:
1. Implement multi-factor authentication – requiring a second factor for access to Microsoft 365 and other accounts blocks the large majority of credential-based attacks, including logins with phished passwords. It is not a complete defence: a malicious attachment that a user opens still runs without needing to log in anywhere, which is why the remaining measures matter.
2. Use robust email security – email is by far the number one vector for hackers to infiltrate organisations' networks, and phishing is the number one threat in the email space. Organisations should incorporate a robust email security solution that filters malicious attachments and links, checks sender authentication (SPF, DKIM and DMARC) on inbound mail, and flags lookalike domains of the kind the Florentine Banker used to divert payment conversations.
3. Educate employees – proper and ongoing education of employees around the evolving threat landscape will ensure they are able to identify and report phishing emails when they slip through the net and reach their mailboxes.
4. Notify business partners promptly – if a breach has been detected, the organisation should make sure to notify all of its business partners as well, since stolen credentials and mailbox contents are routinely used to target them next. Any delay in notification only works to the benefit of the attacker.
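To make the lookalike-domain and sender-authentication checks concrete, here is an added example, written for this article and not taken from any email security product or from the Florentine Banker investigation. It parses a message with Python's standard `email` module, compares the From domain against a hypothetical list of trusted partner domains (allowing for digit-for-letter substitutions and one-character edits, the tricks used to register domains that look like a real counterparty's), reports a Reply-To that points somewhere other than the From domain, and reads the SPF/DKIM/DMARC verdicts from an `Authentication-Results` header. The two messages, the `TRUSTED_DOMAINS` list and the `victim.example` mail host are all constructed for the example.

```python
"""Flag lookalike sender domains and failed email authentication.

Added example for this article; TRUSTED_DOMAINS and the sample messages
below are constructed, not real data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical domains this organisation exchanges payment instructions with.
TRUSTED_DOMAINS = ["example-bank.com", "acme-suppliers.co.uk"]

# Substitutions attackers use to register near-identical domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# spf=pass, dkim=fail, dmarc=none ... as written into Authentication-Results.
AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b",
    re.IGNORECASE,
)


def normalize(domain: str) -> str:
    """Lower-case, drop a trailing dot, collapse common look-alike substitutions."""
    d = domain.lower().rstrip(".")
    for bad, good in HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (simple dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    An exact match is not a lookalike. A domain that becomes identical after
    homoglyph normalisation, or whose first label is within one edit of a
    trusted domain's first label (catches example-bank.co, examp1e-bank.com),
    is flagged.
    """
    d = domain.lower().rstrip(".")
    trusted_l = [t.lower() for t in trusted]
    if d in trusted_l:
        return None
    for t in trusted_l:
        if normalize(d) == normalize(t):
            return t
        if levenshtein(d.split(".")[0], t.split(".")[0]) <= 1:
            return t
    return None


def parse_auth_results(value: str) -> dict:
    """Extract {mechanism: verdict} from an Authentication-Results header value."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(value or "")}


def assess_message(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of findings for one RFC 5322 message (empty list = clean)."""
    msg = message_from_string(raw)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2]
    hit = lookalike_of(from_domain, trusted)
    if hit:
        findings.append(f"From domain {from_domain} looks like trusted domain {hit}")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2]
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) not in (None, "pass"):
            findings.append(f"{mech} result is {auth[mech]}")
    return findings


# Constructed sample: lookalike domain, mismatched Reply-To, DMARC failure.
PHISH = """From: Accounts Payable <accounts@examp1e-bank.com>
Reply-To: accounts@examp1e-bank.co
To: finance@victim.example
Subject: Updated remittance details
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=examp1e-bank.com; dkim=none; dmarc=fail header.from=examp1e-bank.com

Please use the new account details attached for this month's payment.
"""

# Constructed sample: genuine partner domain with all checks passing.
LEGIT = """From: Accounts Payable <accounts@example-bank.com>
To: finance@victim.example
Subject: Remittance advice
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com; dmarc=pass header.from=example-bank.com

Your payment was received, thank you.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, assess_message(raw) or ["no findings"])
```

The lookalike test deliberately compares only the first label so that a registrable-domain swap (`.co` for `.com`) is caught; a production filter would also want to canonicalise internationalised domain names and check against the organisation's own domain, which this example leaves out.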
Adapting to Phishing Trends
As we transition into the ‘new normal’ way of working together, we should all be proactive in our approach to handling the cyber threats we face. By understanding developing phishing trends and other cyber-attack methods, we can implement measures to keep hackers at bay and protect our organisations from financial, operational and reputational damage.