Phishing

Phishing: Who Is Being Targeted by Phishers?

Daniel Brecht
February 17, 2019 by
Daniel Brecht

Phishing Targets

Industries

Overview of Phishing Targets

Though phishing has been around for years, it continues to affect many users who still fall prey to tactics used to bait victims into disclosing personal identities and login credentials. Research reveals that the average Internet consumer is normally not aware of (or not particularly concerned with) phishing before having fallen prey to this type of high-tech scam, which happens to be the number one culprit to most network breaches inflicted by hackers today. Chosen targets can see their computers be infected or compromised, data stolen or misused, system devices and/or equipment intruded upon or damaged.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

There are several reasons why this type of threat is so dangerous. First of all, it is fairly inexpensive and easy to carry out. Phishing is a means of tricking e-mail recipients into opening an attachment that masquerades as being legitimate and urgent or into clicking on a malicious link that opens a website that is actually infected with malware. Perpetrators prepare mass mailings, hoping to lure even just one victim into giving out information or allowing access to a system.

In the case of spear-phishing, a more directed approach that targets specific victims within organizations, malicious hackers can find most information needed to perpetrate the attack right on the Internet, on info pages of companies and social network profiles.

The most effective of the social engineering techniques, phishing is also a serious and dangerous cyberthreat, as it targets every sector of society; phishing attacks have been directed against targets in every industry and country for some time.

Though the simplest and most common form of phishing (referred to as mass phishing) has progressively been showing lower success rates, other types are proving to be effective ways for malicious hackers to gain access to the information they need. Spear-phishing has raised e-scams to a new level by directing attacks at specific individuals or companies and accounting for most attacks; whaling is directed at high-profile targets (CEOs, government, military) and has proved to be even more effective thanks to the level of detail that is put into the crafting of the attack baits.

Phishing: Most Common Targets?

Real-life cases of phishing show how any organization or individual can be a target and, unfortunately, a victim. Employing different tactics, phishers have proved to be able to reach many users regardless of their position in companies, presumed level of expertise, or employment field. Targets are not necessarily key employees in a business; anybody can be a victim; social network users, for example, are often the focus of specific campaigns. Even random targeting can provide opportunities for phishers to gain invaluable knowledge of the actual victim as well as of most of his or her contacts; the information can be vital when crafting baits for further, better targeted attacks.

In businesses, employees of any level can actually be victims and nobody should feel they can’t possibly be fooled by skilled scammers. Information on e-mail addresses, hierarchy, and projects that specific teams are working on, can be easily retrieved by scammers perusing a company’s website or social network page. Names, job responsibilities, and coworkers’ name can be used by scammers to lure users into falling prey to spear-phishing attempts and giving what is needed to access the company systems.

Higher executives are not exempt either and might be actually easier targets, as their information are more widely available to the public. According to a survey commissioned by Cloudmark, C-suite executives are often the victims of phishing attempts: 27% of the 300 respondents surveyed in the study revealed their CEOs were targeted, while CFO attacks accounted for 17% of the cases. For years, in fact, executives have actually been one of the most targeted groups. In 2008, a famous whaling incident proved how no one can feel safe from social engineering threats: In the infamous phishing scam of the United States District Court in San Diego, in fact, thousands of high-ranking executives received what appeared to be official subpoenas via e-mail. Each message was carefully crafted and contained exact information on company, names, and phone numbers and included a file, the alleged copy of the subpoena, which was carelessly opened by at least 2000 executives upon receipt. The file actually contained a keystroke logger and software able to take control of the computer remotely.

One of the problems with phishing is that selection of targets is not always clear-cut. Often, a phisher’s motive is simply to get many victims rather than deciding on selected targets. A mass e-mail looking to solicit bank account access credentials, for example, might provide the info needed by less sophisticated hackers to obtain financial gain with fraudulent wire transfer or opening accounts through identity theft. However, that is not always the case. Often phishers are targeting an enterprise and a selected group at an office (staff, management, executives) that is responsible for a project or service. Selection will vary according to the phisher’s motive, either to target internal corporate data and trade secrets or commit economic industrial espionage, to name a few reasons. In the survey commissioned by Cloudmark, surprisingly, the targeted group of employees within companies was often the IT staff (44 percent) because of its control of the technical infrastructure and access to data followed by, obviously, the finance staff (43 percent) in charge of everything money-related.

Motives can also vary. News is often made by attempts to steal personally identifiable information (PII) for financial gain or by scams perpetrated to gain access to financial information. Often, we hear reports of attempts to break into the secrets of industrial giants, but money and trade secrets are not the only incentives. Social and political reasons are also valid motivations and this leads phishers to identify the most unusual and unsuspected targets. The attempt to cause a competitor's loss of reputation is also a likely motive.

Most Targeted Industries and Companies – Who Is at Risk?

The study commissioned by Cloudmark from independent research firm Vanson Bourne surveyed 300 IT professionals from the U.S. and the U.K. about spear-phishing threats from the enterprises’ perspective. The survey reported that 84% of the respondents admitted their company was victim of spear-phishing attacks. In addition, 20% believed spear-phishing to be their top security concern and 42% believed it to be among their organization’s top three.

According to 90% of the respondents, the majority of attacks are still conducted through e-mails; however, new media for spear-phishing are quickly becoming the new norm. Attacks conducted through mobile platforms are second most likely (48 percent of respondents), followed by social networks (40 percent) and removable media (30 percent).

It is clear, then, how scammers are hitting a wide range of industries in a variety of ways. Online payment services, Internet-based financial services businesses, and retail sites are among the most targeted sectors, according to Statista, a statistics companies on the Internet, which provides "Phishing Activity Trends" highlighting the number of global phishing incidents by industry sectors and type of organization. In fact, “during the third quarter of 2015, 20.43 percent of phishing attacks worldwide were directed towards financial institutions. Payment services accounted for 14.91 percent of phishing attacks.”

This is confirmed also by the Anti-Phishing Working Group (APWG) "Phishing Activity Trends Report 2015," which analyzes phishing attacks that have been registered. The study considered at least 123,972 unique phishing attacks worldwide in the second half of 2014. Not surprisingly, ecommerce was the most likely target of phishing attempts; in fact, the sector accounted for 39.5 percent of the total number of known attacks in the second half of 2014. The banking and money transfer industry followed with 22 and 20.7 percent of attacks, while social networking and email providers were the target of 11.6 percent of the phishing attacks.

[cta id="1462895684866" post="35445"]

The reasons these are the most targeted industries are clear. Financial gain is obviously the main motive, with scammers hoping to gain access to users’ accounts and/or gather enough information to steal identities and profit from it. Banks or financial services web sites are fairly easy to target through a variety of methods. Scammers often pose as representatives of these institutions and solicit information. Bank of America, for example, has warned its clients for years through the official website about e-mails that “may ask […] to call a phone number and provide account information,” or about “phony [e-mails that ask] you to go to a website that looks like a Bank of America site, but is actually a site the criminal has set up.” Similar problems have been noted by financial services companies like Wells Fargo, which complained of a website with a similar name “seeking to deceive Internet users by providing a web site containing a near identical copy of [its official] web site and seeking to fraudulently obtain personal information from Internet users through a phishing scam.”

In addition to fraudulent look-alike websites and requests for information, phishing campaigns with malware attacks are one of the most used means of attacks against financial institutions; “online banking customers in the UK are being warned of a major phishing campaign using a notorious piece of malware designed to steal financial data” reports, for example, from UK technology news site V3. In the summer of 2015, almost 20,000 e-mails were sent to customers of important UK financial institutions including Barclays, Santander, and Lloyds; the e-mails were sent by an alleged tax accountant and carried a file which proved to be Dyre malware, an infamous code that had already affected customers of Bank of America, Deutsche Bank, and others. Although the attack was sophisticated, it still relied on customers to open the attachment to begin its replication. The financial sector, however, is also vulnerable thanks to less-than-obvious reasons. According to an interesting analysis reported by the Financial Times, “The problem many global financial institutions have is old and incompatible technology that was taped together as the result of mergers. [Some institutions] have trading platforms that are not easily or cheaply transferred on to new systems.”

Other sectors, however, are not off the hook; actually, new companies are increasingly becoming preferred targets of phishing attacks. The APWG report, in fact, highlights how new targets are insurance companies, utilities or electricity providers, and even toll-road collection systems, “demonstrating that criminals [are trying to collect] the credentials of consumers in places where they least expect it.”

And consumers and businesses alike can’t even hope that only industry giants will be the object of phishers’ attention. According to Symantec Corporation, “no company, whether large or small, is immune” to phishing attacks, as stated in its 2015 "Internet Security Threat Report" (ISTR). While large companies are still a prime target, a lot of attacks struck small and medium-sized companies last year. In fact, SMBs with less than 250 employees were the victim of 43% of global spear-phishing attacks compared to 18% in 2011. As Symantec's ISTR points out, attacks have increased from the last reporting period and attackers often choose a target that has less security infrastructure in place, regardless of size. In fact, smaller companies are often a preferred target, as hackers are able to break through security measures in an easier way and aim to gain valuable information to eventually attack larger companies the target has business dealings with. This is especially true when it comes to government subcontractors; phishing attempts aimed at government agencies have often been perpetrated through small subcontractors of larger government contractors with access to secure government systems and classified information.

How Not to Be a Target

As seen, phishing goes far beyond any size company and can target any sector and user, from a business executive to a home social network user or online banking consumer. So how can enterprises protect themselves from phishing scams? Technology can help somewhat by catching and identifying the most common traits of phishing attempts, stopping malicious attachments, warning employees about the dangers related to clicking on links, or preventing scam e-mails from even reaching their Inbox.

But not much can be done to prevent legitimate-looking e-mails crafted specifically to lure a target. So the main line of defense is actually phishing awareness. Whether the user is a high executive of an industry giant, a clerk of an ecommerce company or an online banker, being aware of the most common scams and getting used to critically questioning messages that are delivered, especially when unexpected, is a crucial step in preventing or at least reducing the odds of falling victim to phishing. As humans are the target of social engineering tactics, it is humans who need to be trained to be the best line of defense for systems and information.

Newest phishing attacks show that scammers are now reaching high level of sophistications and are exploiting natural workplace behaviors, In fact, in the majority of cases, they build on the trust relationships that are naturally created within companies. The latest attacks, for example, have been carried through a variant of spear-phishing; BEC (business email compromise) attacks are being increasingly carried forward in the first few months of 2016 against the employees of dozens of businesses to steal tax records and information. Companies such as Seagate Technology, Applied Systems Inc., and Polycom were targeted by phishing e-mails that looked like internal communications or requests by CEOs and other executives.

Steve Ragan, Senior Staff Writer for CSO explains that BEC attacks play on the unwillingness of employees to deny a request a boss made or take advantage of the natural desire to help a coworker. Many of the attacks prove, in fact, that even when affected employees questioned a request in the beginning, eventually they fell prey to the scam if requests were repeated. "No type of anti-virus can protect an organization from being the victim of this type of attack. […] Until organizations become more proactive in training their employees to look for the signs of this now all-too-common phishing scam, the attacks will continue into the foreseeable future," said Nathan Sorrentino, of STEALTHbits Technologies.

An awareness program can help employees recognize signs of deception but, as Ragan explains, “awareness programs that focus on disrupting trust between co-workers or senior staff are doomed from the start.” Training can only help if employees are aided by policies that require verification (for example, a second person would be needed to verify each request that deals with financial information); in addition to that empowerment, employees must be give the ability, without consequence, to question requests for sensitive data regardless of the source.

In addition, continuous sensitization campaigns are necessary. System administrators can use simulation models on workers, for example, says Linda Musthaler in a Network World post on “IT Best Practices” that helps support an innovative approach to user education to raise specific awareness of phishing threats. Tools like InfoSec Institute’s “PhishSim," a phishing simulations that provides user awareness training simply by enrolling learners into SecurityIQ, can help in this task. Interested company security managers can schedule campaigns to send users phishing tests and computer-based training learning modules, and gain access to customized phishing templates, through one common interface. Can user awareness prevent phishing completely? Probably not; yet knowledge can help diminish its likelihood. The Cloudmark survey showed how testing employees’ response to spear-phishing attacks is already part of the security strategies of 79 percent of the 300 surveyed companies. On the average, tests are conducted 4 times per month, and the failure rate is around 16 percent.

Involving C-level personnel, then, is important for enterprise security for many reasons. Not only are they primary targets and, therefore, can only benefit from mastering the security awareness principles discussed in training, but their buy-in can ensure the right effort (and often financial resources) are placed in the implementation of training and all related initiatives. Participating in training can also give other employees the sense of how important what they are learning is, even at the higher level, and can give them the sense that the knowledge they are gaining through trainings and procedures is valuable.

Conclusion

Why do phishing attacks that are targeted at personnel and human vulnerabilities continue to succeed? Too often scams are successful because of people's lack of security awareness training. Everybody is a target, regardless of role or industry. We live in a digital age where gathering of information has become much easier; phishing is a method that exploits this ease. It is often difficult to detect and prevent, and phishing and malware protection (in addition to using a firewall and anti-virus application) to guard against these scams, might be easily bypassed by savvy phishers. Security awareness training can equip enterprise employees with the knowledge and tools necessary for resilience against such attacks, if coupled with clear endorsement by management and a company culture that supports empowerment of employees. 

Check out more articles about phishing:

Spam vs. Phishing: Definitions, Overview & Examples

10 Most Common Phishing Attacks

References

Agent Patrick B. (2014, February 28). Phished In! (How to Avoid Being Hooked By a Phishing Scam). Retrieved from http://www.geeksquad.com/intelligence/blog/phished-in-how-to-avoid-being-hooked-by-a-phishing-scam/

APWG. (2015, December 23). Phishing Activity Trends Report, 1st – 3rd Quarters 2015. Retrieved from https://docs.apwg.org/reports/apwg_trends_report_q1-q3_2015.pdf

Cloudmark Security Blog. (2016, January 13). Survey Reveals Spear-phishing as a Top Security Concern to Enterprises. Retrieved from https://blog.cloudmark.com/2016/01/13/survey-spear-phishing-a-top-security-concern-to-enterprises/

Gréaux, S. (2013, Mar 13). Is training key to preventing spear-phishing attacks? Retrieved from http://www.hrzone.com/perform/business/is-training-key-to-preventing-spear-phishing-attacks

Inspired eLearning. (2014, September 26). Phishing Infographic: Phishing Threats Are Real And Everyone Is A Target. Retrieved from http://blog.inspiredelearning.com/phishing-infographic-phishing-threats-are-real-and-everyone-is-a-target/

Markoff, J. (2008, April 16). Larger Prey Are Targets of Phishing. Retrieved from http://www.nytimes.com/2008/04/16/technology/16whale.html?_r=2

Murdock, J. (2015, July 08). UK online banking users hit with Dyre malware phishing attacks. Retrieved from http://www.v3.co.uk/v3-uk/news/2416828/uk-online-banking-users-hit-with-dyre-malware-phishing-attacks

Musthaler, L. (2013, April 12). Should you simulate a phishing attack on your own colleagues to raise security awareness? Retrieved from http://www.networkworld.com/article/2165305/security/should-you-simulate-a-phishing-attack-on-your-own-colleagues-to-raise-security-awareness.html

Ragan, S. (2016, March 24). Phishing attacks targeting W-2 data hit 41 organizations in Q1 2016. Retrieved from http://www.csoonline.com/article/3048263/security/phishing-attacks-targeting-w-2-data-hit-41-organizations-in-q1-2016.html

Ramesh, R. (2015, April 9). Gone Phishing: How to Prevent Sophisticated Attacks. Retrieved from https://securityintelligence.com/gone-phishing-how-to-prevent-sophisticated-attacks/

Scannell, K. & Chon, G. (2015, July 28). Cyber insecurity: When 95% isn’t good enough. Retrieved from http://www.ft.com/cms/s/2/251a40ea-2fcf-11e5-91ac-a5e17d9b4cff.html#axzz46GVRUsJC

Get six free posters

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.

Symantec Internet Security Threat Report. (2015, April). Analysis of Phishing Activity by Geography, Industry Sector, and Company Size. Retrieved from https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347931_GA-internet-security-threat-report-volume-20-2015-appendices.pdf

Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.