Impersonation, sender forgery and corporate email spoofing top the charts

This Q4 of 2018 was a busy period for phishing scammers. INKY researchers saw a spike in email volume this time of year as people use email to gather their receipts from online shopping, shipping notifications, returns, and virtual holiday greetings.

For its 2018 Q4 email security report, the company pulled out the highest volume attack types and broke down each one. The majority of attacks that were analyzed showed an increase in target personalization, making them considerably more difficult to detect.

Key findings:

• 12% of phishing attacks took the form of VIP impersonations.
• 10% of assessed phishing attacks are sender forgery.
• 6% of phishing attacks were via corporate email spoofing.

Corporate VIP impersonation

This type of attack is usually fairly involved and often delivered in real-time. A typical scheme can involve a scenario where the CEO (or perhaps someone from finance) is in a meeting or is in a limited cellphone reception area where a confirmation call is not possible. The victim then becomes engaged with a request for help which eventually leads to handing over sensitive data without verification to the scammer on the other end.

Sender forgery

An email that presents itself as having come from a known contact is a classic in terms of phishing attacks. This type of attack perseveres as contacts maintain personal and professional emails. Often contacts cycle through Gmail, Yahoo and other popular mail providers, making it difficult to discern a legitimate message from a phishing attack.

Corporate email spoofing

This attack blends the elements of VIP impression with sender forgery. This type of attack is sophisticated in that it deliberately targets a specific corporate entity. It often occurs after a major announcement. The nature of the announcement has no bearing on the frequency of attacks. Both positive and negative news can be leveraged to provide cover for the phishing attacker’s true intentions. In the past (and for those remaining unprotected) corporate spoofing has resulted in the loss of corporate intellectual property, private information, financials and even protected healthcare information.

“Phishing attacks remain one of the largest threat vectors as cybercriminals have increasing access to sophisticated toolkits through the Dark Web and the human element remains the most porous aspect of cybersecurity,” said Dave Baggett, CEO of INKY. “Even the most informed and vigilant members of an organization that take extra measures to practice proper cybersecurity posture can fall prey to phishing attacks that are becoming indistinguishable from legitimate channels of communication.”