Updated: Feb 9, 2022
The email looked legit. It came from our new CEO, after all. I mean, for crying out loud, his picture was beaming right there in Outlook, a corporately staccato smile peering right back at me.
"Hey, Justin – welcome to the team! I need you to take a look at some onboarding documents so we can get you started right away."
He used my name. It had to be him. I clicked on the attachment. Nothing happened. I clicked on the attachment a second time. Again—nada. Then it hit me.
"Daaaang it! I think I just got phished."
Phishing Isn't What It Used to Be
Even as I look back at this event—years ago at a company I no longer work for—it's embarrassing that I was so easily duped. But the truth is, phishing remains one of the top ways cyber adversaries evade your company's perimeter defenses.
In fact, according to the 2019 Verizon Data Breach Investigations Report, nearly one-third of all successful data breaches involve phishing in one way or another. And breaches are only part of the picture: Proofpoint's 2020 survey found that nearly 90% of businesses had experienced a phishing attack within the past year.
And the costs to businesses associated with phishing compromises are significant. The FBI's Internet Crime Complaint Center reported $1.7 billion in US business losses during 2019 alone from business email compromise (BEC), an attack that is typically set in motion by a phishing email.
The reason is simple. Employees are soft targets, and are often poorly trained. We humans are engineered to trust, and we become complacent—especially if we believe (or assume) our company already has strong security protocols in place.
Another problem is that attackers are growing more patient, sophisticated, and believable, particularly when they target a specific company or industry. These are not the type of guys sitting behind a keyboard launching emails on behalf of a "Nigerian Prince" looking to move tied-up cash from a recent inheritance.
Indeed, while those scams are still working (if you can believe it), the type of attacker we are discussing is quite different. Today’s expert phishing attackers are often part of a very skilled and well-resourced international crime ring. They are diligent in their research and craft very believable campaigns to target your business. And if I could serve as any proof, they are very capable of duping a "relatively" smart person like myself.
OK. So Back to Me.
So, what happened? How did I—a decently trained person with hours of cyber awareness training—fall victim to this phishing attack?
Here's what I've been able to piece together since I joined Pathfynder and learned more about how these hackers operate. And once you look at it from this perspective, it is eye-opening how easily it can happen, but also how preventable it can be with the proper awareness and training.
TARGET SELECTION. These attackers had scouted out my former employer and identified them as a target worth pursuing. Seeing the roster of companies we consulted with, it makes sense. Gaining entry into our corporate infrastructure might not only be a win in itself, but also allow them to pivot to other, more lucrative targets.
PLAN THE ATTACK. The really good attackers conduct solid research to inform their campaigns. In this particular case, I believe they read the press release about the recent acquisition that brought my team and me into this company's corporate fold. The attackers then either visited my old company's website and scraped together a roster of names or enumerated this information through LinkedIn. In either case, they knew that we would be onboarding in the coming weeks and crafted their campaign to take advantage of this fact.
LAUNCH THE ATTACK. The mechanics of how this is done matter, but they are outside the scope of this confession. In this particular case, the attackers slipped past corporate (and, for that matter, Microsoft) defenses and fired off emails from our "CEO" to the members of the new team. Had I been a little savvier or less trusting, which proper training and awareness can instill, I would have inspected the email and seen that it came from something other than our company domain. But I didn't. Score one for the bad guys. Eastern European Hacker, 1. Justin Jackson, 0.
DELIVER THE PAYLOAD. In most cases, clicking on an attachment or an embedded link either installs malware or lands you on a credential-harvesting page, depending on the adversary's objectives. In my particular case, I will never know. When "nothing happened" after I clicked on the email attachment, I immediately realized what had occurred and notified IT.
SECURE THE OBJECTIVE. Again, the end state varies by attacker, but none of the outcomes are good if a successful phishing attack isn't contained ASAP. Whether it's losing a machine and important data to ransomware, having one of your team members fire off fake invoices to customers, or giving the attacker a secure foothold to move laterally through the network, your company stands to lose a lot. Thankfully, I shelved my pride, and all I lost was my work machine for a few hours while IT fixed my mistake. Of course, had I done nothing, the outcome may have been far worse.
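The check described under LAUNCH THE ATTACK, looking past the display name at the address and the headers behind it, is simple enough to automate. The following is an added example written for this page, not code from the original post or from Pathfynder. It assumes a hypothetical company domain of example-corp.com, and the two raw messages are constructed samples: the first mimics the "CEO welcome" lure (a trusted name on a lookalike domain, a Reply-To pointing elsewhere, no DMARC pass), the second is what a genuine internal message would look like.

```python
# Added example (not from the original post): header checks a recipient or
# a mail filter can run before trusting a message that appears to come from
# a known executive. Domain and sample messages below are constructed.
import email
import re
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"  # assumption: the company's real domain

# Constructed sample, not real mail: the display name says "CEO", the
# address is on a cousin domain, replies go to a third domain.
PHISH_RAW = """\
From: "Dana Smith, CEO" <dana.smith@example-corp-hr.com>
Reply-To: onboarding@mail-example-corp.com
To: justin@example-corp.com
Subject: Welcome to the team!
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp-hr.com; dkim=none; dmarc=none
Content-Type: text/plain

Hey Justin - welcome! Please review the attached onboarding documents.
"""

# Constructed sample of a genuine internal message for comparison.
LEGIT_RAW = """\
From: "Dana Smith" <dana.smith@example-corp.com>
To: justin@example-corp.com
Subject: Welcome aboard
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com
Content-Type: text/plain

Welcome aboard, Justin.
"""


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def sender_findings(raw, org_domain=ORG_DOMAIN):
    """Return the reasons a message's sender looks suspicious (empty = none)."""
    msg = email.message_from_string(raw)
    findings = []

    # parseaddr separates the display name from the real address; the
    # display name is what Outlook shows next to the photo, so ignore it.
    _name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    org_label = org_domain.split(".")[0]

    # 1. The address is not on our domain, whatever the display name says.
    if from_dom != org_domain:
        findings.append(f"from-domain-not-org:{from_dom}")
        # 2. Worse: it contains our name, i.e. a lookalike (cousin) domain.
        if org_label in from_dom:
            findings.append(f"lookalike-domain:{from_dom}")

    # 3. Replies would go somewhere other than the apparent sender.
    _n, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"reply-to-mismatch:{domain_of(reply_addr)}")

    # 4. DMARC did not pass; mail that really came from our domain should.
    auth = msg.get("Authentication-Results", "")
    if not re.search(r"\bdmarc=pass\b", auth):
        findings.append("dmarc-not-pass")

    return findings


def is_suspicious(raw):
    return bool(sender_findings(raw))


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_RAW), ("legit", LEGIT_RAW)):
        print(label, sender_findings(raw))
```

Two caveats. Authentication-Results is only meaningful when it was stamped by your own mail server; an attacker can add a forged one, so the gateway should strip inbound copies before adding its own. And DMARC will never catch the lookalike case, because example-corp-hr.com is a domain the attacker legitimately controls; that is why the address-on-our-domain and lookalike checks come first, and why many organisations simply tag or quarantine any external mail whose display name matches an employee.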
We recently uncovered an emerging threat actively targeting industrial manufacturing, shipping, and logistics industries. While this example's sensitivity prevents us from publicly sharing more information at the moment, let's just say this attack is being conducted by a very motivated and talented hacker.
And this brings us to an unfortunate truth. If a capable attacker has zeroed in on your business, they will likely find a way to breach your defenses. There are no impenetrable walls in today's cyber fight. Assuming everything is OK is a plan destined for failure.
That doesn't mean we concede, open up the gates, and let in the barbarians. We still need to invest in our perimeter defenses. But we MUST test those defenses routinely and train our employees as best we can.
Bottom line: Shifting to the "inevitability of a breach" mindset will force your company's security to become more active and less complacent, which is needed in today's cyber threat environment, particularly when it comes to phishing attacks.
After all, if it happened to me, it can happen to anyone.