Data: The new face of phishing

February 7, 2019 11:07 AM

Today phishing scams have become so elaborate that they can take a variety of forms, including a phony job interview.

In December, hackers from the Lazarus Group posted a fake developer job on LinkedIn to lure unsuspecting bank IT professionals for a sophisticated scam. An IT staffer working for the Chilean interbank ATM network, Redbanc, unwittingly responded. Once the confidence had been gained, the hackers (who have ties to the North Korean dictatorship) convinced the bank staffer to download a job application program containing malware onto his work computer. Redbanc claims it had identified the threat in time and took appropriate security measures, however, the true extent of the damage may still yet be unfolding.

According to the FBI’s Internet Crime Complaint Center (also known as IC3) one of the more popular phishing scams is business email compromise, where fraudsters target businesses that work with foreign suppliers and/or regularly perform wire transfers. By imitating a company’s senior executive, such as the CEO or CFO, fraudsters will send an email to an accounting clerk attempting to get them to wire funds to a new supplier in order to pay a fake overdue bill. Another common ruse is called tech support fraud in which criminals claim to provide updated security or technical support in an effort to gain access to an individual’s devices.

The value of information is only as good as the ability for a fraudster to be able to turn it into money. So it’s no surprise that the top area being targeted is the payments industry.

According to the Anti-Phishing Working Group (APWG), more than 38 percent of phishing attacks in the third quarter of 2018 involved fraudsters attempting to obtain payment information. While that is down from almost 42 percent in Q3 2017, it continues to be the most lucrative area for thieves.

One easy way for fraudsters to obtain payment information from consumers or even businesses is to play on the latest data breaches in the news, such as Marriott or Nordstrom. “They will work on a data breach and take advantage of the fear and urgency on the part of consumers,” stated Mike Gross, head of global fraud and ID product innovation at Experian. “Automation has definitely made it easier to phish. Add in machine learning and fraudsters can put things in a more specific context to that consumer.”

The very attempts to use machine learning and artificial intelligence by companies such as FICO, ThreatMetrix and ACI Worldwide to identify suspected fraud are also being studied by fraudsters themselves using similar tools to learn how to avoid detection. As long as there is money to made in phishing, fraudsters will continue to scam consumers and businesses.

The Golden State leads the nation with the most internet crime victims, according to the FBI Internet Crimes Report, which compiled 2017 data. While the California is the most populous state with almost 12 percent of the U.S. population based on the U.S. Census, it counts 15 percent of the total victims. Similarly, Florida, which is the third most populous state at 6.5 percent of the country’s people, had 8 percent of the victims.

Texas, the second most populous state has a lower number of victims relative to its population numbers — 8 percent of victims vs. 8.8 percent of the U.S. population. The number of victims in New York and Pennsylvania falls in line with their population statistics.

So are Californians and Floridians easier victims for phishers? Or is it the case that certain age or other demographics come to play such as Florida’s large retiree population and California’s large millennial workforce. Perhaps it may also be that Californians and Floridians are more reliant on technology or social media, making them more susceptible.

For phishers, it’s all about adjusting the message to lure their targets into the trap. “Seniors have more to lose financially so an email about validation of a bank account may work well. Fooling millennials, on the other hand, will be more successful with a cool viral video with malware attached,” noted Gross.

When it comes to losses from internet crimes, the elderly suffer the most, according to the FBI Internet Crimes Report. Almost one-third (31 percent) of financial losses reported in 2017 were to consumers aged 60 and older where ages were included in the complaints (not all complaints have a victim’s age). In comparison, less than one percent of financial losses occurred to consumers under the age of 20 and just 6 percent of losses occurred to consumers between the ages of 20 and 29.

Based on the number of victim complaints, seniors 60 and older suffered only a slightly higher number of attacks than most other groups, however, each attack was much more costly. The sole exception is the under-20 age cohort, which suffered the fewest attacks but at a cost of over $8,600 in losses when an attack succeeded. The 60+ group had the second highest loss per attack at approximately $6,900, followed by the 50 to 59 group which suffered almost $6,300 per attack. The lowest loss per attack was the 20 to 29 group, suffering just $1,650 per attack.

Are seniors more vulnerable or are the fraudsters just targeting older people? “Fraudsters will target consumers who have dual homes [primary and a vacation home] often in the Northeast and Florida with messages about their second home,” said Gross. By having two homes it can create an additional avenue of attack for fraudsters since a phishing email can be crafted around that second home.

A major change has occurred in the last two years about the type of website phishers are using, and it’s working against the very thing consumers have learned to trust – the advent of secure HTTPS domains. In the third quarter of 2016, only three percent of phishing websites were protected by HTTPS protocols. This has rapidly grown to 23.5 percent in 2017 to almost half of all phishing websites (49.4 percent in 2018), according to Phishlabs.

HTTPS is used to secure communications by encrypting the data exchanged between a person’s browser and the website they are visiting. An SSL certificate is issued for a website that is secured and can be viewed by clicking on the padlock symbol in the website’s URL address. Consumers have been taught to look for the padlock and HTTPS in the URL so they know they are on a secured website. Since fraudsters are aware that consumers are looking for these clues they have merely secured their websites to appear legitimate.

Also, given the ease with which consumers and business can purchase domains and quickly put up legitimate websites, fraudsters have taken notice and are leveraging those same tools. The company GoDaddy.com, which is known for its ability to quickly and cheaply host websites, was the top registrar of phishing domains in the first quarter of 2018, according to the Anti-Phishing Working Group (APWG).

When it comes to getting a consumer to click on a phishing email, some topics are better than others, with security themes bubbling to the top.

In a 3,000 person multi-country survey conducted by Wombat Security, where simulated phishing templates were sent to participants, the updated building evacuation plan email, along with the database password reset alert, both scored nearly 100 percent click rates.

The phishing email templates that were tested in the survey were chosen from real emails that garnered the most attention from its clients in 2017. In the survey the overall average click rate was only nine percent. Consumer-themed phishing emails were clicked on at a nine percent rate, down from a 10 percent rate when the survey was conducted in 2016. Corporate-themed emails had a 10 percent click rate, down from the 2016 survey rate of 15 percent.