Email is now the primary entry method for cybercriminals seeking to access organizations, according to a recent report from Symantec.
Email malware rates are also on the rise, according to the cyber security company’s April 2017 Internet Security Threat Report, with email malware rising year-over-year from 1 in 220 emails to 1 in 131 emails.
Phil Richards, chief security officer at Ivanti, says email-based phishing scams are highly successful because they create a sense of urgency.
Phishing plays with the psychology of the victim, often urging email users to take immediate action. For example, a victim may receive an email claiming to be from their network administrator that alerts the end user that their password is about to expire. The victim may feel that they must immediately address this issue, or their access will be cut off.
“If it’s urgent, I may feel like I have to handle it right away otherwise I’ll forget,” says Richards. “Phishers play on that urgency because it changes your focus so you decide you have to handle it right away. It lowers your guard a little bit because now you’re focused on this particular task. Your filters for sniffing out malicious behavior drop.”
Richards says phishing emails are so appealing because they combine two psychological motivators, playing on a victim’s desire for money or to help others.
Richards says that people “really are” getting tricked by social engineering in phishing scams, where hackers “trick end users into thinking they’re someone that they’re not.”
Unlike a marketer who can only promote their own products or services, a cybercriminal “could be anything,” says Richards. “They could pretend to be a Nigerian King or a network administrator.”
Headquartered in Salt Lake City, Ivanti provides end-point IT management for enterprise companies. Although Ivanti cannot prevent malware, it can protect against and respond to malicious incidents. The company’s technology can identify when a machine is infected and then take it off the network so the malware doesn’t affect the rest of the affected company’s computers.
“Since we can detect it, we can put in place pretty strong countermeasures to make sure that ransomware doesn’t cross over the machine boundary,” says Richards.
There are four different types of phishing emails that people should be on the lookout for, says Richards: corporate emails, commercial emails, consumer emails, and cloud emails.
Corporate email scams generally require hackers to have a considerable amount of knowledge about the internal workings of a company.
“That level of research changes it from traditional phishing to spear phishing,” says Richards, noting how business email compromise scams are a good example.
Commercial emails are still business-related phishing scams, but do not target a specific organization. Instead, targeted individuals may get an email from Visa impersonators claiming that their credit card is about to expire.
Consumer email phishing scams are the “batch-and-blast” campaigns of hackers, and target the general public. An example is a mass email that assumes every end user has Verizon.
Richards says that Ivanti has lately seen a rise in cloud email scams, or an “email that says you have storage on a cloud service and it is about to expire unless you immediately update your credentials.”