Email is now the primary entry method for cybercriminals seeking to access organizations, according to a recent report from Symantec.
Email malware rates are also on the rise, according to the cyber security company’s April 2017 Internet Security Threat Report, with email malware rising year-over-year from 1 in 220 emails to 1 in 131 emails.
Phil Richards, chief security officer at Ivanti, says email-based phishing scams are highly successful because they portray a sense of urgency.
Phishing plays with the psychology of the victim, often urging email users to take immediate action. For example, a victim may receive an email claiming to be from their network administrator that alerts the end user that their password is about to expire. The victim may feel that they must immediately address this issue, or their access will be cut off.
“If it’s urgent, I may feel like I have to handle it right away otherwise I’ll forget,” says Richards. “Phishers play on that urgency because it changes your focus so you decide you have to handle it right away. It lowers your guard a little bit because now you’re focused on this particular task. Your filters for sniffing out malicious behavior drop.”
Richards says phishing emails are so appealing because they combine two psychological motivators, appealing to a victim’s desire for money or to help others.
Richards says that people “really are” getting tricked by social engineering in phishing scams, where hackers “trick end users into thinking they’re someone that they’re not.”
Unlike a marketer who can only promote their own products or services, a cybercriminal “could be anything,” says Richards. “They could pretend to be a Nigerian King or a network administrator.”
Headquartered in Salt Lake City, Ivanti provides end-point IT management for enterprise companies. Although Ivanti cannot prevent malware, it can protect against and respond to malicious incidents. The company’s technology can identify when a machine is infected and then take it off the network so the malware doesn’t affect the rest of the affected company’s computers.
“Since we can detect it, we can put in place pretty strong countermeasures to make sure that ransomware doesn’t cross over the machine boundary,” says Richards.
There are four different types of phishing emails that people should be on the lookout for, says Richards -- corporate emails, commercial emails, consumer emails, and cloud emails.
Corporate email scams generally require hackers to have a considerable amount of knowledge about the internal workings of a company.
“That level of research changes it from traditional phishing to spear phishing,” says Richards, noting how business email compromise scams are a good example.
Commercial emails are still business-related phishing scams, but do not target a specific organization. Instead, targeted individuals may get an email from Visa-impersonators claiming that their credit card is about to expire.
Consumer email phishing scams are the “batch-and-blast” campaigns of hackers, and target the general public. An example is a mass email that assumes every end-user has Verizon.
Richards says that Ivanti has lately seen a rise in cloud email scams, or an “email that says you have storage on a cloud service and it is about to expire unless you immediately update your credentials.”