In 2013, global volumes of phishing emails* dropped significantly compared with 2012. This is great news: users have become more savvy about the signs of mass phishing, and adoption of the email authentication standards DKIM, SPF, and DMARC has begun to hamper spammers' ability to pose as trusted brands.
The bad news: even though mass phishing is down, spear phishing is not only on the rise but is also becoming more sophisticated. The APWG (Anti-Phishing Working Group) found that the number of brands targeted by spear phishing has risen.
While mass phishing uses spam email campaigns to lure as many people as possible into this digital trap, spear phishing focuses efforts on an individual or small group of people.
To target an individual, cybercriminals gather information about the person through social media or other public outlets and use that information to create personalized lures. Often, spear phishing targets people with access to highly secure data — such as government officials, tech leaders, or journalists.
In 2013, organized forces around the world executed highly sophisticated phishing scams to target a variety of organizations and leaders. Below, we have detailed the top 7 phishing scams from 2013:
- In August 2013, a few days before Iran’s national election to choose a successor to President Mahmoud Ahmadinejad, thousands of Gmail account users in Iran were targeted in a phishing attack intended to influence the election.
- In April, an AP journalist clicked on a spear phishing email disguised as a Twitter email. The phisher then hacked AP’s Twitter account. Stock markets plunged after a phony tweet about an explosion at the White House, erasing $136.5 billion of value from the S&P 500 index.
- In January 2013, a well-organized, sophisticated computer spy operation dubbed Red October was found to (still) be targeting high-profile diplomats, governments, and nuclear and energy research companies. The Red October operation used phishing emails purporting to be from companies’ HR departments. The attack covered 69 countries.
- In March, a cyberattack wiped the hard drives of computers in banks and broadcasting companies in South Korea. The attack came from phishing emails mimicking a South Korean bank.
- Using spear phishing emails, a large and complex hacker group in China was said to have hacked more than 100 companies in the U.S. The hacker group is said to have stolen proprietary manufacturing processes, business plans, communications data, and much more.
- In December 2013, a man was arrested for his part in a phishing scam targeting UK college students. The scam sent emails inviting students to update their student loan details on a malicious site, which was then used to take large amounts of money from their accounts.
- Last but not least, in October, a cunning phishing scam warned against phishing scams!
Though these scams are only a fraction of those perpetrated worldwide, they show the breadth of organizations and people targeted, the diversity of reasons for targeting individuals and companies, and the sophistication of the criminals.
In short, they show an even more urgent need for every organization to employ strong email security in 2014.
Be safe out there, email users! Protect yourself.
*A phishing email is an email sent by a cybercriminal to lure someone into taking an action that downloads software onto their machine. This software is written to perform a malicious action, such as stealing account information or other valuable data.