Spotlight on Phishing: Who Are Cybercriminals Targeting and Why

Anyone can be a victim of phishing, from you at your personal computer to the largest corporations and organizations in the world. That 90% of successful hacks or data breaches are due to phishing scams proves that they can reach any user, regardless of their position in their company or their expertise in their field.

Scammers hit a wide range of industries in a variety of ways. Online payment services, internet-based financial services businesses, and retail sites are among the most targeted sectors according to Statista, an online statistics company. The targets of these attacks are not necessarily key employees in their company; it can be anybody. Even the most random targets can give phishers the information they need to gain critical knowledge of the actual target victim and their associates. One successful phishing attack often gives the phisher the information needed to craft a more precise and convincing follow-up attack.

It might disturb you to hear that higher executives can actually be easier targets than their employees. This is mostly because more of their information is publicly available, which gives the hacker even more free material for crafting a targeted scam. According to a Cloudmark survey, 27% of the 300 surveyed revealed that their CEOs were targeted (CFOs made up another 17%). These attacks usually look and work differently from standard email-blast phishing; the messages contain extremely convincing and detailed legal documents that are carriers for some kind of malware or ransomware. When the worried-but-unsuspecting executive opens this file, the malicious software is let loose on their computer.

So we know that these cybercriminals will target anyone, but they might be more inclined to target executives because they’re often easier targets. So why do these cybercriminals do this at all?

There are a variety of reasons, the most basic of which is money. Phishing scams can easily develop into ransomware attacks that hold company data hostage until a ridiculous sum of money is paid out. Another potential incentive could be the acquisition of trade secrets, to be sold to competitors or used by the attackers themselves. Social and political motivations are also possible, and are often the motivations for more unusual targets. Whether intentional or not, the news of a successful phishing attack on a company will do devastating damage to that company’s reputation; Equifax was hacked due to successful phishing scams, and lost faith and goodwill from its client base.

So what can you do to prevent your company or organization from being targeted by phishing attacks?

Absolutely nothing. There is nothing you can do that will prevent you from being a potential target. However, there are a lot of ways to prevent yourself from falling victim to an attack when it happens. Enabling multi-factor authentication is one easy way to add an extra layer of security that phishing will struggle to get past—especially if you use a biometric scan such as a fingerprint or facial recognition.

You could also enlist a reliable IT resource that can help you implement not only defensive IT security measures, but also a disaster recovery plan in case the worst happens. We at Attentus would like to be that resource for you. Give us a call!