May 31, 2018
The 2017 Verizon Data Breach Investigations Report showed that 43% of all reported breaches began with a phishing scam of some kind.
A phishing scam attempts to get valuable information by posing as a legitimate institution, company or person in an email or text message. Typically, the message requires the recipient to update information, and there is usually a link or an attachment that must be used.
A 2018 KnowBe4 study showed that recipients of phishing scams are most likely to click on a link or attachment when there’s a promise of money or a threat regarding the loss of money.
In a July 2017 phishing scam, emails were sent out to more than 3,000 businesses with the subject line ‘Shipping Information’. The emails alerted recipients about a forthcoming delivery by United Parcel Service (UPS) and included a seemingly innocent package tracking link. Unfortunately, recipients who took the bait and clicked the link actually deployed malware that could release a virus, delete data, and send spam. Interestingly, in the KnowBe4 study, the top subject lines were ‘A Delivery Attempt Was Made’ with an 18% click rate, and ‘UPS Label Delivery 1ZBE312TNY00015011’ with a 16% click rate.
One ransomware attack in May 2017 started as a worldwide phishing expedition. The cyber attack was carried out by a ransomware cryptoworm called WannaCry. It targeted computers running the Microsoft Windows operating system, encrypting data and demanding ransom payments. The attack hit 300,000 PCs around the world.
In a February 2017 phishing scam, a cyber-criminal group sent malware-laden emails to staff members of a global Mexican restaurant chain that has over 2,000 mostly U.S. locations. Opening the attachment ended up compromising Point of Sale systems at most locations, and customer credit card data belonging to millions of people was stolen. The stolen data included account numbers and internal verification codes.
In 2017, a Nigeria-based Business Email Compromise (BEC) scam targeted more than 500 businesses in over 50 countries. The phishing scam asked recipients, mostly at industrial companies, to download a file. The file was malicious, and once it was downloaded, the malware gained access to business data and networks.