The rising trend of personalized phishing attacks

“Attackers are clearly scraping data from sites like LinkedIn to target specific VIPs.”
13 February 2019

VIP impersonations are on the rise. Source: Shutterstock

The fourth-quarter holiday shopping period is a peak time of the year for opportunistic phishing activity, targeting not just spend-happy consumers but businesses as well.

According to a newly-released report by email protection startup Inky Technology Corporation, last year’s wave of cyber attacks on the unwitting showed a worrying trend of personalization, making them considerably more difficult to detect.

In fact, 12 percent of corporate phishing attacks took the form of VIP impersonations, a “fairly involved” attack, according to Inky, that will typically follow the scenario of a CEO (or someone from the finance team) being tied up in a meeting or with limited cell phone reception, where a call is not possible.

The victim, generally a more junior member of staff, will be engaged with a request for help, which eventually leads to handing over sensitive data to the scammer without verifying the request.

“Attackers are clearly scraping data from sites like LinkedIn to target specific VIPs; we can tell this is automated scraping of some sort because they’ll sometimes target ex-employees by accident,” said Dave Baggett, founder and CEO of Inky. An increase in these automated campaigns could be attributed to a rise in ‘phishing kits’ on the dark web.

Detection is made more difficult, added Baggett, because many organizations’ senior management staff use their personal accounts for work; “obviously anyone can create a new Gmail account with something that looks plausibly like the VIP’s name,” he said.
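The VIP impersonation described above has a simple detectable shape: the display name of an incoming message matches a known executive, but the address behind it belongs to a consumer mail provider rather than the company's own domain. The following is an added example (not code from the article, from Inky or from any product) showing how a mail gateway or triage script can check for that pattern. The VIP directory, the domains and the two sample messages are constructed for the example; `match_vip` also tolerates near-miss spellings of a VIP's name, which the article does not discuss.

```python
# Added example (not from the article or from Inky): flag messages whose From
# display name matches a known executive while the sending address is outside
# the organisation's own domains, as happens with look-alike webmail accounts.
from email import message_from_string
from email.utils import parseaddr
from difflib import get_close_matches
import re
import unicodedata

# Constructed VIP directory (hypothetical names and domains): display name ->
# domains that person legitimately sends from.
VIP_DIRECTORY = {
    "Alice Example": {"example.com"},
    "Bob Ledger": {"example.com", "example-finance.com"},
}


def normalize_name(name):
    """Fold case, strip accents and punctuation, collapse whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in decomposed if not unicodedata.combining(c))
    letters = re.sub(r"[^a-z0-9 ]+", " ", no_accents.casefold())
    return " ".join(letters.split())


NORMALIZED_VIPS = {normalize_name(n): d for n, d in VIP_DIRECTORY.items()}


def match_vip(display_name):
    """Return the directory key the display name matches, exactly or closely."""
    key = normalize_name(display_name)
    if not key:
        return None
    if key in NORMALIZED_VIPS:
        return key
    # Near-misses (a swapped or substituted character) still count as a match.
    close = get_close_matches(key, NORMALIZED_VIPS.keys(), n=1, cutoff=0.85)
    return close[0] if close else None


def domain_of(address):
    return address.rpartition("@")[2].casefold()


def check_vip_impersonation(raw_message):
    """Return a list of findings; an empty list means no impersonation signal."""
    msg = message_from_string(raw_message)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    vip = match_vip(display)
    if vip is None:
        return findings
    allowed = NORMALIZED_VIPS[vip]
    if domain_of(from_addr) not in allowed:
        findings.append(
            f"From display name '{display}' resembles VIP '{vip}' but sender "
            f"domain '{domain_of(from_addr)}' is not one of {sorted(allowed)}"
        )
    # A Reply-To that diverts answers outside the organisation is a second signal.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) not in allowed:
        findings.append(
            f"Reply-To '{reply_addr}' for VIP '{vip}' points outside {sorted(allowed)}"
        )
    return findings


# Constructed sample messages (not real traffic).
IMPERSONATION = (
    "From: Alice Examp1e <alice.example.ceo@gmail.com>\n"
    "Reply-To: alice.example.ceo@gmail.com\n"
    "To: junior@example.com\n"
    "Subject: Are you at your desk?\n"
    "\n"
    "Quick question when you have a moment.\n"
)
LEGITIMATE = (
    "From: Alice Example <alice@example.com>\n"
    "To: junior@example.com\n"
    "Subject: Board pack\n"
    "\n"
    "Attached as discussed.\n"
)

if __name__ == "__main__":
    for label, sample in (("impersonation", IMPERSONATION), ("legitimate", LEGITIMATE)):
        print(label, check_vip_impersonation(sample))
```

The check only fires for names in the directory, so it produces no noise for ordinary external senders; a real deployment would load the directory from the HR system or the address book and would treat a hit as a reason to quarantine or to add a visible banner, not as proof of fraud on its own.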

Other email phishing scams on the rise included sender forgery (10 percent), which sees an email present itself as having come from a known contact, and corporate email spoofing (6 percent), a method which blends the two approaches.

Email spoofing is sophisticated, in that it deliberately targets a specific corporate identity. It can often occur after a major news announcement, regardless of whether it’s positive or negative, urging recipients to take a certain action which, if successful, would ultimately result in data being compromised.

In light of the report’s findings, Baggett suggests that as phishing scams become more sophisticated than existing spam filters, companies “just have to be really paranoid”.

It would also be wise for organizations to establish an internal communications protocol and to educate staff about threats and preventative measures. Not using personal email accounts for business correspondence could be a start.

“Phishing attacks remain one of the largest threat vectors as cybercriminals have increasing access to sophisticated toolkits through the Dark Web and the human element remains the most porous aspect of cybersecurity,” said Baggett.

“Even the most informed and vigilant members of an organization that take extra measures to practice proper cybersecurity posture can fall prey to phishing attacks that are becoming indistinguishable from legitimate channels of communication.”

On his predictions for how email phishing scams could develop in the coming year, Baggett warned of an increase in “zero font shenanigans”. Such attacks involve inserting ‘invisible’ (zero-width or white-on-white) characters between letters or words so that mail protection software cannot match indicative words or phrases such as “Microsoft” or “Please pay this invoice”.
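The defensive answer to “zero font” padding is to match keywords against what a human would actually see, not against the raw body. The following is an added example (not code from the article or from Inky) that strips invisible Unicode characters and the contents of zero-size, hidden or white-coloured spans from an HTML body before looking for the indicative phrases the article names. The hidden-style list, the white-on-white heuristic and the sample body are assumptions constructed for the example.

```python
# Added example (not from the article or from Inky): strip hidden characters and
# zero-size / invisible HTML spans from a message body before keyword matching,
# so that "zero font" padding cannot hide phrases from a filter.
import re
import unicodedata
from html.parser import HTMLParser

# Inline styles treated as hiding their text. The white-colour check is a
# heuristic assumption (text presumed to sit on a white background).
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?(?![\d.])"
    r"|display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?<![\w-])color\s*:\s*(?:#fff(?:fff)?|white)(?!\w)",
    re.IGNORECASE,
)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "area", "base", "col"}

# Phrases the filter is supposed to catch; "Microsoft" and "Please pay this
# invoice" are the two the article mentions.
INDICATIVE_PHRASES = ["microsoft", "please pay this invoice"]


class VisibleTextExtractor(HTMLParser):
    """Collect only the text a human reader would see."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self.open_tags = []        # (tag, hidden) for each open element
        self.hidden_depth = 0
        self.dropped_chars = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hidden = bool(HIDDEN_STYLE.search(style))
        self.open_tags.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag not in [open_tag for open_tag, _ in self.open_tags]:
            return  # stray closing tag, ignore
        # Pop back to the matching open tag, tolerating sloppy nesting.
        while self.open_tags:
            open_tag, hidden = self.open_tags.pop()
            if hidden:
                self.hidden_depth -= 1
            if open_tag == tag:
                break

    def handle_data(self, data):
        if self.hidden_depth:
            self.dropped_chars += len(data)
            return
        # Unicode category Cf covers zero-width spaces and joiners, the word
        # joiner, the BOM and soft hyphens: all invisible, all able to split words.
        visible = "".join(c for c in data if unicodedata.category(c) != "Cf")
        self.dropped_chars += len(data) - len(visible)
        self.parts.append(visible)


def analyze_body(html):
    """Return visible text, how much was hidden, and which phrases now match."""
    parser = VisibleTextExtractor()
    parser.feed(html)
    parser.close()
    text = " ".join("".join(parser.parts).split()).casefold()
    return {
        "visible_text": text,
        "hidden_chars_removed": parser.dropped_chars,
        "phrase_hits": [p for p in INDICATIVE_PHRASES if p in text],
    }


# Constructed sample: the words are split with zero-size spans and zero-width
# spaces so that a naive substring match on the raw body fails.
SAMPLE_HTML = (
    '<p>M<span style="font-size:0">x</span>icro'
    '<span style="display:none">zz</span>soft: '
    'Pl\u200bease pay th\u200bis invoice</p>'
)

if __name__ == "__main__":
    print(analyze_body(SAMPLE_HTML))
```

`hidden_chars_removed` is itself a useful signal: legitimate newsletters rarely hide characters inside words, so a high count relative to the visible text length is worth scoring even before any phrase matches.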

Meanwhile, corporations should brace for increased use of scams posing as shared infrastructure, such as Office 365 or G Suite, which leverage a strong reputational signal among legacy mail protection systems.