Phishing campaigns are big business, and with 89% of the attacks being carried out by organized crime, there is no reason to believe it’s just the game of bored “geeks” working out of their parents’ basement.
This business is sophisticated and keeps evolving. Not taking it as seriously as it deserves puts your organization right where they want you: trusting and vulnerable.
These organizations are investing time and money into these campaigns and achieving a 30% open rate, whereas marketing firms consider a 4% open rate a raving success for a legitimate email campaign. They achieve these astronomical success rates by using familiarity. These days there are far fewer emails from Nigerian princes, though as long as those pay out, they will continue to exist. Today you and your employees are more likely to get an email from a company you trust, like PayPal, or a large enterprise vendor like Microsoft. Or at least it will seem to come from these organizations.
There has been an increase in investment by these crime organizations: they have gone on to hire designers and programmers who can pull off the equivalent of the famous face swap scene from the movie Face/Off. With almost surgical precision they lift the entire look of the company they are attempting to impersonate and create emails that easily pass the first-glance test. And should the call-to-action button be clicked, the page the victim is taken to is also a masterful replica of the company you thought you were trusting. But if you look carefully, you will see that you are not in fact on microsoft.com but on microsfot.com, or that instead of paypal.com you find yourself on a sub-page of a Chinese jewelry company, like http://asianjewelrystore.com/paypal.
The reason these are the most successful types of campaigns is that they are the most difficult to filter out. It is not uncommon for a company to email from a different domain than its website, or to have links that lead to sites other than its own. So, what is the best protection from these scams that can cause debilitating breaches? Training. Make sure your employees know what to look for and how to keep those emails out of their inbox. Because if you don’t, and just one person unwittingly enters their credentials into microsfot.com, it is not inconceivable to find yourself in a ransomware situation shortly thereafter.
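As an added, defender-side illustration of the "look carefully at the address" advice above (example code, not from the original post): a small Python checker that flags a registrable domain sitting a couple of typos away from a real one, like microsfot.com, or a brand name appearing only in the subdomain or path of an unrelated domain, like asianjewelrystore.com/paypal. The brand allow-list and the two-label domain rule are simplifying assumptions, not anything the post specifies.

```python
from urllib.parse import urlparse

# Constructed allow-list: brand -> registrable domains it legitimately uses.
# Assumption: a real deployment loads this from the organisation's own list.
KNOWN_BRANDS = {
    "microsoft": {"microsoft.com", "live.com"},
    "paypal": {"paypal.com"},
}

def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no multi-label public
    suffixes (co.uk etc.); a public-suffix list is needed for those."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_url(url: str) -> tuple:
    """Return (verdict, brand). Verdicts: ok, lookalike,
    brand-outside-domain, unknown."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    reg = registrable_domain(host)
    subdomains = host[: len(host) - len(reg)]  # labels left of the registrable domain
    path = parsed.path.lower()
    # A link whose registrable domain really belongs to the brand is fine,
    # whatever else appears in its path (e.g. microsoft.com/paypal-integration).
    for brand, legit in KNOWN_BRANDS.items():
        if reg in legit:
            return ("ok", brand)
    for brand, legit in KNOWN_BRANDS.items():
        # Brand name used only as a subdomain or path of an unrelated domain,
        # e.g. asianjewelrystore.com/paypal or paypal.com.evil.example
        if brand in subdomains or brand in path:
            return ("brand-outside-domain", brand)
        # Registrable domain within two edits of a real one, e.g. microsfot.com
        if any(edit_distance(reg, d) <= 2 for d in legit):
            return ("lookalike", brand)
    return ("unknown", None)
```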