As technology continues to advance, cybercriminals discover more creative modes and means of attacking businesses and individuals.
In recent years, sophisticated attack vectors such as spear phishing have gained prominence. With victims such as Jeff Bezos, this targeted, precise form of phishing generates great headlines. Meanwhile, older forms of phishing – less targeted and cruder – can be a little less interesting.
However, as the famous saying goes: “There’s no school like the old school.” Unfortunately, this goes for cybercrime. Old-fashioned phishing attack methods are still a threat to businesses today. The blast emails and spammy text of the past remain a threat vector, with the potential to do harm.
Let’s take a look at how traditional phishing continues to wreak havoc, and what organizations – both SMBs and their service providers – can do to secure themselves.
What is “Old-Fashioned” Phishing?
Phishing as a practice originated in 1995, but it wasn’t until about 10 years later that it became widely and publicly known.
The term was first used in 1996, on Usenet and in connection with AOHell, a tool for attacking America Online (AOL) accounts. It was initially associated with hackers stealing passwords and generating randomized credit card numbers to break into AOL accounts.
Eventually, phishers discovered the approach that they will be using for years to come: email phishing. Emails pretending to come from a trusted party would point people to fake websites where they could steal login credentials or extract money.
Between May 2004 and May 2005, there was a 28% increase in email phishing victims. That’s a total of about 1.2M users in the US alone, with losses that reached approximately $929M.
Ten years later, old-fashioned phishing attack methods still managed to wreak havoc. A 2014 study from Google and the University of California, San Diego found that the most convincing phishing sites fooled 45% of their visitors. What’s worse, even the least convincing sites still managed to deceive 3% of visitors.
Phishing attack methods took on many different forms as the years went by, including (but not limited to) the following:
- Voice phishing – also known as ‘vishing’. The phisher calls various phone numbers and plays recorded messages claiming ‘fraudulent activity’ on the victim’s credit cards and bank accounts. The phisher then asks for identifying information and bank details to ‘resolve the problem’, with the intent to steal the data, either to sell it on the black market or for personal gain.
- SMS phishing – also known as ‘smishing’. It has a similar approach to email phishing, but instead of using emails, the phisher uses SMS and texts to entice users to click on links that will take them to phishing sites.
- Clone phishing – phishers take an existing, legitimate email, ‘clone’ it, and replace the original links with spoofed ones.
These approaches tend to use the same modus operandi as email phishing – casting a wide net of phishing messages to see who gets caught in the phisher’s trap.
Here’s the crux: Phishing attacks rely on a numbers game. They aren’t as curated and specific as more modern forms of phishing – but they don’t need to be. If 1% of recipients of a large blast click a malicious link, the attacker has succeeded.
What is Modern Phishing?
Phishing began to enter a new era around 2010, when spear phishing started to be widely reported.
Spear phishing is a highly targeted off-shoot of traditional phishing. While old-school phishing aims to catch many victims through multitudes of email blasts, spear phishers target one big ‘fish’ with one sharp, well-aimed digital spear.
During this time, hackers found that fewer but more targeted emails were more effective: spear phishing emails had a 70% success rate vs the 3% average of spam emails, and they generated 10x the ROI of regular phishing campaigns.
Old-Fashioned Phishing Still a Threat: The Numbers
Though spear phishing steals the headlines and is the most prominent of the modern phishing attack vectors, old-school phishing is still a threat.
2021’s threat landscape was more active than the previous year. About 86% of organizations globally faced phishing attacks, a 12% increase year over year. 15% of these companies reported getting phishing attempts more than 50 times in 2021 alone.
Researchers have also identified about 15 million phishing messages carrying malicious payloads that are directly linked to ransomware incidents.
With phishing attacks on the rise, 2021 research from Tessian revealed that employees receive 14 malicious emails on average annually. Verizon’s 2021 Data Breach Investigations Report supports this, indicating 96% of phishing attacks use email as an entry point. Moreover, phishing email click-through rates can go up to 50%.
And these emails remain harmful: “In a sample of 1,148 people who received real and simulated phishes, none of them clicked the simulated phish, but 2.5% clicked the real phishing email.”
For most of these attacks, bad actors cashed in on the paranoia that came with the COVID-19 pandemic. COVID-themed messages were rampant, especially in the latter half of 2021, with new reports about organizational policies and vaccine mandates.
Forbes also reveals that one of the top targets of these attacks were MSPs and ISPs, and incidents were up by 67% from the previous year. For small businesses, social engineering and phishing attack vectors are still the most common at 57%.
Telltale Signs of Old-Fashioned Phishing
How can MSPs and individuals protect against classic phishing methods?
To the untrained eye – especially someone in a hurry, or who is less cybersecurity-savvy – old-fashioned phishing emails can be convincing enough to make someone click on a bad link, or wire money recklessly.
But there are indications that a phisher has sent a lure your way. Here are some signs of old-fashioned phishing attack methods within an email:
- Sloppy grammar, spelling, and layout – The most common indicator of a phishing scam. Poorly constructed messages are often linked to phishing.
Something to consider: Legitimate organizations and institutions usually have dedicated staff who write and proofread the emails and customer messages they send out.
- Suspicious addresses – Phishers often imitate real business domains, with letters omitted, swapped, or replaced by lookalike characters (a digit 1 for a lowercase l, for example). Check the actual sender address, not just the display name.
- Generic greetings and addresses – Legitimate businesses usually address you by name and provide their contact info. Greetings like ‘Dear Valued Customer,’ or ‘Sir/Ma’am’ are often signs that a phisher is targeting you.
- Suspicious attachments – A noteworthy feature of most phishing attack vectors, often accompanied by a false sense of urgency to convince you to “download this important document ASAP.”
- Spoofed links – Hover your cursor over any of the links in the body of the email. If the destination doesn’t match the text that appears, or points to a domain unrelated to the supposed sender, chances are you’re talking to a phisher.
- Secondary destinations – A tricky one: a link to a malicious site that hosts infected files or skims credentials, but embedded in or attached to an otherwise legitimate-looking document or file.
- Missing ‘To’ email addresses – Legitimate emails usually indicate that they were sent to your email address. An empty ‘To’ field, or one that doesn’t contain your address, is often a sign of phishing.
- Requests for personal information – The message asks, or pressures, you to reply with sensitive information (credit card details, ID numbers, social security details).
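As an added example, not code from the original article or from Dropsuite, the following Python script turns the telltale signs above into heuristic checks and runs them over two constructed sample messages: one phishing lure and one legitimate notice. The trusted-domain list, the phrase lists, the edit-distance threshold for lookalike domains, and both sample messages are assumptions chosen for illustration; a real mail filter would combine checks like these with SPF/DKIM/DMARC results and URL reputation rather than rely on them alone.

```python
"""Heuristic phishing-indicator scan of a raw RFC 5322 message.

Added example, not the article's code. TRUSTED_DOMAINS, the phrase
lists, the edit-distance threshold and the sample messages are
assumptions for illustration only.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com", "example.com"}  # assumed
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "sir/ma'am", "dear user")
URGENCY_PHRASES = ("immediately", "asap", "within 24 hours", "will be suspended")
SENSITIVE_RE = re.compile(r"password|social security|credit card")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".zip")
HOST_RE = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _sender_domain(msg: Message) -> str:
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def _bodies(msg: Message) -> tuple[str, str]:
    """Return (plain text, HTML) joined over all non-attachment text parts."""
    plain, html = [], []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.get_filename():
            continue
        raw = part.get_payload(decode=True) or b""
        text = raw.decode(part.get_content_charset() or "utf-8", "replace")
        (html if part.get_content_subtype() == "html" else plain).append(text)
    return "\n".join(plain), "\n".join(html)


def scan(raw_message: str) -> list[str]:
    """Return the indicators that fired; an empty list means none did."""
    msg = message_from_string(raw_message)
    found: list[str] = []
    if not msg.get("To"):
        found.append("missing-to")
    sender = _sender_domain(msg)
    if sender and sender not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if _edit_distance(sender, trusted) <= 2:  # threshold is an assumption
                found.append(f"lookalike-sender:{sender}~{trusted}")
    plain, html = _bodies(msg)
    text = (plain + "\n" + re.sub(r"<[^>]+>", " ", html)).lower()
    if any(g in text for g in GENERIC_GREETINGS):
        found.append("generic-greeting")
    if any(p in text for p in URGENCY_PHRASES):
        found.append("urgency")
    if SENSITIVE_RE.search(text) and "reply" in text:
        found.append("asks-for-personal-info")
    collector = _LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown_match = HOST_RE.search(shown.lower())
        # Spoofed link: the visible text names one host, the href goes elsewhere.
        if shown_match and href_host and shown_match.group(1) != href_host:
            found.append(f"spoofed-link:{shown_match.group(1)}->{href_host}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            found.append(f"risky-attachment:{name}")
    return found


# Constructed sample messages (not real mail).
PHISH = """\
From: "Example Bank" <alerts@examp1e-bank.com>
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Valued Customer,</p>
<p>Your account will be suspended within 24 hours unless you verify it at
<a href="http://198.51.100.23/login">https://www.example-bank.com/secure</a>.</p>
<p>Please reply with your password and credit card number.</p>
</body></html>
"""

LEGIT = """\
From: "Example Bank" <alerts@example-bank.com>
To: alice@example.com
Subject: Your March statement is ready
Content-Type: text/plain; charset=utf-8

Hi Alice,

Your March statement is available in online banking. Questions? Call the
number on the back of your card.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, scan(sample) or "no indicators")
```

Running the script flags the constructed lure on six counts (no To header, a sender domain one edit away from the trusted one, a generic greeting, urgency wording, a request for credentials, and a link whose visible text names the bank while the href points at a bare IP address) and finds nothing in the legitimate statement notice. Each check is deliberately simple; the value is in stacking several weak signals rather than trusting any one of them.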
Protecting Yourself from Old-Fashioned Phishing
Awareness is always key. Now that you know what to look out for, creating a detailed Data Loss Prevention (DLP) plan should be next. Here are some ways to prevent data loss and avoid falling hook, line, and sinker for these phishing attack methods.
- Create backups of your data. Deploy a backup and/or archiving system that will act as a ‘safety net’ in case of a successful breach. As much as possible, choose a solution that automates this process, backing up your data to a secure place in the cloud at a set interval.
- Never give out personal information in reply to an unsolicited message. This is a general rule that everyone in your business should abide by. As much as possible, avoid oversharing on social media and other online platforms, since that material feeds the pretexts phishers use.
- Keep yourself and your team up to date with phishing techniques. Ongoing security awareness training and simulated phishing for all users is highly recommended to keep security top of mind throughout the business.
- Use your browser’s built-in phishing and malware protection (or an anti-phishing extension). These check the sites you visit against known-bad lists and warn you when you run into a malicious site.
- Verify the website you’re visiting. Make sure the site’s URL starts with ‘https’ and that the domain is the one you expect. If you can, check its security certificate as well. Note that ‘https’ only means the connection is encrypted; phishing sites routinely obtain valid certificates, so a padlock on its own does not prove a site is legitimate.
- Check your accounts regularly. Hackers and phishers can have a field day with unchecked accounts. Use a unique password for each account and enable multi-factor authentication wherever it is offered; change a password promptly whenever you suspect it has been exposed.
- Keep your browsers and email clients updated. Patches close gaps and loopholes in their security, so updating them regularly is a must.
- Deploy firewalls, email filtering, and anti-virus software. These will act as buffers against phishing attacks and the payloads they deliver.
- Be wary of pop-ups; they are a common phishing attack vector. If you can, enable pop-up blockers on your browser.
- Think before you click. Always.
Laying Out the Safety Net for Your Business
There are various precautions that you can take to reduce your exposure to these rising phishing attacks. Unfortunately, there is no approach or practice that can guarantee 100% security.
That’s why it’s important to have a “safety net,” a backup plan, in the unfortunate event that you do fall victim to these phishing attack methods, traditional or not.
Dropsuite can help:
- Microsoft 365 Backup and Archiving automatically protects your most important M365 data in the cloud and restores any file on demand.
- Google Workspace Backup and Archiving protects your data where Google does not, and ensures your data is backed up to meet most regulatory specifications.
With proper backup, data that an attacker encrypts or deletes is not lost forever. It is backed up and doesn’t need to be liberated via a ransom. (A backup restores what you lost; it does not undo the exposure of data that was copied out, which is why the prevention steps above still matter.)
To learn more about how Dropsuite can help you lay out the safety net for your business, contact us here.