Security researchers have uncovered a new kind of phishing campaign targeting the financial services industry. The malware-based attacks can bypass malware-detection programs by using a weaponized Excel file.
According to researchers, while the attack starts with a document attached to an email, it later uses a Google feedproxy URL with a SharePoint and OneDrive lure that poses as a file share request. Clicking the URL leads to a compromised SharePoint site or fake OneDrive site, which leads to the weaponized Excel document.
“If anything, the shift in the attack chain is a further indication that organizations can ill afford to take a defensive, reactive approach to their security,” researchers said in a post detailing the phishing campaign. “They must remain constantly vigilant, iterating on security procedures to ensure they are not caught off-guard when new [tactics, techniques and procedures] are deployed to breach their defenses.”
This campaign is just one in a group of increasingly sophisticated attacks targeting employee email accounts. Email remains a major entry point for cyber attacks, with ransomware phishing attacks becoming increasingly common.
Let’s take a look at the rise of phishing attacks, how companies can guard against such attacks, and the role of a SaaS backup solution in an effective cybersecurity strategy.
The Rise of Phishing
According to a recent report, 75% of organizations around the world experienced some kind of phishing attack in 2020. More importantly, 74% of organizations in the United States experienced a successful phishing attack last year.
In many cases, the COVID-19 pandemic has exacerbated email security challenges. One survey found that since the start of the pandemic, employees are clicking on three times as many malicious emails as they had before. The report indicates that email threats rose by 64% in 2020, and 70% of the companies interviewed expect their business to be harmed by an email-borne attack.
Many are concerned with the growing sophistication and frequency of phishing attacks. In the recent survey, 60% cited increasing sophistication as a major email security challenge and 52% cited the growing volume of attacks.
Guarding Against Attacks
In a phishing attack, cyber criminals send emails containing malicious attachments in hopes of infiltrating a company’s network. When the attachment is opened by the email user, the attachment delivers ransomware capable of compromising not only that user’s computer, but a company’s entire computer system.
Despite the risk, 43% of participants in a recent global survey said that employee naiveté about cybersecurity is one of their greatest vulnerabilities. Additionally, 13% of companies still don’t have an email security system, and 88% of Microsoft 365 users think their companies need additional email security.
To prevent users from clicking on links in malicious emails, companies should turn to cybersecurity training. The first line of defense is to train staff to recognize phishing emails and reduce the likelihood of human error. In one report looking at successful phishing attempts, 43% of employees said the email looked legitimate and 41% said the phishing email appeared to come from a senior executive or a well-known brand.
To further prevent successful attacks, companies should also employ cybersecurity measures that stop malicious emails from reaching employee inboxes in the first place. This should include deploying a spam filter that detects viruses, blank senders, and other red flags for malicious emails.
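As an added illustration of the red flags named in this article (not code from the researchers or from any mail-filtering product), the Python below checks a parsed message for a blank sender, an Excel attachment, and a link through a Google feedproxy host combined with SharePoint or OneDrive wording. The host name, keyword and extension lists, the helper names red_flags and sample, and the sample messages are assumptions constructed for this example.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicator values are assumptions chosen for this example, not a vetted rule set.
REDIRECTOR_HOSTS = {"feedproxy.google.com"}   # the "Google feedproxy URL"
LURE_WORDS = ("sharepoint", "onedrive")       # file-share lure wording
EXCEL_EXTS = (".xls", ".xlsx", ".xlsm", ".xlsb")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def red_flags(msg):
    """Return the sorted red-flag names found in one parsed EmailMessage."""
    flags = set()
    # Blank sender: From header missing, empty, or carrying no address.
    if not parseaddr(str(msg.get("From", "")))[1]:
        flags.add("blank_sender")
    text = ""
    for part in msg.walk():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(EXCEL_EXTS):
            flags.add("excel_attachment")
        elif part.get_content_maintype() == "text":
            text += part.get_content()
    # Links routed through a redirector instead of straight to the file host.
    hosts = {(urlparse(u).hostname or "").lower() for u in URL_RE.findall(text)}
    if hosts & REDIRECTOR_HOSTS:
        flags.add("redirector_link")
        if any(word in text.lower() for word in LURE_WORDS):
            flags.add("file_share_lure")
    return sorted(flags)

def sample(sender, body, attachment=None):
    """Build a constructed test message (not a captured phishing email)."""
    msg = EmailMessage()
    if sender:
        msg["From"] = sender
    msg["Subject"] = "Shared file"
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg

if __name__ == "__main__":
    lure = "A OneDrive file was shared with you: https://feedproxy.google.com/example"
    print(red_flags(sample("", lure)))
    print(red_flags(sample("alice@example.com", "Report attached.", "q3.xlsm")))
```

In a real filter the message would come from email.message_from_bytes(raw, policy=email.policy.default), and flags like these would feed a score rather than block mail on their own.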