As we say a not so fond farewell to 2020, it’s a good time to take a reflective look on what this past year brought to the world of email security. Verizon told us last May that 70% of all phishing attacks now lack a malicious payload, such as a link or attachment. Instead, these social engineering attacks preyed upon gaps in traditional secure email gateways (SEGs) to worm their way through inboxes in the form of CEO impersonations and more. They tricked unsuspecting users into responding, entering credentials into fake login pages, sending compromising information or otherwise exposing sensitive personal and company financial information.
While these are not ranked in any particular order, IRONSCALES took a look at prominent examples of successful phishing attacks last year from various industries including healthcare, education and more so that businesses can take away some lessons learned and best (or worst) practices heading into the New Year.
1. When the world went remote, Zoom, Skype and other conferencing apps took hold as the lifeline to keep us all connected and keep many of our jobs moving (mostly) seamlessly. Hackers took notice. There have been numerous reports of phishing emails inviting employees to fake Zoom meetings or sending users to fake login pages to enter their usernames and passwords. In fact, the Better Business Bureau recently released a report showing more than 2,449 Zoom-related domains were registered from April to May - meaning that hackers were primed to jump on the opportunity to spoof the popular platform.
2. Combined with the rise in COVID-related phishing attacks, it’s no surprise that we saw a high-profile attack in 2020 that snuck past defenses of a major health insurer. In April, Fortune 500 company Magellan Health discovered it had fallen victim to a ransomware attack. Hackers first gained access to the company’s network through a social engineering phishing scheme that impersonated a Magellan client. The exposed data included names, contact information, employee ID numbers and tax forms, including Social Security numbers or taxpayer identification numbers. The hackers also leveraged malware to steal login credentials and passwords to a number of Magellan employees.
3. The education industry was also left especially vulnerable last year with teachers and administrators conducting remote learning without the safeguards of in-network IT. In November, the Manor Independent School District, in Manor, Texas, lost $2.3 million dollars from three separate transactions after an employee fell for a phishing email using business email compromise (BEC) techniques. The FBI is now involved, but this attack shows how quickly phishing emails can lead to significant loss of revenue. It’s especially detrimental in the already cash-strapped world of public education.
4. 2020 was the year healthcare industries across the world were put to the greatest public health crisis of our lifetimes, but it was also the year that cybercriminals stepped up their attacks on the industry. In May, three employees at Missouri-based BJC Healthcare were duped by a phishing scam, exposing the personal data of 287,876 patients from 19 of its affiliated hospitals. Some of the compromised information included patient health records and Social Security numbers. Interestingly, the hackers only had access to this treasure trove of data for one day, but BJC Healthcare doesn’t know (or hasn’t said) what was actually taken. Of course, the criminals could have easily scraped, downloaded and misused this information in whatever way they pleased.
5. Perhaps the biggest thread underpinning several phishing attacks in 2020 was that they exposed a common weakness: Microsoft Defender for Office 365 (formerly known as Microsoft Advanced Threat Protection), which is the built-in protection that many organizations default to using. As we’ve mentioned before, O365 Defender, along with other built-in email security tools, are generally not capable of discovering, analyzing and immediately responding to the majority of social engineering emails. Our research shows that Microsoft is one of the top impersonated brands for fake login pages, and attack data we’ve recently uncovered shows the platform is unable to even stop emails from the microsoft.com domain. It’s clear the 200 million global users of this platform need an extra security layer to protect their employees, as well as their proprietary and customer data.
Now, I’m sure you’re wondering why this blog isn’t talking about the biggest cybersecurity story of 2020 and, now, into the New Year: SolarWinds, which is the system that was hacked, likely by the Russian government, resulting in breaches of several governmental institutions, as well as in healthcare, the tech industry and universities. The reason is this was one of the most complex and sophisticated cyber attacks ever. It’s far too early for IRONSCALES to speculate on the cause of the attack or the weaknesses that hackers exposed to gain access to these databases. All we can say for sure is that the United States’ security posture is lacking somewhere - and there’s much work to be done in 2021 and beyond to correct this.
For more information on how IRONSCALES acts as an invaluable layer of security on top of your SEG, schedule a free demo to better understand where your organization’s email infrastructure vulnerabilities are: https://ironscales.com/demo