http://www.digitaljournal.com/business/q-a-report-on-how-phishing-got-personal/article/543792

Q&A: Report on how phishing got personal

Posted Feb 22, 2019 by Tim Sandle
Q4 2018 proved to be one of the biggest influxes of phishing attacks on enterprises ever, displaying the ease with which criminals can access, acquire and execute attacks across platforms. A leading expert offers advice to businesses.
File photo: A man looks at his email on a Blackberry in Washington on November 23, 2010.
Nicholas Kamm, AFP/File
On February 12, anti-phishing startup Inky released the company's 2018 Q4 Phishing Report, which reveals that successful phishing scams and attacks will be in the billions of dollars for 2018 as phishing attacks got personal through Corporate VIP Impersonation, Sender Forgery and Corporate Email Spoofing attacks.
Digital Journal caught up with Dave Baggett, CEO of Inky, to discuss the findings and what businesses can do to improve protection.
Digital Journal: How have criminals changed their phishing tactics recently?
Dave Baggett: Attackers are clearly scraping data from sites like LinkedIn to target specific VIPs; we can tell this is automated scraping of some sort because they'll sometimes target ex-employees by accident.
DJ: Why have there been more comprehensive and personalized phishing attacks?
Baggett: We saw an increase in VIP impersonation scams. VIP impersonation detection is tricky because many VIPs use their personal mail accounts for work. So Inky has to figure out which non-company accounts are legitimate and which are scammers -- obviously anyone can create a new Gmail account with something that looks plausibly like the VIP's name. Our system has the ability to scan a company's past email so we can quickly identify real email addresses for VIPs (even if they're personal Gmail accounts, etc.) and therefore distinguish them from fake ones.
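The directory-based check Baggett describes, as an added illustration rather than Inky's own code: build a map of which addresses each VIP's display name has legitimately been seen with (personal accounts included) from past mail, then flag an incoming message whose display name matches a VIP but whose address is not in that set. The headers and addresses below are constructed samples; `normalize_name`, `build_directory` and `classify_sender` are names chosen for this example.

```python
import email.utils
import re
from typing import Dict, Iterable, Set

# Constructed sample of From: headers from past legitimate mail. In practice this
# comes from the organization's own mail archive; every address here is made up.
PAST_FROM_HEADERS = [
    "Dave Baggett <dave@example-corp.com>",
    '"Baggett, Dave" <dbaggett.personal@gmail.com>',   # personal account in legitimate use
    "Jane Doe <jane.doe@example-corp.com>",
    "<noreply@example-corp.com>",                      # no display name: ignored
]


def normalize_name(display_name: str) -> str:
    """Canonicalize a display name: 'Last, First' -> 'first last', drop punctuation."""
    name = display_name.strip().strip("\"'")
    if "," in name:
        last, first = (part.strip() for part in name.split(",", 1))
        name = f"{first} {last}"
    name = re.sub(r"[^\w\s]", " ", name.lower())
    return " ".join(name.split())


def build_directory(past_headers: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each normalized display name to every address it has been seen with."""
    directory: Dict[str, Set[str]] = {}
    for header in past_headers:
        display, addr = email.utils.parseaddr(header)
        if not display or not addr:
            continue
        directory.setdefault(normalize_name(display), set()).add(addr.lower())
    return directory


def classify_sender(from_header: str, directory: Dict[str, Set[str]]) -> str:
    """Return 'trusted', 'impersonation' or 'unknown' for an incoming From: header."""
    display, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    # A display name that is itself an address, but not the real sending address,
    # is a forgery whether or not the name appears in the directory.
    if "@" in display and display.strip().lower() != addr:
        return "impersonation"
    key = normalize_name(display)
    if key not in directory:
        return "unknown"
    return "trusted" if addr in directory[key] else "impersonation"


if __name__ == "__main__":
    known = build_directory(PAST_FROM_HEADERS)
    for header in ("Dave Baggett <dave.baggett.ceo@gmail.com>",
                   '"BAGGETT, Dave" <dbaggett.personal@gmail.com>',
                   "Bob Smith <bob@example.org>"):
        print(f"{header!r}: {classify_sender(header, known)}")
```

The "unknown" outcome is deliberate: a name that was never seen in the archive carries no impersonation signal on its own, and treating it as trusted would let any fresh name through, so it is left for other checks rather than decided here.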
DJ: What types of attacks have occurred?
Baggett: We've seen an explosion of phishing emails generated by phishing kits traded on the dark web -- especially fake voicemail messages and bitcoin extortion scams. We believe scammers sell these kits to other scammers, who then use them to run phishing campaigns.
Malicious HTML attachments and JavaScript in email are both on the rise. Some JavaScript in email appears to be intended to track end users, which isn't malicious per se -- but Inky still strips it from customer email, because it can potentially leak confidential information.
DJ: What can consumers do to fend off these more sophisticated and customized phishing attacks?
Baggett: Consumers just have to be really paranoid; the mainstream consumer email systems don't do a great job identifying zero-day phishing, and there's no way we can integrate Inky into the consumer mail flow like we do for corporate mail systems like O365 or G Suite.
DJ: How about businesses? What tactics can they adopt?
Baggett: It's self-serving but it's true: companies should use Inky; nothing else stops zero-day brand forgeries like fake Microsoft emails, and no other system scans sites linked by emails for signs of brand forgery (e.g., fake O365 login pages). Nobody else is even pretending to do this stuff in their marketing; it's unique to Inky and it really works.
DJ: Given this new direction of attacks, what can we expect in the wave of innovation around phishing in 2019?
Baggett: Expect to see more zero font shenanigans. Broadly speaking, these tricks involve attackers putting invisible (zero width, white-on-white) stuff between letters or words to confuse mail protection software and prevent it from matching indicative words or phrases like "Microsoft" or "Please pay this invoice." Inky has countermeasures against these, but other systems don't -- so expect to see attackers relying more heavily on them.
Plus, more use of shared infrastructure like O365/G Suite, Google Sites, etc. By using these, attackers come in with a strong reputation signal — and reputation is a critical and necessary indicator for legacy mail protection systems.
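A defender-side countermeasure for the zero-font and zero-width tricks Baggett mentions, added here as an example and not Inky's own code: before matching indicative phrases, reduce an HTML message body to the text a recipient would actually see, dropping elements hidden by inline style (`font-size:0`, `display:none`, `visibility:hidden`, the HTML `hidden` attribute, `script`/`style` content) and removing zero-width code points, then fold compatibility forms such as fullwidth letters with NFKC. Treating white text as hidden assumes a white message background, which is this example's assumption. The sample message is constructed; `visible_text` and `find_indicators` are names chosen for this example.

```python
import re
import unicodedata
from html.parser import HTMLParser
from typing import List

# Code points that render as nothing and are used to split indicative words.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

# Inline styles that make an element's text invisible. White text counts as
# hidden only under this example's assumption of a white message background.
HIDDEN_STYLE = re.compile(
    r"font-size\s*:\s*0(?:\.0+)?\s*(?:px|pt|em|rem|%)?\s*(?:;|$)"
    r"|display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?<![\w-])color\s*:\s*(?:#fff(?:fff)?|white|rgb\(\s*255\s*,\s*255\s*,\s*255\s*\))\b",
    re.IGNORECASE,
)

VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}
BLOCK_TAGS = {"p", "div", "li", "tr", "td", "th", "table", "br",
              "h1", "h2", "h3", "h4", "h5", "h6"}

# Constructed sample: "Microsoft" split by a zero-font span, "Please" and
# "invoice" split by zero-width characters, plus a display:none decoy.
SAMPLE = ('<p>Dear user, your Micro<span style="font-size:0">xx</span>soft account '
          'needs attention. Ple\u200base pay this in\u200cvoice today.</p>'
          '<div style="display:none">hidden keyword</div>')


class VisibleTextExtractor(HTMLParser):
    """Collect only the text a recipient would actually see."""

    def __init__(self) -> None:
        super().__init__()
        self.parts: List[str] = []
        self.stack: List[bool] = []   # one entry per open tag: is it hidden?
        self.hidden = 0               # number of hidden ancestors of the cursor

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        is_hidden = (tag in ("script", "style")
                     or "hidden" in attrs
                     or bool(HIDDEN_STYLE.search(attrs.get("style") or "")))
        if tag in BLOCK_TAGS:
            self.parts.append(" ")    # keep words of adjacent blocks apart
        if tag in VOID_TAGS:
            return                    # void elements never get an end tag
        self.stack.append(is_hidden)
        if is_hidden:
            self.hidden += 1

    def handle_endtag(self, tag):
        # Tolerates unbalanced markup by ignoring stray end tags; tag names are
        # not matched against the stack, which is enough for this illustration.
        if tag in VOID_TAGS or not self.stack:
            return
        if self.stack.pop():
            self.hidden -= 1
        if tag in BLOCK_TAGS:
            self.parts.append(" ")

    def handle_data(self, data):
        if self.hidden == 0:
            self.parts.append(data)


def visible_text(html: str) -> str:
    """Strip hidden elements and invisible code points, fold lookalike forms."""
    parser = VisibleTextExtractor()
    parser.feed(html)
    parser.close()
    text = "".join(parser.parts)
    text = unicodedata.normalize("NFKC", text)   # e.g. fullwidth letters -> ASCII
    text = "".join(ch for ch in text
                   if ch not in ZERO_WIDTH and unicodedata.category(ch) != "Cf")
    return " ".join(text.split())


def find_indicators(html: str, phrases: List[str]) -> List[str]:
    """Return the indicative phrases present in the message as the user sees it."""
    haystack = visible_text(html).lower()
    return [p for p in phrases if p.lower() in haystack]


if __name__ == "__main__":
    print(visible_text(SAMPLE))
    print(find_indicators(SAMPLE, ["Microsoft", "Please pay this invoice"]))
```

Matching on the raw HTML finds neither phrase in the sample, while matching on the rendered text finds both; the same normalization step is what keeps reputation-independent content checks working when the message arrives from shared infrastructure with a clean sending reputation.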