Early studies on the causes of data breaches found that many occurred after laptops, flash drives or other mobile devices were lost or stolen. In recent years, however, data breaches have largely resulted from organized, targeted online phishing, scanning or skimming attacks against individuals and companies. The attackers sought personal and financial data to use or sell for identity and credit card theft, but also sought proprietary information, or illicit or embarrassing personal data, to steal, to use for blackmail or to publicly shame the individuals involved. Whether the attackers are after social security or credit card information, the salaries and internal emails of Hollywood executives, the identities of individuals seeking sexual partners, or intellectual property and negotiating strategies, many predict that in 2016 we will see more of these targeted online attacks against companies and their employees.

In particular, we expect to see more “spear-phishing” attacks on employee email accounts rather than home accounts. Spear-phishing is when the attacker sends targeted emails to recipients, inviting them to click on a link to verify their login credentials, check their account or obtain an important new document. Once the link is clicked, malware is deployed that lets the hackers collect login names and passwords. If the email was sent to an employee’s work account, a hacker can often use these credentials to remotely access the employer’s IT system, where they rummage around, gather and export sensitive customer and employee data for weeks or months before being detected. Even then, detection is often accidental, such as when an employee notices an unknown query being run with her credentials. Using a practice known as “typosquatting” or “spoofing”, the domain names used in the links, while bogus, are frequently confusingly similar to legitimate domain names known to the employees. For example, they may resemble service providers used by the company for HR, benefits, office services or IT support. In other cases, they may be similar to the prior name of the company or to the company’s virtual private network (VPN) or other remote server access. In what also seems to be a trend predicted to increase in 2016, once hackers succeed against one target, they repeat the same style of attack on companies and employees within the same industry until they are detected.

These types of breaches are very damaging to a company for several reasons. First, the hacker is usually in the company’s IT system undetected for an extended period of time and can export massive amounts of records, which increases their value on the dark web. Second, there are reportedly at least two cases since 2000 where these types of attacks have caused physical damage: first when an Iranian centrifuge was reportedly damaged and, more recently, when a German steel mill furnace failed to shut down. Third, these attacks are damaging because the attackers are often foreign, in some cases state-sponsored and frequently not accountable. In 2016, expect to see the U.S. government take more public and potentially forceful positions regarding state-sponsored attacks. Also expect to see the U.S. charge more foreign individuals for attacks on U.S.-based companies.

Perhaps with increased awareness of phishing attacks and avoidance training for employees, coupled with anti-phishing software and stronger enforcement efforts, online phishing attacks will begin to peak in 2016.

Kathleen Porter

Kathy Porter’s practice straddles the areas of intellectual property, business transactions, trade regulation, and Internet law and includes import/export control issues, such as compliance and enforcement, competition, privacy, and data security. She counsels businesses on the development and implementation of data security and privacy practices to comply with the patchwork of laws and rules applicable to the collection, use, safeguarding, sharing, and transfer of protected or personal data. She regularly structures arrangements with promoters, marketers, website exchanges, and other third parties for the purchase, sale, sharing, and safeguarding of personal data. Kathy prepares and negotiates representations, warranties, and indemnities regarding personal or protected data and privacy and data practices. She also assists clients with privacy audits and works with third-party certification organizations to obtain certification of companies’ privacy practices. She guides clients through internal investigations to assess and address notice and other obligations regarding privacy breaches. Kathy often works closely with our litigation attorneys to manage external investigations such as those by federal or state regulators. Read her rc.com bio here.