Early studies on the causes of data breaches found many occurred after laptops, flash drives or other mobile devices were lost or stolen. But in recent years, data breaches have largely resulted from organized online-targeted phishing, scanning or skimming attacks against individuals and companies. The attackers sought personal and financial data to use or sell for identity and credit card theft, but also sought proprietary information or illicit or embarrassing personal data to steal, to use for blackmail or to publicly shame the individuals involved. Whether the attackers seek social security or credit card information, salaries and internal emails of Hollywood executives, or individuals seeking sexual partners, or intellectual property or negotiating strategies, in 2016, many predict we will see more of these targeted online attacks against companies and their employees.
In particular, we expect to see more “spear-phishing” attacks on employee email accounts rather than home accounts. Spear-phishing is when the attacker sends targeted emails to recipients, inviting them to click on a domain name link to verify their login credentials, to check their account or obtain an important new document. Once clicked, the malware is deployed, allowing hackers to collect login names and passwords. If sent to an employee’s email, a hacker can often remotely access the employer’s IT system with these credentials, where they rummage around, gather and export sensitive customer and employee data for weeks or months before being detected. Even then, detection is often accidental, such as when an employee notices an unknown query being run with her credentials. Using a practice known as “typosquatting” or “spoofing”, the domain names used in the links, while bogus, are frequently confusingly similar to legitimate domain names known to the employees. For example, they may be service providers used by the company for HR, benefits, office services or IT support. In other cases, they may be similar to the prior name of the company or to the company’s virtual private network (VPN) or other remote server access. In what also seems to be a trend predicted to increase in 2016, once hackers are successful at a target, they repeat the same style of attack on companies and employees within the same particular industry until they are detected.
These types of breaches are very damaging to a company because the hacker is usually in a company’s IT system undetected for an extended period of time and can export massive amounts of records, which increases their value on the dark web. Second, there are reportedly at least two cases since 2000 where these types of attacks have caused physical damage, first when an Iranian centrifuge was reportedly damaged and more recently, when a German steel mill furnace failed to shut down. Additionally, these attacks are damaging because the attackers are often foreign, in some cases state-sponsored and frequently not accountable. In 2016, expect to see the U.S. government take more public and potentially forceful positions regarding state sponsored attacks. Also expect to see the U.S. charge more foreign individuals for attacks on U.S. based companies.
Perhaps with increased awareness of phishing attacks and avoidance training for employees, coupled with anti-phishing software and stronger enforcement efforts, online phishing attacks will begin to peak in 2016.