New trend in social engineering and identity theft
A new trend in social engineering and identity theft is emerging: cybercriminals are taking advantage of users’ inability to properly recognize fake company logos in phishing attacks.
We all know the suspicious phishing emails where you can see at a glance that they are not from the provider they claim to be. And then there are the really good attempts, which look perfect and succeed precisely because of it. Most phishing attacks embed graphics so that copied logos and trademarks can be displayed to deceive the recipient.
However, security researchers from anti-phishing provider Inky have discovered an attack in which fraudsters impersonating Verizon use icons representing the “check” part of the logo, so that the entire “logo” appears without any images having to be downloaded.
Verizon-freshphish-2 – Source: Inky
You might think, “That doesn’t look like the Verizon logo at all,” and you’re right. However, a new branding study looking at how well consumers can remember a company logo shows that while most people can remember a version of the logo, they don’t know exactly what the logo looks like. Based on ten of the most famous brands, it was found that at best 30% of people can draw an almost perfect version of the logo, with the average being only 16.6% of people.
This means that if a phishing scammer can roughly reproduce a logo, it is likely to look close enough for recipients to believe the email comes from the company being impersonated.
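A defender-side illustration of the pattern described above, added here as an example and not code from Inky, KnowBe4 or the article: a heuristic that flags a brand name rendered next to a Unicode check-style glyph when the sending domain is not one the brand uses. The brand-to-domain mapping, the glyph set and the sample email are assumptions constructed for this example (the report only says the attackers used "icons").

```python
import re
from email import message_from_bytes
from email.utils import parseaddr

# Assumed brand -> legitimate sending domains (illustrative, not a vetted list).
BRAND_DOMAINS = {"verizon": {"verizon.com", "verizonwireless.com"}}
# Assumed Unicode glyphs that can stand in for the check-mark element of a logo.
CHECK_GLYPHS = "\u2713\u2714\u2705\u2611\u221a"
_BRANDS = "|".join(map(re.escape, BRAND_DOMAINS))
# A brand name directly before or after such a glyph, e.g. "verizon \u2713".
LOGO_PATTERN = re.compile(
    rf"[{CHECK_GLYPHS}]\s*({_BRANDS})|({_BRANDS})\s*[{CHECK_GLYPHS}]", re.IGNORECASE
)


def sender_domain(msg) -> str:
    """Lower-cased domain of the From header ('' if missing)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def body_text(msg) -> str:
    """Decode every text part; HTML tags become spaces so a glyph wrapped
    in its own <span> still lands next to the brand name."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return re.sub(r"<[^>]+>", " ", " ".join(chunks))


def glyph_logo_findings(raw_email: bytes) -> list[str]:
    """Report brand-name/check-glyph pairs whose sender is not the brand's
    own domain (or a subdomain of it)."""
    msg = message_from_bytes(raw_email)
    domain = sender_domain(msg)
    findings = []
    for m in LOGO_PATTERN.finditer(body_text(msg)):
        brand = (m.group(1) or m.group(2)).lower()
        if not any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS[brand]):
            findings.append(f"text-glyph '{brand}' logo from {domain or 'unknown sender'}")
    return findings


# Constructed sample: the "logo" is brand text plus a check glyph, sent from a
# look-alike domain (placeholder under .example, not a real indicator).
SAMPLE_PHISH = (
    b"From: Verizon Support <billing@verizon-account-verify.example>\r\n"
    b"Subject: Your bill is ready\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
    b"<p><b>verizon<span>\xe2\x9c\x93</span></b></p><p>View your statement now.</p>"
)
```

Such a rule is a triage signal for a mail gateway or SOC queue rather than a verdict: the same brand-plus-glyph rendering from the brand's own domain produces no finding, and the glyph and brand lists need maintaining per organisation.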
Security Awareness as a key defense against phishing campaigns
“The most effective measure to prevent such attacks is to offer and implement comprehensive security awareness training for employees.”
Jelle Wieringa, Security Awareness Advocate at KnowBe4
“Basically, this is an attempt to use simulated phishing emails to test how attentive the employees are. The aim of the training is to increase awareness of the dangers and the detection of such attacks. First, so-called baseline tests are carried out, which make it possible to determine the proportion of users susceptible to phishing. In addition, one should find out what kind of attacks they fall for and which ones they do not, in order to generate appropriate data for measuring the success of the subsequent training,” says Jelle Wieringa, Security Awareness Advocate at KnowBe4.
Training users with interactive and engaging on-demand material is necessary so that the message is truly internalized rather than treated superficially and forgotten right away. Furthermore, the internal training should be repeated monthly, and its results stored and analyzed on a platform, in order to deepen the content and continue the learning process. Such training can greatly reduce the number of successful phishing attacks on the company; in addition to the technical security controls, employees are thus trained and can serve as a human firewall.
Users who undergo security training are far less likely to fall for phishing attacks, no matter how accurate the imitation is. By reinforcing the need to check unsolicited and unexpected emails for sender details, content, type of request and – yes – branding, it is possible to easily identify almost any phishing attack.