Duping people into handing over their personal information is out. The new trend for cyber criminals is to dupe them into giving up their employers' details instead.
That's according to PhishLabs, a Charleston-based startup that tracks what digital attackers are up to. In its annual report, the company says attackers are shifting their focus.
Phishing — the practice of imitating trustworthy institutions to collect sensitive passwords — has been in the Internet's lexicon for years. It's a common scam known for spoof emails and fake websites, for elaborate schemes put together to steal bank passwords.
Hackers, however, are changing tack. They're focusing on getting access to email inboxes and business software accounts, and they increasingly want to scam your employer, not you.
If they can weasel into the CEO's email, for instance, they might be able to initiate a money transfer, hold sensitive data hostage or sift for trade secrets.
And since most passwords are reset over email, the problem can multiply. That's part of why PhishLabs now estimates that email accounts are more targeted than banks.
Crane Hassold, PhishLabs' director of threat intelligence, says he hasn't noticed any patterns in what types of companies are attacked, or how big they are. But he says users of the Microsoft email service Office365, the e-signature service DocuSign and Adobe creative software are among the most targeted.
Those companies have likewise indicated that they've seen an uptick in phishing campaigns mimicking their websites.
These campaigns are at once sophisticated and surprisingly simple. Researchers at the Japanese technology conglomerate Fujitsu wrote last year that attackers in west Africa were targeting Office365 to harvest information on people across the corporate world. They were using the principles of chain emails to do it.
Once they got one person's information, they sent spoof emails to their contacts. From there, it spread like wildfire.
"It's pretty much anyone who uses those platforms," Hassold said, referring to who's at risk.
But PhishLabs, which makes money by shutting down phishing schemes, says that email may not be the main means of digital manipulation in the future. Text messages and social platforms are defining the way most people communicate, and criminals are noticing.
So attacks are increasingly being run through texts and other messages online. Most people access the Internet on their phones, and criminals are trying to keep up, just like the rest of the business world.
Hassold says spoof text messages might prove to be especially effective. People aren't primed to be skeptical like they are on email, and smaller phone screens make it easier to spoof a Web address.
"We're just going to see more and more of it. I think it's going to become more public and people are going to recognize it as a primary threat," Hassold said.