On July 16, Twitter fell victim to a targeted social engineering attack that led to the compromise of 130 Twitter accounts, including those of Bill Gates, Joe Biden, and Elon Musk. Through a successful spear phishing attempt, a group led by 17-year-old “mastermind” Graham Ivan Clark was able to tweet from these accounts, asking for Bitcoin donations that reportedly netted the scammers more than $180,000 in the short time the posts were live.

On July 30, Twitter confirmed (somewhat vaguely) that its staff members were targeted through their phones. Multiple reports suggest this was a phone phishing attack in which Clark convinced one of the company’s employees that he was a co-worker in the technology department who needed their credentials to access the customer service portal.

By obtaining employee credentials, the attackers were able to go unnoticed inside Twitter’s network and gain access to an internal system that allowed them to reset the passwords of Twitter users.

This is not a hack that requires a huge level of skill and equipment. Like all forms of phishing, this attack relied on a user voluntarily providing sensitive information. Spear phishing tends to be even more advanced in terms of design and messaging, and can be nearly impossible for the average employee to catch.


Modern-day phishing

Phishing attacks have evolved far beyond poorly worded emails offering ‘unclaimed lottery winnings.’ In 2020, phishing is not only pervasive, but it is also the most damaging high-profile cybersecurity threat facing organizations today.

Our data shows that 57% of organizations have experienced a phishing incident that occurred on a mobile device and, making matters worse, 87% of successful phishing attacks take place outside of email.

Not only are phishing attacks reaching users in more places, but they are now more personalized. Business email compromise (BEC) attacks are moving to other forms of communication, such as social media messengers, and mobile spear phishing is as easy as finding out someone’s phone number and sending them a text. 

Malicious actors are taking the time to research their targets’ behavior patterns and work environments to exploit any weaknesses. This is exactly what we’ve seen in the Twitter example. 

Hackers looking to extract information from specific individuals or organizations will create personalized, duplicitous links that appear to be from trusted sources. Sometimes spear phishing tactics will resemble other forms of mass phishing, such as a text message claiming to be from PayPal requesting that you update your account details. Sometimes it’s in the form of an email that appears to be from your CEO or a coworker but is actually a ‘spoofed’ message from a hacker.

How to protect your organization

When it comes to phishing, employee education needs to be factored into your defense plan. Ensuring that employees can identify suspicious messages, URLs, and page content is a great place to start. Many of our customers participate in regular phishing training sessions. You can even try our mobile phishing quiz with your peers to see how they fare. 

On top of training and education, security technology is a must for preventing phishing attacks — there are bound to be attacks that slip through even the most diligent employees’ radars, and blocking connections to malicious links that can compromise their credentials is the most reliable safeguard. Network-based phishing detection like Wandera’s will block the network connection if an employee happens to fall for a well-crafted phishing message and clicks a link that leads to a spoofed login or payment page. 

Wandera’s zero-day phishing detection doesn’t rely on static lists of known phishing domains. It uses pattern recognition to identify phishing pages within minutes of their being launched by looking for suspicious domains that use techniques such as Punycode or intentional “typos” in the domain name to masquerade as a legitimate brand’s domain. The below domains are just a few examples detected by our machine intelligence engine MI:RIAM in 2019.
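To make the two domain tricks mentioned above concrete, here is a small heuristic checker added for illustration; it is not Wandera’s engine or any code from the original post. It decodes Punycode (xn--) labels, reduces lookalike glyphs to the Latin letters they imitate, and compares the result against a constructed brand watch list; the brand list, the confusable table and the sample domains are all assumptions made for this example.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed watch list of brands to protect (not Wandera's data).
BRANDS = ["paypal", "twitter", "apple", "google"]

# A few Cyrillic letters that render identically to Latin ones (U+0430 etc.),
# mapped to the Latin letters they impersonate. Real confusable tables are far larger.
CONFUSABLES = str.maketrans("\u0430\u0435\u043e\u0440\u0441\u0445\u0443\u0456",
                            "aeopcxyi")

# Constructed sample: 'paypal' with a Cyrillic first 'a', in the xn-- form
# that actually appears in DNS records and TLS certificates.
HOMOGRAPH_DOMAIN = "xn--" + "p\u0430ypal".encode("punycode").decode("ascii") + ".com"

def decode_label(label: str) -> str:
    """Turn an ACE label such as 'xn--...' back into the text a browser renders."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label

def skeleton(label: str) -> str:
    """Reduce a label to the ASCII it looks like: drop accents, swap confusables."""
    base = unicodedata.normalize("NFKD", label)
    base = "".join(ch for ch in base if not unicodedata.combining(ch))
    return base.translate(CONFUSABLES).lower()

def classify(domain: str, brands=BRANDS, threshold=0.8):
    """Return (verdict, brand) for the label left of the TLD. Public-suffix
    handling (co.uk and the like) is deliberately out of scope here."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return ("no-match", None)
    label = decode_label(parts[-2])
    if label in brands:
        return ("legitimate", label)
    sk = skeleton(label)
    for brand in brands:
        if sk == brand:                      # only lookalike glyphs differ
            return ("homograph", brand)
        if brand in sk:                      # brand name padded with extras
            return ("brand-embedded", brand)
        if SequenceMatcher(None, sk, brand).ratio() >= threshold:
            return ("typosquat", brand)      # a character or two off
    return ("no-match", None)

if __name__ == "__main__":
    for d in ["paypal.com", HOMOGRAPH_DOMAIN, "paypa1.com", "twiter.com",
              "appleid-verify.com", "example.com"]:
        print(f"{d:40} {classify(d)}")
```

Heuristics like these produce false positives on legitimate regional or brand-adjacent domains, so in practice a verdict feeds a block list or analyst queue rather than acting alone.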

In addition to world-class phishing protection, Wandera offers a secure access solution, Wandera Private Access, to give customers the best chance at preventing unwanted access from a risky device or a bad actor impersonating a real employee should credentials end up in the wrong hands.

If you’d like to know more about today’s most effective phishing techniques and how to protect your organization against them, please contact one of our experts. We’re here to help.