Phish of the Week: In Honor of Shark Week…

The Kind of Shark Attack You Should REALLY Worry About

Who doesn’t love Shark Week? Mike Tyson cage-diving with sharks, Michael Phelps in shark-infested waters, plus, the ‘shark’ of all…phishing breaches? Oh. Wait, we’re not just talking about TV’s annual Shark Week (which concludes this weekend).

While Phelps in shark-infested waters is always a good spectacle, the real sharks you should care about are the ones that lie in wait within your partner ‘waters’. These sharks perpetrate a “long con”: the Business Email Compromise (BEC) Type 3 phishing attack. A good example is the recent Virtu breach covered by the Wall Street Journal, which resulted in $10.8M in fraudulent wire transfers. In this campaign, a bad actor watched the organization’s (Virtu’s) emails for two weeks – then used “legitimate, ordinary-course business transactions” to phish for funds.

The BEC attack on Virtu (which – according to available public records – uses both a Secure Email Gateway and DMARC) shows why old approaches don’t work against new BEC attacks. To avoid falling prey to BEC Type 3, check out our Active Fraud Prevention solution brief here.

Task Force 7 Q&A: How to Preemptively Track Phishing Campaigns

Why doesn’t a reactive posture work when it comes to email threats? How can a company still protect itself when a supply chain partner gets phished? What’s happening in the world of election cybersecurity?

Hear Area 1’s Chief Security Officer Blake Darché cover these topics (and more) in his recent Q&A with Task Force 7 Radio’s co-founder (and Ciena’s CISO) Andy Bonillo, here.

DMARC Deployment Still isn’t the Problem…

ICYMI, Blake (along with our Principal Security Researcher Javier Castro) also recently demonstrated how bad actors build and successfully launch a DMARC-passing phishing attack in less than 60 minutes.

TL;DWatch? Despite what new “studies” say, properly enforcing DMARC policies won’t protect your inbox against BEC, credential harvesting, or any other targeted phishing attack.

Read about the good, bad and ugly of email authentication in a new blog, here.

Microsoft Office 365, Compromised

Like email authentication, Office 365 also won’t intercept Business Email Compromise attacks. Nor will it prevent other low-volume, sophisticated phishing campaigns. If you’re still using Office 365 without cloud-native email security (or plan to transition to Office 365), then join us Aug. 27th to learn:

  • How bad actors evade Office 365’s ATP, email authentication and other traditional defenses
  • Recent examples of BEC and other phishing campaigns that bypassed Office 365 defenses
  • How to boost Office 365’s native capabilities with six cloud-native security techniques

Tell Us (Well, Gartner) What You Really Think of Us

Help other security professionals catch phish. Share your experience as an Area 1 customer on Gartner Peer Insights and receive a $25 gift card.

Gartner will validate your identity through your business email or LinkedIn profile. Reviews are anonymous and Gartner will not share your information or market to you unless you actively opt in.


Shalabh Mohan

VP, Product at Area 1

With a career spanning 20 years fighting bad guys online, Shalabh leads all product and go-to-market functions at Area 1 Security, with extensive prior experience across security, enterprise, and cloud infrastructure companies such as Aspen Networks, IronPort Systems, Cisco and Bracket Computing. Shalabh and his teams have taken products from conception all the way to large scale businesses; and in the process have consistently helped make the Internet a safer place. An alumnus of Stanford University and the University of Texas at Austin, Shalabh holds five patents and can claim to know something about enterprise infrastructure and security.
