IN JANUARY last year, malicious hackers compromised the systems of Pepsi Bottling Ventures, the USA’s largest privately-owned Pepsi-Cola bottler. For nearly a month, malware secretly siphoned personally identifiable information (PII) from the company’s network. The breach remained undetected and it took Pepsi Bottling Ventures a further nine days to fully neutralize the threat.
The retail company disclosed that the sophisticated attack on its Hungarian subsidiary led to a loss of approximately €15.5M ($16.6M) in cash, aside from exposing employees personal data. The source of the attack was a phishing email. This incident highlights the escalating threat and the need for organizations to enhance their cyber defenses.
Phishing attacks continue to be one of the most effective tactics used by cybercriminals to target businesses, and corporate email systems are a prime target. These attacks aim to deceive employees into disclosing sensitive information by posing as legitimate sources.
Kaspersky, a leading cybersecurity firm, reveals the anatomy of a phishing attack to help businesses bolster their defenses. Citing Mimecast’s ‘The State of Email Security 2023’ report, Kaspersky highlights email as the primary source of cyberattacks (83 percent of surveyed CISOs agree).
“In today’s dynamic threat landscape, businesses face an ever-growing array of cyber risks, with email-based attacks posing a particularly insidious threat,” Timofey Titkov, Head of Cloud & Network Security Product Line at Kaspersky stressed.
Cybercriminals behind phishing attacks have various motivations, including financial gain, political agendas, espionage, or simple disruption of operations. Attacks begin with fraudulent emails mirroring legitimate communications — colleagues, brands, or business partners. Attackers use sender address spoofing and replicated corporate branding for credibility. AI-powered phishing amplifies effectiveness by crafting highly personal and convincing lures.
Cybercriminals prey on human vulnerabilities using various “appeals.” Using false pretenses like urgent emails induce impulsive actions to avoid consequences or seize opportunities.
Social engineering is particularly successful as tailored content aligning with the victim’s job, interests, or concerns increases success. Malicious links and attachments, even the most sophisticated ones need a human to confirm or click of it. Doins so lead to credential-stealing websites; attachments install malware or trigger fraudulent transactions.
To evade detection, attackers continuously evolve techniques, using obfuscation, encryption, or URL redirection.
Successful phishing attacks can lead to unauthorized access to sensitive corporate data, significant financial losses, damaged reputations, and regulatory penalties. Compromised accounts can further enable other attacks like Business Email Compromise (BEC) or data theft.
To protect corporate email systems, organizations must adopt a multi-pronged approach involving security measures and employee education. According to Kasparksy mitigation is the key. Some effective strategies include:
1. Employee Training: Build awareness of phishing tactics and best practices.
2. Multi-Factor Authentication: Adds an extra security layer to prevent unauthorized access.
3. Incident Response: Create a plan for swift action in the event of a breach.
4. Advanced Security Solutions: Employ email filtering and machine learning-based security to detect and block evolving threats.
“At Kaspersky, we recognize the critical importance of equipping organizations with robust cybersecurity solutions. Our Kaspersky Security for Mail Server, provides unparalleled protection for corporate mail systems even against evolving AI-powered phishing attacks.
By leveraging our solutions, businesses can proactively defend themselves against phishing attacks and other malicious threats, ensuring the security and integrity of their sensitive data,” Titkov concludes.
