CIO Dive

Phishing scams have been around for decades. By now, you would assume most people had learned to recognize them and that their success rate would be shrinking. Yet they continue to work, and several high-profile phishing failures have recently made the headlines.

On March 1, Seagate Technology gave up the 2015 W-2 forms of all its current and former U.S.-based employees in a phishing scam, according to a report from KrebsOnSecurity. The W-2 forms included Social Security numbers, salaries and personal information. The week before, Snapchat revealed it was also the victim of a phishing scam when an employee released company payroll information to an attacker pretending to be CEO Evan Spiegel. The payroll specialist that received the email did not realize it was a scam and dutifully responded with the requested data.

A more sophisticated approach
Why are businesses still falling for these scams? Part of the reason is that cybercriminals have become shrewder.

“Phishing schemes are growing increasingly sophisticated, as cybercriminals use new tools and tactics to create authentic-looking emails,” said Shahryar Shaghaghi, leader of BDO’s Technology Advisory Practice.

The most common type of attack today involves a criminal posing as a high-level executive in an email message to an employee with access to the desired system or information. In December, anti-phishing company PhishMe said phishing emails pretending to be regular office communications are the most effective, with an average clickthrough rate of 22%.

“Whether the criminal seeks a wire transfer, such as what occurred at Mattel and Ubiquiti Networks, or employee tax details in the case of Snapchat and Seagate, the ruse is essentially the same: pose as an executive and leverage trust and human desire to please our superiors to achieve the nefarious goal,” said John Wilson, Field CTO of Agari. Wilson has been combating email-based fraud since 2006, when he developed an authentication-based anti-phishing solution as CTO of Brandmail Solutions.

The perpetrators of a phishing scam are generally after one thing: money. The CEO-to-CFO wire request takes a very direct approach, while the criminals targeting Snapchat and Seagate are playing the long game. With the employee tax details in hand, the criminals can now use identity fraud to file phony tax returns, open new lines of credit, and even buy real estate using the stolen identities, explained Wilson.

As KrebsOnSecurity recently noted, phishing scams are an easy way for criminals to get all the necessary information to commit tax fraud. Tax refund fraud accounted for almost 50% of all identity theft complaints last year, according to the Federal Trade Commission.