Third-party phishing is a relatively new attack vector that has become increasingly popular over the past year. In fact, BlueVoyant found that third-party phishing attacks have surged by 18% since 2022. Considering the sophistication of this attack method, and the fact that phishing attacks average $4.91 million in data breach costs, it is important to inform insureds about this method of attack.
What is third-party phishing?
The attack combines highly sophisticated and targeted forms of spear-phishing and spoofing to deceive victims. Spear-phishing is a social engineering attack where the attacker targets a specific victim or organization with malicious emails or other messages that appear to come from a legitimate source. Spoofing also a type of social engineering attack and refers to the deceptive practice of falsifying information or identities to appear legitimate or trusted.
How does third-party phishing work?
The following is an example of a third-party phishing timeline.
A malicious actor first uses intermediary sites or accounts to impersonate an entity that their victims would ordinarily trust. Occasionally, a threat actor will use a real, compromised account for greater realism.
With these spoofed accounts, the threat actor targets an individual or organization via email, SMS (also known as SMShing), or social media. In some third-party phishing attacks, threat actors have used multiple instances of “pre-texting” to establish credibility.
The victim is directed to open a website that appears to be legitimate. In contrast to a traditional phishing attack, the victim will not immediately be directed to input their sensitive, personal credentials. This way, threat actors avoid arousing suspicion and evade detection more skillfully.
The fraud occurs through the next action that the victim is directed to take – whether that is clicking on another page or submitting their personal credentials another way. This part of the timeline works like a traditional phishing attack.
Once the victim has entered their credentials, the bad actor can either sell their sensitive data or leverage it to execute further attacks.
Let’s look at an example of a real-life attack:
This example follows a similar attack path as the one outlined above. Here, the threat actor breaches the victim’s email account through legitimate recovery methods. This attack also exemplifies the inherent problem SMS messages. The origination of an SMS message cannot be easily authenticated within SMS itself, making it easy to threat actors to spoof trusted sources. To successfully execute this attack, the threat actor must have the victim’s email address and associated phone number.
What should insureds do about third-party phishing?
Here are some key pointers for cyber insurance professionals when directing insureds on tackling the growing issue if third-party phishing:
Risk Identification: Employees with elevated access to company finances, systems and data and C-level employees are at particular risk. Their training should be a priority.
Look for Malicious Email Rules and Forms: Specific training should be given on how to read URL domains to identify dubious URL links.
Education: Employee cyber security awareness training is often a minimum requirement for cyber insurance applications. Insureds should now make sure that their current curriculum incorporates teaching on third-party phishing. Employees must be taught to exercise caution if they receive unusual action requests or requests sent through new communication pathways, strange attachment names or file formats, action requests sent out of normal office hours, or messages that create an obvious sense of urgency.
Policy changes that support a security-aware culture: For example, employees should not be allowed to update banking or payment information without additional verification processes and/or voice confirmation.
In conclusion, promoting cybersecurity best practices fortifies an organization’s defense against third-party phishing threats. It also translates to reduced risks and potential losses. This ultimately fosters a more secure cyber insurance landscape for carriers and insureds alike.
Give Yourself The
Our CCIS certification is a mark of excellence that employers and recruiters want to see.