Phishing is not a new type of cyber-attack, but it remains an extremely effective way to gain access to a firm’s data. According to Microsoft’s latest security intelligence report, adversaries continue to use phishing as a preferred method of breaching businesses: phishing detections rose 250% between January and December 2018.
Indeed, cyber-criminals are finding increasingly inventive ways to target employees, for example by studying their social media profiles and sending bespoke emails based on what they find, a technique known as spear-phishing. An email that appears to be a Microsoft Office password reset request might instead lead to a malicious site where an employee enters business credentials that the criminals then harvest.
Other phishing attempts see criminals posing as someone known to the user with the aim of convincing them to transfer cash. These so-called ‘business email compromise’ attacks have become a “persistent hazard”, says Tim Sadler, CEO and co-founder of Tessian.
An analysis of business email compromise attacks by Barracuda Networks found that nearly 60% of messages used one of just 50 common subject lines. Among the most frequent were: ‘Request’ (36%); ‘follow up’ (14%); ‘urgent/important’ (12%); ‘are you at your desk/available?’ (10%); and ‘payment status’ (5%).
Attackers find out email addresses by searching social media sites such as LinkedIn, or simply stealing them from other breaches. “Every time we hear about a big breach, quite often a database full of users has been stolen,” says Oz Alashe, CEO of CybSafe. “That database of credentials – even if it’s just an email address – is worth something to a cyber-criminal.”
Spotting phishing emails
It’s a growing issue, so what does phishing look like? It can be really difficult to tell if an email is fake, says Tony Gee, associate partner at Pen Test Partners. However, he says one sign is urgency: “They require you to do things quickly, for example, ‘you need to make this payment today’.”
Fraudulent emails are increasingly tricky to spot, agrees Steve Malone, cyber resilience expert at Mimecast. “Registering a similar-looking domain name or even using foreign alphabet characters that look the same is an increasingly common and unfortunately very successful strategy. It could take as little as a well-known logo or image to gain employees’ trust in the validity of the sender.”
And today’s attacks can be stealthy: employees often have no idea they have fallen victim to phishing. Patrick Martin, cybersecurity analyst at RepKnight, cites the example of a PA who clicked on an Office 365 link. “They accessed the document and carried on their work. But it was a bogus website and criminals had harvested the employee’s credentials: the attackers set up email forwarding on the account and were harvesting around 6,000 emails including HR data. The company didn’t spot it for two days.”
It is a major concern, so it’s important firms implement a company-wide approach to tackling email phishing. There are steps organisations can take to help end users be aware of rogue emails, Gee says. For example: “Use an email gateway: just put a tag in the email that says, ‘this is from an external source’. Some firms don’t do this and it’s such a helpful thing.”
Asaf Cidon, VP content security at Barracuda Networks, warns companies not to rely solely on traditional security that uses blacklists or URL reputation analysis for spear-phishing defence: this doesn’t protect against attacks using ‘zero day’ links, URLs on freshly registered or newly compromised domains that have no reputation history yet. “Implement DMARC email authentication and reporting; it can help stop domain spoofing and brand hijacking,” he advises.
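DMARC stops domain spoofing through identifier alignment: the domain in the visible From: header must match the domain that SPF or DKIM actually authenticated, and the domain owner’s published policy says what a receiver should do when it does not. The following evaluator is an added example, not code from the article or from Barracuda. The DMARC record, the domains and the SPF/DKIM results are constructed; the organizational-domain logic is simplified (a real receiver uses the Public Suffix List) and the sp= and pct= tags are ignored.

```python
"""DMARC verdict from a published record plus the SPF and DKIM results a
receiver has already computed. Added illustration; constructed inputs."""

RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"  # constructed


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict with RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless the owner says strict
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless the owner says strict
    return tags


def organizational_domain(domain: str) -> str:
    """Last two labels. Simplification: real receivers consult the Public
    Suffix List so that 'example.co.uk' is not reduced to 'co.uk'."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record: str, from_domain: str, spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """spf_domain is the envelope (MAIL FROM) domain SPF checked; dkim_domain is
    the d= tag of a signature that verified. Pass '' when there is no result.
    DMARC passes when at least one mechanism passed AND is aligned with the
    visible From: domain; that alignment is what defeats plain spoofing."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and bool(spf_domain) and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and aligned(from_domain, dkim_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "pass": passed,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else tags["p"],  # what the owner asked for on failure
    }


if __name__ == "__main__":
    # Genuine mail: bounces go via a subdomain (relaxed SPF alignment suffices) and
    # the DKIM signature is from the exact From: domain (strict alignment holds).
    print(evaluate_dmarc(RECORD, "example.com", "pass", "bounce.example.com", "pass", "example.com"))
    # Spoofed From: example.com sent from the attacker's own server: SPF and DKIM
    # both "pass" for the attacker's domain, but neither is aligned, so reject.
    print(evaluate_dmarc(RECORD, "example.com", "pass", "evil-mailer.test", "pass", "evil-mailer.test"))
```

Two caveats follow from the code. A record with p=none yields reports but no blocking, so the disposition only bites once the owner moves to quarantine or reject. And DMARC protects only the exact domain it is published for: a lookalike domain the attacker registers has its own record (or none), which is why the sender-domain checks described earlier remain necessary.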
At the same time, employee education is integral. “All staff need training on how to spot and handle phishing emails,” Martin says. “It needs to be tied into some kind of user policy for the system or network they are on. Stress the consequences for them and the company.”
“Regular staff awareness training is so important,” agrees Gee. “So many people do it once a year and it’s not enough. You need to encourage staff to be more aware.”
Gee says training should include: “What does phishing look like? How can they spot emails? What should people do when they do think an email is suspicious?”
Phishing emails often have typical traits that employees can spot. Martin advises: “If an email contains links, hover your mouse over it so you can see where it will take you.”
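Two of the checks above, spotting a sender domain that imitates a trusted one (including non-Latin characters that render like Latin letters) and comparing a link’s visible text with where it actually goes, can be automated on the mail gateway. The script below is an added example, not code from the article or from any of the vendors quoted in it. The message, the trusted-domain list and the confusable table (a tiny subset of the Unicode confusables data) are all constructed for the demonstration.

```python
"""Automated sender-lookalike and link-mismatch checks on one raw message.
Added example with constructed inputs; not code from the article."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "microsoft.com", "office.com"}  # assumption

# Tiny subset of Unicode confusables; multi-character keys must come first.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

LOOKALIKE = "micr\u043esoft.com"                     # microsoft.com with a Cyrillic o
PUNYCODE = LOOKALIKE.encode("idna").decode("ascii")  # the xn-- form seen on the wire

SAMPLE_EMAIL = f"""From: Microsoft Office 365 <no-reply@{PUNYCODE}>
To: finance@example.com
Subject: URGENT: your password expires today
Content-Type: text/html; charset="utf-8"

<p>Your Office 365 password expires today. Reset it now to keep access.</p>
<p><a href="http://login.microsoft-secure-reset.test/auth">https://login.microsoft.com/</a></p>
<p><a href="https://www.office.com/">Office home</a></p>
"""

def skeleton(domain):
    """Fold confusable characters so visually similar domains compare equal."""
    s = domain.lower()
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s

def edit_distance(a, b):
    """Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def to_unicode(domain):
    """Decode xn-- labels so we compare what the user sees, not the wire form."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain

def lookalike_of(domain):
    """Trusted domain this one imitates (skeletons within one edit), or None."""
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    return next((t for t in sorted(TRUSTED_DOMAINS)
                 if edit_distance(skeleton(domain), skeleton(t)) <= 1), None)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def analyse_message(raw):
    """Return {'sender': [...], 'links': [...]} findings for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = {"sender": [], "links": []}
    wire = parseaddr(str(msg["From"]))[1].rsplit("@", 1)[-1].lower()
    domain = to_unicode(wire)
    if domain != wire:
        findings["sender"].append(f"sender domain uses non-ASCII characters: {domain} ({wire})")
    if lookalike_of(domain):
        findings["sender"].append(f"sender domain {domain} imitates {lookalike_of(domain)}")
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        host = to_unicode((urlparse(href).hostname or "").lower())
        shown = re.search(r"(?:https?://)?([a-z0-9.\-]+\.[a-z]{2,})", text.lower())
        if shown and shown.group(1) != host and not host.endswith("." + shown.group(1)):
            findings["links"].append(f"link text shows {shown.group(1)} but opens {host}")
        if lookalike_of(host):
            findings["links"].append(f"link host {host} imitates {lookalike_of(host)}")
    return findings
```

Running `analyse_message(SAMPLE_EMAIL)` flags the sender twice (non-ASCII characters, and a skeleton identical to microsoft.com) and the first link once (the text names login.microsoft.com but the href opens another host). The edit-distance threshold is deliberately loose, so a genuine domain one character away from a trusted one will also be flagged; treat the output as a signal for the gateway tag or the user warning, not as a blocking verdict on its own.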
It’s also a good idea for firms to do additional checks, such as phoning the purported sender on a number already on file (not one taken from the email itself) to verify large payment requests. “Think twice before you click on a link on an email; always check who the sender is,” Alashe advises. “If you are not expecting a request to make a change, call the person who sent the email to verify who they are.”
At the same time, Gee advises firms to send fake phishing emails to staff to help prepare them for the real thing. “You can use something like the Gophish platform where you create your own training.”
In addition, says Gee, companies can use social media ‘honeypots’: fake profiles including an email address. “If someone is starting to send phishing emails to that inbox, you know you are under attack.”
This should all be built on a foundation of strong general security hygiene. Passwords are still the most common form of protection for employee accounts and need to be secured due to the rise of credential theft via phishing attacks, says Morey Haber, CTO, BeyondTrust.
Meanwhile, says Martin, companies should take steps to quantify how many of their company email addresses, documents and credentials are out on the web being shared, discussed and sold. They can do this by using a free tool such as Have I Been Pwned, which matches email addresses against known breaches. “In response, firms can take some preventative action – which could be as simple as enforcing password resets.”
Companies can also act preventatively by monitoring for anomalous out-of-hours activity such as logins, data transfers, login failures and password resets, says Martin.
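The forwarding rule in Martin’s Office 365 example above and the out-of-hours activity he recommends watching for are both visible in mailbox and sign-in audit logs, and both reduce to simple rules. The detection below is an added example, not code from the article or from RepKnight. The events are constructed; their shape (time/user/op/ip/params) is this example’s own, although the operation names borrow the Exchange cmdlet names that mailbox audit logs record. The internal domain list, business hours (expressed in the timestamps’ time zone, UTC here) and the failure threshold are assumptions.

```python
"""Audit-log detection rules: external mail forwarding, out-of-hours logins
and password resets, and bursts of login failures. Added example with
constructed events; not code from the article."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own mail domains
BUSINESS_HOURS = range(7, 19)         # assumption: 07:00-18:59 in the timestamps' zone
FAILURE_THRESHOLD, FAILURE_WINDOW = 4, timedelta(minutes=10)   # assumption
FORWARDING_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")

SAMPLE_EVENTS = [  # constructed
    {"time": "2019-03-12T09:14:02Z", "user": "pa@example.com", "op": "UserLoggedIn", "ip": "203.0.113.7"},
    {"time": "2019-03-12T23:41:10Z", "user": "pa@example.com", "op": "UserLoggedIn", "ip": "198.51.100.23"},
    {"time": "2019-03-12T23:43:55Z", "user": "pa@example.com", "op": "New-InboxRule", "ip": "198.51.100.23",
     "params": {"Name": "Sync", "ForwardTo": "collector@mail-archive.example.net", "DeleteMessage": True}},
    {"time": "2019-03-13T02:05:00Z", "user": "cfo@example.com", "op": "UserLoginFailed", "ip": "198.51.100.23"},
    {"time": "2019-03-13T02:06:11Z", "user": "cfo@example.com", "op": "UserLoginFailed", "ip": "198.51.100.23"},
    {"time": "2019-03-13T02:07:30Z", "user": "cfo@example.com", "op": "UserLoginFailed", "ip": "198.51.100.23"},
    {"time": "2019-03-13T02:08:45Z", "user": "cfo@example.com", "op": "UserLoginFailed", "ip": "198.51.100.23"},
    {"time": "2019-03-13T02:20:31Z", "user": "cfo@example.com", "op": "PasswordReset", "ip": "198.51.100.23"},
    {"time": "2019-03-13T10:02:00Z", "user": "hr@example.com", "op": "Set-Mailbox", "ip": "203.0.113.9",
     "params": {"ForwardingSmtpAddress": "smtp:hr-assistant@example.com"}},   # internal: not flagged
    {"time": "2019-03-13T10:30:00Z", "user": "hr@example.com", "op": "New-InboxRule", "ip": "203.0.113.9",
     "params": {"Name": "Newsletters", "MoveToFolder": "Reading"}},           # no forwarding: not flagged
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_external(address):
    """True if the address belongs to none of the organisation's own domains."""
    address = address.lower()
    if address.startswith("smtp:"):   # Exchange writes ForwardingSmtpAddress as smtp:user@domain
        address = address[5:]
    return address.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def detect(events):
    """Run the rules over a batch of events and return alerts in time order."""
    alerts = []
    failures = defaultdict(deque)   # source ip -> timestamps of recent login failures
    reported_ips = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        when = parse_time(ev["time"])
        off_hours = when.hour not in BUSINESS_HOURS
        base = {"time": ev["time"], "user": ev["user"], "ip": ev.get("ip")}
        if ev["op"] in FORWARDING_OPS:
            for param in FORWARDING_PARAMS:
                target = ev.get("params", {}).get(param)
                if target and is_external(target):
                    alerts.append({**base, "severity": "high", "rule": "external-forwarding",
                                   "detail": f'{ev["op"]} {param}={target}'})
        elif ev["op"] == "UserLoggedIn" and off_hours:
            alerts.append({**base, "severity": "medium", "rule": "out-of-hours-login", "detail": ""})
        elif ev["op"] == "PasswordReset" and off_hours:
            alerts.append({**base, "severity": "medium", "rule": "out-of-hours-password-reset", "detail": ""})
        elif ev["op"] == "UserLoginFailed":
            recent = failures[ev["ip"]]
            recent.append(when)
            while when - recent[0] > FAILURE_WINDOW:   # drop failures older than the window
                recent.popleft()
            if len(recent) >= FAILURE_THRESHOLD and ev["ip"] not in reported_ips:
                reported_ips.add(ev["ip"])
                alerts.append({**base, "severity": "medium", "rule": "login-failure-burst",
                               "detail": f"{len(recent)} failures within {FAILURE_WINDOW}"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["time"]} {a["severity"]:6} {a["rule"]:28} {a["user"]} {a["detail"]}')
```

On the sample the rules fire four times: the late-night login, the rule forwarding the PA’s mail to an external address two minutes later, the burst of failed logins against the CFO’s account, and the out-of-hours password reset. The forwarding rule is the one to treat as high severity, since it exfiltrates mail silently for as long as it exists; the two internal changes at the end are deliberately left unflagged to show that the rule keys on the destination domain, not on the operation alone.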
Phishing will continue to be prevalent, so it’s important that companies tackle the issue with a strong strategy and tools to back this up. And if employees do fall for phishing attempts, firms need to consider how they will react.
When people do make mistakes, a supportive approach works better than a punitive one, says Alashe. “Blame is something we need to avoid. It doesn’t help us truly address the issue and actually contributes to the problem.”