Phishing is possibly the single most dangerous form of cyber attack facing individuals and corporations in today’s world because it exploits people rather than systems. At a very high level, phishing is any form of attack that trades on the trust of a person or corporation to reveal some information they wouldn’t normally reveal.
Telemarketing scams that attempt to get someone on the phone to reveal their social security number or credit card information are technically phishing attempts, they call it Vishing (Voice Phishing) but it is the same thing. In this article, we’re concerned with spam email messages or email phishing. To understand more about this exploit and what can be done to mitigate the risks associated with it, it first helps to understand what phishing actually is, and the three basic forms it can take.
What is Email Phishing?
Email phishing can be defined as any email attack that purports to be from a reputable company or person that fraudulently attempts to get the recipient to reveal information that they would not normally reveal. Such information may include
- credit card numbers,
- login credentials,
- corporate secrets…
anything that should remain undisclosed.
There are three basic forms of phishing attack: phishing, spear-phishing, and whaling.
In a phishing attack, the hacker sends out an email designed to trick the recipient, and it works because of the recipient’s trust in the brand sending the email. These types of Phishing attacks are broad based and are sent to tens of thousands of people at the same time. They rely on volume rather than specifically targeting their recipients.
In the body of the email the recipient may be invited to click on a link that leads to a login page, for example or to download a PDF with an “invoice”. In the case where there is a link clicked, the Phish relies on the victim having an account on the real site, from there the hacker can gain access to that account by spoofing the login page and collecting the victim’s username and password. These types of Phishing attempts typically come from senders pretending to be Banks, Payment processors like PayPal, sites like Gmail or Office 365 because of their broad customer bases.
Straight phishing attacks most often target individuals, but are also used to target corporations as well. A hacker might gain access to corporate data by sending an email representing itself as being from a vendor, asking for information that will compromise the victim’s company. But more often, the technique used to hack corporate data is spear phishing.
A spear phishing attack takes things one step further by purporting to be from a trusted person, usually inside the victim’s company or a vendor that the company has done business with in the past. The recipient’s skepticism is allayed because the sender “is a co-worker” and is “already privy” to the information they are asking for. The email might say “I don’t have the information handy, and I’m headed into a meeting,” for example.
Every day, millions of dollars worth of corporate information is attacked via a phishing attempt.
In 2017, there were more than 2,200 confirmed successful data breaches, over 90% of which began as phishing or spear phishing attempts. As the level of corporate and employee awareness increases, hackers are finding increasingly subtle methods of attack.
In a domain spoofing attack, the hacker will replace the correct domain name in a link) with a fraudulent one. For example, if the correct domain name is “PayPal,” the attacker might replace it with “paypaI,” replacing the lowercase L in the first example with an uppercase I in the second. This is obviously very difficult for an employee to spot without the aid of an anti-phishing software.
“Sender” or “from address” spoofing is another form of attack that is difficult to spot. From address spoofing takes advantage of the user’s knowledge that the source of the email is trusted, by replacing the true sender address of the email with one pulled from the recipient’s contact list. This is possible because by default, core email protocols don’t have any mechanism for authentication. Domain authentication systems such as DKIM and DMARC can be used to assure recipients that the sender is authentic, but by some estimates, nearly half of all email sent is unauthenticated.
Phishing and spear phishing represent serious threats to an organization’s information, and can potentially cost millions in lost revenue, media exposure, and ruined reputations. But a successful whaling attack can directly affect the finances of a corporation by siphoning funds off into a fraudulent account.
In a Whaling attack, the target is a C-level executive: the CEO or CFO, for example. The email purports to come from another high-ranking executive, perhaps someone in the financial or legal department, or even a board member, and directs the recipient to transfer money to a bogus account.
Such emails are very thoroughly researched by the attacker, and contain information from a variety of sources gleaned over a long period of time that “could not possibly be faked.” The victim falls for the scam precisely because it is highly credible.
In one recent successful whaling attack, over $90,000 was stolen from a corporation and transferred into a fictitious account. This was a “long con,” taking months to set up. In the first phase, the attacker (posing as the CEO) directed accounting to create a new vendor account for a nominal amount, with 90-day terms. Banking details and all other pertinent information was provided to create the account. Using social media to get contact information and the date of birth of the accountant, the “CEO” called the accountant on her birthday to establish credibility and rapport with her. At this point, she also knew what the CEO “sounded like,” so that it would be easier for the attacker to continue the exploit.
A few weeks later, the “CEO” emailed the accountant from the airport. He told her he was getting on a plane, but authorized the release of funds to the vendor, and also updated the payment amount. He then followed up with a phone call “from the plane,” reminding the accountant that the last time they spoke was on her birthday, and relying on the fact that she would recognize his voice as being that of the CEO. She felt that it was a bit odd to get a request in this form, but since they had established a relationship of trust, he knew the due date of the invoice, and she knew the CEO’s voice and had written authorization, she released the funds and approved the $81,000 increase he had requested.
Attackers Are Smart – And Getting Smarter
Today’s phishing, spear phishing, and whaling attacks are extremely sophisticated. Phishing is a psychological attack – one which can only succeed if the victim fails to recognize the threat. There is a measure of gamesmanship at play: the hacker is attempting to out-smart the recipient. As employees read and become more educated about threats and scams, success becomes more difficult for the hacker. But this has not slowed the increase of corporate data breaches year after year.
On the contrary, that trend continues to be on the rise. From 2016 to 2017, a six percent increase in data loss was reported, along with a whopping 21% increase in compromised accounts and an equally sobering jump in malware infection. The reported increases come from phishing attacks alone. When taken together with other forms of vulnerability, it’s clear that organizations are under a well-planned and well-thought-out attack.
Ransomware is Often Delivered by Emails
Ransomware is a form of malware that usually operates by encrypting files or locking computer screens until some form of ransom is paid. The amount of the ransom is typically quite small, to ensure that corporations will comply with the ransom demand on the one hand, but not risk bad press or other ramifications on the other. Simply paying the ransom doesn’t necessarily mean that the locks will be removed, however. Employees and the organizations in which they work can be held to ransom through endless cycles of payment and escalation. Ransomware places your employees firmly on the front line of cyber security, fighting an often losing war against escalating attacks of ever-increasing sophistication.
Many corporations turn to a policy of educating their employees in an attempt to teach them to spot and avoid bogus emails altogether.
Some success has been achieved on this front, but current research suggests that more can be done. Costs of training programs are high, considering also that while they are being trained, employees are prevented from doing the work they were hired to do. Also, when employees are constantly filtering every piece of email through the lens of skepticism, there may be a productivity drop.
Education is not Enough
In today’s heated battle against phishing attack and email exploits, education is certainly required, but it is clearly not enough. Many online training providers will state that their training programs will lower the risk of your users opening a suspicious email, clicking a bogus link, or allowing a malicious attachment onto your corporate network.
There are, in fact, many factors that drive employees to open phishing emails. The most obvious reason is that the email is “from” someone the user trusts. Coupled with the sense of urgency present in the text of such emails, the employee may simply act before thinking. Other users cannot resist clicking links, even when they know better, or suspect the genuinity of the source. Keeping in mind that a phishing attack is a surreptitious attempt to persuade a person to do something they otherwise wouldn’t want to do. In other words, phishing attackers are running a confidence game against the organization by trading on the good nature of your employees. Training them can therefore only go so far.
One idea that is currently gaining traction is that of punishing employees for succumbing to phishing attempts. Such forms of discipline might see the employee sent back to endure further training in the program that didn’t work in the first place. In its most extreme form, an employee might be formally disciplined for repeat-clicking, even in cases where the clicks were on widely separated occasions and in phishing attempts of two or more entirely differing types.
Such forms of discipline do not work. Employees are not to blame (nor should they be held to blame) for an organization’s failure to protect itself from the threat of phishing attack. There are simple, effective, and affordable tools and solutions available to deter employees from exposing your company to risk: tools that don’t rely on the savvy of your employees to recognize inbound threats. Maximum productivity can only be achieved when employees are not primarily concerned with policing your infrastructure and performing housekeeping duties.
Education does have its place in preventing phishing attacks, but it must be done properly, and in a culture of helpfulness, not blame. Phishing attacks are targeted at a single employee. A successful phishing attack is a failure in process for the company being exploited. The vulnerability will always be the individual employees, placing the burden on them to solve the problem is not the best solution. Instead, organizations must put validation process in place for releasing information and funds. The more the company can protect its employees with processes, systems, or software, the less successful phishing attempts are likely to be.
Phish Protection’s Advanced Threat Defense makes applying a custom branded redirection name quick and easy, which in turn allows your end users to easily identify phishing attempts and suspicious messages.
Phish Protection Stops Link-Based Phishing Attacks
Phishing scheme authors use many techniques. One of the most effective is to send an email from a trusted domain or a URL. When the emails are delivered to your mail server the site appears clean, but within a few hours the safe content of the site is swapped for content with a harmful payload. In this way, the first line of defense is penetrated: by the time the attack commences, your spam and virus filters have already “cleared” the site, which can then try to infect your organization’s network.
Ransomware can encrypt an entire network and shut down corporations in seconds by locking users’ devices. It’s an extremely effective way to infect a corporate network.
Phish Protection’s real-time scans the most up-to-date phishing protection feeds to provide click protection for users. When a user clicks an unsafe link, they are prompted with a warning. Phish Protection checks and validates every link clicked against multiple separate online URL reputation databases.
We check multiple URL reputation databases on each click for real-time link checking and validation:
- Every URL is scanned in both incoming and delivered email. Potential risks are identified before they are opened in the user’s browser.
- Incoming email is scanned to identify potential impersonation and social engineering based attacks that might lead employees to make wire transfers or inadvertently leak information.
With Phish Protection’s Office 365 Phishing Protection, your organization will:
- Mitigate against the risk of phishing attacks without requiring any additional outlay of IT infrastructure or overhead money.
- Instantly and seamlessly protect users against attacks on any device anywhere, without any interruption of service.
- Control the service easily through a single unified web-based console as a part of Phish Protection’s Advanced Threat Defense.
Phish Protection’s Advanced Threat Defense detects and defends against threats in real-time