Employees who have been trained to look out for phishing emails know not to click on links in suspicious emails. But what if the email tricks them into clicking on a link they didn’t intend to click on because it’s invisible?
According to a presentation by the security education firm KnowBe4, one of the newest forms of email compromise is a type of clickjacking that uses an invisible link (hidden with the CSS opacity setting). In place of the link, the user sees a “bothersome” graphic element made to look like a small hair or a speck of dust.
This tricks the user into wiping the hair or dust off the screen, ostensibly on a mobile phone, which activates the link and launches a connection back to a rogue website or, worse, releases some form of malware.
These “rogue wiping elements” are a form of social engineering which is almost impossible to prevent with education alone. After all, it’s human nature to want a touchscreen free of debris. The only way to protect users from these sophisticated phishing techniques is to use technology. Technology that doesn’t get fooled so easily.
Protecting against this clever form of phishing actually requires two technologies.
The first is real-time link scanning.
Unlike humans, link scanners aren’t fooled by see-through links and graphical elements.
All they see is the underlying HTML, and there’s no way to hide that from link scanning.
When a user attempts to wipe away the hair, thereby clicking on the malicious link, the link scanner intervenes to check both the link itself and the web page being linked to.
That leads to the second technology required: cloud-based email protection.
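The check below is an added example, not code from the original article or from any vendor it names: it walks an email's HTML and reports links whose inline CSS opacity, multiplied through their ancestors, is close to zero. The function names, the 0.1 threshold and the sample message are assumptions, and only inline `style` attributes are evaluated.

```python
import re
from html.parser import HTMLParser

VOID = {"img", "br", "hr", "input", "meta", "link", "wbr"}  # no closing tag, never pushed
OPACITY_RE = re.compile(r"(?:^|;)\s*opacity\s*:\s*([0-9]*\.?[0-9]+)\s*(%?)", re.I)
THRESHOLD = 0.1  # assumption: below 10% opacity a link is effectively invisible

def inline_opacity(style):
    """Return the opacity declared in an inline style attribute (1.0 if none)."""
    m = OPACITY_RE.search(style or "")
    if not m:
        return 1.0
    value = float(m.group(1))
    return value / 100 if m.group(2) else value

class InvisibleLinkScanner(HTMLParser):
    """Collect the href of every <a> whose effective opacity is near zero."""
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, effective opacity) for each open element
        self.findings = []  # (href, effective opacity)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        parent = self.stack[-1][1] if self.stack else 1.0
        # CSS opacity multiplies down the tree: a transparent wrapper hides its links.
        effective = parent * inline_opacity(attrs.get("style"))
        if tag == "a" and attrs.get("href") and effective < THRESHOLD:
            self.findings.append((attrs["href"], round(effective, 3)))
        if tag not in VOID:
            self.stack.append((tag, effective))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; stray or unclosed tags are tolerated.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def find_invisible_links(html):
    scanner = InvisibleLinkScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample message body; example.test is a reserved test domain.
SAMPLE = """<p>Invoice ready: <a href="https://portal.example.test/invoice">view</a></p>
<div><img src="cid:speck" alt=""><a href="https://rogue.example.test/landing" style="opacity:0">open</a></div>
<div style="opacity: 0.02"><a href="https://rogue.example.test/nested">open</a></div>"""
```

Calling `find_invisible_links(SAMPLE)` returns the two hidden links and leaves the visible invoice link alone; a scanner in production would also have to resolve `<style>` rules and check the destination page, which this example does not do.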
A cloud-based email protection solution is required for two reasons. First, it must be cloud-based to be able to sit between the email client (on the user’s phone) and the malicious website. That gives it a chance to check the website before directing the client there.
The other advantage of cloud-based email protection is that it works seamlessly for all devices, including mobile phones. Since this attack is primarily targeted at mobile devices, only a solution that can accommodate them will provide the necessary protection.
Phishing attacks are getting extremely sophisticated. More and more they’re going after mobile devices. If you’re a small business, on a limited budget, but you’d still like to be protected from advanced phishing techniques like these, there’s good news. You can now get advanced phishing technology at prices that fit your budget.
To learn more about how PhishProtection can protect your small or mid-size business from phishing attacks.