Phishing Prevention Tips

How To Protect Yourself from Email Scams, Threats and Attacks Online

Phishing prevention refers to a comprehensive set of tools and techniques that can help identify and neutralize phishing attacks in advance. 

This includes extensive user education designed to spread phishing awareness, installing specialized anti-phishing tools and programs, and introducing a number of other phishing security measures aimed at proactive phishing protection, while also providing mitigation techniques for attacks that do manage to breach security.

Email phishing prevention is much more of an art than a science.

Sure, all sorts of fancy technologies could be thrown in with the hope of blocking out phishing attempts.

The most effective approach, however, is to create a customized strategy based on the specific business context.

For example, large enterprises may benefit from enterprise-grade email security software in addition to formal email security training programs that combine user education and best practices into formal, ongoing training.

Small companies, on the other hand, may find it far more cost-effective to simply focus on employee education and best practices while keeping their software investments low.

What is certain, though, is that without adequate mechanisms to stop phishing attacks, organizations will always remain at risk of incurring serious legal and financial losses.

What is Phishing? [Definition]

Phishing is a technique used by cybercriminals to steal sensitive information such as personal details, bank account data, credit card details etc. In many cases, phishing is used simply to spread malware rather than directly solicit user action.

Phishing is a type of cybercrime in which criminals use email, mobile, or social channels to send out communications designed to steal sensitive information such as personal details, bank account information, credit card details etc. This information is then used for a variety of purposes ranging from identity theft, fraudulently obtaining funds and crippling computer systems through to securing trade secrets or even sensitive information pertaining to national security.

Phishing Attacks Explained


Almost all phishing attacks can be broadly divided into two categories:

1 – Directly tricking the user into passing on sensitive information via spoof sites

This method creates compelling communication messages that entice the user into visiting third-party, data-harvesting sites.

2 – Getting the user to install malware when a call-to-action in a communication is clicked

In this method, the fraudster entices the user to click on a download link that in turn installs malware.

While there is no fool-proof method to prevent phishing, common approaches include user education designed to spread phishing awareness, installing anti-phishing tools and programs, and introducing a number of other phishing security measures aimed at proactive identification of phishing attacks, while also providing mitigation techniques for attacks that succeed.

How to Protect Against Phishing?

User education and deploying specialized software are the two main ways in which companies can develop an effective strategy to prevent email phishing. Neither of these is likely to work in isolation, though, and companies must develop a holistic approach that combines both components for their specific business context in order to best prevent phishing scams.

In terms of a framework, the best strategy to prevent phishing is to organize the efforts into two main categories:


Prevent phishing emails from reaching users

This is best done using specialized anti-phishing software. A number of options exist on the market, each offering its own set of capabilities: handling zero-day vulnerabilities, identifying and neutralizing malware attachments, spotting man-in-the-middle attacks, detecting spear phishing emails, and solutions specialized for cloud-based email vs. ones that can be installed on on-premise mail servers operating behind firewalls. Such software is specifically designed to prevent suspect emails from reaching the target user's inbox.


Safely handle emails that do manage to reach users

This is best done by designing rigorous user education programs that help users not only identify fraudulent emails but also provide specific guidance on how to handle suspect communications.

In the sections below, we focus on safely handling emails that do manage to breach the security of the software layer. This includes guidelines on identifying suspect emails based on commonly observed historical patterns and also a set of best practices to avoid falling victim to emails that do manage to get through.

[Infographic: Phishing Prevention, courtesy Stanford University Phishing Awareness Program]

How Can You Identify a Phishing Email?

As outlined above, email phishing prevention requires both the use of specialized anti-phishing software and extensive user training on how to spot a phishing email.

Each product implements its own proprietary techniques to identify spam, but the emails that do manage to slip through need to be tackled manually.

While the ever-evolving sophistication of phishing scammers means that even email phishing protection solutions can never be 100% successful all the time, there are certain known patterns that can be observed in order to prevent phishing. These include…


Suspect grammar and punctuation

Professional copywriters go to great lengths to create emails with well-tested content, subject line, call-to-action etc. Any email that contains poor grammar or punctuation, or shows an illogical flow of content, is very likely written by inexperienced scammers and is fraudulent.


Asking for personal information

Established brands never ask you for sensitive information via email. Any message asking you to enter or verify personal details or bank/credit card information should be treated as a big red flag.


Alarming content full of warnings and potential consequences

Hackers can send messages that cause alarm by telling you that one of your accounts has been hacked, that your account is expiring, that you may lose some critical benefits immediately, or some other extreme condition that puts you in a panic. Such content is typically formatted to create alarm and a sense of urgency with the intent of driving the user to take immediate action.


Urgent deadlines

In this pattern, hackers send out an email about some pending deadline. For example, a hacker could send out a renewal email about an expiring insurance policy, or a limited validity discount on some deal that might be of interest to the target. Typically, such emails lead the users to data harvesting sites that end up stealing valuable personal or financial information.


Offer of large financial rewards

This pattern includes emails claiming that you have won a lottery when you never purchased a ticket, an offer of a large cash discount on something that you never purchased, large prize money in a contest that you never entered, and so on. The actual intention is usually to direct you to a site where the scammers can get your personal or financial information.

Obviously, these patterns are by no means all-inclusive, and creative hackers are constantly investing in clever techniques to outwit you. Effectively learning how to prevent phishing will require a similar commitment from your side.


Phishing Prevention Best Practices

The patterns presented above provide general guidelines for spotting phishing emails. In addition, there are a number of other best practices that users can follow, regardless of the presence of any specialized software, in order to prevent phishing. These include…


Avoid using public networks

Email communications over public networks are often not encrypted. Hackers could use this limitation to sniff out important information such as account usernames and passwords, saved passwords, and other financial details. Of course, rogue hackers may set up completely free hotspots and lure you into providing sensitive information even without sophisticated data sniffing technologies. A best practice to prevent phishing when using public networks is to use your mobile's tethering and hotspot capabilities to work over its 3G/4G data connection rather than relying on public networks.


Watch out for shortened links

Shortened links do not show a website's real name and hence can be more easily used to trick the recipient into clicking. Hackers can use shortened links to redirect you to fake look-alike sites and capture sensitive information. Always place your cursor on the shortened link to see the target location before clicking on it.
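The following script, an added example that is not part of the original page, applies the patterns listed in the previous section (urgency language, requests for credentials) together with this section's shortened-link and look-alike-domain checks to a constructed sample message; the phrase lists, shortener domains and `.test` hostnames are illustrative assumptions.

```python
"""Heuristic triage of a constructed sample email against the page's patterns.
Added example, not from the original page; phrase lists, shortener domains and
.test hostnames are illustrative assumptions.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

URGENCY = ("immediately", "within 24 hours", "account will be suspended", "expir")
CREDENTIAL_ASKS = ("verify your password", "confirm your card", "enter your pin")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Constructed sample message; .test domains are reserved and never resolve.
SAMPLE = """From: "Bank Support" <support@example-bank.test>
To: victim@example.test
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you
<a href="http://bit.ly/xyz">verify your password</a> immediately.</p>
<p>Visit <a href="http://login.example-bank.test.attacker.test/">example-bank.test</a></p>
"""

LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)


def triage(raw: str) -> list[str]:
    """Return human-readable red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    low = ((msg["Subject"] or "") + " " + body).lower()
    flags = []
    if any(p in low for p in URGENCY):
        flags.append("urgency language")
    if any(p in low for p in CREDENTIAL_ASKS):
        flags.append("asks for credentials")
    for href, label in LINK_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            flags.append(f"shortened link: {href}")
        shown = HOST_RE.search(label)
        # Visible link text names a domain that is not (a subdomain of) the real target.
        if shown:
            shown_host = shown.group(0).lower()
            if host != shown_host and not host.endswith("." + shown_host):
                flags.append(f"link text '{label}' but target host '{host}'")
    return flags
```

Running `triage(SAMPLE)` reports all four red flags for the sample, while a message whose link text and target agree produces none.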


Verify the target site’s SSL credentials

SSL technology ensures safe, encrypted transmission of data over the internet. If you click on an email link and land on a site, always verify its SSL credentials. A highly effective technique to prevent phishing is to never give out sensitive information (passwords, credit card details, security question answers etc.) on sites that do not have a valid SSL certificate installed. Note that a valid certificate only confirms that the connection to the domain shown is encrypted, not that the domain is the one you intended, so check the domain name in the address bar as well.


Beware of pop-ups

Using iframe technology, pop-ups can easily capture personal information and send it to a domain different from the one shown in the browser address bar. Reputable, established sites rarely ask you to enter sensitive information in pop-ups, and as a rule of thumb, no personal information should be entered in pop-ups even if they appear on domains with valid SSL and have passed all other phishing checks.

Spear Phishing Attacks

Spear phishing is a kind of a phishing attack that targets specific individuals for fraudulently seeking out sensitive information such as financial details, personal information, trade or military secrets.

The key thing to remember is that the email is about social engineering. The attacker is trying to convince someone to take an action, either because it is an expected part of their job function, or because they are motivated to act by the urgency or context of the message.

For spear phishing to work, the message needs to be sent out imitating someone already known to the target on a personal or professional level, and the message content must be timely, logical and contextual.

Spear Phishing vs Phishing

While regular phishing attacks can come from any source, spear phishing involves sending out emails from someone already known to the target. Attackers leverage a couple of important principles to make a convincing attempt at spoofing.


The difference between phishing and spear phishing…

So, unlike mass phishing attacks that simply send out random emails to a large group of people, spear phishing attacks limit their focus to highly targeted groups or even individuals. These attacks are not random and involve meticulous planning on the part of scammers, typically through social engineering techniques, in identifying targets and preparing compelling messages that solicit action.

Spear Phishing Prevention

Given their highly personalized nature, spear phishing attacks are far more difficult to prevent as compared to regular phishing scams. There is no fixed script that can be followed to prevent spear phishing, but the following best practices almost always work.


User education

Awareness and vigilance can help guard against even the most sophisticated attacks. Sketching out the anatomy of a typical spear phishing attack and outlining the perils of falling victim (personal identity fraud, financial loss to the company, loss of important trade secrets etc.) can make users more vigilant in dealing with emails involving links and calls to action.


Investing in the right technology

Spear phishing involves attackers using the emails, file sharing, and internet browsing of target users to gather information, which then leads to a targeted attack. Effectively preventing these attacks requires monitoring all these activities and, in many cases, in real time. This is why users must invest in the right technology, purpose-built for such multi-dimensional threat detection and management scenarios. This is very different from antivirus or other malware protection tools that look only at isolated instances of attack.

Spear Phishing Examples


U.S. Department of Energy Employees Spear Phished…

One of the most glaring examples of spear phishing in the public sector involves the case of Charles Harvey Eccleston, who pleaded guilty to sending out emails to U.S. Department of Energy employees. These emails carried a virus that could potentially compromise government computers and result in sending sensitive data about the US nuclear weapon program to foreign governments.


The infamous Epsilon Spear Phishing Attack…

In the corporate environment, one of the biggest spear phishing attacks was the one on email marketing services company Epsilon back in 2011. The company maintained large databases of emails from multiple corporate clients and, more importantly, some very rich behavioral data that could be a goldmine for a sophisticated scammer. The attack involved an email with a link to a malicious site, which resulted in the download of Win32.BlkIC.IMG, which disabled anti-virus software; a Trojan keylogger called iStealer, which was used to steal passwords; and an administration tool called CyberGate, which was used to gain complete remote control of compromised systems.

We know of many attacks where the payroll people were identified by their LinkedIn profiles and the attacker made it look like the email came from the CEO and CC'd the payroll manager in the message.