By now, most people know that 91% of cyberattacks start with a phishing email. In recognition of this, companies are now beginning to offer security awareness training. According to an article on the website Dark Reading, “45% of organizations provide employees mandatory, formal cybersecurity training; another 10% give optional training.”
The objective is simple: teach employees not to click on the links in suspicious emails. Given the sophisticated nature of some phishing exploits today, that’s easier said than done. With that in mind, we present five phishing tactics being used today that are sure to trick you into clicking, no matter how much awareness training you’ve received.
Conversation Hijacking
Imagine you’re partaking in a back-and-forth email thread with someone you trust. Would you think twice about clicking on a link in one of their emails? Probably not. And that’s what makes conversation hijacking so effective.
According to ZDNet, conversation hijacking occurs when “hackers infiltrate intimate email threads between people, and use highly-customized phishing techniques to make it look as if the victim is the one sending messages back and forth.”
The easiest way to get you to click on a link in an email is to include that link in an email from someone you already trust. In other words, what starts out as a safe email between trusted parties suddenly turns dangerous.
All the phishing awareness training in the world will not protect you from this kind of attack. If someone you trust sends you a link in a back-and-forth email thread, you’re going to click on it.
Deceptive Links
One of the first things they teach you in security awareness training is to always hover your mouse over a link in an email and check where it actually points. This is sound advice. Unfortunately, it’s also something hackers can use to get you to click on a deceptive link.
A deceptive link is simply a link that looks legitimate at a quick glance. Most people are in a hurry, so they only look at the first part of the link, and if it looks good, they assume it is good.
Here is the URL displayed when hovering over a link in a Stanford University email (from an article on their website):
Does it look legitimate to you? The link is supposed to direct the user to Stanford’s Axess system. And if all you do is look at the first part of the URL, you’ll be deceived into thinking it’s the real thing and you’re going to click on it.
Invisible Links
If you think it’s hard to avoid clicking on a deceptive link, try avoiding an invisible link.
One of the newest phishing techniques is a type of clickjacking, targeted at mobile devices, which incorporates an invisible link (made invisible with the opacity setting in CSS). In its place the user sees a “bothersome” graphic element made to look like a small hair or a speck of dust. This tricks the user into wiping the hair or dust off the screen, which activates the link and opens a connection to a rogue website. Or worse, it drops some form of malware.
These “rogue wiping elements” are a form of social engineering that is almost impossible to prevent with education alone. After all, it’s human nature to want a touchscreen free of debris. The scary thing about invisible links is that you’ll click on them and not even know it.
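A small link checker, added here as an example (it is not code from the original post or from Phish Protection), that applies both points above to a constructed HTML email body: it extracts every link, tests whether the link’s host really ends in a trusted domain rather than merely starting with a familiar name, and flags anchors hidden with CSS opacity. The trusted domain `example.edu`, the sample URLs and the sample email body are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (an assumption, not from the original post): one link
# whose host merely starts with a familiar name, one link hidden with CSS opacity.
SAMPLE_EMAIL_HTML = """
<p>Your Axess session has expired.
<a href="https://axess.example.edu.account-verify.invalid/login">Sign in to Axess</a></p>
<a href="https://update.invalid/x" style="opacity:0; font-size:40px;">.</a>
"""
# Assumption: the domains this organisation expects its own links to live under.
TRUSTED_DOMAINS = {"example.edu"}

class LinkCollector(HTMLParser):
    """Collects the href and inline style of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self.links.append({"href": a.get("href") or "", "style": a.get("style") or ""})

def is_trusted_host(host, trusted=TRUSTED_DOMAINS):
    """True only if host is a trusted domain or a genuine subdomain of one;
    a trusted name at the *start* of the host (the deceptive-link trick) does not count."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)

def is_invisible(style):
    """Flag an inline style whose opacity is at or near zero (the invisible-link trick)."""
    m = re.search(r"opacity\s*:\s*(\d*\.?\d+)", style)
    return m is not None and float(m.group(1)) < 0.1

def analyse_links(html, trusted=TRUSTED_DOMAINS):
    """One finding per link: its real host plus the issues a reader would miss at a glance."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        host = urlparse(link["href"]).hostname or ""
        issues = []
        if not is_trusted_host(host, trusted):
            issues.append("untrusted-host")
        if is_invisible(link["style"]):
            issues.append("invisible-link")
        findings.append({"href": link["href"], "host": host, "issues": issues})
    return findings
```

Calling `analyse_links(SAMPLE_EMAIL_HTML)` reports the first link as `untrusted-host` (its host ends in `.invalid`, not `example.edu`) and the second as both `untrusted-host` and `invisible-link`.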
Password Reset Email
Of all the simulated phishing templates used in awareness training, the most effective is the one that looks like it comes from your IT department and requests that you reset a password. That is according to Wombat’s State of the Phish Report.
Wombat Security Technologies conducts tens of millions of simulated phishing attacks sent through its Security Education Platform each year. What it found in its most recent report is that phishing templates masquerading as a password reset alert had a near-100% click rate.
When you get an email asking you to reset your password are you going to click on it? Probably.
Links in PDFs
PDFs have become ubiquitous in business as a way of sending documents over the web and unfortunately, hackers know that. According to SonicWall Capture Labs, “there has been a substantial increase in fraudulent PDF files. [The] fraud campaign takes advantage of recipients’ trust in PDF files as a ‘safe’ file format.”
What makes it so hard to defend is that in most cases, the PDF itself is harmless. It does not contain an executable file or active malware within the document. So, antivirus software meant to screen attached documents will see the PDF as safe. And once it gets past the antivirus, you inherently trust the PDF, and that makes it more likely that you’ll click on a link inside without giving it another thought.
Awareness training is good, but hackers are better. They create classes of exploits so refined that they get most of us to click on malicious links. And unfortunately, hackers keep evolving their techniques, so we’re likely to see more of these in the future.
If you haven’t already figured it out, sooner or later you’re going to get phished and all the awareness training in the world won’t change that. You’re going to need some help. You’re going to need technology that doesn’t get fooled as easily as you do. You’re going to need an anti-phishing solution. You’re going to need Phish Protection.
Phish Protection is a cloud-based email security solution that protects you from these five phishing techniques and more. With real-time link click protection, spoofing protection and malicious attachment blocking, it relieves you of the responsibility of having to figure out which links you can safely click.
Try Phish Protection free for 30 days. No contracts to sign. No credit card required. You’ll be up and running in 10 minutes.