Everything you need to know about phishing


Phishing attacks are on the rise, and they are increasingly costly for businesses. The most recent State of the Phish Report indicates that 76 percent of information security professionals saw their organisation hit by a phishing attack in 2017, and Verizon reports that 90 percent of all cyber attacks (ransomware incidents increasingly among them) begin with a phishing email.

That means malicious email should be top of mind for businesses. However, many companies still do not quite understand the breadth and scope of the phishing problem, the potential risks, or even what phishing truly is.

What counts as phishing?

Any attempt to obtain information or money using a fraudulent email counts as phishing. Phishing emails spoof the look and feel of a genuine message from a trusted source, either a person or, more often, a company such as Amazon, Google or PayPal. They create a sense of urgency: the recipient must follow a link and enter their credentials on the page it leads to, either to head off some adverse event (an email account being shut down, a fraudulent charge being processed) or to double-check an account balance.

Once the victim logs in on the fake page, the credentials are captured, or their computer may be infected with malware or ransomware. Cyber criminals then use the stolen data to take over accounts, steal money or make fraudulent purchases.

Phishing scams usually rely on link manipulation: URLs that are misspelled or otherwise crafted to resemble legitimate ones, or link text that reads as one address while the underlying link points somewhere else. Phishers often embed the message as an image rather than text so that content filters have nothing to scan. More sophisticated approaches include a covert redirect, where the link genuinely points at a trusted site but a login popup or redirect on that site hands the user on to the attacker.

There are a few common approaches:

  • Spear phishing is an increasingly common attack directed at a specific individual or company. Attackers usually gather information about the target or targets beforehand so that the email can be tailored to the people it is meant to manipulate.
  • Clone phishing takes a legitimate, previously delivered email that carried an attachment or link, and reproduces its content and sender address almost exactly. The original attachment or link is then swapped for a malicious one.
  • Whaling attacks are directed at senior executives or other high-profile targets. These scams usually take the form of important business or legal emails and have even included forged subpoenas.
  • SMS phishing, or smishing, uses mobile text messages to harvest personal information from recipients.


Low-tech security strategies

While email filters and other security technologies can help block phishing emails before they reach your customers' inboxes, the criminals behind these scams constantly update their techniques to avoid detection. Phishing relies heavily on psychological manipulation, so the end user, not the filter, is usually the point at which an attack succeeds or fails.

Even basic, low-tech strategies can help you protect your business and your customers from the costs and consequences of a phishing attack. Those include:

Training

Provide end-user awareness training to help staff recognise the tell-tale signs of phishing: misspelled website names, oddly named attachments, and so on. Employees should hover over embedded links to reveal the real destination before clicking, and check that it matches the site the text claims to point to. They should also look at the actual sender address rather than just the display name. Hovering is not always possible on mobile clients, so a suspicious message is best re-read on a desktop before any link is followed.

Make sure they also know best practices, like never logging into a website they reached via an email link. If a message says an account needs attention, open the site from a bookmark or by typing the address, not from the email.
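The link-manipulation tricks described earlier and the "hover over the link" check above can be automated. The following Python script is an added example for this article, not code from Barracuda or the author: it parses the HTML body of an email, extracts every link, and flags links whose visible text names one domain while the real destination is another, and links whose destination is a lookalike of a trusted domain or buries a trusted name inside a subdomain. The trusted-domain list and the sample email are constructed for the demo.

```python
"""Automated 'hover over the link' check for an HTML email body.

Added example for this article (not Barracuda code). Two checks:
  1. visible link text that reads as an address must match the real href;
  2. the href host must not be a near-misspelling of a trusted domain or
     hide a trusted brand name inside a subdomain.
The trusted-domain list and sample message are assumptions for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands this organisation expects to hear from.
TRUSTED_DOMAINS = ("paypal.com", "amazon.com", "google.com")

# Constructed sample email body: one clean link and two manipulated ones.
SAMPLE_EMAIL = """
<p>Your account has been limited. Please <a href="http://paypa1.com/login">
https://www.paypal.com/account</a> within 24 hours.</p>
<p>Or <a href="http://paypal.com.secure-login.net/">verify your account</a>.</p>
<p><a href="https://www.amazon.com/orders">View your order</a></p>
"""


def registrable_domain(host):
    """Crude registrable domain: the last two labels. Enough for the demo;
    a real deployment should use the Public Suffix List (co.uk etc.)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to catch paypa1.com / goggle.com style
    misspellings of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(s):
    """Hostname of a URL or bare domain, lower-cased; '' if there is none."""
    s = s.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so wrapped link text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def check_link(href, text):
    """Return a list of human-readable findings for one link (empty = clean)."""
    findings = []
    href_host = host_of(href)
    href_dom = registrable_domain(href_host)

    # Check 1: text that reads as an address must match the real destination.
    if "." in text and " " not in text:
        text_dom = registrable_domain(host_of(text))
        if text_dom and text_dom != href_dom:
            findings.append(f"text shows {text_dom} but link goes to {href_dom}")

    # Check 2: near-misspelling of, or buried, trusted domain.
    if href_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if edit_distance(href_dom, trusted) <= 2:
                findings.append(f"{href_dom} is a lookalike of {trusted}")
            elif brand in href_host.split("."):
                findings.append(f"{href_host} hides the trusted name '{brand}' in a subdomain")
    return findings


def scan_email_html(html):
    """Return [(href, text, findings), ...] for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, findings in scan_email_html(SAMPLE_EMAIL):
        print(("SUSPICIOUS" if findings else "ok").ljust(10), href, f"(text: {text!r})")
        for finding in findings:
            print("           -", finding)
```

Run as-is, the script reports the first link twice (the text claims paypal.com while the href goes to paypa1.com, and paypa1.com is one character away from paypal.com), flags the second for hiding "paypal" in a subdomain of secure-login.net, and passes the genuine Amazon link. The registrable-domain logic is deliberately simple; anything beyond a demo should use the Public Suffix List so that two-level country domains are not misread.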

Designated Email Addresses

If the business regularly receives legitimate emails for financial transactions, for example, it could set up specific email addresses just for those requests. Limit the exposure of these addresses on public sites; the fewer places an address appears, the smaller its target footprint when it comes to phishing.

Code Names/Code Words

Code names aren't just for spies. Employees or clients could agree on specific email formats or code words for correspondence that let the recipient know the email is legitimate. Bear in mind that a code word is only as secret as the mailboxes it travels through: if an account is compromised, the attacker can read it too, so treat it as one signal rather than proof.

Enforce Email Policies

Set up policies to minimise the number of sensitive transactions that occur via email. If employees know that financial authorisations are only ever made in person or over the phone, for example, a phishing email asking them to approve a payment stands out as abnormal and is much less likely to work.

Phishing is a growing and constantly evolving threat, so it is important to stay up to date on the latest threats and what steps your organisation can take to mitigate these attacks.

Jason Howells, EMEA Sales Director at Barracuda MSP