IT Admin's Guide to Protecting Against Phishing Attacks

Cybersecurity is a major concern for businesses large and small across all industries. Yet, most individuals envision cyberattacks as the high-level attacks that make the news or are the plot for a suspenseful movie or TV drama. While it's true that the results of cyberattacks on various businesses are catastrophic, the initial beginning of such an attack often goes unnoticed in the form of phishing. Sophisticated cyberattacks occur in stages that begin by exploiting vulnerabilities. For most attackers, phishing offers the easiest and most effective way to gain access to a network.

As data breaches, ransomware, and other cyberattacks become more well-known as a threat to all businesses, organizations are strengthening their security posture to avoid such attacks. Recent legislation has also been passed to provide guidelines for businesses, organizations, and governmental departments to protect sensitive data from attacks. These efforts make it harder for threat actors to gain easy access to a network. For hackers, a successful phishing attack provides access to a network that is otherwise secure. By exploiting the actions of humans instead of seeking security gaps, bad actors can have a door opened for them that will allow them to get closer to their true objective.

It's likely that most people who use modern technology during their workday are aware that phishing exists. Unfortunately, that knowledge doesn't necessarily translate into the ability to recognize an attack. Even worse, falling for such an attack rarely stops with the initial breach. Phishing attacks may be used to introduce malware, export sensitive data, steal money, or allow a bad actor to move laterally through a network to gain more control.

According to Verizon's 2021 Data Breach Investigation Report, 85% of breaches involved a human element. In order to protect organizations from cyberattacks of all types, it's essential for business leaders to understand what phishing attacks are, why they're so effective, and how to prevent them. 

What is Phishing?

The term phishing is an analogy that relates to the act of fishing with a baited hook. Simply put, phishing describes a group of activities that prey on the trust of employees. These sophisticated attacks usually involve deception in which a bad actor assumes the identity of a trusted coworker or company leader through email, SMS, phone calls, or other non-visual correspondence. The correspondence serves as the bait and the employee is the fish. Unfortunately, there is nothing simple about the variety of techniques used by sophisticated attackers to gain access to a network. Even worse, when a phishing attack goes undetected, significant damage can occur during a short period of time. 

While phishing attacks are typically financially motivated, they are often just one stage in a larger attack, and the initial correspondence may not include clues that relate to financials. To effectively protect any organization against phishing attacks, it's essential to know the types of attacks that most frequently result in success.

Most Common Phishing Techniques

It's easy to assume that phishing comes in the form of easily identifiable emails from a stranger clearly making an effort to receive financial compensation. However, modern phishing techniques are rarely so transparent and most often assume the identity of a trusted organization or person within the targeted company. While the bulk of phishing attempts come in the form of an email, there are a variety of attacks that fall under the vast umbrella of phishing and more techniques that continue to evolve. These are some of the most common phishing techniques used to gain a victim's trust.

Email/Spam

Known as an easy target, attackers rely on email to launch the majority of phishing attacks. Phishing emails may seem to come from within the targeted company or from a trusted brand used by the employer. These emails are most convincing when the attacker masquerades as a trusted brand or individual and uses a subject of an urgent nature. Common attack techniques suggest the victim has a problem with an existing account or require the user to enter credentials to update account information.

Spear Phishing

A highly targeted form of phishing, spear phishing works to target a specific individual with personal knowledge obtained through research. Unlike mass email phishing attacks, a spear-phishing attack is more likely to address the victim by name and include requests that closely mirror the user's typical activities. These emails are much harder to detect and may appear to come from an executive within the company.

Brand Impersonation

By impersonating a brand that a victim already interacts with, attackers are more likely to entice an immediate reaction. An attacker may target your customers by impersonating your brand or your employees by pretending to be other brands you interact with as a business. Some of the most frequently impersonated brands include Microsoft, PayPal, Adobe, DHL Shipping, FedEx, and well-known banks. More targeted attacks may appear to come from third-party companies your organization does business with. Brand impersonators may use email, download recommendations, or account updates to get victims on the hook.

Business Email Compromise (BEC)

This advanced form of phishing takes place when an attacker has conducted research about critical business functions. The most common forms of BEC include business email takeover, user impersonation, invoice schemes, and data theft. Account takeover can be almost impossible to detect since the attacker is in control of a legitimate email account. By impersonating important officials in the company or someone related to company business (like an attorney) attackers can steal credentials, divert funds, or get paid for false invoices.  

Smishing (SMS Phishing)

Since company correspondence takes a variety of forms, a text might be used to coerce information from the victim of an attack. Smishing may target victims with an included link or more advanced smashing techniques may be used alongside other tactics to approve a transfer of funds or other action that may seem unusual.

Vishing (Voice Phishing)

Attackers can use phone calls to gain information or convince victims to take actions that compromise a network. Within a business, vishing is usually targeted and may be used alongside a phishing email. The attacker will likely address the victim by name and request sensitive information to tackle an unusual situation or immediate problem.

Trojans

Like the Trojan horse in Greek mythology, this attack is designed to mislead the victim into performing a seemingly legitimate action. Trojans often appear as a necessary download or update requirement to continue using an existing service. For example, an employee may assume they're updating Adobe software or a Microsoft platform, when instead, the download request is a convincing fake containing malware.

Evil Twin Wi-Fi

The use of public Wi-Fi for business use is on the rise due to an increase in remote workers. Hackers exploit this use by setting up their own Wi-Fi network to imitate that of guest service. When victims access the malicious network, hackers can intercept any information used during the session.

Malvertising

At first glance, it may seem like this technique would only be effective for devices designed for personal use. It is the act of using malicious advertising that contains active links or downloads to import malware or other unwanted content into a network. Common exploits include Adobe PDF and Flash.

Domain Spoofing

This technique is a spin on email phishing or website forgery that appears to use the domain of the company under attack. Domain spoofing usually uses false emails or websites that appear almost identical to the real thing. Commonly, a very close misspelling (like rn in place of m) combined with accurate visual designs like logos or email design can easily trick the eye into believing what the mind expects.

Session Hijacking

This type of attack occurs when a valid user is already logged into an account. Often, these attacks take advantage of public Wi-Fi use or lax website security. Session hijacking may be accomplished if the attacker can obtain the session cookie, convince users to click on a link during the session or intercept the session with an email link that directs the user to a malicious site.

Content Injection

This attack occurs when an attacker changes part of the content on a page of a legitimate website. Most often the change is used to mislead the user to go to a page outside of the website to complete actions already in process. When the victim is directed to the new page, login credentials will be required, so the attacker can steal them. This attack may be effectively used when employees are working with a trusted third party.

Why Phishing Attacks Are so Effective

It preys on human nature, modern technology, and the fact that all machines are ultimately run by humans. When hackers target individuals, they don't have to devise attacks that can outsmart the highest levels of technology. They simply have to find the right technique to get someone to open the door. Consider how difficult it might be for a thief attempting to get past an elaborate security system compared to one who can charm their way into a building to discreetly carry out a crime. These are just a few ways the very nature of phishing makes it effective.

• Attacks prey on shared human vulnerability. Spam phishing attacks hide among a deluge of unnecessary tasks to take advantage of weary, time-strapped employees. Spear phishing exploits urgency and fear. Hackers know what it feels like to be human and work to bring out the humanity in their victims.
• Phishing can continually evolve to fit changing times and technology. The sheer volume of different types of phishing attacks makes it nearly impossible for organizations to keep up with the possible risks. In 2020, 6.95 million new phishing and scam pages were created. The potential for different phishing attacks is only limited to the number of ways people can be deceived.
• Modern technology makes phishing attacks look legitimate. Early "Nigerian prince" phishing attempts were easy to dismiss. However, today's phishing attempts can convincingly masquerade as trusted brands, reliable financial institutions, and even your supervisor or company CEO.
• Phishing attempts are relatively inexpensive for hackers. Phishing attacks are easy to create and deploy at scale. This makes failed attacks worth the effort and successful ones easier to pull off. With both email lists and phishing kits available on the dark web, a specific type of attack can be used over and over. 
• Employees are often undereducated about the risks and methods of phishing. Many companies think they aren't a target for cyberattacks. Even more, they don't have the funds to invest in cybersecurity. When business leaders don't focus on the importance of cybersecurity, employees are never educated with information about the different types of attacks that exist or the potential dangers of a single click.

How to Avoid Being the Victim of a Phishing Attack

With all the benefits that phishing attacks provide hackers, it would seem that businesses don't have a chance. Luckily, the mere existence, or even the prevalence, of phishing attacks doesn't mean that every business will be doomed to lose millions to a cyberattack. However, you can rest assured that most businesses (regardless of size or industry) will eventually become the target of an efficient phishing attack. That's why it's important to be armed with the knowledge and tools that will make you ready for such an attack. 

To be truly prepared to prevent successful phishing attacks, your organization will need a layered approach to protection. A successful defensive front includes education, tools, and a commitment to diligence. These tips and techniques can help you develop a strong cybersecurity posture that provides a layered defense against phishing attacks. 

Develop and Enforce a Written Cybersecurity Policy

While large businesses and well-known corporations are at the center of media reports focused on cyberattacks, small and medium businesses are actually more likely to be attacked. Although the payoff might not have as much to offer, smaller businesses represent an easy target that is less likely to be effectively secured. That's why it's essential for every business to have a well-developed cybersecurity plan. Your organization's security plan should identify key assets and relevant threats, document cybersecurity practices and policies, and outline tests for vulnerabilities. 

Generating an effective cybersecurity policy isn't a task that will be completed with ease and might require assistance from cybersecurity professionals. Typically, you can expect to take the following steps to develop and document your organization's cybersecurity policy.

• Perform an assessment to consider the effectiveness of current procedures and tools.
• Document assets and sensitive data and identify the related risks.
• Identify all devices, cloud platforms, and remote devices used to send, store, and access sensitive data.
• Document rules for handling sensitive data, login credentials, passwords, email, and social media.
• Outline response actions to be taken in the event of a breach.
• Define how and when the policy will be tested and updated.
• Post the policy in areas where all employees can access it regularly.

Invest in Tools that Help Shoulder Cybersecurity Burdens

It's true that phishing attacks are designed to elicit actions from humans. However, the right tools can stop phishing attacks from ever getting to their intended target. To combat the many approaches to phishing attacks, it's essential to have a layered security stack that detects malicious correspondence and identifies attacks in progress. Additional tools can be used to automate alerts and incident response. Security tools can be used to add specific rules to email tasks and other business actions that phishing attacks are likely to target. These rules can be used to require users to set strong passwords, use two-factor authentication, ask for verification before performing certain actions, and limit privileged access.

The technology your company uses to provide effective cybersecurity protection against phishing attacks should address blocking attacks as well as assisting network users in avoiding mistakes. Email security begins with effective spam filters. These filters can take a big step in the right direction when custom filtering rules are applied. Other common elements of phishing can be addressed by cybersecurity tools as well. Efficient protection will include malicious file detection, malicious URL detection, and auto-blocking of links. Finally, it's essential to have phishing protection that integrates with your existing platforms, SIEM solution, and automated workflows.

Invest in Employee Education

Phishing attacks don't target machines. They target humans. This means your employees can be either the strongest or weakest links in your defense against phishing attacks. Every employee within an organization should have some knowledge about the most common phishing attacks and know company protocols surrounding emails, links, and downloads. Companies that accomplish this level of awareness build a healthy cybersecurity culture that prioritizes essential protection efforts in everyday tasks. Phishing training should include these steps.

• Educate network device users about discreet phishing attempts that target business email and other correspondence.
• Create policies that define rules for setting passwords, using business email accounts, sharing documents, and remote work.
• Utilize anti-phishing settings provided by email platforms.
• Develop a testing program to routinely test users' ability to recognize phishing attacks.
• Define specific processes for working with key tasks like making payments and ensure all staff members are familiar with these actions.
• Identify what qualifies as an important or unusual email request, and require an additional type of verification for these requests.
• Communicate your organization's normal procedures to third-party partners, so they will recognize unusual behavior.
• Define an effective process for reporting when phishing attempts may have succeeded, and encourage all staff members to report phishing.

Focus on Email Security 

94% of malware is delivered by email. It is the platform that most phishing attacks exploit. Although businesses and individuals have long been aware of the limited security provided by default email settings, the issue is often ignored. Platforms like Microsoft 365 offer email protection. However, without proper optimization, a security program alone won't provide the protection a business requires. Effective email security requires trusted email security software and email security best practices that include:

• Multi Factor Authentication
• Disable Auto Forwarding for all Emails
• Use of Trusted WiFi Networks
• Email Encryption

Understand the Value of Post-Breach Response

Cyberattacks evolve every day. Unfortunately, there is no guarantee that even the strongest defense will keep out sophisticated hackers with unknown attack methods and new vulnerabilities. While early cybersecurity efforts (like firewalls) focused solely on threats making their way into a network, modern tactics and tools work to detect and respond to discreet attacks already in progress.

A phishing attack is often the first stage in a larger attack. When your cybersecurity tools work to identify the actions threat actors take within your network during an attack, these attacks are more likely to be diverted before damage occurs. That's why the most effective cybersecurity solutions move beyond detection to identify when a breach has already occurred. Your SIEM system can generate automated alerts of suspicious behavior that occurs within your network. With this capability, organizations can detect successful phishing attacks and intercept them with incident response techniques before additional damage occurs.

Phishing is one of the most effective and lucrative attacks performed by threat actors. Modern sophisticated attacks are difficult to detect and easy to deploy at scale. Prepackaged phishing kits make it possible for inexperienced attackers to use the same types of attacks as experienced coding experts with similar levels of success. For businesses hoping to protect against all types of cybersecurity attacks, it's essential to understand the dangers of phishing attacks and their relationship to major malware attacks and expensive security breaches.

By taking preventative actions and improving your overall cybersecurity posture, you can help protect your organization against the dangers of phishing attacks. Working to protect your business against phishing attacks will never be an easy task. It's also not something you have to take care of on your own. If you struggle to unite the tools and professional skills you need to successfully prevent phishing attacks, get in touch with the cybersecurity experts at BitLyft to learn more about how we can help.