The practice of phishing isn’t gone. It’s just evolving.
If you received an email from a Nigerian prince offering you half his kingdom if you would just wire him $50 to support recapturing his throne, you likely wouldn’t click the link. Or claim your reward.
But what if it was an email that looked like it was from Gmail saying that someone had tried to log in to your account and you needed to immediately change your password?
What is Phishing?
Phishing traditionally refers to the practice of sending out fraudulent emails in order to get an individual to reveal personal information, such as passwords or credit card information.
Yet, as the Internet has evolved, so have attack vectors.
Now, phishing can be done through phone, text, or even social media.
Think you’re immune?
Even John Podesta & Colin Powell fell victim to it. I’d imagine those are two pretty careful guys with pretty careful staff.
How Does it Work? Social Engineering & Exploitation.
Modern attackers have come a long way since the Nigerian prince scam.
Now, phishing emails (or calls or texts) come as messages purporting to be from your bank. Or Apple. Or a colleague who desperately needs you to open an attachment.
Phishers take advantage of the trust garnered between people and institutions and exploit it. It’s social engineering and exploitation.
Attackers mirror relationships you have in your life, then exploit them.
Really savvy attackers will even go so far as to spoof a landing page that looks like the genuine thing in order to reinforce trust. For example, you click a link to reset your compromised Gmail password and are taken to a page that looks like Gmail. (In fact, this kind of congruent attack is getting even easier, with the prevalence of phishing kits.)
Depending on your browser and device, the actual URL may be hidden once the page loads.
Even so, they often use ‘similar sounding’ URLs so that they overcome any skepticism the user might have.
Of course, there’s always a form on the page and, as the user enters their information, the keystrokes and submitted data are captured and/or malware is loaded onto the user’s system. Perhaps for later use in a DDoS attack.
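The lexical tricks just described (a brand name pushed into a subdomain, look-alike spellings, hidden real hosts) can be checked mechanically before a user ever sees the page. The following is an added example, not code from the article: a small link checker that parses a URL, derives the registrable domain and reports why a host is suspicious. The allowlist, the homoglyph table and the "last two labels" notion of registrable domain are assumptions made for the example; a production version would use the Public Suffix List.

```python
"""Flag lookalike or misleading link targets (added example, assumptions noted)."""
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains the organisation trusts.
TRUSTED = {"google.com", "apple.com", "example-bank.com"}

# Constructed, non-exhaustive table of visually confusable substitutions.
# Multi-character entries come first so "rn" is folded before "n" style rules.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (assumption, no PSL)."""
    return ".".join(host.split(".")[-2:])


def fold(s: str) -> str:
    """Collapse confusable characters so g00gle.com compares equal to google.com."""
    for bad, good in HOMOGLYPHS:
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_url(url: str, trusted=TRUSTED) -> list:
    """Return a list of reasons the link is suspicious; empty means it resolves
    to a trusted registrable domain with no warnings."""
    if "://" not in url:
        url = "http://" + url          # let urlsplit see a netloc
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return ["no host in URL"]
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if "@" in parts.netloc:
        # https://google.com@evil.example/ really goes to evil.example
        reasons.append("userinfo before host: text before '@' is not the site")
    labels = host.split(".")
    if any(l.startswith("xn--") for l in labels) or not host.isascii():
        reasons.append("internationalized host: check for confusable characters")
    reg = registrable(host)
    if reg in trusted:
        return reasons                 # genuine site, modulo the warnings above
    for t in trusted:
        brand = t.split(".")[0]
        if f".{t}." in f".{host}.":
            # accounts.google.com.login-verify.example
            reasons.append(f"trusted domain {t} used as a subdomain of {reg}")
        elif brand in reg:
            reasons.append(f"brand name '{brand}' embedded in untrusted domain {reg}")
        elif fold(reg) == fold(t):
            reasons.append(f"homoglyph lookalike of {t}")
        else:
            d = edit_distance(reg, t)
            if d <= 2:
                reasons.append(f"typosquat of {t} (edit distance {d})")
    return reasons


if __name__ == "__main__":
    for u in ("https://accounts.google.com/signin",
              "https://accounts.google.com.login-verify.example/reset",
              "http://g00gle.com/reset",
              "https://google.com@evil.example/"):
        print(u, "->", assess_url(u) or "ok")
```

The checks are deliberately independent of each other so a single verdict line can list several problems (an http lookalike with userinfo gets three reasons), which is what a mail-gateway or awareness tool would want to show the recipient.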
Casting Wide Nets
Phishing works in large part by the law of averages.
Cast large nets, get some people to respond. According to Phishing.org, there are over 100 Billion (yes, with a “B”!) phishing emails sent every day.
Users who fall prey to phishing attacks are not only at risk of having malware loaded onto their machine, but also compromising their friends and contacts whose information might also be on the machine.
Attackers can then use this more specific information to carry out more targeted attacks. With more specific information and more targeted attacks, phishers can make emails, texts, and messages seem that much more authentic, raising the trust quotient that much more, and thus, the vicious cycle compounds.
Yes, You Are at Risk
In 2017, Keepnet Labs published a report on phishing (download required). In their report, they ascertained that 91% of system breaches in business are caused by a phishing attack.
Moreover, the same report found that most employees in departments that handle large scale data have trouble recognizing phishing emails.
That means your customer service reps who receive – and respond to – customer, vendor, and partner emails all day are among the most vulnerable attack vectors in your organization.
The success of phishing makes it eminently worth it to attackers; the average attack on a business nets ~$1.6M (ibid.).
What’s more, there is evidence that cybercrime is on the rise, buoyed in part by the success of social engineering and the desire of some foreign actors to influence political outcomes. In fact, Microsoft thwarted a phishing attack linked to Russian agents just ahead of the 2018 midterm elections.
How to Protect Your Organization
Naturally, you want to make sure you have your bases covered: use spam filters, set up users’ browsers to prevent fraudulent websites from opening, and force users to change passwords frequently. Have a firewall.
As with so many potential threats, one of the largest liabilities is your people. You have to make sure that you have a good user education program that helps individuals to recognize what phishing emails look like and how to discern legitimate emails/texts/calls from illegitimate ones. At the very least, circulate phishing.org’s list of 10 ways to avoid phishing scams.
(As an aside, you may even want to check isitphishing.ai’s database of phishing attempts to see which brands are most frequently represented in phishing attacks. You can also see, in real time, examples of the phishing attacks the software is catching.)
What if a User is Compromised?
While preventative software can take you part of the way towards defending against phishing attacks, the reality is that users are often your most vulnerable attack vector.
In order to mitigate any potential liability, you want to make sure you’ve not only got preventive software, but good backend software to recognize if a threat has taken place. For example, a good SIEM can mine your logs to find aberrations in behavior, browser activity, or other indicators that a phishing attack may be underway or have occurred. Backed by a good security operations team, that detection lets the appropriate measures be taken quickly to prevent any real harm – or loss – from occurring to your organization, your employees, or your stakeholders.
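Two of the log-mining rules such a SIEM would run follow directly from this article: the "wide net" pattern from the Casting Wide Nets section (one external sender and subject landing in many mailboxes at once) and the post-click pattern described here (a user submitting a form to an untrusted host that was linked in a mail they had just received). The code below is an added example, not something from the article or any SIEM product. The log format, the allowlist, the sixty-minute correlation window and the three-recipient campaign threshold are all assumptions, and the log lines are constructed for the example.

```python
"""Two phishing detections run over constructed mail-gateway and proxy logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed allowlist of registrable domains (assumption for the example).
TRUSTED = {"google.com", "corp.example"}

# Constructed sample log lines, not real data. "mail" lines come from the
# gateway, "proxy" lines from the web proxy; both use key=value fields.
SAMPLE_LOGS = """
2024-05-02T09:00:12Z mail from=<alerts@g00gle.com> to=<alice@corp.example> subject="Unusual sign-in" link=http://g00gle.com/reset
2024-05-02T09:00:14Z mail from=<alerts@g00gle.com> to=<bob@corp.example> subject="Unusual sign-in" link=http://g00gle.com/reset
2024-05-02T09:00:15Z mail from=<alerts@g00gle.com> to=<carol@corp.example> subject="Unusual sign-in" link=http://g00gle.com/reset
2024-05-02T09:01:00Z mail from=<hr@corp.example> to=<alice@corp.example> subject="Lunch" link=https://intranet.corp.example/menu
2024-05-02T09:03:40Z proxy user=alice method=POST host=g00gle.com path=/reset
2024-05-02T09:05:10Z proxy user=bob method=GET host=g00gle.com path=/reset
2024-05-02T09:06:00Z proxy user=bob method=POST host=accounts.google.com path=/signin
2024-05-02T12:30:00Z proxy user=carol method=POST host=g00gle.com path=/reset
""".strip().splitlines()

# key=value where the value is "quoted", <angled> or a bare token.
KV = re.compile(r'(\w+)=(?:"([^"]*)"|<([^>]*)>|(\S+))')


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a parsed timestamp and event kind."""
    ts, kind, rest = line.split(" ", 2)
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "kind": kind}
    for key, quoted, angled, bare in KV.findall(rest):
        event[key] = quoted or angled or bare
    return event


def registrable(host: str) -> str:
    """Naive registrable domain: last two labels (assumption, no Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def detect(lines, trusted=TRUSTED, window=timedelta(minutes=60), campaign_min=3):
    """Return alert tuples: ('campaign', sender, subject, recipients) and
    ('credential_submission', user, host, iso_timestamp)."""
    events = [parse_line(l) for l in lines]
    alerts = []

    # Rule 1: the wide net. One external sender + subject reaching many mailboxes.
    by_lure = defaultdict(set)
    for e in events:
        if e["kind"] == "mail" and registrable(e["from"].split("@")[1]) not in trusted:
            by_lure[(e["from"], e["subject"])].add(e["to"])
    for (sender, subject), rcpts in by_lure.items():
        if len(rcpts) >= campaign_min:
            alerts.append(("campaign", sender, subject, len(rcpts)))

    # Rule 2: a POST to an untrusted host that was linked in a mail the same
    # user received within the window. A GET alone is just a click; the POST
    # is where credentials usually leave the browser.
    delivered = defaultdict(list)          # user -> [(mail_ts, linked_host)]
    for e in events:
        if e["kind"] == "mail" and "link" in e:
            delivered[e["to"].split("@")[0]].append((e["ts"], urlsplit(e["link"]).hostname))
    for e in events:
        if e["kind"] != "proxy" or e["method"] != "POST":
            continue
        if registrable(e["host"]) in trusted:
            continue
        for mail_ts, link_host in delivered.get(e["user"], []):
            if link_host == e["host"] and timedelta(0) <= e["ts"] - mail_ts <= window:
                alerts.append(("credential_submission", e["user"], e["host"], e["ts"].isoformat()))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the sample data the campaign rule fires once (three recipients of the same lure) and the submission rule fires only for alice: bob posted to a trusted host, and carol's POST falls outside the correlation window, which is exactly the kind of tuning decision an operations team makes when it reviews the rule's false negatives.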