Most organizations that communicate by email should be aware of the risks from phishing and have anti-phishing best practices already in place. Failing to implement best practices for avoiding phishing scams can result in the theft of personal and corporate information, and the installation of malware on network devices.
However, phishing is an evolving strategy for cyber-criminals – a fact demonstrated by the increasing sophistication of phishing attacks. Therefore, organizations should constantly be reviewing and updating their anti-phishing best practices to mitigate the risks from infected email attachments, malicious links and the disclosure of login credentials.
The Nature of Phishing Attacks is Always Changing
Phishing is not a new phenomenon. It was first used against AOL subscribers in the 1990s to fraudulently obtain login credentials and has evolved considerably since. Phishing can be indiscriminate or targeted, but it always has the same objective: to obtain sensitive information that can be monetized, either directly or by installing malware onto a computer or computer network.
Despite the objective of phishing remaining constant, the nature of phishing attacks is always changing. Phishing emails, appearing to come from genuine sources, typically instruct the target to open a malware-infested attachment, click on a link to a fake website, or visit a genuine webpage that has been compromised through a vulnerability and now hosts malware. Phishing emails can appear to have come from a variety of genuine sources, including:
- From a government department or law enforcement agency.
- From a hijacked account belonging to somebody you know.
- From a financial institution claiming something is wrong with your account.
- From a business with which you have an online account.
- From an organization informing you of a lottery win/inheritance/other prize.
- From a medical agency familiar to you advising you of a health problem.
The Psychology of Phishing never Changes
The reason phishing attacks are so successful is the psychology behind them. Phishing emails are usually constructed to provoke a primal emotion – fear, curiosity, sympathy, greed, etc. – and almost always demand urgent action. In targeted phishing attacks this combination is commonly reinforced by social engineering built on research: the phisher has studied the intended target before writing the email.
By researching a target, phishers make their attacks more credible. If the phisher knows which banks, businesses and online accounts you use, which lottery games you play, which health center you attend, or which school your child attends, you are more likely to open a phishing email. Most of this information is freely available on the Internet if you know where to look. Phishing emails are even harder to ignore when they originate from the hacked account of a friend or colleague.
A Phishing Attack is Practically Inevitable
Since Ransomware-as-a-Service has been available on the Dark Web, and it has become easier for victims to buy Bitcoin in order to pay ransom demands, there has been a seven-fold increase in phishing emails reported to the Anti-Phishing Working Group (APWG) – a global data exchange, research and public awareness organization with more than 1,800 members.
Although there are many mechanisms organizations can implement to add extra layers of security to online defenses, the best protection against a phishing attack is effective employee education. Unfortunately too many organizations fail to implement a regular Training, Education and Awareness program – relying instead on induction training or annual briefing sessions.
Anti-Phishing Best Practices for Organizations
Most security professionals concur that anti-phishing best practices for organizations include regular and effective workforce training to identify phishing emails that evade detection by email filters and other detection technology. It is also important to have a mitigation strategy in place in order to limit the consequences of a phishing email that avoids identification and is acted on.
Phishing emails, particularly socially engineered phishing emails, are often highly sophisticated and are designed to pass an email filter's front-end tests. They are sent from a domain whose Sender Policy Framework (SPF) record authorizes the sending mail server (a domain the attacker registered, or a hijacked account at a legitimate one) through correctly configured SMTP. Email authentication only proves that a message came from the domain it claims to come from, not that the domain is trustworthy. Such emails are also rarely sent from blacklisted IP addresses, so they pass real-time blackhole list (RBL) checks before being delivered to the recipient's inbox.
When a phishing email evades detection by all the technological solutions available and arrives in a target's inbox, the only thing that will now stop the phishing attack from being successful is the vigilance of the intended target. In order to ensure employees remain vigilant, anti-phishing best practices for organizations should include sharing the following information:
Emails Insisting on Urgent Action
Emails insisting on urgent action do so to fluster or distract the target. Usually this type of email threatens a negative consequence if the action is not taken, and targets are so keen to avoid the negative consequences that they fail to study the email for inconsistencies or indications it may be bogus.
Emails Containing Spelling Mistakes
Most companies now use spell-checking features in email clients or web browsers to ensure their corporate communications maintain a professional appearance. Emails purporting to come from a professional source that contain spelling mistakes or grammatical errors should be treated with suspicion.
Emails with an Unfamiliar Greeting
Emails sent by friends and work colleagues usually start with an informal salutation. Those addressed to “Dear XXXXX” when that greeting is not normally used, and those containing language not typically used by friends and work colleagues, likely originate from an attacker and should not be acted on or replied to. Instead they should be reported to the organization’s IT security team.
Inconsistencies in Email Addresses
Among other anti-phishing best practices to introduce is spot-checking senders’ email addresses, especially when an email from a regular contact arrives from an unfamiliar address. Comparing the sender address against previous emails received from the same person reveals inconsistencies such as a different domain or a subtly misspelled one, even when the display name looks right.
Inconsistencies in Links and Domain Names
Links to malicious websites can easily be disguised as genuine links, because the visible text of a link and its actual destination are set independently. It is therefore advisable to encourage employees to hover the mouse pointer over a link in an email and read the destination address shown in the tooltip or status bar. If an email claims to be from (say) a business contact but the destination is an unfamiliar website, or the link text shows one address while the destination is another, the email is likely a phishing email.
Be Wary of Suspicious Attachments
File sharing in the workplace now mostly takes place via collaboration tools such as Dropbox, OneDrive or SharePoint. Emails from colleagues with file attachments should therefore be treated with suspicion, particularly if the attached file has an unfamiliar extension or one commonly used to deliver malware payloads (.zip, .exe, .scr, etc.).
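The three checks above (sender address against known contacts, link text against link destination, and attachment extensions), together with the earlier point that a passing SPF result for an attacker-controlled domain proves nothing about its trustworthiness, can be automated at the gateway or in a triage script. The following is an added example written for this page, not Cofense code and not part of the original article; the contact allow-list, trusted-domain list, extension list and both sample messages are constructed for illustration.

```python
import os
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed data: contacts the recipient regularly mails with, and the organization's own domains.
KNOWN_CONTACTS = {"alice@example-corp.com": "Alice Example"}
TRUSTED_DOMAINS = {"example-corp.com"}
# Extensions the article names as common malware carriers, plus a few others often abused.
RISKY_EXTENSIONS = {".zip", ".exe", ".scr", ".js", ".vbs", ".iso", ".lnk"}

# Constructed sample (not a real phishing email): known display name on a lookalike domain,
# SPF passing for that lookalike domain, a link whose text and destination differ, and a .zip.
SAMPLE_EML = b"""From: "Alice Example" <alice@examp1e-corp.com>
To: bob@example-corp.com
Subject: URGENT: invoice overdue, action required today
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com; dkim=none; dmarc=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Bob,</p>
<p>View the invoice at <a href="http://203.0.113.7/login">https://portal.example-corp.com/invoices</a>
or open the attached copy.</p></body></html>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed benign sample from the genuine contact, for comparison.
BENIGN_EML = b"""From: "Alice Example" <alice@example-corp.com>
To: bob@example-corp.com
Subject: Lunch?
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Want to grab lunch at noon?
"""

# Digits that attackers commonly substitute for letters in lookalike domains.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalize(domain):
    """Fold common lookalike substitutions so 'examp1e-corp.com' compares equal to 'example-corp.com'."""
    return domain.lower().translate(_HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def host_of(url_or_text):
    """Hostname of a URL; bare 'www.site.com/path' text gets a scheme so urlparse sees a netloc."""
    candidate = url_or_text if "://" in url_or_text else "http://" + url_or_text
    return (urlparse(candidate).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage(raw):
    """Return a list of findings for one raw RFC 822 message; empty means nothing suspicious."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    # Sender check: a known contact's display name paired with an address we have never seen.
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    if name in KNOWN_CONTACTS.values() and addr.lower() not in KNOWN_CONTACTS:
        findings.append(f"sender: display name '{name}' used with unknown address {addr}")
    if domain not in TRUSTED_DOMAINS and normalize(domain) in {normalize(d) for d in TRUSTED_DOMAINS}:
        findings.append(f"sender: lookalike domain {domain}")

    # Authentication results: spf=pass only shows the mail came from the domain it names.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(msg.get("Authentication-Results", ""))))
    if auth.get("spf") == "pass" and domain not in TRUSTED_DOMAINS:
        findings.append(f"auth: spf=pass for untrusted domain {domain} (not a reason to trust it)")

    # Link check: the programmatic equivalent of hovering over each link.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_host = host_of(href)
            if re.match(r"^\d{1,3}(\.\d{1,3}){3}$", href_host):
                findings.append(f"link: raw IP address destination {href}")
            if re.search(r"[\w-]+\.[a-z]{2,}", text) and host_of(text) != href_host:
                findings.append(f"link: text shows {host_of(text)} but goes to {href_host}")

    # Attachment check: extension alone, since the file is never opened here.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment: {filename} has risky extension {ext}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print(finding)
```

Run it and the constructed phishing sample produces six findings while the benign sample produces none. The homoglyph folding in normalize() is deliberately small; a production filter would compare against a larger confusables table and also check the Reply-To header, which this example leaves out.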
Emails That Seem Too Good to Be True
Emails that seem too good to be true incentivize targets to click a link or open an attachment with the promise that they will benefit by doing so. Even when phishers use social engineering to appeal to the target's curiosity or greed, the intended target has usually not initiated the contact. These emails should be flagged as suspicious at once.
Emails Requesting Login Credentials, Payment Information or Other Sensitive Information
Emails requesting login credentials, payment information or other sensitive information should always be treated with caution. By adopting the anti-phishing best practices detailed above, recipients of these emails should be able to determine whether or not they represent a threat, and deal with them accordingly.
“If You See Something, Say Something”
Conditioning your workforce to use anti-phishing best practices should be an organization-wide exercise. The likelihood is that if one member of your workforce receives a phishing email, others will too. “If you see something, say something” should be a permanent rule in the workplace, and it is essential that employers implement a supportive process so that phishing emails can be reported – even when attachments are opened or login credentials are revealed.
By encouraging employees to “say something,” your IT security team can gather, organize and analyze user reports of suspicious emails that may indicate the early stages of a more targeted cyberattack. In order for this rule to work effectively, organizations must provide a simple and responsive method for reporting suspicious emails, and one that is supportive of users who may have opened an attachment or visited a fake website.
Fast reporting enables your IT security team to implement measures that will protect the network, mitigate risks to the integrity of data, and limit the impact of infiltration by an attacker. To support the IT security team's efforts, it is recommended organizations connect with a real-time attack intelligence service to prevent time being wasted investigating false positives and to identify actual phishing attacks faster.
In this respect, we invite you to get in touch and discuss your current anti-phishing best practices with our team of security experts. Our team will be happy to explain the mechanisms within the Cofense solution that reduce employee susceptibility to phishing emails by 95%, that encourage the reporting of suspicious emails, and that provide the data your IT security team needs to act quickly and effectively on genuine phishing attacks.