Most organizations that communicate by email should be aware of the risks from phishing and have anti-phishing best practices already in place. Failing to implement best practices for avoiding phishing scams can result in the theft of personal and corporate information, and the installation of malware on network devices.
However, phishing is an evolving strategy for cyber-criminals – a fact demonstrated by the increasing sophistication of phishing attacks. Therefore, organizations should constantly be reviewing and updating their anti-phishing best practices to mitigate the risks from infected email attachments, malicious links and the disclosure of login credentials.
The Nature of Phishing Attacks is Always Changing
Phishing is not a new phenomenon. It was first used against AOL subscribers in the 1990s to fraudulently obtain login credentials and has evolved considerably since. Phishing can be indiscriminate or targeted, but always has the same objectives – to obtain sensitive information that can be monetized, or to install malware on a computer network that encrypts data until a ransom is paid.
The nature of phishing attacks is always changing. Phishing emails – appearing to come from genuine sources – often instruct the recipient to visit a bogus web page where they are asked to disclose their log-in credentials. Alternatively they may be invited to open a malware-infested attachment, or click on a link to visit a genuine webpage that has had its vulnerabilities exploited and harbors malware.
A Phishing Attack is Practically Inevitable
A seven-fold increase in the number of phishing emails was identified during the first half of 2016, with a significant increase in the percentage of phishing attacks attempting to deliver ransomware – the easiest form of malware to monetize. The scale of the threat to industry is huge, as most phishing attacks are opportunistic, indiscriminate and automated.
Although there are many mechanisms organizations can implement to add extra layers of security to online defenses, the best protection against a phishing attack is effective employee education. Unfortunately, too many organizations fail to implement a regular Training, Education and Awareness program – relying instead on induction training or annual briefing sessions.
Anti-Phishing Best Practices for Organizations
Most security professionals concur that anti-phishing best practices for organizations include regular and effective workforce training to identify phishing emails that evade detection by email filters and other detection technology.
Phishing emails – particularly socially engineered phishing emails – are often highly sophisticated, and are designed to evade detection during an email filter's front-end tests by being sent from domains with valid Sender Policy Framework (SPF) records and correctly configured SMTP controls. They are rarely sent from blacklisted IP addresses, and therefore pass real-time blackhole list (RBL) checks before being delivered to the recipient's inbox.
When a phishing email arrives in a recipient's inbox, the only thing that will now stop the phishing attack from being successful is the vigilance of the employee. In order to ensure the vigilance of the employee, anti-phishing best practices for organizations should include sharing the following information:
Emails Insisting on Urgent Action
Emails insisting on urgent action do so to fluster the recipient. Usually this type of email threatens a negative consequence if the action is not taken, and recipients are so keen to avoid the negative consequences that they fail to study the email for inconsistencies or indications that it may be bogus.
Emails Containing Spelling Mistakes
Most companies now employ a spell-checking facility in the email client or web browser to ensure that communications maintain a professional appearance. Emails containing spelling mistakes or grammatical errors are likely indicators that the email is not genuine.
Emails with an Unfamiliar Greeting
Emails sent by work colleagues usually start with an informal salutation. Those addressed to “Dear XXXXX” when that greeting is not normally used, and those containing language not often used by work colleagues, are signs the emails could originate from an attacker and should be reported.
Inconsistencies in Email Addresses
Among other anti-phishing best practices to introduce is the random checking of email addresses – especially when one looks suspicious. By checking the sender's address against previous emails received from the same correspondent, it is possible to detect inconsistencies.
Inconsistencies in Links and Domain Names
Links to malicious websites can easily be disguised as genuine links. Hovering the mouse pointer over a link in an email reveals the actual destination address in a pop-up. If an email claims to be from (say) a business contact, but the pop-up indicates an unfamiliar website, the email is likely a phishing email.
Be Wary of Suspicious Attachments
File sharing in the workplace now mostly takes place via file-sharing facilities such as Dropbox. Therefore emails from colleagues with attachments should be treated suspiciously – particularly if the attachment has an unfamiliar extension or one commonly used to deliver malware payloads (.zip, .exe, .scr, etc.).
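The three checks described above (the sender's address against the address previously used by that correspondent, the text of a link against its real destination, and the attachment extension), together with the point that a passing SPF result is not evidence of a genuine message, can be scripted as a first-pass triage for a reported email. The following is an added example written for this page, not code from the original article: the sample message, the address book of previously seen correspondents, the urgency and generic-greeting word lists, and the extended extension list are all constructed assumptions.

```python
"""Heuristic checks for phishing indicators over a parsed email message (added example)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Extensions commonly used to deliver payloads: the article's list (.zip, .exe, .scr)
# plus a few assumed additions. Adjust to your own environment.
RISKY_EXTENSIONS = {".zip", ".exe", ".scr", ".js", ".vbs", ".iso", ".lnk"}

# Constructed address book: display name -> address this correspondent used in earlier genuine mail.
KNOWN_CONTACTS = {"Alice Example": "alice@example-partner.com"}

# Constructed sample message (not a real email). Note that SPF passes, yet it shows
# several of the indicators from the article: look-alike sender domain, link text that
# does not match the real destination, a generic greeting, urgency, and a .zip attachment.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=alice@example-partner.co
From: "Alice Example" <alice@example-partner.co>
To: bob@example.com
Subject: URGENT: invoice overdue - action required today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Valued Customer,</p>
<p>Please review the invoice at <a href="http://example-partner-invoices.net/login">https://example-partner.com/invoices</a> immediately.</p>
</body></html>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""


def registrable_domain(host):
    """Crude last-two-labels comparison; good enough for the sample, not a public-suffix parser."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def spf_result(msg):
    """SPF verdict recorded by the receiving MTA. A 'pass' only means the sending server
    was authorised for the envelope domain; a look-alike domain the attacker controls passes too."""
    m = re.search(r"spf=(\w+)", str(msg.get("Authentication-Results", "")))
    return m.group(1).lower() if m else "none"


def check_message(raw, known_contacts=KNOWN_CONTACTS):
    """Return (spf_verdict, list of human-readable findings) for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Sender address vs the address this correspondent used before.
    name, addr = parseaddr(str(msg["From"]))
    expected = known_contacts.get(name)
    if expected and addr.lower() != expected.lower():
        findings.append(f"sender address {addr} differs from known address {expected} for '{name}'")

    # 2. Link text vs real destination (what a mouse hover would reveal).
    html = ""
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        html = html_part.get_content()
        for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, flags=re.I | re.S):
            href_host = urlparse(href).hostname or ""
            shown = text.strip()
            shown_host = urlparse(shown).hostname if shown.startswith(("http://", "https://")) else None
            if shown_host and registrable_domain(shown_host) != registrable_domain(href_host):
                findings.append(f"link text shows {shown_host} but points to {href_host}")

    # 3. Generic greeting where the correspondent would normally use a personal one (assumed word list).
    body_text = re.sub(r"<[^>]+>", " ", html)
    if re.search(r"\bDear (Valued )?(Customer|User|Member)\b", body_text, re.I):
        findings.append("generic greeting instead of the correspondent's usual salutation")

    # 4. Attachment extensions commonly used for payloads.
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = "." + fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {fname} has risky extension {ext}")

    # 5. Urgency language in the subject (assumed word list).
    subject = str(msg["Subject"] or "")
    if re.search(r"\b(urgent|immediately|action required)\b", subject, re.I):
        findings.append(f"subject uses urgency language: {subject!r}")

    return spf_result(msg), findings


if __name__ == "__main__":
    verdict, hits = check_message(SAMPLE_EMAIL)
    print(f"SPF result: {verdict} (not a reason to trust the message)")
    for hit in hits:
        print(" -", hit)
```

The checks are deliberately simple string and header comparisons so that the logic is easy to audit and extend; the point they make is the article's own: a message can pass SPF and RBL checks and still show every indicator an alert employee would spot.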
Emails That Seem Too Good to Be True
Emails that seem too good to be true incentivize recipients to click a link or open an attachment with the promise that they will benefit by doing so. Typically recipients have not initiated contact and the sender of the email is unknown to them. These emails should be flagged as suspicious at once.
Emails Requesting Login Credentials, Payment Information or Other Sensitive Information
Phishing emails first started in the 1990s, when dial-up AOL subscribers 'phished' for the login credentials of other AOL subscribers when their free trial was up so that they could continue using the Internet for free. Although the manner in which phishing attacks are conducted has evolved, the basic objective is still the same.
Emails requesting login credentials, payment information or other sensitive information should always be treated with caution. By adopting the anti-phishing best practices detailed above, recipients of these emails should be able to determine whether or not they represent a threat, and deal with them accordingly.
“If You See Something, Say Something”
Conditioning your workforce to use anti-phishing best practices should be a workforce-wide exercise. The likelihood is that if one member of a workforce receives a phishing email, others will too. “If you see something, say something” should be a permanent rule in the workplace, and it is essential that employers implement a supportive process so that phishing emails can be reported – even when opened.
A supportive process will prevent the scenario in which a member of the workforce is concerned about the consequences of opening a phishing email and avoids reporting it. Fast reporting enables security personnel to implement measures that will protect the network and the integrity of data, and limit the impact of infiltration by an attacker. Further anti-phishing good practices include identifying which of the workforce spots actual phishing emails in order to prioritize action when multiple reports are received.