Phishing is fast becoming malware’s favourite vector, proving to be incredibly pervasive with 76 percent of businesses having reported to being a victim of a phishing attack in the last year. The scams are all-encompassing. Numerous instances, like the case of the hacking of Clinton’s campaign chair and tech giants Facebook and Google losing $100M to a supplier impersonator, show that even the most tech-savvy and sophisticated can be phished too. Phishing scams also “keep up with the times,” using popular baits such as the 2018 World Cup in Moscow and GDPR to exploit the “human factor.”
Phishing is a critical security issue that can trick even the most diligent, security-minded users. How do you protect your organization from being another phish in the sea? Let’s start by understanding how phishing works and then move on to practical pointers to avoiding biting the bait.
The Anatomy of the Phish
What is it?
Phishing “is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising as a trustworthy entity in an email or instant message.” Basically a very well-disguised email with a malware link or one that will extract personal information. “Phishing” first entered popular culture in 2004 with the first “phishing” lawsuit filed against a Californian teenager who extracted credit card information with a fake America Online website.
Since then it has been consistently widening its tentacles year after year. In 2018, the number of phishing attacks rose by 27.5% to reach over 137 million. As it has grown, it has spawned multiple variants such as smishing and vishing — phishing via SMS/text messaging and via phone calls respectively. Based on the target, phishing can be termed “spear-phishing,” which is an attempt to steal information from a specific victim and “whaling” where the target of the phishing attack is in the C-Suite.
How does it Work?
Just like fishing, phishing employs the same mechanism; leading with an irresistible bait that results in disastrous consequences for the victim. Hackers cleverly mimic emails of popular legitimate websites with attractive click baits that are hard to avoid. Intelligent social engineering is used to lure the smartest to make the fatal click. It could be your “CEO” emailing you a link to a “meeting invite,” a WhatsApp message from your “friend who just changed her number” asking you to check out photos from her vacation, Netflix saying ITunes has canceled your membership and asking you to “click to restart it,” an “IRS refund,” … the list goes on and gets more refined by the day.
No matter the type of phishing, it has two main aims:
1 – Steal Personal Information: The link in the well-disguised phishing email opens a malicious site that hides behind an impersonated trusted domain, like a banking/credit card site. It then asks you to urgently enter personal information. The information you provide can be used to immediately effect some damage (steal money from your account, spam others in your contact list, etc.) or it can be sold on the Dark Web causing more widespread devastating consequences such as pervasive identity theft.
2 – Trigger Malware: In this case, the phishing link opens an attachment carrying malware such as ransomware, cryptophishing, etc.. Phishing is, in fact, the most widely used vector for spreading other types of malware.
More importantly, it gives the attacker an open invitation to the organization’s network. The 2018 Phishing Trends & Intelligence Report states that there are “signs of threat actors switching from primarily targeting individuals to targeting organizations.” More than 90% of all malware is delivered to the enterprise via email.
But I would NEVER click it!? Phishing in Action
Consider this, you’re checking your email on the go, and you receive an email from a known contact that they’ve shared a Google Doc with you.
When you click the very realistic-looking “Google” button, it then takes you to the normal Google sign-in page to select your account. On selecting the account, once again you are taken to the standard page that asks you to allow “Google Docs” to access your account. Looks legitimate, correct?
The catch is this —“Google Docs” is a phishing app that takes advantage of the fact that you can name a non-Google web app any name you choose, including “Google Docs.” If you clicked on it, not only would the scammers have full access to your email, they would also send similar spam to everyone on your contact list. This scam was resolved by Google within an hour of being reported — an impressive turnaround that curtailed what could have been a full-blown issue.
However, it goes to highlight how intelligent phishing can be. The scam worked around all the quintessential phishing “red flags”— unknown sender, sketchy URL, unsecured website, and possibly two-factor authentication.
Pointers to Identify the Phish
As the earlier example showed, albeit it being one of the “cleverest” phishing scams, we could all very be the one clicking that phishing link. Even if you have the most secure anti-spam and anti-phishing software, one infamous phishing scam after another have demonstrated that it isn’t too hard to slip one past the goalie. And all it takes is one click. How do we protect ourselves and our organizations from being another hapless victim? By not biting the bait — identification is the best cure. Here are some pointers to better spot that phishing email:
Check the Sender’s Email: Typically, the sender’s name in a phishing email can be an authentic sounding one from a known contact or a bank/credit card agency. However, if you hover over the sender’s name, it will reveal an email address that screams phisher. In the example above, if you checked the email of the sender’s name “Google Docs” it would have probably been a variant of mmm[email protected] A dead giveaway.
Verify the URL: The same logic above applies to the URL. The link name may seem very legitimate (https://my.adp.com), but if you rollover the link and check the URL address (http://312.465.45/adp.html), it will read like a complete fake. While it is a given, that the URL should be a secure one, as the Phishing Trends Reports noted, in 2018 nearly one-third of all phishing sites were hosted on HTTPS, so don’t depend on the secure logo.
Question the Tone of the Email: Phishing emails usually have a typical tone — they use fear/scare tactics demanding an urgent response (“Salary Deposit Declined. Update Info Immediately!”), request personal information (“Update your Account Info”), and come with generic greetings (“Dear ADP User”). When in doubt, email the sender separately (not using the reply option), visit the company’s website in a new browser tab or call the company/individual directly.
At the organisational level, some measures include “sandboxing” email to check the veracity of each clicked link and regularly inspecting and analyzing web traffic. What can prove more effective though, is to have regular security awareness trainings, conduct phishing simulation exercises and email security newsletters to ensure that employees are aware of cyberattacks, and particularly about phishing.
A recent Spanning report on Trends in U.S. Worker Cyber Risk-Aversion and Threat Preparedness noted that only 36 percent of all employees polled correctly identified a suspicious link as being the key indicator of a phishing email. In addition 55 percent admitted to clicking on links they didn’t recognize and 49 percent have downloaded a web extension to their work device. One wrong click can infect the entire network — damaging both your valuable data and your organization’s reputation.
And that is all the more true for SaaS apps, as they have become phishing’s new favorite with attacks targeting SaaS applications growing at an exponential rate of 237% in 2018. The best safety net to the burgeoning threat of cybercrime is data protection. And, as Forrester affirms, nothing affords data protection like a reliable backup and restore solution. A recovery solution is your best defense and can get your data back in minutes.
Author: Brian Rutledge