Not long ago, phishing was primarily aimed at the consumer market, and malware was considered the biggest threat to businesses. Today, phishing is the top social attack on businesses, responsible for more than 90 percent of security breaches. Because no cybersecurity solution can block 100 percent of attacks, your employees need training to understand what to look for to protect themselves from phishing attacks.
Phishing is becoming more sophisticated, and although there are dozens of techniques phishers can use to trick your employees, there are a handful of methods they rely on most. Below are just eight things your employees should understand about phishing:
1. Phishing explained
Phishing is a type of fraud in which an attacker impersonates a legitimate brand, institution, or person to trick the recipient into handing over credentials or other personal information, usually by directing them to a malicious website. A common example is the Office 365 phishing attack: the attacker sends an email that appears to come from Microsoft asking the user to log in to their Office 365 account. The link in the email leads to a fake Office 365 login page, where whatever credentials the user types are harvested. With Microsoft branding and logos in both the email and the phishing page, an untrained user will not recognize the email as a phishing attempt.
2. Email addresses can be spoofed
Never trust an email based simply on the purported sender. Cybercriminals have many ways to disguise the origin of a message and to make the sender look legitimate when the email really comes from a malicious source. The two most common are display name spoofing and cousin domains. With display name spoofing, the phisher sets the visible sender name to a legitimate company or person, while the actual address underneath is an unrelated mailbox such as firstname.lastname@example.org. Display name spoofing is most effective when the user views the email on a mobile device, because most mobile mail clients show only the display name and hide the address. Phishers count on the fact that most mobile users will not expand the sender’s name to view the address. Note also that the address itself can be forged when the impersonated domain does not publish and enforce SPF, DKIM, and DMARC records, so even a correct-looking address is not proof of origin.
A cousin domain looks very similar to a legitimate domain but has been slightly altered. For example, to spoof an Apple.com email, the hacker might register Apple.co. In other cases, hackers add words or different extensions to the brand name, such as apple-support.org, apple-logins.net, and apple-securities.com. We are also seeing an increase in lengthy, confusing subdomains in which the brand name appears at the start of the hostname while the part that actually identifies the owner, the registrable domain at the end, belongs to the attacker.
3. Subject lines and text are often threatening or enticing
Cybercriminals may promise “free iPhones to the first 100 respondents” or threaten that “your credit card will be suspended without immediate action.” Evoking a sense of panic, urgency, or curiosity is a commonly used tactic. Users are typically quick to respond to emails that indicate potential financial loss or that promise personal or financial gain.
Emails that have an aggressive tone or claim that immediate action must be taken to avoid repercussions should be considered a potential scam. This technique is often used to scare people into giving up confidential information. Two examples of this are phishing emails telling users their critical accounts are locked or that an invoice must be paid to avoid services being suspended.
In some spear phishing attacks, personalized emails from purported colleagues are designed to evoke fear of consequences at work. A classic example of this is an urgent email from a CEO requesting gift cards or a wire transfer. Receiving such a request from a top executive creates pressure for the employee and makes them more likely to respond quickly—without thinking it through. Another example is the direct deposit spear phishing email, which is designed to pressure an HR employee into changing direct deposit information.
4. Attacks are becoming more targeted and personal
Many phishing attacks of the past were sent in bulk to a large group of users at once, so the greetings were impersonal: emails addressed the user with a generic term like “customer,” “employee,” or “patient.” Your employees should treat such greetings with caution, because legitimate organizations usually address users by name. The reverse does not hold, however: a personalized email is not a sure sign of a legitimate one. Today’s phishers include the victim’s name in the subject line and prefill the victim’s email address on the phishing webpage.
5. Phishing emails are getting more sophisticated
Employees need to read their emails carefully, not just skim them. Many phishing attacks and spear phishing attacks are launched from other countries, and although this can result in glaring grammar and stylistic issues, phishers have become more sophisticated. They have the resources to compose clean emails in their target language, and they make fewer mistakes.
Employees should read emails carefully for both glaring and subtle grammatical issues that might indicate that the sender is not reputable. In a recent Office 365 phishing page discovered by Vade Secure, there was only one visible discrepancy between the real Office 365 page and the phishing page: an extra space between “&” and “Cookies” in the “Privacy & Cookies” link in the footer of the phishing page.
6. Links aren’t always what they seem
Most phishing emails include a link, and phishing links are deceptive. While the link text might say “Go to Office 365 account,” the URL takes the user to a phishing page designed to look like Microsoft. Make sure your employees hover over links before clicking them to see the pop-up that displays the link’s real destination, and treat any destination that is not the expected website as a probable phishing attack. Two caveats: on a mobile device there is no hover, so a long press to preview the link is the equivalent, and what the pop-up shows is only the first hop. A redirector or shortener can forward the user somewhere else entirely.
It is most important to check the core of the URL: the registrable domain, the part immediately before the top-level domain (for example, microsoft.com in login.microsoft.com). A brand name appearing earlier in the hostname, in the path, or before an @ sign means nothing; only the registrable domain says who owns the site. Be cautious of URLs ending in unfamiliar top-level domains, but remember that plenty of phishing sites use .com and .org too. Additionally, phishers use URL shorteners, such as Bitly, to bypass email filters and hide the destination from users, so be cautious of clicking on shortened URLs. IsItPhishing.AI can determine if a URL is legitimate or a phishing link. If you or your employees are in doubt of the legitimacy of a website, IsItPhishing can tell you.
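Added example, not code from the original article or from Vade Secure: the following Python script does for an HTML body what the hover check does by hand. For each anchor it compares the visible text with the registrable domain of the href, flags known shorteners, and goes a little beyond the text by also catching a brand name placed before an @ sign in the URL, a trick that makes the hostname appear to be the brand's while the browser actually connects to whatever follows the @. The shortener list, the brand-to-domain map, and the sample HTML body are constructed for illustration.

```python
"""Check each link in an HTML email body: does the visible text match where the
href really goes? Standard library only."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Illustrative list of shortener domains; production filters use a much longer one.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "ow.ly"}

# Hostname-looking token inside visible link text, e.g. "login.microsoft.com".
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def base_domain(host):
    """Last two labels as an approximation of the registrable domain
    (a real filter would consult the Public Suffix List for co.uk and friends)."""
    return ".".join(host.lower().split(".")[-2:])


class LinkCollector(HTMLParser):
    """Gathers (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyze_link(text, href, brand_domains):
    """Return a list of reasons this anchor looks deceptive (empty if none).
    brand_domains maps a brand word that may appear in link text to the
    registrable domains that brand legitimately uses."""
    parts = urlsplit(href.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        return [f"unexpected scheme {parts.scheme!r}"]
    findings = []
    if parts.username is not None:
        # https://login.microsoft.com@evil.example/ : the browser goes to evil.example
        findings.append(f"text before '@' in the URL disguises the real host {host}")
    reg = base_domain(host)
    if reg in SHORTENERS:
        findings.append(f"{reg} is a URL shortener; hovering cannot reveal the destination")
    # The visible text shows a hostname that is not where the href goes.
    shown = HOST_RE.search(text.lower())
    if shown and base_domain(shown.group()) != reg:
        findings.append(f"text shows {shown.group()} but link goes to {host}")
    # The visible text names a brand whose domains do not include the href's.
    for brand, domains in brand_domains.items():
        if brand in text.lower() and reg not in domains:
            findings.append(f"text mentions {brand!r} but link goes to {host}")
    return findings


def analyze_html(html, brand_domains):
    """Run analyze_link over every anchor; returns [(text, href, findings), ...]."""
    collector = LinkCollector()
    collector.feed(html)
    return [(t, h, analyze_link(t, h, brand_domains)) for t, h in collector.links]


# Constructed sample body, not a real phishing email.
SAMPLE_HTML = """
<p>Your Office 365 mailbox is almost full.</p>
<a href="https://login.microsoftonline.example/">Go to Office 365 account</a><br>
<a href="https://bit.ly/example">Verify now</a><br>
<a href="https://login.microsoft.com@evil.example/">https://login.microsoft.com</a><br>
<a href="https://www.microsoft.com/">Microsoft account page</a>
"""

# Constructed map; a deployment would maintain this per protected brand.
BRANDS = {
    "office 365": {"microsoft.com", "office.com", "microsoftonline.com"},
    "microsoft": {"microsoft.com", "office.com", "microsoftonline.com"},
}

if __name__ == "__main__":
    for text, href, findings in analyze_html(SAMPLE_HTML, BRANDS):
        print(f"{text!r} -> {href}")
        for finding in findings:
            print("   !", finding)
```

Only the fourth sample link comes back clean. The script cannot see past a shortener or redirector any more than hovering can; a filter that needs the final destination has to follow the link in a sandbox.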
7. Phishing links can be sent via attachment
The phishing link is not always in the email body. To avoid detection by email security filters, hackers will put the link in an attachment, such as a PDF or Word document, rather than in the message itself. Because many attachment scanners and sandboxes look for malicious code rather than following the links an attachment contains, the email can look clean. The email itself will appear to be from a legitimate business, vendor, or colleague, asking you to open the attachment and click on the link to review or update information.
8. Hackers use real brand images and logos
Brand logos and trademarks are no guarantee that an email is real. These images are public and can be downloaded from the internet or easily replicated. Even antivirus badges can be inserted into emails to persuade victims into thinking an email is from a legitimate source. While most email filters can spot a known phishing URL, they cannot spot a counterfeit image unless they have machine learning and computer vision capabilities.
An employee received a phishing email. Now what?
Dealing with the repercussions of a phishing attack is not only time consuming but costly. One careless click has the potential to compromise your entire network, so it is important that everyone works as a team to protect the company. Make sure there is a system in place to report attacks, and make sure all of your employees understand how important it is to follow through in reporting it.
Deleting the offending email is not the solution—IT needs to know that your company is being targeted. Train your employees to contact your IT department immediately so that IT can take appropriate action, and create a feedback loop to help improve the email filter.
While structured annual or semiannual cybersecurity awareness training is recommended, employees should also receive on-the-fly phishing awareness training when an attack occurs. If an employee clicks on a phishing link, they should receive immediate feedback and additional training. Review the email with them, show them the red flags and indicators they missed, and provide additional training materials to help them avoid being phished in the future.
Vade Secure users receive a warning banner at the time-of-click if a URL has been identified as phishing. If the user clicks on a phishing link, IT receives a notification, along with a link to a phishing training handout. This ensures they are immediately aware of their mistake and connects the incident with the training.