Strategies for Recognizing and Avoiding Phishing Attacks
To understand how to best recognize and avoid phishing attacks, it’s helpful to first understand exactly what phishing is and why it’s a serious threat. We’ve all heard the term before, but it can be more involved than a spam email. Phishing is more of a blanket term to describe someone utilizing social engineering techniques to either trick someone into providing data which could be used to steal their information, compromise an account, or deploy malware.
The crazy thing is, in just the first quarter of this year, over 1 million successful phishing attacks occurred and that’s why it’s so important to understand how to protect yourself against these types of threats.
This article is adapted from the Security Awareness Training: How to Identify and Prevent Phishing Attacks, hosted by Dillon Fornaro, Security Engineer at Kite Technology. You can view the entire webinar here.
Why Phishing is a Serious Threat to You and Your Business
- Email accounts are commonly used to reset passwords for other websites – Many times when you’re signing up for something, be it a website or service, they require an email address, right? This is usually used to log in or reset your password in the event you forgot it or wanted to change it. If that email is compromised, anyone with access to it can reset passwords for any of your accounts and services that are using that email address.
- Single sign-on allows for one account to authenticate to multiple other services – With the adoption of what we call single-sign on, certain identity providers can be used to log into multiple other services. For example, you’ve probably used your gmail account or microsoft account to sign up for wesbites such as facebook or a line of business application. If that account gets compromised, than those other services are at risk
- Non-public information may be stored in a user’s mailbox, opening the organization to hefty fines – Employee email accounts may contain non-public information or sensitive data such as social security numbers, credit card numbers, and a number of other non-public information. If that data is stolen, it could open up your organization to fines and potential lawsuits. This can cost a company thousands to millions of dollars depending on the types of data they handle.
- An account compromise can cost a business hundreds of thousands of even millions of dollars – If a business is handling regulatory data, a notification of breach to their customers may be required based on state and federal law. This can put companies out of business and is extremely damaging to their reputation which is hard to recover from.
- Threat actors can spread malware across your system and networking resources, causing further damage than just an account compromise – Phishing is also used to push Malware across a companies’ network and systems, completely halting their everyday business which further increases the damage done.
While the list could continue as to why phishing is a serious threat, these few examples should give you a good idea on why it’s so important to take phishing seriously.
The Different Types of Phishing Attacks
The most common type of phishing is through email. More than likely, you’ve received a email phishing attempt more than once in your lifetime. These emails are created to trick a user into clicking a link, opening an attachment, or some other nefarious goal to compromise the end user. The threat actor may spoof the from address to look like the email is coming from a legitimate domain when it’s actually not legitimate. These threat actors also may utilize what we call cybersquatting. A common form of cybersquatting is called typosquatting. An example of this is when someone registers a domain that looks very similar to a legitimate one to trick the user to thinking it’s safe. Think facebook.com but with an extra o in book. However, since most phishing attempts through email are sent out en masse, they usually contain grammatical errors and are easy to catch if you know what you’re looking for.
While common email phishing attacks are usually sent out to thousands of people at once based on a wide variety of services, there are other types of phishing attacks that take a more targeted approach which allows for a better chance of compromise. One of them is called Spear phishing. Spear phishing takes a more meticulous approach and attempts to compromise a ‘specific’ user. The key word here being specific. The threat actor usually has some information on the employee that they’re targeting, be it their name, job titles, phone numbers, etc. All of this information is used with the goal to build legitimacy for their request, making compromise more likely. These emails usually are well-crafted from a grammatical standpoint and use words to provide a sense of urgency. These attempted attacks usually have a goal in mind rather than just compromising an account. The threat actors are usually after something specific and they can be tricky to catch.
Another more targeted approach to phishing is what we call Whaling. Whaling is type of spear phishing attack as it also takes a targeted approach with previous reconnaissance being done beforehand. However, with Whaling, the threat actor is determined to compromise a high-level executive in the company rather than just any specific employee. The targeted executives usually have access to sensitive information that most employees from the organization do not. If this type of attack is successful, the percentage that there will be additional internal compromises drastically increases. The damages from this type of compromise can be detrimental to the entire organization.
Smishing is any sort of phishing attempt sent over a text message or an SMS service. Smishing has actually become increasingly more common over the last few years. Most of you have probably received some sort of smishing attempt show up in your text messages. Common ones are messages that say your bank account has been locked out or that you need to approve a charge on your credit card. These messages usually contain links that will attempt to steal your credentials by sending you to a malicious website or stealing browser cookies to hijack an already authenticated session.
Vishing is similar to smishing but it’s conducted over the phone. Vishing attempts will usually have someone call you and pretend to be from a legitimate company like Microsoft or your bank and attempt to trick you into downloading something or giving them information. We are actually starting to see a decrease in overall vishing attempts thanks to some initiatives by the FCC. There are also new technologies being developed by phone manufacturers and wireless carriers to help catch and prevent these types of calls before they reach your phone.
Red Flags to Help You Identify and Avoid Phishing Attempts
- Spelling and Grammatical Errors – One of the biggest things to look out for is spelling and grammatical errors. We’ve all been there and accidently spelled something wrong or used a word out of context. But, you will usually be able to tell the difference between a small mistake and a completely botched email from a grammatical standpoint.
- Sense of Urgency – “I need this done right now or the payment isn’t going to go through!” “Please hurry because I have an appointment that I need to get to!” These are just a few examples of how someone may try and get you to move quickly before thinking about the request. This is why verification processes are so important, even if they make the workflow a little inefficient. All of us are busy people and it’s common for us to want to get the work done as soon as we can. This is why a sense of urgency is such a common tactic used to try and trick the end user. If something seems a bit too urgent, take a step back and think before you continue on with the conversation.
- Infrequent Contact – If we aren’t in the role of onboarding a new client or user, most of the time the people we talk with on a day-to-day basis or our contacts at a specific company usually won’t change very frequently. And if they do, we are usually made aware of that role change ahead of time. There are even controls in the back-end of email protection that can notify you if you haven’t spoken to a contact before.
That’s why it’s important to question any time you receive an email from someone who you haven’t heard from before, especially if their request seems unordinary.
- Unusual Requests – I’m sure we’ve all heard of the scam where someone poses as the CEO or President of a company and asks an employee to buy gift cards. While we all love to be rewarded for our hard work, this is usually considered an unusual request. Any requests for confidential information in general should raise an alert. If your company deals with payments or wire transfers, a newer approach is to request payments using cryptocurrency or asking to use a third-party payment platform such as Venmo or Paypal. These types of strange requests can be common and it’s always best to reach out to the person in question directly over the phone before moving forward.
- A Generic Initial Greeting – The companies that you deal with will know your name. If an email starts off with a generic sounding greeting such as dear sir or madam, that should raise a red flag. While it’s not hard to get someone’s name to use in a phishing attempt as a lot of the time, it’s right in their email address. But, a generic greeting should make you think before moving forward or at least provide you with a sense that you need to verify further.
- The From Address doesn’t match the company’s domain – This method of detecting a fraudulent email isn’t foolproof anymore because some of the spoofing technologies that are available. However, it’s a good first step if you feel a little uneasy about an email possibly being a phishing attempt and can help rule out a lot of the less sophisticated phishing attacks. If it’s coming from a domain that uses the company name, but isn’t the normal email you’re used to seeing them contact you from (think microsofttechsupport.com rather that microsoft.com or possibly a gmail account rather than a companies registered domain), it’s probably malicious.
Do’s and Don’ts to Help You Defend Against Phishing Attacks
- Slow Down – Take your time when responding to an email, a phone call, or a text message. Think to yourself about the red flags BEFORE you respond, especially if your gut is telling your something is off. The faster we perform tasks, the higher chance of making a mistake.
- Validate the request by calling the sender directly – It never hurts to be too cautious. If you’re communicating with someone and something feels off, give them a call. If someone is attempting to impersonate another person, I’m sure they would want to be made aware. This will also give the person being impersonated a goal to notify their own company and clients to be on the look out.
- Keep your information locked down: Purge your social media accounts of non public information and personally identifiable information (PII). The more data you have one someone, the easier it is to deceive them. So, go ahead and remove all of the NPI and PII that’s available on any of your social media accounts. After that, lock down your social media presence by changing your profiles to private so only accepted requests can view your account.
Keep your computer and applications up-to-date – Keeping your applications and software up-to-date is a huge deterrent for common attacks. Many phishing attempts will utilize exploits in out of date software that will only require you to click on a link or open an attachment to compromise your account. Making sure you are turning on auto-updates is crucial to protecting yourself from the latest exploits threat actors may attempt through phishing.
Don’t click directly on links – If you are concerned about a link, especially a shortened URL, hover over it with your mouse to see a pop up of where it’s actually taking you. If you have a link in an email to a web page that doesn’t seem right, bring up your browser and go to the website directly. You can also copy and paste the link on the website virustotal.com which will scan it against a database of malicious URLs.
- Don’t blindly open attachments – If an attachment was sent to you, download the attachment first and scan it with your anti-virus software before opening it. You can also forward and submit suspicious email attachments to Microsoft or websites like virustotal.com to scan on your behalf. Or if you can, reach out to your IT provider and have them verify the attachment’s integrity.
- Don’t send sensitive information over email or text message – It’s always best to exchange non public information over the phone. But, we do understand that sometimes, emailing this type of information is necessary. If you must send data such as credit cards or social security numbers, be sure that it is at least encrypted and deleted afterwards just in case your account or device is compromised later on.
- Don’t use the same password across different websites and services – This one is crucial. We all know that it’s hard to remember all of your passwords for every single website or service out there. Try adopting a password manager into your workflow to help create strong passphrases without the need to remember them all in your head. If an account uses the same credentials as a compromised one, it’s essentially compromised as well. This would be a good time to also implement some sort of darkweb scanning to see which credentials you’ve used have been compromised. Some password managers actually have this feature built in.
Best Practices for Safeguarding Your Business From Phishing Attacks
- Implement Multi-Factor Authentication – I’m sure you’ve all heard of this and are currently using it in some way shape or form. A lot of times, an end user who falls for a phishing attack will usually realize they messed up once they’ve handed over their password. That’s why implementing a form of multi-factor authentication on your accounts is crucial to protecting that password compromise from moving to an entire account compromise.
Enable Conditional Access/Geo-IP Filtering for Logins – Conditional access policies use logic to determine whether an account should be allowed to log in based on certain parameters. Those parameters can be set to things such as allowed devices, security control requirements, and even geographical locations. If you have the ability to implement conditional access policies or something similar, it will greatly help prevent an account compromise as it enforces these controls across the entire business.
- Purge Your Company’s Social Presence of NPI – Remove any non-public information on company websites: It’s nice to have contact information on your website. It allows for your clients to easily find and reach out to the appropriate person for their needs. Things like email addresses, direct phone number extensions, etc. While this may be convenient from the standpoint of client communication, it also provide threat actors with easily accessible intelligence on your company and employees that can be used for a targeted approach. It’s best to have a department wide email for client contact and forward them internally to the appropriate person.
- Refrain From Keeping Emails Past Regulatory Retention Requirements – Do not use mailboxes as storage – purge emails that contain non-public information: A lot of us are dealing with NPI through email communication on a daily basis. Whether it’s a users’ SSN, drivers license, credit cards, etc, mailboxes were never meant to be used as a storage account for this type of information. It’s important to implement proper retention, archiving, and purging policies to either move this information into a more secure database, or remove it altogether.
- Deploy a Spam Filtering Service – It’s best to utilize some sort of spam filtering policies through a third-party or your email provider. These policies are the first line of defense at catching phishing attempts sent to your employees and should be configured to a proper standard, even if it may delay some emails in the process.
- Enroll Employees in Security Awareness Training and Simulated Phishing exercises – Spam filters aren’t perfect. If your spam filter fails (which at some point, it will), your next line of defense is the recipient of that phishing email, the end user. That is why it’s crucial to keep up to date on the latest threats by enrolling users in security awareness training and simulated phishing exercises in your environment. These solutions teach strategies for avoiding phishing attacks and will teach employees how to identify and protect themselves from not just phishing, but all types of threats.
- Utilize DKIM/DMARC/SPF Records – This is a more technical concept and you don’t necessarily need to understand how these technologies work. From a basic standpoint, they’re used in the back end to authenticate an email and its sender which then determines what should be done in the event it can’t be validated. Like I said, the technology behind how this works isn’t relevant. The most important aspect that I want you to take away from this concept is to make sure you’re utilizing these solutions by contacting those who are managing your email.
- Purchase Cyber Liability Insurance – Last but not least, cyber liability insurance. Compromised accounts can lead to an entire disruption of a business. You can be infected with malware such as ransomware which will completely lock down your organization and cost a company millions of dollars. It’s best to have the peace of mind that you are financially covered in the event this happens to you as these events can put a company out of business.
While protecting yourself and your organization from phishing attacks is challenging, education and awareness are key. Implementing the strategies we’ve mentioned here, can go a long way in helping you recognize and therefore avoid phishing attacks. You can also check out the recorded webinar to watch the complete security awareness training.
Kite Technology is committed to helping businesses across the country with their IT and security needs. Contact us to learn more about what we do and how we can help you leverage technology for greater security and business success.