Phishing

What Is Phishing?

Phishing is a cybercrime in which criminals use social engineering tactics to trick people into giving cyberattackers their sensitive information (e.g., login credentials, credit card information, social security numbers), to click malicious links, or to download documents that spread malware or ransomware. Disguised as trustworthy sources (e.g., reputable companies, colleagues, friends), phishing attackers use all communications platforms to reach victims, including email, voice mail, and text messages.

Some phishing content contains poor grammar or includes links with suspicious URLs. Other content is well-written and well-formatted, with sophisticated messages that exploit emotions, such as sympathy, curiosity, outrage, or support.

Phishing attacks are a volume-based cybercrime. Messages are sent to large numbers of people. Success only requires a fraction of those targets to respond.

Train Employees to Recognize Phishing

Since most phishing attacks come through email, the following section will focus on that vector as it relates to organizations.

Training Techniques

Create Awareness
Understanding potential threats from phishing helps employees in all organizations to become part of the defense against phishing attacks. Phishing awareness training should focus on the following key points to ensure that organizational users are able to identify and respond to a phishing attack effectively:

• What exactly phishing is
• How phishing happens
• What risks phishing poses on a personal and organizational level
• The different methods of phishing attacks
• What kinds of information phishing attacks target
• How cybercriminals use information that’s obtained in a phishing attack

Share Examples of Phishing Attacks
Real examples of how phishing attacks were perpetrated and the resulting damage go a long way to engaging employees. Scare tactics are not necessary. The simple stories of real-world phishing attacks, in terms of money lost, people affected, damage done, and other specific details, are enough to make a powerful impression and to increase willingness to actively participate in anti-phishing training.

Conduct Phishing Email Training
Phishing email training teaches employees how to recognize signs of phishing attacks. A few indicators of a phishing email are:

• No domain email—a reputable company will own their domain email (e.g., name@company.com), whereas a cybercriminal will alter the address (e.g., name@company123.com)
• Poor formatting
• Typos
• Unsolicited attachments or information requests
• Time-sensitive appeals that are outside of traditional business practices (e.g. “Complete this expense report today, or you won’t be paid for it.”)

Use Quizzes
Short quizzes before and throughout training can help employees to understand what they do not know about phishing and prod them to pay attention. This can be gamified by showing examples of emails and asking employees to identify which are phishing and which are legitimate. Periodic follow-up quizzes also help reinforce phishing training.

Use Simulation
Phishing simulation helps keep prevention on employee’s minds as well as identifies gaps in awareness. With simulation training, “real” phishing attacks are created and sent to employees. These simulated attacks clarify vulnerabilities, so ongoing training can be customized for specific employees or weak areas of awareness of the various types of phishing. 

Tips for Training Materials

Videos
Use learning modules with interactive videos to keep employees engaged and focused on the lessons.

PowerPoint Presentations
Five tips for the best results:

1. 1. Add visual elements that complement and add value to the text content.
2. 2. Include supporting information, such as quotes, definitions, and statistics.
3. 3. Keep bullet points short, concise, and active.
4. 4. Share a copy of the presentation with its speaker notes.
5. 5. Use a theme that is visually engaging, but that does not distract from the content.

Lesson Timing
Break phishing lessons down into short, manageable segments. Spread lessons out over time rather than conducting them all at once—plan on having ongoing training updates for employees who have already completed the core training.

Types of Phishing

Following are several of the more common types of phishing.

Clone Phishing

An email that has been received is replicated, but it includes a malicious attachment or link. Because this type of phishing attack uses a nearly identical version of an email that victims have already received, it is difficult to identify and often goes unnoticed.

Internal Phishing

To send internal phishing emails, an attacker takes control of a legitimate email account using compromised credentials. Internal phishing attacks use the internal email of one trusted user and send a phishing email to others in the same organization. Since the email comes from a trusted user, recipients are more likely to click on a link, open an attachment, or respond with requested information. 

Pharming

Pharming attacks exploit the lack of security often found on websites. Since it is fairly easy to alter a website’s HTML text, attackers change it to download information when someone visits the site or completes a form.

With pharming, attackers can steal login credentials that can be used to login to the site or for credential stuffing.

Search Engine Phishing

With search engine phishing, also known as SEO poisoning or SEO trojans, cybercriminals use SEO optimization techniques to reach the top of organic search for keywords in Google or other search engines. Then, they lure people into clicking their link, which goes to a malicious site instead of legitimate content.

Smishing

Smishing exploits mobile devices by sending text messages, or short message service (SMS), with malicious links. Sometimes, if users do not fall for the text message, cybercriminals will go a step further. They call the number and say something like, “Your account has been compromised. We need you to confirm your account details to clear this matter up.” If the hackers dial enough numbers, someone will talk to them. This is called vishing.

Social Media Phishing

Phishing attacks can also be perpetrated on social media. A common Facebook-based attack is to share posts about a great sale on a popular item, which links to a malicious site.

Spear Phishing

Spear phishing targets specific individuals instead of a wide group of people. Communications are customized to appear more authentic.

Spear phishing is often the first step in a data breach. According to the SANS Institute, 95 percent of all attacks on enterprise networks are the result of successful spear phishing.

Voice Phishing or Vishing

With voice phishing, or vishing, cybercriminals call targets on a landline or mobile phone and try to trick them into sharing sensitive information. They use approaches such as pretending that there is a problem with an account and confirming credentials or validating a social security number. This approach is sometimes combined with smishing, as discussed above.

Whaling

Phishing attacks targeting a high-value executive, such as a corporate executive, are called whaling—as in hunting the big fish.

Whaling attacks are sophisticated, well-planned, and researched attacks. Cybercriminals spend time profiling the target and getting to know their online habits. Because these targets have access to considerable amounts of sensitive information, whaling attacks are very dangerous.

Phishing Techniques

Five key steps of a phishing attack that are utilized by cyberattackers :

1. 1. Identify the target individual or target list, then collect data that can be used to support the attack.
2. 2. Determine how to run the attack—most attacks leverage one of the types of phishing attacks noted above.
3. 3. Begin the attack by sending messages.
4. 4. Monitor responses and collect the data that victims provide.
5. 5. Put ill-gotten data to work—e.g., use credit card data to make purchases, withdraw money from bank accounts, or gain unauthorized access to networks.

A Few Details About Phishing Attacks

The link or attachment in a phishing message will usually do one of two things, or both:

1. 1. Take the user to a website that looks legitimate at a glance, but is malicious—e.g., www.paypals.com vs. the real www.paypal.com.
2. 2. Download malware onto the user’s computer.

Examples of Ploys Used in Phishing Attacks

• Using legitimate links to evade detection by email filters.
• Mixing legitimate and malicious code to make emails look unique to the filter by encoding characters at random, adding invisible text, inserting white spaces, or assigning random values to HTML attributes.
• Abusing redirections to a legitimate website, then using a time bomb to redirect to a malicious website. 
• Using URL shorteners, such as TinyURL or Bitly, to create aliases that hide the legitimate URL and send users to a phishing site.
• Manipulating brand logos with very subtle changes that allow the message to slip past email filters.
• Confusing filters with excess content (also known as Bayesian poisoning) that has no meaning, but disrupts statistical-based filters (e.g., Bayesian filters) with large blocks of text (e.g., song lyrics).
• Replace text with images that the filters cannot read. 

How to Protect Your Organization from Phishing Attacks

Beyond training, there are a number of other ways to protect an organization from phishing attacks. Each solution has its benefits, but none offers a complete solution.

Following are several of the solutions that make up an effective defense against phishing attacks.

Domain-based Message Authentication, Reporting and Conformance (DMARC)

DMARC is a standards-based mechanism that is used to determine whether an email message is coming from a particular sender or not. It protects email domains from being used for email phishing scams, spoofing, and other malware.

DMARC leverages the existing email authentication technique’s SPF (Sender Policy Framework), which acts as an email whitelist, and DKIM (Domain Keys Identified Mail), which acts as a gatekeeper that validates the authenticity of an email. 

To use it, a DMARC record is entered into the email domain’s DNS record. The DMARC record shares the email domain’s policy after checking SPF and DKIM status. DMARC authenticates if either SPF, DKIM, or both are cleared. It serves as an added layer of protection from phishing and other email scams, because it is possible that SPF and DKIM pass, but DMARC fails.

Gateway Spam Filter

Gateway spam filters are usually installed as a virtual appliance behind the network firewall and used on the inbound mail transfer agent (MTA), also referred to as the gateway. Before an email is accepted into the network, it is run through the gateway spam filter for further filtering and processing.

Gateway spam filters scan all email communications, including attachments and URLs, for signs of malicious or harmful content or links. Gateway spam filters protect on-site and remote employees. 

Identity and Access Management (IAM)

By using IAM, access to information and systems can be centrally controlled and managed according to users’ roles and access required by devices. (Note: Users include customers, partners, and employees; devices include computers, smartphones, routers, servers, controllers, and sensors.) 

This access control helps with the enforcement of the Principle of Least Privilege. Another key objective of IAM systems is to establish and maintain one digital identity per individual or device. 

Multi-factor Authentication (MFA)

A powerful deterrent against phishing attacks is multifactor authentication. It goes beyond username / password authentication to include additional verification, such as recognized geographic location (geofencing), biometrics, time-of-access monitoring, and one-time passwords (OTP), which are difficult to fake or be stolen by cybercriminals.

Secure Web Gateway

A secure web gateway is installed as a software component or as a hardware device on the edge of the network or at user endpoints. It helps to prevent malware from entering an organization’s network.

The gateway stands between all incoming and outgoing data to prevent malicious website traffic, viruses, and malware from infecting systems or accessing data. The web gateway only allows users to access approved, secure websites—all other sites are blocked.

Software Updates

Simply updating software with patches and new versions can decrease phishing attacks. Cybercriminals take advantage of known vulnerabilities that can be easily addressed with regular software updates. Be sure to regularly update:

• Internet browsers and apps
• Operating system software
• Security software

Strong Passwords (Updated Regularly)

Policies that enforce the use of strong passwords, coupled with frequent updates, mitigate the efficacy of phishing, since even if credentials are stolen, the password will change and not be guessable. Characteristics of a strong password include:

• At least 12 characters long
• Uses uppercase and lowercase letters, numbers, and special symbols 
• Does not contain memorable keyboard paths (e.g., adfg, 1234, !@#$)
• Not based on personal information, including users’ names

Virtual Private Networks (VPN)

While they do not provide protection from phishing and malware, VPNs protect communications and internet traffic by encrypting them. Emails are encrypted, so they cannot be seen by would-be phishing attackers. With some VPNs, connections are secured with military-grade encryption.

What Should Employees Do If They Suspect a Phishing Attack?

If an employee suspects that an online message is a phishing attack, they should take the following actions:

• Do not open it.  
• Delete it immediately (permanently).
• Do not download any attachments that accompany the message.
• Never click links that appear in the message.  
• Do not reply to the sender.  
• Report it to the IT team immediately.

What to Do If an Employee Responds to a Phishing Email

Obtain a copy of the email with full headers and any original attachments.
Look at the message’s Properties in order to see all of the email routing information. Be sure to document the sender’s IP address.

Search for related threat intelligence.
Use any information from the message, including IP address, URLs, and attachments. Be careful not to go to malicious sites accidentally. Put the IP address in quotes to ensure that the browser knows it is just a search, since pasting an IP address into a browser will change it to a URL.

Interview employees that responded to the phishing email.
This can provide additional information about the attack as well as an opportunity to review anti-phishing protocols and improve training.

Use gateway spam filters to block similar messages.
Add attributes from the message to stop more of the messages from being delivered.

Scan for suspicious activities.
Conduct a thorough scan of all systems and log files to identify anything out of the ordinary. Remember to save copies of all log files for any follow-up or future investigations. This should include:

• DHCP logs 
• DNS logs
• Firewall logs
• Mail server logs
• Outbound web logs
• Proxy logs

Reset the passwords of impacted employees.
After changing passwords, monitor their accounts for suspicious activities.

Report Phishing Attacks to Help Stop Cybercriminals

Phishing is one of the major contributors to data breaches. While many of the cybercriminals behind phishing attacks are elusive, reporting phishing attacks can help track them down by adding to threat intelligence databases.

Phishing attempts or attacks can be reported to the Federal Trade Commission at its Complaint Assistant page. The attack can also be reported to the Anti-Phishing Working Group or the phishing email can be forwarded to reportphishing@apwg.org. Forward phishing text messages to SPAM (7726).

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.

Last Updated: 15th October, 2021

Get started with Egnyte.

Request Demo