Phishing has existed for more than two decades, and for good reason: everyone can be targeted by it, it is as effective as ever, and there is no surefire way for security professionals to keep every phishing or spear-phishing attempt from reaching its target.
To stop phishing attempts from succeeding, entire organizations need to be educated about the threat and how to avoid it. CrowdStrike Chief Information Security Officer Jerry Dixon recently shared the following on the CrowdStrike blog, defining phishing and giving five ways to identify and avoid phishing attempts, with the intention that it be used to educate employees. His original article is available in full on the CrowdStrike blog.
Phishing is a social engineering technique that uses email to entice or trick unsuspecting people into clicking on web links or opening attachments that appear legitimate but are instead designed to compromise the recipient's machine or to trick the recipient into revealing credentials or other sensitive information.
Adversaries, whether an individual criminal or a nation-state, craft such messages to appear to be legitimate. A phishing email can appear to be from your bank, employer, or boss, or use techniques to coerce information out of you by pretending, for example, to be a government agency.
Whether an adversary is an individual criminal or a nation-state determines the motivation behind the phishing attempt. Motivations are many and varied; in a phishing email an adversary may attempt to:
- Steal account credentials to siphon funds from you or your company
- Steal your work account credentials to access your employer
- Deploy malicious software that will allow them to gain entry to your work or home computer or access your network to steal intellectual property
No matter the motivation, phishing presents adversaries with a low-risk attack method that offers a high potential for financial gain. And that’s why the phishing threat keeps us CISOs on our toes — adversaries use the tactic over and over because it works. People are often busy and distracted, prone to clicking on links without thinking when they quickly check their email between meetings or other activities. The data bears this out: organizations on average have a click rate of 10%, which represents a high chance of users clicking on an illegitimate link and giving up information or providing their account credentials to a phisher.
A typical phishing attack entails the mass sending of emails in hopes of getting anyone to click on malicious links. The intent could be to deploy ransomware, steal existing account credentials, acquire enough information to open a new fraudulent account, or simply compromise an endpoint. Because everyone has an email address, and because the tactic offers so many options for the adversary, phishing is a numbers game played in a target-rich environment in which only a relative few need be tricked in order for the adversary to profit.
A less typical attack is the spear-phishing attack, a more specialized tactic in which the adversary specifically targets senior leaders or other sensitive roles within an organization. To craft a spear-phishing email, the adversary typically collects information about the targets that is readily available on corporate websites or on social media such as LinkedIn, Facebook, and Twitter. The adversary uses that information to tailor highly personalized emails that entice the user to click on a link, aiming either to pilfer sensitive information from the user's machine or network, or to use what is learned to target other employees through business email compromise and steal money from the organization.
Phishing is challenging to fight with technology alone. While many solutions can help prevent such attacks, most are reactive rather than proactive, meaning that some phishing emails, upward of 20% with some solutions, will get through. And in some cases, such as when a company's corporate email account is compromised and used to send phishing emails, anti-phishing technology won't stop a message that really did come from a legitimate source: sender-authentication checks such as SPF, DKIM and DMARC all pass, because the mail was sent through the company's own mail system.
Stopping phishing, then, relies on more than just technology — it requires vigilance by everyone. People must be trained to recognize and constantly be on alert for the signs of a phishing attempt, and to report such attempts to the proper corporate security staff.
Here are five signs of a phishing attempt to watch for and report:
- An unexpected email that prompts you to take action such as changing a password, sending funds, buying gift cards or logging in to a website
- An email whose body appears to be legitimate, but was sent from a known free email provider or an unfamiliar web domain (e.g., an email that appears to be from your local electricity provider but was actually sent from a @gmail.com address)
- An email with misspelled words, bad grammar or poor formatting
- An email that appears to contain suspicious file attachments
- An email containing web links that appear legitimate but are revealed to be from fake or unknown web domains when the cursor is hovered over them
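Three of the five signs (free-mail sender, link text that shows a different domain from the one the link actually points to, and suspicious attachments) can be checked mechanically on a raw message before a human ever sees it. The script below is an added example, not CrowdStrike's code or part of Dixon's article; it uses only the Python standard library, and the provider list, the extension list and the sample message are constructed for illustration.

```python
"""Triage a raw email for three of the phishing signs listed above.

Added example, not CrowdStrike's code. FREE_MAIL_DOMAINS, SUSPICIOUS_EXTENSIONS
and SAMPLE are constructed for illustration only.
"""
import os
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Deliberately short, constructed lists; a real deployment maintains these.
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SUSPICIOUS_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk",
                         ".iso", ".docm", ".xlsm"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); use a public-suffix library in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL or bare domain; '' if the text is not URL-like."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname or ""
    return host if "." in host and " " not in text else ""


def analyse(raw: str) -> list:
    """Return (sign, detail) findings for the three signs checked here."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    # Sign: legitimate-looking display name, but sent from a free-mail provider.
    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender and sender.domain.lower() in FREE_MAIL_DOMAINS:
        findings.append(("free-mail-sender",
                         f'"{sender.display_name}" sends from {sender.domain}'))

    # Sign: link text shows one domain, the href (what hovering reveals) goes elsewhere.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, actual = host_of(text), host_of(href)
            if shown and actual and registrable_domain(shown) != registrable_domain(actual):
                findings.append(("link-mismatch", f"{shown} -> {actual}"))

    # Sign: suspicious attachment (executable or macro-bearing types, double extensions).
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in SUSPICIOUS_EXTENSIONS:
            findings.append(("suspicious-attachment", name))

    return findings


# Constructed sample: a utility-billing lure exhibiting all three signs.
SAMPLE = """\
From: "Metro Power Billing" <metro.power.billing@gmail.com>
To: jane.doe@example.com
Subject: Action required: your account will be disconnected
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, your bill is overdue. Log in at
<a href="http://metro-power-login.example.net/auth">https://www.metropower.example.com/account</a>
within 24 hours to avoid disconnection.</p></body></html>

--b1
Content-Type: application/octet-stream; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==

--b1--
"""

if __name__ == "__main__":
    for sign, detail in analyse(SAMPLE):
        print(f"{sign}: {detail}")
```

The checks are heuristics, not proof: a message can fail all three and still be phishing (a compromised corporate mailbox trips none of them), and a legitimate newsletter can trip the link check through a tracking redirector. Use the output to route a message to the security team for review, not to auto-delete it.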
Often, phishing emails are easy to spot and can readily be reported. Others, however, can be less obvious. Whenever you are unsure about the legitimacy of an email, report it anyway to your security team and await their guidance before acting in any way on it.
Remember, phishing, and social engineering in general, just works. Almost everyone has an email address, and people's trusting nature and willingness to help others often make them susceptible to manipulative phishing attacks. Protecting yourself and your organization from these cyberattacks is a team sport that requires vigilant people to keep an eye out for suspicious clues and report them to the appropriate staff.