Don’t Get Hooked: How to Detect and Prevent Phishing Attacks
Protect Your Business Email from Compromise
What is Phishing?
Malicious actors across the internet love to bait their hooks, cast their line, and go phishing. And they’re hoping you’ll bite. Phishing is one of the oldest cyberattacks, dating back to the 1990s. In its classic form, an internet user is lured onto a website that exists for the sole purpose of capturing their credentials. Even as cybersecurity techniques improve, phishing remains a successful attack vector, since even an adept user can be fooled by an elaborate illusion. Learning how to recognize and detect this threat to you and your business is the first step to phishing attack prevention.
How to Prevent Phishing Attacks - 3 Tips to Protect Yourself From Phishing
1. Obtain Education & Security Protocols
Build Phishing Awareness: As a baseline, both businesses and the average internet user should familiarize themselves with security best practices and learn how to spot suspicious details within emails. Whaling attacks in particular often succeed because executives are exempted from, or skip, the security awareness training their staff receive.
Use Anti-Phishing Software: Additionally, businesses should implement anti-phishing software and email filters. Every internet user should enable multi-factor authentication when it is available, preferably a phishing-resistant form such as a FIDO2/WebAuthn security key or passkey: one-time codes sent by SMS or generated by an app can be relayed to the real site by a phishing page in real time, while a FIDO2 credential is bound to the legitimate origin and will not respond to a look-alike domain. These are preventative measures most organizations are already taking, yet nearly a third are failing to adequately protect their businesses.
Use Identity Threat Intelligence: Carefully crafted phishing attacks can slip past email filters, security software, and even an adequately trained employee. Mature organizations have begun implementing Identity Threat Intelligence solutions to better protect against phishing and other digital risks.
2. Identity Threat Intelligence
The best way to augment standard security practices is with identity threat intelligence. As discussed below, the more information a hacker has about their target, the more credible their phishing attack appears and the more often it succeeds. Knowing where your organization is exposed is one of the most effective ways to prevent business email compromise.
Leveraging an identity threat intelligence platform can help identify data exposures your organization’s employees and executives have suffered. This can include insights into compromised credentials that can be directly used in an account takeover attack, and exposed PII (personally identifiable information) that can be used in spear-phishing and whaling attacks. Knowledge of these exposures can be used to enhance email filters and educate and raise awareness among employees (potential victims).
Even when security best practices are observed and augmented with identity threat intelligence, phishing attacks can still succeed. But there remains hope. Once a threat actor has successfully phished or whaled a target organization, there is often a short window before damage is done, because there is usually a lag between a hacker capturing an employee’s or executive’s credentials and putting them to use. That window can be minutes rather than days when a phishing kit relays the stolen login or session cookie automatically, so detection has to be fast.
The right identity threat intelligence platform can not only give you insights into your organization’s exposures but also notify you when you’ve fallen victim to a phishing attack, giving you a fighting chance to reset passwords, revoke active sessions and tokens (a password change alone does not end a session the attacker already holds), and take preventative measures before the hacker can make use of the phished data.
3. Detect Data Harvested by Phishing Campaigns and Botnets
To help you respond faster to phishing campaigns and botnet attacks, we will be enhancing your ability to know when cybercriminals have harvested account credentials or personal data in the upcoming release of our market-leading Phishing and Botnet Protection. This new monitoring technology will act as an early warning system for stolen credentials and personal data.
Want to be the first to learn more details about our Phishing or Botnet Protection? Get in touch now.
What are phishing websites?
Phishing starts with a spoof website: a page operated by the hacker but designed to look exactly like a legitimate website, in the hope that an unsuspecting user won’t be able to tell the difference. Once on the phishing site, the user will be prompted to log in, answer a security challenge question, or provide some other form of private data.
Suppose you bank with ACME Bank and you log in to online banking at acmebank.com. Hackers may set up spoof websites on domains that look similar or legitimate, such as acmebank.onlinebanking.com (the brand name used as a subdomain of a domain the attacker controls), www-acmebank.com, or even acme-bank.com. In every case the part that actually matters, the registrable domain just before the top-level domain, is not acmebank.com. The site will exactly copy the design of the legitimate website, bearing the ACME Bank logo, using the same fonts, the same stock images, and an identical layout. The victim lands on a login screen and enters their credentials. Unfortunately, once they click that “login” button, it’s too late. Whether the victim is shown a login error, redirected to the legitimate bank website, or something else, the hacker now has their credentials, which the hacker can use to log in to the real ACME Bank site and potentially transfer money to their own account. Even worse, given the average user’s tendency to re-use passwords, the hacker can gain access to the victim’s accounts on other websites and do further damage.
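The distinctions in the ACME Bank example (brand as a subdomain of someone else’s domain, hyphenated look-alikes, and the user-info trick `https://acmebank.com@evil.example/`) can be checked mechanically. The following is an added example, not code from the original article: it classifies a link’s host against the bank’s real domain. `LEGIT_DOMAIN`, the sample URLs and the look-alike character table are assumptions, and the registrable-domain logic is deliberately simplified to the last two labels.

```python
"""Classify a link's host against the brand domain it claims to belong to.

Added example (not from the original article). LEGIT_DOMAIN and the sample
URLs are assumptions; the registrable-domain logic is deliberately simplified.
"""
from urllib.parse import urlsplit

# The bank's real registrable domain (assumption for this example).
LEGIT_DOMAIN = "acmebank.com"
BRAND_LABEL = LEGIT_DOMAIN.split(".")[0]  # "acmebank"

# Separators and digit look-alikes that attackers insert into brand names.
_LOOKALIKE = str.maketrans({"-": "", "_": "", "0": "o", "1": "l", "3": "e",
                            "4": "a", "5": "s"})


def registrable_domain(host: str) -> str:
    """Return the last two labels of a host name.

    Simplification: real code should consult the Public Suffix List (e.g. the
    `publicsuffix2` package) so that names like acmebank.co.uk are handled.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return one of: legitimate, userinfo-trick, brand-as-subdomain,
    lookalike, unrelated, unparseable."""
    if "://" not in url:
        url = "https://" + url           # tolerate bare "host/path" input
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "unparseable"
    # https://acmebank.com@evil.example/ -> the browser goes to evil.example;
    # any userinfo in a link to a login page is a red flag on its own.
    if parts.username is not None:
        return "userinfo-trick"
    reg = registrable_domain(host)
    if reg == LEGIT_DOMAIN:
        return "legitimate"             # www.acmebank.com, login.acmebank.com
    labels = host.lower().split(".")
    # acmebank.onlinebanking.com: the brand is only a subdomain of another
    # registrable domain, which is what the browser actually trusts.
    if BRAND_LABEL in labels[:-2]:
        return "brand-as-subdomain"
    # www-acmebank.com, acme-bank.com, acmebank.net, acmeb4nk.com
    if BRAND_LABEL in reg.split(".")[0].translate(_LOOKALIKE):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for sample in ("https://www.acmebank.com/login",
                   "https://acmebank.onlinebanking.com/login",
                   "https://www-acmebank.com/",
                   "http://acme-bank.com",
                   "https://acmebank.com@evil.example/",
                   "https://example.org/"):
        print(f"{sample:45} {classify_url(sample)}")
```

The key design choice is to compare the registrable domain rather than search the whole host for the brand name: a substring match would accept acmebank.onlinebanking.com, which is exactly the trick the example above describes. The look-alike check goes slightly beyond the article’s three examples by also catching a different TLD (acmebank.net) and digit substitutions (acmeb4nk.com).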
How are phishing attack victims targeted?
Depending on the type of phishing attack, victims may be specifically targeted or simply caught in a wide net cast by the malicious actor. When the internet boomed in the 1990s, phishing attacks went out via email. Then as now, malicious actors compile large lists of email addresses and blast out a message en masse, containing a call to action (“click this link to…”) supported by the promise of something entertaining, lucrative, or urgent. Most recipients won’t respond, but a few will, and that is enough to keep the hacker phishing.
Today, malicious actors still use email as a delivery vehicle for phishing attacks but have expanded to text messaging, phone calls, social media posts, and messenger applications. This growth in technology has given hackers new resources to exploit, increasing the response rate to phishing emails, messages, or posts. In the example above, we discussed an attack against customers of ACME Bank; recipients of that phishing attempt who do not bank with ACME Bank will surely dismiss the message. But if the hacker had one simple piece of information about you, where you bank, they could multiply their success rate.
The more information a hacker has about you, the more credible they can make their phishing attack seem. With just your name and the name of your bank, a hacker can add a few personal touches to their phishing attack, which in turn helps suppress any red flags that might otherwise come up. Given the prevalence of data breaches, it is frighteningly easy for a malicious actor to obtain the same few personal attributes for a large group of potential victims. It takes one data breach to hand a hacker a list of thousands of email addresses with associated names and banks. Imagine the damage that could be done with even more information.
Types of Phishing
1. Deceptive Phishing
This is the most common type of phishing attack, the “spray and pray” method. This attack relies upon targeting a large group of would-be victims, hoping a few will fall for the deception. While email filters do a reasonably good job catching these phishing attempts, hackers have learned how to fly under the radar. This is a relatively low-skill attack vector that yields the best results for the hacker when sent out in high volumes.
2. Spear Phishing
As the name suggests, hackers focus their efforts on specific “phish”. While the endgame is the same, deceiving the victim into clicking a link or opening a malicious attachment, spear phishing attacks add a personal touch to appear more credible. Spear phishing emails do away with generic greetings like “Dear sir or madam” and address the target by name, information easily captured from breached or leaked data, allowing hackers to maintain a high volume of phishing emails with a greater success rate.
3. Smishing
Not all phishing attacks are attempted via email; some come through text messages, or SMS, which gives rise to the name “smishing”. Smishing attacks use the same methods as other phishing techniques, but with a more “mobile-centric” approach, for example asking the user to install a malicious app or follow a shortened link whose destination cannot be inspected before tapping it.
4. Vishing
Another phishing technique that doesn’t rely upon email is vishing, a phishing attack made via a voice call. Vishing combines traditional phishing methods with social engineering; the scammer often claims to be a customer support representative, a tech support agent, or even a salesperson. Malicious actors can spoof their caller ID to make it appear they’re calling from a legitimate organization, so a familiar number on the display proves nothing. Posing as tech support, the malicious actor can spew technical jargon, fooling the target into believing there is a need for technical help and ultimately into providing sensitive details.
5. Pharming
A slightly more technical variant of phishing, pharming redirects the user to the spoof website even when they type the correct address of the legitimate site. This is accomplished in a couple of ways: by deploying malicious code that modifies the victim’s hosts file, or by targeting DNS (poisoning a resolver’s cache, or changing the DNS settings of a home router). In brief, DNS resolution is the first step in any web request: the domain name (e.g. example.com) is looked up and the resolver returns the IP address of the server hosting the site. A poisoned DNS entry can redirect thousands of visitors to example.com to a malicious copy without their knowledge. The local hosts file is consulted before DNS, so an entry there overrides whatever DNS would have returned for that name. HTTPS limits the damage: a browser sent to the wrong server will see a certificate that does not match the hostname and warn, unless the victim clicks through or the site is reached over plain HTTP.
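Because the hosts file overrides DNS, one cheap pharming check on a workstation is to look for any hosts entry that pins a public domain you care about. The following is an added example, not code from the original article: it parses a hosts file (comments, aliases, IPv4 and IPv6) and reports every entry for a monitored domain or its subdomains. `MONITORED`, the sample hosts content and the addresses (from the RFC 5737 documentation ranges) are constructed for this example.

```python
"""Audit a hosts file for entries that override DNS for monitored domains.

Added example (not from the original article). MONITORED and the sample
hosts content are assumptions/constructed; addresses come from the RFC 5737
documentation ranges.
"""
import ipaddress
import sys

# Domains whose resolution we never expect to see pinned in a hosts file
# (assumption: a bank and a corporate mail domain).
MONITORED = {"acmebank.com", "example.com"}

# Default hosts file locations; only used when run stand-alone on a real file.
DEFAULT_HOSTS = (r"C:\Windows\System32\drivers\etc\hosts"
                 if sys.platform == "win32" else "/etc/hosts")


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every name on every valid line.

    Handles blank lines, full-line and trailing comments, multiple aliases
    per line, and IPv4/IPv6 addresses; malformed lines are skipped.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield lineno, str(ip), name.lower().rstrip(".")


def is_monitored(name):
    """True for a monitored domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in MONITORED)


def audit_hosts(text):
    """Return (lineno, hostname, ip) for each entry that pins a monitored name.

    Any such entry bypasses DNS for that name, which is exactly the pharming
    technique described above, so each one is reported as a finding.
    """
    return [(lineno, name, ip)
            for lineno, ip, name in parse_hosts(text)
            if is_monitored(name)]


# Constructed sample: a normal hosts file with one malware-injected line.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
::1          localhost ip6-localhost
198.51.100.7 acmebank.com www.acmebank.com   # injected: real site is elsewhere
192.0.2.25   mail.example.com
10.0.0.5     intranet.corp.local
"""


if __name__ == "__main__":
    # With no argument, audit the constructed sample; pass a path (or
    # DEFAULT_HOSTS) to audit a real file.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for lineno, name, ip in audit_hosts(text):
        print(f"line {lineno}: {name} pinned to {ip}")
```

The rule is intentionally strict: a workstation has no legitimate reason to pin a bank or public mail domain in its hosts file, so every match is a finding regardless of the address. Detecting the DNS-side variants of pharming needs a different check (comparing the resolver’s answer with an authoritative or out-of-band lookup), which this example does not attempt.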
6. Whaling (Business Email Compromise)
Whaling is a form of phishing that falls under Business Email Compromise (BEC), in which not only ordinary employees of a business but also its executives, the “whales”, are targeted. BEC attacks start as spear phishing attacks against employees. Many resources exist that provide employee details for legitimate (sales and marketing) purposes, including name, business email address and job title; unfortunately, this also gives malicious actors a leg up. With corporate email, name, and title data widely available, hackers can easily spoof an executive’s email address or display name and send a message to one of the exec’s subordinates authorizing a wire transfer to a “new vendor,” requesting an account to be created for a “new hire,” or a myriad of other actions that plant seeds for a much larger exploit down the line. A single exposed credential can seed an incident of that scale: the Colonial Pipeline ransomware attack began with a compromised password for a legacy VPN account that did not have multi-factor authentication.
A whaler’s ideal prize is an account takeover of a company’s CEO or other high-ranking executives. While spoofing the CEO’s email address can be successful, many email security suites can detect a spoofed sender (through SPF, DKIM and DMARC checks and display-name impersonation rules) and keep the malicious message out of its target’s inbox. However, if a hacker can capture an exec’s credentials and log in to their mailbox, they can send email that genuinely originates from the corporate mail system and therefore passes all of those checks. Not to mention the multitude of exploits possible outside the realm of BEC when a hacker has direct access to a CEO’s corporate accounts.
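The contrast drawn above, between a spoofed executive that header checks can catch and a taken-over account that they cannot, can be shown on real message headers. The following is an added example, not code from the original article: it applies three common BEC rules (executive display name on the wrong address, Reply-To diverted to another domain, and an apparently internal sender that our gateway did not see pass DMARC) to three constructed messages. `OUR_DOMAIN`, `EXECUTIVES` and the sample messages are assumptions; the `Authentication-Results` handling is a simplified substring check.

```python
"""Flag executive-impersonation patterns in an inbound message's headers.

Added example (not from the original article). OUR_DOMAIN, EXECUTIVES and
the three sample messages are assumptions/constructed.
"""
import email
from email.utils import parseaddr

OUR_DOMAIN = "acmecorp.example"                       # assumption
# Display names worth impersonating -> the person's real address
# (assumption; in practice this comes from the directory).
EXECUTIVES = {"jane doe": "jane.doe@acmecorp.example"}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw):
    """Return a list of finding codes; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Executive's display name on an address that is not theirs: the
    #    classic BEC spoof, "Jane Doe <ceo.janedoe@freemail.example>".
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        findings.append("display-name-impersonation")

    # 2. Replies silently diverted to a different domain.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to-mismatch")

    # 3. Claims to be from us, but our gateway did not record dmarc=pass.
    #    Simplification: production code parses Authentication-Results
    #    (RFC 8601) and trusts only the instance our own gateway added,
    #    after stripping any copy that arrived from outside.
    if _domain(from_addr) == OUR_DOMAIN:
        auth = msg.get("Authentication-Results", "").lower()
        if "dmarc=pass" not in auth:
            findings.append("internal-sender-without-dmarc-pass")
    return findings


# Constructed sample 1: spoofed CEO on a free-mail address. Note that SPF and
# DMARC pass for the attacker's own domain; authentication is not legitimacy.
SPOOFED_EXEC = """\
From: Jane Doe <ceo.janedoe@freemail.example>
To: pat@acmecorp.example
Subject: Urgent wire for new vendor
Authentication-Results: mx.acmecorp.example; spf=pass smtp.mailfrom=freemail.example; dmarc=pass header.from=freemail.example

Pat, please process the attached wire today. I am in meetings all day.
"""

# Constructed sample 2: forged internal From, replies diverted, DMARC fails.
DIVERTED_REPLY = """\
From: Jane Doe <jane.doe@acmecorp.example>
Reply-To: Jane Doe <jane.doe.ceo@webmail.example>
To: pat@acmecorp.example
Subject: Re: vendor bank details
Authentication-Results: mx.acmecorp.example; spf=fail smtp.mailfrom=acmecorp.example; dmarc=fail header.from=acmecorp.example

Use the new account number below for this month's payment.
"""

# Constructed sample 3: the attacker phished Jane's credentials and sends
# from her real mailbox. Every header is genuine.
TAKEN_OVER_ACCOUNT = """\
From: Jane Doe <jane.doe@acmecorp.example>
To: pat@acmecorp.example
Subject: New hire account
Authentication-Results: mx.acmecorp.example; spf=pass smtp.mailfrom=acmecorp.example; dkim=pass header.d=acmecorp.example; dmarc=pass header.from=acmecorp.example

Please create an account for our new contractor and send me the credentials.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed exec", SPOOFED_EXEC),
                       ("diverted reply", DIVERTED_REPLY),
                       ("taken-over account", TAKEN_OVER_ACCOUNT)):
        print(f"{label:20} {check_message(raw) or 'no header findings'}")
```

The third message is the point of the paragraph above: once the executive’s own mailbox is sending the mail, `check_message` returns nothing, because there is nothing wrong with the headers. That case has to be caught elsewhere, for example through sign-in anomalies, new mailbox forwarding rules, or the credential-exposure alerting described earlier on this page.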
As whalers get more sophisticated, they use their business email compromise techniques to capture details from suppliers or vendors the target company does business with. Phishing attacks are more successful when the message appears credible, and so a request to change a payment bank account number may not look suspicious if it appears to come from a known and trusted accounts receivable contact at a vendor, especially when it arrives inside an existing email thread. Moving up a target company’s supply chain is an increasingly common pattern in business email compromise, which is why a change of payment details should always be confirmed through a second channel, such as a phone call to a number already on file.