Monday, Oct 18, 2021
BY: Justin Heard - Security Analytics Team
As any cybercriminal will tell you, the most vulnerable pieces of your company’s infrastructure are sitting at their desks right now. Employees are often easy to distract and fluster, making them vulnerable to social engineering attacks. One of the most common attacks is phishing.
Phishing isn’t a new phenomenon. Crooks and spammers have been sending fraudulent emails since the days of AOL and CompuServe in the late eighties. In the last two decades, though, this attack method has grown in volume, velocity, and villainy.
Low return ‘spray and pray’ phishing campaigns that harvest banking details from a handful of unwitting consumers have given way to more targeted approaches. Phishers have refined their techniques and tailored their campaigns to produce more focused outcomes. If they haven’t targeted your employees yet, have no doubt; they’re coming.
Smart companies will protect themselves by training workers to spot phishing emails before attackers strike. Here are a few phishing tricks to look for and best practices to help employees keep this online scourge at bay.
Devious domain names
Phishers register web domains for two reasons: to send phishing emails and host fraudulent sites to extract sensitive information. They want to fool a victim into thinking that a link will take them to a legitimate page on their company’s own web server, such as an HR support page.
Attackers can’t use a target’s real domain (say, anexamplecompany.com) because they don’t control it, so they’ll often disguise links that actually point to domains they own. Employees should hover their mouse over links in emails to see whether the real domain in the hyperlink looks legitimate.
Criminals often fool victims by registering a domain that looks similar to the target. These include domains with misspellings (aneamplecompany.com) or punctuation (an-examplecompany.com). They sometimes use the victim’s domain as a subdomain of a site that they own (anexamplecompany.aphishingdomain.com).
Attackers will also play with top-level domains to fool victims. Would your employee spot anexample.company as a fake? How about anexamplecompany.biz or anexamplecompany.co?
More recently, phishers have started using legitimate domains. Setting up a phishing site on a cloud-based platform like Microsoft 365 enables them to send emails from a trusted domain and host their malicious sites on it.
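The lookalike tricks described above (misspellings, inserted punctuation, the trusted name used as a subdomain, and swapped top-level domains) can be checked mechanically before a user ever clicks. The following Python is an added example, not code from the original post or from Nuspire; anexamplecompany.com is the constructed trusted domain from this page, and the classifier naively treats the last two labels as the registrable domain (no public-suffix list).

```python
"""Classify the host of a link in an email against the organisation's real domain."""
from urllib.parse import urlsplit

# Constructed value: the legitimate domain used in the examples on this page.
TRUSTED_DOMAIN = "anexamplecompany.com"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link_host(url: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Return 'legitimate', 'unrelated', or a 'lookalike: ...' reason for the URL's host."""
    if "://" not in url:
        url = "http://" + url  # accept bare hostnames as well as full URLs
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    trusted = trusted.lower()
    if host == trusted or host.endswith("." + trusted):
        return "legitimate"  # the real domain or one of its subdomains
    labels = host.split(".")
    t_name, t_tld = trusted.rsplit(".", 1)
    # Naive registrable part: assumes a single-label TLD such as .com, .biz or .co
    r_name, r_tld = (labels[-2], labels[-1]) if len(labels) >= 2 else (host, "")
    if t_name in labels[:-2]:  # anexamplecompany.aphishingdomain.com
        return "lookalike: trusted name used as a subdomain of another domain"
    if "".join(labels) == t_name or (r_name == t_name and r_tld != t_tld):
        return "lookalike: same name under a different top-level domain"  # anexample.company
    if r_name.replace("-", "") == t_name:  # an-examplecompany.com
        return "lookalike: punctuation inserted into the name"
    if edit_distance(r_name, t_name) <= 2:  # aneamplecompany.com
        return "lookalike: misspelling of the trusted name"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links drawn from the tricks described on this page.
    for link in ["https://hr.anexamplecompany.com/reset", "https://aneamplecompany.com/login",
                 "http://an-examplecompany.com", "https://anexamplecompany.aphishingdomain.com/hr",
                 "anexample.company", "https://anexamplecompany.biz", "https://anexamplecompany.co/"]:
        print(f"{link:50} -> {classify_link_host(link)}")
```

A mail gateway or awareness tool can run this over every link in a message and flag anything other than "legitimate" for the reader, which is the same hover-and-inspect check the text asks employees to perform by hand.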
Consider email content
It’s important for employees to look at email content critically. Emails with poor grammar and spelling are a giveaway, but emails are getting more sophisticated. Phishers often research their victims to understand more about their everyday routines, using this information to make them more convincing.
Train workers to look for subtler signals, such as unusual requests to visit websites or send personal information. Tell them to be suspicious of all unexpected attachments – even if they seem to come from a trusted colleague or appear related to their job.
Be extra careful of the most devious phishing attacks of all: business email compromise (BEC). These attacks target specific individuals with access to corporate accounts. The emails, often appearing to come from senior executives, will urge them to make seemingly legitimate payments to fraudulent accounts.
As these emails become more sophisticated, employees must learn to question everything. Have them double check with relevant departments when emails arrive urging them to log into corporate systems. Train them to check with executives personally when they get requests to make emergency payments. Even better, require multiple people to approve financial transfers.
Training is key
This kind of anti-phishing awareness requires training. Establish an education program for all employees regardless of seniority to make them aware of the dangers. Reinforce this with chains of command and mechanisms that support and empower employees to fight phishing. Refresh the training content over time to make it timely, engaging and effective.
What do these support mechanisms look like? Establish clear channels for employees to verify emails supposedly from departments such as HR, Finance, and IT.
Similarly, people need a simple reporting structure for phishing emails. Who do they warn when they receive one, and how? Enable them to report the incident digitally by sending the emails to well-publicized addresses.
It’s also crucial that employees have a way to warn IT if they fall victim to a phishing email. That requires a consistent, constantly monitored channel so that the security team can take immediate action. Time is of the essence here, as a fast response could prevent ransomware crooks from stealing and encrypting your data.
Employees will only report their mistakes if they don’t fear reprisals. This requires a measure that, for some, will be the most difficult of all: avoiding blame culture. The company must convince employees that it will not punish honest mistakes. Cultural changes are difficult to foster and measure, but this is a crucial part of any cybersecurity awareness program.
Test employee awareness
A blame-free culture doesn’t mean a lack of accountability. Testing is the key to enforcing phishing awareness measures. A testing campaign uses fake phishing emails to measure employees’ diligence, helping to keep them watchful.
An anti-phishing test shouldn’t be adversarial. Notify employees so that they’re aware of what’s coming. The test will provide metrics, identifying employees that caught and reported the phishing emails along with those that took the bait.
Repeat the testing program periodically using different parameters. Switch up the email content with different social engineering attacks. Try different senders and payloads. This will build resilience and keep workers alert.
These measures will all help your employees to defend your company’s systems and data from phishing attackers. But protection shouldn’t stop at awareness. Phishing attacks may still slip past employees, and it only takes a single, successful attack to endanger your entire operation.
This is why extra layers of protection are important to complement employee awareness. These can include the use of multi-factor authentication, email security scans, and clear messages that identify external emails to employees. Endpoint detection and response is another technology category that can catch phishing payloads and quarantine infected devices before they become a problem.
Working with a trusted third-party security provider to train employees, protect your infrastructure, and respond to incidents will help you to ward off one of the most consistent and pernicious cyberthreats facing modern organizations. Talk to Nuspire about how we can help you send phishers home empty-handed.