What is Phishing?
Phishing is the most popular and accessible method that attackers use to infiltrate a business to exfiltrate data, instigate wire fraud, and hold company data ransom. It involves sending thousands or millions of messages that ask victims to act on the sender’s behalf. While phishing is the term attributed to random email solicitations, spear phishing and whaling are forms of phishing that target specific individuals or groups within a company and are typically crafted with those targets in mind. Specifically, whaling seeks to elicit cooperation from C-level executives in an organization.
Current Mitigation Techniques
While email spam-filters attempt to detect these malicious messages, attackers can bypass even the most sophisticated technical solutions. Spam filtering tries to block illegitimate email while still allowing emails through so that business can be conducted. Attackers take advantage of this fact and continuously refine their phishing attempts so that they bypass these counter-measures.
Besides using signatures of known spam emails and anti-spoofing whitelist mechanisms such as SPF, spam filters have a difficult time judging whether an email is legitimate. Some heuristics engines attempt to add intelligence to this process, but nothing is perfect due to the infinite possibilities provided by human language and a computer’s inability to extract meaning and intent. Therefore, every judgment is made using conditional criteria and pattern matching to figure out whether an email is spam or legitimate. To this extent, there isn’t a complete technical solution to the problem of phishing, unless you effectively disallow emails from outside entities.
Common Phishing Techniques
Instead of relying solely on a technical solution, IT professionals should train users adequately and regularly so that they stay on guard. No matter the technical prowess of users, IT departments must develop educational programs to combat this growing threat. Phishers do not deploy too many technical tricks to fool their victims. Instead, they rely on many social engineering techniques that try to elicit an emotional reaction out of victims. These include:
- The Good Samaritan
- Promise of rewards
- Threats
- Hoaxes
All these methods seek to inspire helpfulness or instill fear in the victim so that they perform actions that benefit the attacker. The Good Samaritan tactic is best illustrated by phishing emails that seek charity. Often a reward is offered as an incentive for charitable contributions. The Nigerian Prince scam and lottery scams take advantage of gullible victims by promising a reward for their actions. Often attackers use threatening language that includes legal and financial measures against victims if they do not comply. Hoaxes are another form of threatening language that implores a user to act even if there is no legitimate threat. Typically, this is seen in a fake virus email that asks the user to install a piece of software to mitigate the threat.
One common thread to both positive and negative social engineering tactics is the use of urgency to compel victim action. People like to be helpful, and often an attacker attempts to elicit sympathy from the victim and claims to be on a tight schedule. The victim, wanting to be helpful, lets down his or her guard, most likely bypassing company procedure, and attempts to aid the attacker. In this way, the victim can feel like a hero for taking care of the person’s issue. Threats also incorporate urgency to fool victims into complying with the attacker’s wishes; this is typically seen when the attacker requests funds.
Impersonation is another way that attackers attempt to fool victims. If email services are correctly set up, this should be easy to spot by hovering over the From field to see the actual email address from which the message was sent. However, if email service best practices have not been followed, attackers may be able to spoof an organization’s domain and appear to be sending legitimate email from within the company. In this case, hovering over the From field does not differentiate coworkers from attackers.
Often attackers pretend to be a victim’s superior while using spear-phishing tactics. Urgency and threats are common tactics to get victims to provide information or transfer funds to the attackers. If spoofing is not an option for the attacker, they often use a free email account from Yahoo or Google and merely use the victim’s supervisor’s name. Hovering over the sender’s name reveals that the email was not sent from a company email address.
Lastly, if an attacker can compromise an employee’s email account, they can easily impersonate that employee and send emails that typically bypass the organization’s spam filter entirely. In this sense, the attack is now an insider threat and can go undetected for an extended period. Attackers even like to cover their tracks by creating mail rules that delete any sent messages used in subsequent attacks.
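The following is an added example, not code from the original article, showing how the signals described above (a known display name paired with a free webmail address, a mismatched Reply-To, failed SPF/DKIM/DMARC verdicts, and urgency, threat and payment language) can be turned into a simple triage score of the kind a spam filter's heuristics engine or an IT helpdesk script might apply. The two messages, the staff directory and the keyword lists are constructed for illustration; the domain example.com and the names in it are placeholders. Note that the suspicious sample passes SPF, DKIM and DMARC, because a free webmail provider legitimately sent it, which is exactly why authentication checks alone are not enough.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: display name of the CFO, but a free webmail address,
# a different Reply-To, and a body mixing urgency, a threat and a payment request.
SUSPICIOUS_RAW = b"""From: Jane Doe <jane.doe.cfo@gmail.com>
To: Bob Smith <bob.smith@example.com>
Reply-To: accounts.payable.cfo@yahoo.com
Subject: Urgent wire transfer needed today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com
Content-Type: text/plain; charset=utf-8

Bob, I am in a meeting and cannot take calls. I need you to process a wire transfer
to a new vendor immediately, within the next 2 hours, or we will face legal action.
Send me the bank details form and I will fill it in.
"""

# Constructed sample: a routine internal message from the same person.
BENIGN_RAW = b"""From: Jane Doe <jane.doe@example.com>
To: Bob Smith <bob.smith@example.com>
Subject: Q3 planning deck
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Bob, could you add the headcount slide to the planning deck before Friday?
Thanks, Jane
"""

INTERNAL_DOMAIN = "example.com"                       # placeholder company domain
KNOWN_STAFF = {"jane doe": "jane.doe@example.com"}    # constructed staff directory
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Keyword heuristics for the social-engineering themes the article describes.
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|asap|within the next \d+ (hours?|minutes?))\b", re.I)
THREAT = re.compile(r"\b(legal action|lawsuit|account (will be )?suspended|terminat(e|ed|ion)|penalt(y|ies))\b", re.I)
PAYMENT = re.compile(r"\b(wire\s+transfer|gift cards?|bank details|invoice|payment)\b", re.I)


def parse_auth_results(msg) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results headers."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def analyze(raw: bytes) -> dict:
    """Score one raw RFC 5322 message and list the reasons behind the score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    findings, score = [], 0

    # Known employee name on a non-company address is the classic CEO-fraud pattern.
    name_key = display_name.strip().lower()
    if name_key in KNOWN_STAFF and addr.lower() != KNOWN_STAFF[name_key]:
        findings.append(f"display name '{display_name}' is staff but address is {addr}")
        score += 3
    if domain in FREE_MAIL_DOMAINS:
        findings.append(f"sent from free webmail domain {domain}")
        score += 1

    # Replies silently redirected elsewhere are another impersonation tell.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != addr.lower():
        findings.append(f"Reply-To {reply_addr} differs from From {addr}")
        score += 1

    # Failed authentication on a message claiming the company domain suggests spoofing.
    auth = parse_auth_results(msg)
    for method, result in auth.items():
        if result != "pass":
            findings.append(f"{method} verdict is {result}")
            score += 2

    # Subject plus body, scanned for urgency, threats and payment requests.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    for label, pattern, weight in (("urgency", URGENCY, 1), ("threat", THREAT, 2), ("payment request", PAYMENT, 2)):
        hits = sorted({m.group(0).lower() for m in pattern.finditer(text)})
        if hits:
            findings.append(f"{label} language: {', '.join(hits)}")
            score += weight

    verdict = "likely phishing" if score >= 5 else "review" if score >= 2 else "probably legitimate"
    return {"from": addr, "display_name": display_name, "auth": auth,
            "findings": findings, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for raw in (SUSPICIOUS_RAW, BENIGN_RAW):
        result = analyze(raw)
        print(f"{result['from']}: {result['verdict']} (score {result['score']})")
        for finding in result["findings"]:
            print("  -", finding)
```

The weights are arbitrary and meant to be tuned; the point is that no single signal decides, and the final call still belongs to a person, as the article argues.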
How to Defend against Phishing
Rather than falling for the previously mentioned tricks, follow these suggestions when you see an unusual email:
- Look for signs that the email sender is attempting to use social engineering to manipulate you to act. If something is too good to be true, it probably is. If you are being threatened with legal or financial action, it is likely a phishing attempt.
- If a sender asks for payment, you should be suspicious. Verify with other individuals that the request is legitimate. If it is a coworker asking for a transfer of funds, call that person and verify that they sent the email.
- Be suspicious of emails with spelling and grammatical errors, but don’t use this as your sole criterion in determining whether the email is illegitimate. Attackers are crafting more sophisticated messages targeting specific victims.
- Avoid following links to websites from individuals you do not know. Typically, malicious links initiate a drive-by download on a computer that allows further malware to be downloaded and installed to infiltrate and attack a company’s network.
- Report suspicious emails to your IT department so that they can mark the message as spam manually and check for compromise. On Outlook, you’ll need to create a new message and drag the malicious message into the body of the message so it is added as an attachment. This allows the email administrator to check the email headers to get more details on the message. Simply forwarding a message to IT will not give them this ability.
- Enable multi-factor authentication (MFA) for email accounts to avoid compromise. MFA involves setting up an authenticator app on a mobile phone with a rotating 6-10-digit code that must be used in addition to a password. Alternatively, a user can opt to receive a one-time code via SMS that is used in conjunction with the user’s password. This method is less secure, since phone numbers can also be compromised, but it is better than nothing.
- Follow your intuitions if you sense something is out of order. Do not trust until you have verified!
The end goal of the attacker may be to get the user to initiate a wire transfer, disclose private information, or even download and install a malicious application that then attacks the network or exfiltrates data to a third party. Regardless of intent, it should be clear by now that much damage can be done with little effort on the part of the attacker. It is our job, as IT professionals and end-users, to be aware of these tactics and how we can avoid falling prey. As such, IT and end-users need to work together to communicate when they see suspicious activity, so that we remain ever vigilant in safeguarding sensitive company and customer data.
Take some time to peruse the resources below and take the phishing quiz to see how well you do.
Security Tip (ST04-014): Avoiding Social Engineering and Phishing Attacks
The Nigerian Prince: Old Scam, New Twist
Unexpected prize & lottery scams