The Thing About Phishing – Issue #3
By now, pretty much everyone knows about phishing. It has been behind some of the biggest breaches in history and has been flooding our inboxes with humorously bad requests for our credit card numbers and bank account logins. We make jokes about the hilariously bad grammar (e.g., “Your account has compromised, please login!”), the people who fall for Nigerian money scams, and the people who try every username and password they’ve ever used attempting to log into the PayPal account they don’t actually have. This whole phishing thing can be quite entertaining. The thing about phishing, though, is that it has become far more serious. Many of the most significant breaches over the past decade originated through phishing, and in excess of 75 percent of all breaches start with a phish. Phishing even may have helped sway a U.S. presidential election (we’re looking at you, Mr. Podesta).
This issue will explore the different types of phishing attacks, look at some of the impact phishing has had, and talk about strategies to defend yourself and your company.
The Thing About Phishing
The best phish attempts will not only look legit in your inbox and browser but make what they said would happen actually happen. Attackers want your bank account login. What better way than to give you the exact page you use every day to log into your bank account and then actually log you into your bank account as a result? While the run-of-the-mill phish emails stand out like a sore thumb in your inbox, good phish attempts blend right in as part of the hundreds of emails you process a day, usually in between more important tasks. A good phish will tell you that your UPS package has been delayed right when you were expecting it to show up, remind you of a bill that needs to be paid from a vendor you do business with, or come as a request from your boss that even references a recent transaction. Attackers know a little bit about you — just enough to lower your guard. Their emails look every bit as real as any other email. Of course, there’s a bit of luck involved. Even with a little bit of research on LinkedIn or Facebook, it’s still difficult to know exactly when someone was expecting that UPS package. But if they send an email to every employee in the company, the odds are they’ll find someone who was expecting a package. And if they don’t, they can just keep trying. Most people recognize a phish, most days. Persistence pays off.
Phishing is hard, at least when done well. You have to research your target. You have to put together a compelling replica of the real thing. You have to make sure it does what it was supposed to do if you don’t want your target to be tipped off. There are phishing toolkits for sale — yes, you read that right — that take some of the effort out, but it is still a time-consuming game. It’s just so effective, though. If phishing is a symptom, companies putting all their security eggs in the perimeter defense basket is the disease. Strong perimeter defense is the digital equivalent of building a great fence. Fences are intended to be a deterrent, but most people know they are not a credible defense against an adversary who knows there is something of value on the other side. Cameras, sensors, guards, keys and/or badges, and other measures are necessary. Active measures must be mixed with passive measures. Just as in the real world, this is equally true in the digital world. Unfortunately, companies were too overwhelmed by this new field, with little practical guidance on what they actually should do. This was great news for network security vendors, who promised a complete security solution but then sold their customers a fence.
It didn’t take attackers long to pounce. As companies were focused on making as much of their data as possible electronic — and even acquiring new data from their customers to hang onto — attackers were getting good at phishing. Initially, the results were benign enough. Attackers would get on someone’s PC and grab what was there before they got caught. But they eventually realized they weren’t getting caught. Not only could they persist, but they could move around freely once inside, moving to increasingly higher-value targets and often finding the company’s Crown Jewels. From the now-routine stories of ransomware to the devastating stories of massive breaches — Sony, anyone? — it is clear phishing is a winning strategy.
It’s Not Just Nigerian Princes Emailing Your Grandma
In 2017, 76 percent of organizations said they experienced phishing attacks. In February 2017, the Anti-Phishing Working Group (APWG) reported that 2016 had an average of 92,564 phishing attacks per month, an increase of 5,753 percent over 12 years. In February 2018, they reported, “The number of unique phishing reports submitted to APWG during Q3 2017 was 296,208, nearly 23,000 more than the 273,395 reported in Q2 2017.”
As phishing has evolved, it has moved beyond spam emails sent to personal accounts and has grown to sophisticated attacks on big targets. According to a 2016 report from CoFense, more than 91 percent of cyberattacks and resulting breaches stemmed from a spear-phishing email. Some larger-than-life examples of this include the Italian soccer team that paid 2 million euros in a player trade deal, the tech firm that lost $46.7 million and the two US tech companies that paid more than $100 million to a man in Lithuania.
The 2017 IBM Threat Intelligence Index showed that up to half of all spam emails contained malicious attachments, and a November 2017 Symantec report stated that 54 percent of all email was spam. All of these industry statistics simply enforce what we already know: Spam isn’t just a time-consuming annoyance; it is a delivery mechanism for attacks.
While there are many phishing variants (soft-targeted phishing, spear-phishing, business email compromise, etc.), the motivation is the same: find a person willing to click/open/disclose in order to gain credit cards, personally identifiable information, financial records or even medical records.
After a seemingly never-ending barrage of different data breaches, it’s clear that now, more than ever, all of us are targets for complex phishing attacks. If you have a credit card or bank account (Equifax, JP Morgan, Heartland), pay for a health care plan (Anthem), have booked travel (Orbitz), worked for the federal government (OPM), subscribe to a video-streaming service (Netflix) or maintain a social media account (Facebook), etc., chances are someone somewhere has pieces of your personally identifiable information. That means cyber criminals are well-positioned for a profitable future. They know everything about you and haven’t even begun to take advantage of the data they have yet.
Top Five Most Common Types of Phishing
Phishing emails appear to come from someone you trust, such as an online provider, bank, credit card company or popular website. These emails typically try to trick you into giving away sensitive information such as your username, password or credit card details.
They also may try to install malware onto your computer by getting you to click on a malicious link or open an infected attachment.
Spear phishing – Email spoofing fraud specifically targeting a company or individual.
Why Are We All Still Falling For it?
Human nature. It’s the simplest explanation and the most difficult thing to change. There have been many studies done to tackle the questions of how and why we are still falling victim to these attacks, even though everyone today is aware of the fraud. All of these studies agree that the most successful phishing attacks share a few characteristics: They rely on “knee-jerk” reactions and use fear tactics to urge action. It also doesn’t help that phishing is becoming more convincing than ever. Attackers continue to evolve and use technology to their advantage, whether it’s registering cheap domains, spoofing phone numbers or luring you through social media. In the grand scheme of things, attackers can put in relatively low effort and reap their rewards.
Who is likely to fall victim?
Everyone. It’s easy to blame certain demographics for security breaches — “older users” or “entry-level employees” — but the truth is 34 percent of executives/owners and 25 percent of IT workers reported being the victim of a phishing email — more often than any other group of office workers. And a 2016 survey showed that millennials were more likely than baby boomers to be victims of tech support phishing scams.
What are we likely to click?
Anything that urges a quick response and/or piques your interest. Phishing attacks often use messages such as “missed delivery,” “security incident — reset your password” and “new job opportunity.” Messages like this are common enough not to raise suspicion and important enough to warrant action. After all, who isn’t shopping online and concerned about their account security?
When are we likely to click it?
When we are most vulnerable. Using real events like tax return deadlines and end-of-the-month/quarter rushes, attackers rely on us being tired and stressed out. Phishers know employees are more likely to respond to a spoofed email from their “manager” at 4 p.m. on a Friday versus 10 a.m. on a Tuesday.
Where is this happening?
Everywhere. Companies. Personal lives. It’s not tied down.
How can we get better at identifying phishing scams?
The first step in identifying phishing scams is to understand what it is you’re up against. Being mindful of what you are clicking on, who you are talking to and what you are reading is the first and most important step in a good defense. Next, you must verify. Look at the sender’s email address, not just their display name. Check hyperlinks before clicking them. Check the spelling of websites. Confirm with your friend or coworker who sent you the email with the attachment.
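The verification steps above (look at the sender’s real address rather than the display name, inspect where a hyperlink actually goes, and watch for misspelled site names) can be turned into an automated first pass over a message. The script below is an added example written for this issue, not code from the article, Rhythmic, or any mail product. It assumes a small allow-list of brands the recipient actually deals with (`TRUSTED_DOMAINS`) and a constructed digit-for-letter substitution table; both sample messages are constructed for the demo.

```python
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of brands the recipient actually deals with.
TRUSTED_DOMAINS = {"paypal.com", "ups.com"}
# Digits commonly swapped for letters in lookalike domains (constructed map).
HOMOGLYPHS = str.maketrans("0135", "oles")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (no public-suffix list; fine for the demo)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(domain):
    """Trusted domain that `domain` imitates (brand word used as a label, or a
    near misspelling after digit-for-letter substitution); None otherwise."""
    if domain in TRUSTED_DOMAINS:
        return None
    normalized = domain.translate(HOMOGLYPHS)
    tokens = set(re.split(r"[.-]", normalized))
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in tokens or SequenceMatcher(None, normalized, trusted).ratio() >= 0.85:
            return trusted
    return None


def check_message(raw):
    """Return a list of human-readable red flags found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1])
    # 1. Display name claims a trusted brand, but the real address is elsewhere.
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted.split(".")[0] in display.lower() and sender_domain != trusted:
            findings.append(f"display name '{display}' but address is @{sender_domain}")
    if hit := lookalike_of(sender_domain):
        findings.append(f"sender domain {sender_domain} resembles {hit}")
    # 2. Each hyperlink: does the visible text name a different site than the href?
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = LinkExtractor()
        parser.feed(body.get_content())
        for href, text in parser.links:
            target = registrable_domain(urlparse(href).hostname or "")
            shown = re.search(r"[\w.-]+\.[a-z]{2,}", text.lower())
            if shown and registrable_domain(shown.group(0)) != target:
                findings.append(f"link text shows {shown.group(0)} but goes to {target}")
            if hit := lookalike_of(target):
                findings.append(f"link target {target} resembles {hit}")
    return findings


# Constructed sample: lookalike sender, a disguised link, and one honest link.
PHISH = """\
From: "PayPal Security" <alerts@paypa1-secure.net>
To: user@example.com
Subject: Your account has been limited
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="http://paypa1-secure.net/login">https://www.paypal.com/login</a> within 24 hours.</p>
<p>Track your package at <a href="https://www.ups.com/track">ups.com</a>.</p>
</body></html>
"""

# Constructed sample of a legitimate notice: brand, address and link all agree.
LEGIT = """\
From: "UPS My Choice" <noreply@ups.com>
To: user@example.com
Subject: Delivery update
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://www.ups.com/track?id=1">www.ups.com</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, check_message(raw) or ["no red flags"])
```

Run it on the two samples and the phish produces four flags (brand in the display name but a different sending domain, a sender domain built around the brand word, link text naming paypal.com while the href goes elsewhere, and that href target resembling paypal.com), while the legitimate notice produces none. The allow-list approach is deliberate: the checker only raises lookalike flags for brands you have told it matter, which keeps the noise down on ordinary mail.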
What You Can Do
We know that phishing is everywhere and everyone is a target, but that doesn’t mean you should lose hope. We talked to Megan Cruz, Rhythmic’s compliance analyst, about the best practices businesses and individuals can use to protect themselves against phishing.
Best Practices for Businesses
Protect your office
A spam filter program is an easy way to have a first line of defense. Spam filters can detect unsolicited and/or unwanted emails and prevent them from reaching an employee’s inbox. While your spam filter can quarantine emails and should be able to remove “graymail,” it will not remove the threat of phishing completely and should never be relied on as your only defense.
There are multiple services that you can use to (harmlessly) phish your own organization. These services send out phishing emails to your employees, then score and report back findings around your effectiveness and weak links. The campaigns generally track at an employee level and look to see who and what is being opened, clicked or just deleted. These tools help you see what your employees would click on and where you are vulnerable. This information can help you decide what additional protections your organization needs, from additional employee training to better safeguards.
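To show what the per-employee tracking described above turns into once the campaign ends, here is an added example of scoring a simulated campaign from its event log. It is not code from the article or from any simulation vendor; the department names, the employee list and the event stream are all constructed, and the scoring rules (a click implies an open, a report after a click still counts as a click) are assumptions chosen for the demo.

```python
from collections import defaultdict

# Constructed recipient list for one simulated campaign: employee -> department.
SENT = {
    "alice": "finance", "bob": "finance", "hank": "finance",
    "carol": "engineering", "dave": "engineering",
    "erin": "sales", "frank": "sales", "grace": "sales",
}

# Constructed event stream from the simulation's mail tracking and landing page,
# in the order recorded. One employee may produce several events.
EVENTS = [
    ("alice", "opened"), ("alice", "clicked"),
    ("bob", "deleted"),
    ("hank", "clicked"),                                           # click without a tracked open
    ("carol", "opened"), ("carol", "reported"),
    ("dave", "opened"), ("dave", "clicked"), ("dave", "reported"),  # clicked, then reported
    ("erin", "opened"),
    ("frank", "opened"), ("frank", "clicked"),
    # grace never acted on the email
]


def outcomes_per_employee(events):
    """Collapse the stream to a set of outcomes per employee; a click implies an open."""
    out = defaultdict(set)
    for who, action in events:
        out[who].add(action)
        if action == "clicked":
            out[who].add("opened")
    return out


def score_campaign(sent, events):
    """Per-department open/click/report rates plus who clicked and never reported."""
    out = outcomes_per_employee(events)
    groups = defaultdict(list)
    for who, dept in sent.items():
        groups[dept].append(who)
    report = {}
    for dept, people in groups.items():
        n = len(people)

        def rate(action):
            return round(sum(action in out[w] for w in people) / n, 2)

        report[dept] = {
            "sent": n,
            "open_rate": rate("opened"),
            "click_rate": rate("clicked"),
            "report_rate": rate("reported"),
            "clicked_unreported": sorted(
                w for w in people if "clicked" in out[w] and "reported" not in out[w]
            ),
        }
    return report


def training_priority(report):
    """Departments ordered by click rate (highest first); ties go to the lowest report rate."""
    return sorted(report, key=lambda d: (-report[d]["click_rate"], report[d]["report_rate"]))


if __name__ == "__main__":
    result = score_campaign(SENT, EVENTS)
    for dept in training_priority(result):
        print(dept, result[dept])
```

The report rate is tracked alongside the click rate on purpose: a department where people click but then report (engineering in the sample) is in far better shape than one where clicks go unreported (finance), and the `clicked_unreported` list is the group that most needs the follow-up training the article recommends.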
Train your employees
Basic security awareness training should always be done upon initial hire, and annually thereafter, to ensure all employees are aware of the threats that are constantly changing and evolving. Organizations should consider creating their own training course based on their specific needs and the needs of their employees. Security awareness training programs should be updated and revised as needed, annually at a minimum.
Best Practices for Individuals
Use strong passwords and multi-factor authentication
Use strong passwords, don’t write them down, never share them across multiple systems and use multi-factor authentication whenever you can. Multi-factor authentication comes in many forms: an additional password or pin, a code texted to a phone number that is in your possession, even a fingerprint or voiceprint.
Take advantage of the security features offered by your bank
Even when they aren’t advertised, many banks and credit unions will allow you to set up text and email alerts for specific types of transactions — for example, large wire transfers or withdrawals, or charges from a different country. Remember, you should never disclose your account information over email or text, even if you receive a security alert.
Use your best judgment
When checking your email, whether at home or at work, make sure you are only opening items from people or companies you trust. Cybercriminals do their best to trick you into opening attachments and clicking links in emails, but there are always things you can look for. When using your best judgment, some red flags are misspelled words or bad grammar, threatening messages or hyperlinks you must click. If you have a feeling something is not right, it probably isn’t. Trust your judgment and do your best to protect your personal information.