This week, we sat down with our Director of Security Operations, Brad Pierce, to get his thoughts on phishing attacks. Below we discuss best practices to fight the phish, phishing trends, why phishing is so lucrative and what to do if you have been caught in a phishing attack.
What are some current trends in phishing and social engineering you think readers should be aware of?
A few of the trends that we see around phishing attacks stem from old tactics. The bad actors are really trying to be more detailed and try to add familiar context to emails that are sent in a phishing attack. We do not see the classic examples of bad grammar that used to make a lot of phishing attempts stand out. There is the classic: you have an email about a UPS package that is not being delivered sent on a mass scale in the hopes of catching a subset who clicks the link and downloads the malicious attachment.
Another area that really seems to be trending right now is the compromise of business email accounts or even personal email accounts. Once the malicious individual gains access to credential information, usually by means of a phishing or data breach information dump, they can then start validation of the credentials to get into an email account. From there, they will study the dialogue throughout that inbox and look for conversations or targets in that person's conversation history around financial transactions and things of that nature. Recently we have seen a personal email account get breached, and the bad actor figured out that this person contacted their financial advisors through this email account, so they started some conversations with financial advisors, requesting that money be wired from this person's investment account—this is just one example of the tactics we see used in phishing attacks.
One of the solutions here is educating your users and paying close attention to who they are communicating with. The bad actors can purchase a domain that may be one letter off from a legitimate domain enabling them to launch a phishing attack from a similar domain name that someone might be familiar with and coerce them into providing sensitive information.
These examples highlight the importance of making users aware that these attacks can occur. The key is to have users, especially users dealing in financial transactions, have a heightened awareness of paying attention to who they are communicating with and have a process by which they verify monetary transactions before they are completed.
This could be something as simple as a phone conversation, or a preestablished extra step outside the email chain. Often, we see that the bad actors avoid having those voice verifications or a phone call. They will say they are out of the country or just cannot make a call. So, these are red flags that users need to be aware of when dealing with emails and carry out additional verification on whether they are communicating with the legitimate user that they think they are.
Why is phishing so lucrative for cybercriminals?
One of the reasons phishing is so lucrative for bad actors is that there is extraordinarily little monetary investment necessary. Several platforms allow people to create free email accounts and the ability to purchase a domain with one or two letters off from a legitimate domain can be very inexpensive.
Once an attacker gets their hands on a set of email addresses, or they target a company (they can acquire company email addresses through LinkedIn or company websites), it is almost free for them to make the phishing attempt.
Typically, you see a lot of these operations phish hundreds or thousands of people in the hopes of getting fifty to a hundred people to click links, provide information or continue the dialogue. Whether they get a set of credentials or coerce someone into sending money, there is no monetary overhead for them to start that type of operation. So, phishing can be profitable if they can get targets to do what they request.
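The lookalike-domain tactic described in the two answers above (a sender domain one or two letters off from a legitimate one) can be caught mechanically before a user ever has to judge it. The following is an added example, not code from the interview or from the interviewee's organization; the trusted-domain list and the sender addresses are constructed samples, and the distance threshold is an assumption to be tuned per environment.

```python
# Added example: flag sender domains that are a few characters off from
# domains the organization trusts (typosquats) or that reuse a trusted
# name as a subdomain of some other domain. Constructed sample data only.

# Constructed list of domains this organization actually exchanges mail with.
TRUSTED_DOMAINS = {"examplecorp.com", "examplebank.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum inserts/deletes/substitutions from a to b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lowercased domain from 'Name <user@host>' or 'user@host'."""
    addr = address.split("<")[-1].rstrip(">").strip().lower()
    return addr.rpartition("@")[2]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' (near a trusted domain but not equal) or 'external'.

    max_distance is an assumed threshold: 1-2 catches single-character swaps like
    'examp1ecorp.com'; raise it with care, short domains will start to collide.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        if edit_distance(domain, good) <= max_distance:
            return "lookalike"
        # Trusted name reused as a prefix, e.g. examplecorp.com.attacker-example.net
        if domain.startswith(good + "."):
            return "lookalike"
    return "external"


def triage(addresses):
    """Map each sender address to its verdict; run this over a mailbox export."""
    return {addr: classify_sender(addr) for addr in addresses}
```

Feeding `triage` the From: headers of a batch of messages gives a quick list of senders that deserve the out-of-band verification step the interview recommends, without relying on a user noticing the changed letter.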
What are some ways businesses can fight the phish?
Businesses can defend themselves from phishing attacks by adopting a combination of IT infrastructure, user education and testing. Spam filters (hardware & software) that are positioned to analyze emails, detect anomalies that may be present in an email and inspect any links included in an email are all part of this process.
While a portion of the responsibility falls on the IT staff implementing proper infrastructure to protect against phishing attacks, the area with greater risks is the human element. Educating employees about the many types of phishing attacks out there, along with setting up clear communication channels between IT and various sections of an organization on how they should communicate in the event of IT outages, or teaching users to identify questions that the IT department would never ask is another crucial part of cybersecurity, as we do see a lot of attempts come in the form of IT Department emails.
Another sensitive area in organizations is around the HR departments, payroll or accounts payable. We have seen an uptick in third-party accounts being breached in any area dealing with invoices or payments. The bad actors are using those accounts to act as a legitimate customer of an organization and requesting that certain things be paid, and that money be sent. So clearly defining that channel of communication and having an additional step in place, other than email, to verify those transactions before they are sent out is especially important.
Along the same lines as education, testing the team members is critical. There are products on the market that IT departments can utilize to carry out tests, or they can partner with a firm that specializes in running phishing campaigns to test your users. It is critical to do that testing and then act on its findings. For example, if a user clicks a link, an IT department representative or a security analyst from the company may request a meeting with them to discuss why they clicked the link and why they should not have. Phishing attack prevention is becoming more focused on training and awareness as a result of testing.
If you find out you’ve been phished, what do you do?
If your organization is the victim of a phishing attack, the overall response could go several different ways. If a malicious link has been clicked, software has been downloaded, or a user accessed a website that does not seem legitimate, it could revolve around a simple password change and re-imaging of a machine, all the way to some type of monetary transaction where funds are sent to an unknown bank account.
Instances of monetary fraud might warrant reaching out to law enforcement or the local FBI to provide the information around that attack. It could very well be that information might help them in a current investigation. A lot of these scams target a large set of companies and users, so it is possible law enforcement could already be investigating another attack by the same group. So, the information could help a current investigation at a minimum.
It is particularly important to have a plan for when these types of incidents occur and know the steps to be taken. Right out of the gate, the IT department needs to be involved. They are going to know how to go about password changes and make sure that the machine involved has not received any malicious software. The first step involves reaching out to the IT department and letting them do their investigation, gather all the information needed, and determine whether it should involve law enforcement.
Next week, we will be back with Jen McBride, Cyber Risk Manager, to discuss the benefits and opportunities of a career in cybersecurity. We hope you will join us then. For now, do your part. #BeCyberSmart