Go Phish: Keeping Your Organization Off the Hook

[Image: drawing of a computer phishing attempt]

This guest post is by Connor Rapp, Crew212 member. Thank you for your insight, Connor!

In 2018, roughly 53% of attacks resulted in a loss of $500,000 or more. Every year, Cisco releases a Cybersecurity Report that aggregates the key data from related studies. That figure, drawn from its Security Capabilities Benchmark Study, which surveys over 3,600 respondents across 26 countries, indicates just how substantial a breach in your technological defenses can be. Therefore, a question must be asked: is your company prepared for an attack?

What is Phishing?

The common definition of phishing is being contacted by an imposter disguised as a legitimate source in an attempt to extract sensitive data. I know what some of you reading might be thinking: why is this called phishing? There are no aquatic fauna in that definition. In truth, the name “phishing” comes from the attacker having their target “on the hook” and reeling them in. In other words, you are the fish.

One Phish, Two Phish, Red Phish, Blue Phish

Much like there are different species of fish in the sea, phishing can be considered diversified as well. With the introduction and popularization of new technology, phishing has divided itself into multiple subcategories. For the sake of this article, we will focus on what I refer to as The Big Three.

  1. For the categorical ordering of The Big Three, we will start with the most common form, Deceptive Phishing. As the name implies, the purpose is to mislead the target into supplying personal information, or the access credentials that can lead to personal information. Typically, these attacks are mass-produced with no specific target in mind. An example is an email sent from “Apple iTunes” stating that a purchase just occurred on your account. Luckily for you, a direct link has been supplied from which you can sign into your account and verify the (fake) purchase. Most likely, the website you are directed to will look eerily similar to the actual iTunes website. When you “sign in”, your credentials (both username and password) are handed to the attacker. Thus, you’ve literally given them the keys to your account.
  2. Almost identical in pattern to deceptive phishing, with one exception, our second variation concentrates its attack on a limited, if not singular, target. Spear Phishing is personalized in its attempts, and the attackers often have prior knowledge of the victims before launching the attack. As such, this format can be expected to be the most common way a company’s security is breached.
  3. There are little fish, there are big fish, and there are really big fish. Sometimes, Spear Phishing is focused on a very high-ranking individual. Attacks such as this are known as Whaling. This variant of phishing is no small matter, as the attackers will typically conduct a great deal of research on their target and carry out the attack with far more organization than other forms.

It should be noted that the three forms listed in this article do not encompass all forms of phishing. There are many niches of phishing, and listing them all would have made this article far too long. Instead, we will provide a basic anti-phishing education that, if correctly followed, should be able to defend against most attacks.

Finding the Hook

With a little effort, one might find it’s actually quite easy to distinguish a phishing attempt. Simply looking for a few details can reveal a malicious message:

  • A large portion of phishing emails are sent from abroad. This means grammar and spelling are often sub-par and easy to notice for an individual who is fluent in English. It is highly unlikely that a major organization (your own included) will send out an email that is seemingly riddled with errors.
  • Who is this email from? Was it sent from outside the organization? Be sure to examine the domain name of the email address closely. Often you will see that the email is from someone not typically in communication with you. If it is from someone you know and the message seems irregular compared to how they usually write, they could very well have been phished themselves, and the attacker is now using their account to try to get to you.
  • When was this email sent? Did it arrive outside of regular business hours, when mail from this sender would usually reach your inbox within operating hours?
  • Check the CC’d field. Do you recognize the other recipients? Would it not seem odd that you are included in an email with a bunch of strangers or people outside of your usual work environment?
  • Are there any attachments or hyperlinks? Be incredibly wary of attachments, as they can carry malware. The same Cisco report revealed that 38% of all malicious file extensions were Office, 37% were Archive, and 14% were PDF. Should you examine everything else I’ve listed and still decide that this email is legitimate, then proceed with caution. Otherwise, don’t risk it. Hyperlinks, on the other hand, are easy to check for legitimacy. Simply hover your mouse over the hyperlink (without clicking) to see the connected web address. Is the address the same as what the email is promoting? In any case, it’s usually a good rule of thumb not to follow hyperlinks in emails. Typically, you will know what web address you need to go to and where to sign in. The hyperlink can easily take you to a website that mimics the original in an attempt to harvest your credentials.
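The checks in this list can also be run mechanically before a person ever opens the message. The following Python script is an added example, not code from the original post: it parses a constructed sample email (every address, domain, timestamp and file name in it is made up) and reports the signals listed above, namely an external sender domain, a send time outside business hours, CC recipients outside the organization, attachments with the Office, archive and PDF extensions the Cisco report counts, and hyperlinks whose visible text names a different host than the real target (the programmatic equivalent of hovering over the link). The organization domain `corp.example.com` and the 08:00 to 17:59 business-hours window are assumptions.

```python
"""Added example (not from the original post): run the "Finding the Hook"
checks over a constructed sample email and list what a reader should notice."""
import email
from email import policy
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAIN = "corp.example.com"   # assumed organization domain
BUSINESS_HOURS = range(8, 18)          # assumed 08:00-17:59 (checked in the header's own timezone)
RISKY_EXTENSIONS = {                   # the three categories the Cisco report counts
    "doc", "docx", "docm", "xls", "xlsx", "xlsm", "ppt", "pptx",   # Office
    "zip", "rar", "7z",                                             # Archive
    "pdf",                                                          # PDF
}

# Constructed sample message; all names, addresses and domains are made up.
SAMPLE_EML = """\
From: "Apple iTunes" <billing@apple-itunes-verify.example.net>
To: alice@corp.example.com
Cc: bob@othercorp.example.org, carol@randommail.example.net
Date: Sat, 09 Mar 2019 03:12:44 +0000
Subject: Recent purchase on you account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>A purchase was made on you account. Please <a href="http://login.apple-itunes-verify.example.net/signin">sign in to itunes.apple.com</a> to verify.</p>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

ZmFrZQ==
--b1--
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(address):
    """Lower-cased domain part of a 'Name <user@host>' address string."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def check_email(raw, internal_domain=INTERNAL_DOMAIN):
    """Return a list of human-readable findings, one per suspicious signal."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Who is this email from?  Compare the sender domain with our own.
    sender_domain = domain_of(msg["From"])
    if sender_domain != internal_domain:
        findings.append(f"sender is outside the organization: {sender_domain}")

    # When was it sent?  Weekend or outside the business-hours window.
    sent = parsedate_to_datetime(str(msg["Date"]))
    if sent.weekday() >= 5 or sent.hour not in BUSINESS_HOURS:
        findings.append(f"sent outside business hours: {sent.isoformat()}")

    # Who else was copied?  Count CC recipients from other domains.
    strangers = [a for a in str(msg.get("Cc", "")).split(",")
                 if a.strip() and domain_of(a) != internal_domain]
    if strangers:
        findings.append(f"{len(strangers)} CC recipient(s) outside the organization")

    # Attachments and hyperlinks.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.rpartition(".")[2].lower() in RISKY_EXTENSIONS:
            findings.append(f"attachment with risky extension: {filename}")
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                target = urlparse(href).hostname or ""
                # "Hover over the link": does the shown text name a host other than the real one?
                if "." in text and target and target not in text:
                    findings.append(f"link text '{text}' points to {target}")
    return findings


if __name__ == "__main__":
    for finding in check_email(SAMPLE_EML):
        print("-", finding)
```

The script only surfaces signals for a human to weigh; none of them proves a message is malicious on its own, which is why the post tells you to check everything in the list before deciding.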

Preparing Your Defense

If there is anything to be taken away from this post, it’s that educating the workforce is one of the simplest yet most effective means of defense against phishing. Fortunately, this can be done easily, and the results measured. Host a meeting or two detailing how to weed out malicious emails. Be sure to cover basic cybersecurity principles that all levels of employees can follow. At my previous employer, one way we tested whether these lessons hit home was to run fake internal phishing campaigns. We would author our own phishing emails to make them appear as legitimate as possible, with a few minor tweaks to arouse suspicion.

Should the user click the provided hyperlink, they would be forwarded to a page explaining that they had just fallen for a phishing attempt, what to look out for, and how to improve. With tests like this, the metrics of how many users clicked the link, and which ones, can be recorded.

A second security measure that can be integrated with ease is multi-factor authentication (MFA). MFA is a security measure that has users supply additional means of verification beyond their access credentials, for example through a personal cell phone number or a secondary email address. How does this do anything, you might ask? Say one of your employees had their access codes phished.

The attacker will clearly attempt to use them. However, this is where MFA comes into action. When you try to log in from a computer that is “unfamiliar” with your account, it will request the additional information tied to your MFA. So, if the attacker was not able to retrieve these bits of information, and retrieving them is highly unlikely in a broad phishing attempt, they will not gain access to the account.
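As an added example (not code from the original post), here is a simulated login flow that behaves the way the paragraph above describes: a password on its own is accepted only from a device the account already knows, and an unfamiliar device must also present a second factor, so a phished password alone gets nowhere. The second factor here is a time-based one-time code computed per RFC 6238 (HMAC-SHA1, 30-second steps, six digits), a swapped-in technique rather than the phone-number or secondary-email check the post mentions. The user record, the `known_devices` set and the `login` function are constructed for illustration, and the TOTP seed is the published RFC 6238 test-vector value, not a real secret.

```python
"""Added example (not from the original post): a phished password alone fails
once an unfamiliar device must also present a second factor (RFC 6238 TOTP)."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 time-based code built on the RFC 4226 HOTP construction."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to absorb clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + k * STEP_SECONDS), code)
               for k in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record.  The TOTP seed is the RFC 6238 test-vector value, not a real key.
SALT = b"constructed-salt"
USERS = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",
        "known_devices": {"alice-laptop"},
    }
}


def login(username: str, password: str, device_id: str, otp: str = None, now: int = None) -> str:
    """Password alone is enough only on a device the account already knows;
    any other device must also present a valid second factor."""
    now = int(time.time()) if now is None else now
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw_hash"], hash_password(password, SALT)):
        return "denied: bad credentials"
    if device_id in user["known_devices"]:
        return "ok"
    if otp is None:
        return "challenge: unfamiliar device, second factor required"
    if not verify_totp(user["totp_secret"], otp, now):
        return "denied: second factor failed"
    user["known_devices"].add(device_id)          # remember the device once proven
    return "ok"


if __name__ == "__main__":
    # The phished password works from the attacker's box only up to the challenge.
    print(login("alice", "correct horse battery staple", "phisher-pc"))
    print(login("alice", "correct horse battery staple", "phisher-pc", otp="000000"))
    # The real user, holding the seed, completes the login from a new phone.
    print(login("alice", "correct horse battery staple", "alice-phone",
                otp=totp(USERS["alice"]["totp_secret"], int(time.time()))))
```

The `known_devices` set is what makes a computer "familiar": the first login from a new device always triggers the challenge, and only a correct code adds the device. Whether the second factor is a code from an app, a text message or a secondary mailbox, the property that matters is the same one the post describes: the attacker has the password but not the extra piece.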

All in all, knowing is indeed half of the battle. Simply teaching your workforce how to recognize the characteristics of malicious emails will go far and is a cost-effective way to substantially bolster your cybersecurity. Don’t let your organization be another statistic for Cisco to write about in their 2019 report.
