Bad actors have taken advantage of unpatched systems, software vulnerabilities and increasingly devious forms of malware for years, but their preferred weapon is often phishing. Their motives haven’t changed: they lure victims into clicking highly legitimate-looking emails so they can steal the keys to the castle. But as the CEO of a data security services provider, I’ve seen their attack methods grow more sophisticated.
According to a 2017 FBI bulletin, phishing scams cost the U.S. victims it studied approximately $500 million a year. More alarming evidence appears in a public service announcement the FBI issued earlier this year to raise awareness of the phishing threat, which it called a $12 billion scam.
Even though many businesses spend considerable sums on cybersecurity, phishing scams continue to thrive. The reason is simple: cybercriminals probably won’t bother hacking firewalls when all they need is one vulnerable employee. In my view, the fundamental reason enterprise security fails against advanced cyberattacks is not a lack of competency but a lack of awareness training and policy-setting among employees.
Phishing is all about deception, and the methods cyber baddies use are evolving. For example, many phishers seem to be moving away from the “infect them all” approach and turning to regionalized email attacks and location-based targeting. In a bid to customize attacks and make email scams more believable, cybercriminals are getting better at imitating local brands. Their spelling and grammar are improving in many cases, too.
While email is most strongly associated with phishing attacks, I’ve seen that cybercriminals have been quick to seize on new potential routes into networks, such as social media and messaging apps. Moreover, with more businesses and people turning to cloud applications, attackers are launching more advanced cloud-phishing attacks. One highly sophisticated 2017 phishing campaign targeted Google’s roughly 1 billion Gmail users.
Even as organizations implement advanced security measures and spread awareness about cybersecurity, both corporate and government environments can do more to train employees. Phishing attacks are so appealing to criminals because of the promise of readily offered credentials or admin privileges they can steal directly from staff, which enables attackers to move laterally in the targeted network.
Below are a few useful guidelines that will help safeguard your business from phishing attacks.
Phishing is effective because attacks usually take the form of a well-crafted, apparently legitimate email from a trusted source, like a friend, your CEO, service provider, bank or even your delivery company. Recent phishing attacks that targeted Gmail and Office 365 managed to fool even savvy users. Encourage employees to sniff out phishing scams. Inspect every email carefully, especially if it has any sense of urgency or if it comes from an unknown sender. Scanning emails for links to non-standard webpage addresses is also a useful practice.
The Anti-Phishing Working Group (APWG) issued its Phishing Activity Trends Report for Q1 2018, which reveals a 46% rise in unique phishing web pages. Attackers frequently embed malicious links in emails that appear to come from familiar sources. The promise of a video or an attractive photo encourages unsuspecting recipients to click, only to unknowingly download malware. Sometimes the email may request login details via a link that appears to lead to your company website. Avoid such phishing traps by always typing URLs into the address bar of your browser yourself. Never click a link whose real destination you cannot read.
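The link checks recommended above can be automated on the mail gateway or in a triage script. The following is an added example, not code from the article or its author: it parses an HTML email body and flags links whose visible text shows a different address from the real target, links that point at a bare IP address, and hosts that merely resemble the company domain. `COMPANY_DOMAIN` and `SAMPLE_EMAIL` are constructed placeholders.

```python
# Added example (not the article's code): flags the kinds of links the advice
# above says to inspect. COMPANY_DOMAIN and SAMPLE_EMAIL are constructed values.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-corp.com"  # assumption: the defender's own domain
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")
def is_company_host(host):
    return host == COMPANY_DOMAIN or host.endswith("." + COMPANY_DOMAIN)
class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None
def audit_links(html_body):
    """Return [(href, [reasons])] for links that deserve a second look."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host, reasons = (urlparse(href).hostname or "").lower(), []
        try:  # a bare IP address where a domain name is expected
            ipaddress.ip_address(host)
            reasons.append("ip-literal host")
        except ValueError:
            pass
        shown = HOST_IN_TEXT.search(text.lower())
        if shown and shown.group(1) != host:  # text shows one site, href another
            reasons.append("displayed address differs from target")
        if COMPANY_DOMAIN.split(".")[0] in host and not is_company_host(host):
            reasons.append("lookalike of company domain")
        if reasons:
            findings.append((href, reasons))
    return findings
SAMPLE_EMAIL = ('<a href="https://portal.example-corp.com/login">Sign in</a> '
    '<a href="http://198.51.100.7/login">https://portal.example-corp.com/login</a> '
    '<a href="https://example-corp-secure.net/reset">Reset password</a>')
```

Running `audit_links(SAMPLE_EMAIL)` reports the second and third links and leaves the genuine company link alone; the lookalike check is deliberately crude and is meant as a first filter before human review.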
Email is a favorite attack vector because it makes distributing malware cheap and easy. As noted above, though, cybercriminals have been quick to seize on newer routes into networks as well, such as social media and messaging apps.
Many spam and phishing emails carry malicious attachments. Even if you do recognize the sender, it’s smart to flag emails with attachments for further scrutiny. As many people have seen, some of these attachments are able to slip through known cloud-based security systems. Make sure your messaging security automatically scans and discards suspicious attachments, and instruct your employees to do the same for any that slip through.
If you are not sure about the content of an email, then you should report it. Seek further advice from your company’s IT security team. Create an email support team specifically for suspected phishing emails that can help validate whether a reported email is legitimate or not. You may also consider filing complaints at the Federal Bureau of Investigation’s Internet Crime Complaint Center.
Awareness and education remain your best defense against phishing campaigns. As crafty phishing attacks manage to penetrate security defenses, it is necessary to train employees to make them more aware of the various phishing tactics used by cyber fraudsters. These email-borne threats have become an endemic scourge that can seriously damage your company’s reputation. While it’s vital to keep systems and applications up to date with the latest patches and security updates, it is equally important to keep employees informed by running regular security awareness training.
That means assessing likely threats, making your staff aware of them with clear examples and updating them on new threats regularly. In my experience, an annual training session is not enough. You should also verify that the training is effective, so consider asking your IT team to simulate phishing attacks and record how well the team performs.
Phishing certainly poses a significant risk to your organization. Knowing how to identify a phishing attack is obviously the best defense. If you manage to avoid the bait, the attacker will have no choice but to move on to the next target.