For many, protecting against phishing is intuitive: don’t open attachments from suspect email addresses, don’t buy into any sob story conveyed over an email or private message, don’t give out private information over email or text message. However, for some – particularly those who grew up without a huge amount of computer literacy – these are not instinctual responses. Additionally, so-called “phishers” are coming up with new ways of targeting health information that turn everyone into a potential victim. Phishing poses a threat to businesses of all scales and is only set to become more pervasive as industries become increasingly reliant on technology.
Phishing has been around for as long as the internet. Initially it took the form of “spam” emails that warned of bad luck or similar if it wasn’t forwarded or the attachment wasn’t read. Now, phishing is undertaken at a much larger scale. No longer satisfied with collecting data from individuals, phishers will now target information systems from large organisations such as health insurance providers or banks in the hope of harvesting thousands of individual data sets.
Regrettably, with every advance in cybersecurity come advances in phishing software. Cybercriminals have become better at mass distribution of phishing software, whilst also making it harder to detect such software. “Nuisanceware”, a new phenomenon, doesn’t even require user interaction.
Phishing: The Stats
The Anti-Phishing Working Group is an international organisation composed of law enforcement personnel, government workers and technology experts that collaborate on new ways to protect against cybercriminals. One of its most important roles is monitoring the development of cybercrime across the globe – and its recent statistics have shown a worrying upward trend.
During 2016 alone, over 1.22 million phishing attacks were reported – an increase of 65% on the previous year. Though this may be due to better reporting and recording methods, it is likely that most of the increase is down to an increased number of attacks. Other analyses conducted by Cofense (PhishMe), a cybersecurity firm, showed that in the third quarter of 2016 alone there was a 97% increase in the number of phishing attacks. This trend continued into 2017, when there was a 33% increase in reports of phishing attacks.
Many of the attacks come in the form of malicious emails: data from Cofense shows that 93% of phishing emails are used to spread ransomware. This prevalent form of phishing software encrypts files on a target’s computer, holding them for ransom in return for a large settlement. Ransomware is not a new technology – PC Cyborg, an early example of malware, was spread in 1991 on floppy disks – though it has become more advanced in recent years. CryptoLocker, released in 2013, was perhaps the first example of modern ransomware. It affected 500,000 machines. A variant of this package, CryptoWall, accounted for over half of ransomware reports in the United States.
These attacks can reach a very large scale and often attract media attention. In May 2017, the WannaCry ransomware attacks reached global levels. Targeting the Windows OS, the malware held files for ransom, demanding Bitcoin in return. Luckily, teams at Microsoft worked quickly to develop “emergency patches” that stopped the attack, though not before the ransomware had spread to 120 countries. It is estimated that millions of dollars in damage was done.
Such ransomware can also affect smaller organisations. Shortly before the global WannaCry attack, the Hollywood Presbyterian Medical Center paid out a ransom of $17,000 to regain access to files held by ransomware. Yet this does not include costs incurred by so-called “computer downtime”. This leads to a loss of work hours, loss in billings, and general loss in productivity – which all add up to substantial amounts, especially for global businesses.
In total, IBM Security estimates that the damage caused by ransomware attacks is likely to exceed $5 billion in 2017.
Accounting firms and accounts departments within organisations are a key target for phishing software, which tries to trick staff into making payments into certain accounts. According to Tripwire, a cybersecurity firm, one anonymous law firm lost $44 million in 2016 because of such a scheme. This is an unusually large amount, though any amount of money lost to such a scheme is a waste. Figures released by IBM and the Ponemon Institute put the average cost of data breaches in 2016 at $3.62 million: 91% of all data breaches are the result of a phishing email.
Types of Phishing Scams
|Type|Medium|Description|
|---|---|---|
|Phishing|Email (typical)|The most generic term, phishing is any cyberattack that aims to trick the victim into sharing private information or downloading software that will allow the attacker to access the information.|
|Spear Phishing| |A more targeted form of phishing. The attacker usually conducts a lot of research, leading to highly personalised attacks.|
|SMiShing|Text messages and other instant messaging services|Instant messages can be used to trick users into visiting dangerous websites or downloading malware.|
|Whaling| |Similar to spear phishing, this is a highly targeted form of cyberattack. However, in this case it is directed towards the upper management of a company.|
|Pharming| |This usually involves the editing of Domain Name System (DNS) entries to redirect users to malicious websites.|
|Vishing|Telephone|Phishing attacks conducted over the phone, either with an actual person or an automated system.|
|BEC or CEO Fraud| |Business Email Compromise (BEC) or CEO Fraud is usually the second stage of an attack. Once the attacker has gained initial access to an email account, emails are then sent out as if the CEO or CFO of the organisation were emailing. They then request the transfer of money or details.|
|Deceptive Phishing|Websites/email|Here, an email that appears to be from a recognised organisation will ask you to click a link and enter your account details onto a specific server. However, these emails are not actually from the organisation and instead harvest your data.|
|Dropbox Phishing|Dropbox software/website|Scammers use the Dropbox logo and branding to trick email recipients into clicking a link and downloading malware.|
|Session Hijacking|Web sessions|Here, the phisher hijacks a web session and uses it to gain unauthorised access to personal data.|
|Link Manipulation| |The phisher alters a link such that when it is clicked they can track the user and collect details such as login credentials.|
|Brandjacking|Various (triggered by email)|A broader term for Dropbox Phishing, this is the use of any well-known brand or consumer product to trick customers into downloading malware.|
Phishing attacks can come in many forms and as the use of intranets and even social media expands into daily workflows, phishing attacks will only become more prevalent. It is important that employees are trained in how to spot potential phishers and alert relevant personnel within the organisation. They can then deal with the threat and report it to national security authorities, who can then go on to warn other businesses.
As a rule of thumb, phishing attacks require the recipient to act immediately. This will usually involve either transferring money to a certain account or opening a link provided to “login” to a password-protected account. The email will usually involve a negative consequence of not undertaking such actions – legal threats for not paying off the “debt”, or account deactivation. These are meant to inspire panic in the recipient, which often clouds their judgement. Here, we outline some common phishing practices that should be brought to the attention of employees.
- Fake refunds: The email may contain vague details of a “pending refund”, asking for bank details so that it can be transferred. They will not be detailed, and if there is a brand logo attached, it is best to call the store (using a phone number sourced from a phone book) and check.
- Prize wins: This is the most common ploy, banking on the fact that many people enter prize draws in shops or online that they soon forget about. Again, if you have no memory of entering the competition, call the company and check out its legitimacy. Don’t provide any details to the email.
- Account deactivation: These take the form of “brandjacked” emails that warn of account inactivity, requiring confirmation of credentials for reactivation. Double check the URL with that of the actual website, and don’t input any login details on links provided in the email.
- Wire transfer scams: This usually targets accounts departments, where a “customer” asks to change their bank details to that of a phisher’s account. Call the actual customer to double check any such arrangements.
- Legal threats: These can be lawyers’ letters or subpoenas sent over an email, asking the recipient to open attachments in the email. Do not open anything, especially if the body of the email lacks detail.
- Law enforcement threats: These come from so-called FBI agents or police officers that require a fee for “illegal activities”. No law enforcement official will ever email a person directly or ask for payment online.
- Missed delivery: Here, a mail firm or courier will ask the recipient to open an email regarding a “missed delivery” of an unspecified item. If you have no pending deliveries, or the email looks suspect, do not open the email.
- Fake CVs: These can be hard to discern, and are usually sent to HR departments. The sender is responding to a job advertisement and attaches a file named “CV” that actually has malware. Check the extension of the document before opening it.
- Security alert/Technical support: This is a double bluff: the email warns of a malware infection, but clicking on the links provided is what causes the infection.
- Data requests: These are often secondary attacks: after an employee intranet has been infiltrated, the recipient is asked to fill out a form including a lot of personal data. Before filling out such forms, or opening attachments, check with the relevant department as to its legitimacy.
- Search Engine Optimization Poisoning: SEO poisoning uses common search terms to get malicious or dangerous websites higher up on search engine results pages. Check URLs for anything suspicious, or download security software that filters out such websites.
- Pleas for help: Here, phishers masquerade as friends, charities, political prisoners, refugees etc. and ask the recipient for financial aid. By instilling a sense of desperation and urgency, phishers hope to trick recipients into sending money.
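Two of the checks in the list above ("double check the URL" and "check the extension of the document") can be automated on the mail gateway. The following is an added example, not part of the original article: it flags links whose visible text names one host while the link points to another, and attachments whose final extension is executable. The extension lists, domains and the sample message are constructed assumptions.

```python
import os
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed, non-exhaustive extension lists for this example.
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".hta"}
DOC_EXT = {".pdf", ".doc", ".docx", ".rtf", ".txt"}
URLISH = re.compile(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    value = value if "://" in value else "http://" + value
    return (urlsplit(value).hostname or "").lower()

def link_mismatch(href, text):
    """True when the visible text names one host but the link goes to another."""
    if not URLISH.match(text):
        return False  # plain wording such as "help page": nothing to compare
    shown = host_of(text)
    shown = shown[4:] if shown.startswith("www.") else shown
    target = host_of(href)
    return not (target == shown or target.endswith("." + shown))

def attachment_issue(filename):
    base, ext = os.path.splitext(filename.lower())
    if ext not in RISKY_EXT:
        return None
    inner = os.path.splitext(base)[1]
    return "executable disguised as document" if inner in DOC_EXT else "executable attachment"

def triage(msg):
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            issue = attachment_issue(name)
            if issue:
                findings.append((issue, name))
        elif part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            findings += [("link mismatch", h) for h, t in collector.links if link_mismatch(h, t)]
    return findings

def sample_message():
    """Constructed message; every address and domain here is made up."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "support@example-bank.test", "user@corp.example"
    msg["Subject"] = "Account deactivation notice"
    msg.set_content("Your account will be deactivated.")
    msg.add_alternative(
        '<p>Confirm at <a href="http://example-bank.test.verify-login.example/signin">'
        'www.example-bank.test</a> or see the '
        '<a href="https://www.example-bank.test/help">help page</a>.</p>', subtype="html")
    msg.add_attachment(b"MZ", maintype="application", subtype="octet-stream",
                       filename="CV.pdf.exe")
    return msg
```

Running `triage(sample_message())` reports the first link and the `CV.pdf.exe` attachment; the second link is not compared because its visible text is ordinary wording rather than an address.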
Many of the examples above include some form of “social engineering”, a technique used by cybercriminals that manipulates recipients into following certain instructions. This can range from scaring a recipient by alluding to so-called “illicit activities”, threatening exposure if a fine isn’t paid, to simply sending an email to a group of employees saying the login procedure has changed and requesting them to provide their credentials for the “update”.
In cybersecurity, social engineering is largely based on authority – the sender appears to know something the recipient doesn’t, or acts as an authority figure issuing instructions. Thus, the employee may not think to question such actions. It may be hard to instil scepticism against such actions, but encouraging caution and asking employees to double-check if in doubt is absolutely necessary.
Spam Filtering Software
Many commercial email providers will provide a spam filtering service for free. It is an excellent – and necessary – first line of defense against phishers, as most attacks start with an email. Other, fee-charging services employed by larger organisations may offer a more advanced version of the technology.
Spam filters use a variety of front-end tests and detection mechanisms to distinguish genuine emails from phishing emails. The combination of methods means advanced spam filters can block more than 99.9% of spam emails. However, as good as the technology gets, it is unlikely to ever filter out all spam emails.
Cybercriminals are constantly developing new techniques, and trick filters by compromising the email accounts of “trusted sources”, building on the brandjacking method above. Thus, vigilance is key when looking at emails.
Cisco Talos, a cyber threat intelligence firm, suggests there are now 400 billion spam emails being sent each day. Research from Radicati suggests an average employee receives 96 emails per day. They may never reach the actual inbox, but it only takes one email to cause massive disruptions. Thus, employees must know the limitations of spam filters and how to identify spam emails that may get through.
Security Awareness Training
Upon arrival at the organisation, all employees should be trained in how to spot suspect emails. Existing employees, too, should be trained on how to spot new phishing techniques. Phishing Awareness is an essential element of any cyber defense strategy and should be mandatory for all employees that have corporate email accounts. No-one should be exempt, as higher management is often the target of spear-phishing.
Crucially, all employees should be warned not to open email attachments or click hyperlinks in emails from unknown senders, and never to disclose sensitive corporate information such as login information over email. When possible, the employee should double check with managerial staff if they are uncertain.
Employees should be well informed of the shock tactics used by cybercriminals, such as warning of legal penalties. To help reinforce the point, trainees should be given examples of social engineering techniques commonly used in phishing emails.
Training the workforce to adopt security best practices and teaching the skills required to identify phishing emails will help protect the entire organisation against phishing scams.
Unfortunately, at the pace at which the field is developing, an annual training session is no longer enough to ensure security. Some form of awareness training should be held regularly, with refresher training sessions provided throughout the year. There should be alerts on the latest phishing threats and new social engineering methods used by phishers. This will also help to develop a “security culture” within the organisation that emphasises caution.
Another good strategy is a so-called “phishing simulation”, where a fake phishing email is sent to recipients within the organisation. Research from Cofense shows organizations typically reduce susceptibility to phishing scams by up to 95% by conducting regular phishing simulations.
Similar research shows that security awareness training can:
- Decrease susceptibility to phishing attacks by up to 95%
- Eradicate risky behavior that could lead to a data breach
- Help to develop a security culture where users are aware of common cybersecurity threats
- Teach employees to report suspicious activities to their security team
- Save time that would otherwise be spent responding to data breaches
- Save the considerable cost of mitigating a data breach
- Greatly improve an organization’s security posture
Thus, with a simple training course, employees can be a security asset.
Reporting Suspicious Emails
After training all employees to recognise suspicious emails, it is important that such emails are reported to IT Security within the firm – whether or not they’ve been opened. This is because it is unlikely that a phishing scam will target just one employee in the organisation: other employees may have the same message delivered to their inboxes. They might not recognize the same email as a threat.
Simple solutions, such as a one-click reporting option (for example, an Office 365 add-on), will allow employees to mark a potential phishing email as suspicious and notify their security team. Security can then go on to remove all copies of phishing emails from their organization’s email system. There are many versions of this one-click reporting system, so it is worthwhile to research and implement them.
Two-factor authentication, the most common form of multi-factor authentication, is an important measure that can help to prevent unauthorized account access.
It requires the use of two methods of authenticating a user before they can access an account. The first is something that an account holder knows, such as a password, passphrase or login credential. However secure, these passwords may be obtained via phishing and are thus vulnerable. However, the second step in authentication is a single-use password only the individual has access to. This is usually sent to a hardware token, fob, or authenticated device such as a mobile phone. The codes are single use, so even if they are phished they are no use alone.
Two-factor authentication is not perfect, but it is now seen by security experts as a better alternative to passwords. It also limits damage caused by phishing for login credentials – they are no good without the one-time code. There are vulnerabilities:
If the user’s device has been previously compromised by a botnet with command and control capabilities, cyber-criminals will have access to the account when the authorized user logs in.
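The single-use property described above can be seen in a counter-based one-time password scheme. The following is an added example, not part of the original article: it uses HOTP (RFC 4226) as one common algorithm behind hardware tokens, which the article itself does not name, and the `Account` class, password and salt are constructed for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Account:
    """Hypothetical server-side record: password hash plus token state."""

    def __init__(self, password, token_secret, look_ahead=3):
        self.salt = b"constructed-salt"  # fixed only to keep the example reproducible
        self.pw_hash = self._hash(password)
        self.token_secret = token_secret
        self.next_counter = 0            # lowest counter value not yet used
        self.look_ahead = look_ahead     # tolerate a few unused button presses

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _code_ok(self, code):
        for counter in range(self.next_counter, self.next_counter + self.look_ahead + 1):
            expected = hotp(self.token_secret, counter).encode()
            if hmac.compare_digest(expected, code.encode()):
                # Burn this code and every earlier one so none can be replayed.
                self.next_counter = counter + 1
                return True
        return False

    def login(self, password, code=""):
        pw_ok = hmac.compare_digest(self._hash(password), self.pw_hash)
        return pw_ok and self._code_ok(code)


def demo():
    secret = b"12345678901234567890"  # test secret from RFC 4226 Appendix D
    account = Account("correct horse", secret)
    return {
        "password_only": account.login("correct horse"),
        "password_and_code": account.login("correct horse", hotp(secret, 0)),
        "replayed_code": account.login("correct horse", hotp(secret, 0)),
        "next_code": account.login("correct horse", hotp(secret, 1)),
    }
```

`demo()` shows that a phished password alone is rejected, and that a code which has already been accepted once is rejected on replay.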
There are three common forms of phishing emails:
- Attachments that contain malware or malicious code that downloads a malicious payload.
- Conversational, leading to a request to disclose sensitive information, install malware, or perform an action such as making a fraudulent bank transfer.
- A hyperlink to a webpage hosting an exploit kit that probes for vulnerabilities, to a webpage already exploited to download malware, or a webpage that requests login credentials.
Internet filtering controls can help to protect against the hyperlink approach, preventing email recipients clicking malicious links. Some only allow users to visit whitelisted websites (cleared as malware-free and necessary for work).
Most web filters use databases of blacklists of webpages and IP addresses assessed to be a threat. Such websites will be blocked and downloads will be prevented.
Security Information and Event Management (SIEM)
Many phishing emails are just the first step towards a larger attack. From here, phishers will launch a “secondary attack” that allows them to assess the network, find any vulnerabilities, and suss out a way to attack as many endpoints as possible.
Security Information and Event Management (SIEM) systems detect unauthorized users in a network by spotting unusual behavior such as atypical requests and actions, or activities that exceed a certain threshold. This could include a high rate of file exchanges or changing names on documents. SIEM is based on real-time monitoring of networks and network users. As these systems do this constantly, they are able to detect abnormalities quickly and efficiently.
SIEM systems alert IT teams when events such as attempts to guess passwords are in progress. The tools can also issue warnings about potential worm propagation, the presence of malware on a host, unusual port activity around the network perimeter, and excessive bandwidth use (indicative of cryptocurrency mining software).
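The threshold idea behind a password-guessing alert can be shown with a small sliding-window rule. The following is an added example, not part of the original article and not any SIEM product's rule syntax: the log format, the threshold of 5 failures in 60 seconds and the sample lines are all constructed assumptions, and the lines are assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<timestamp> auth result=<OK|FAIL> user=<name> src=<ip>"
LINE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def detect_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source that reaches `threshold` failed logins inside `window`."""
    recent = defaultdict(deque)  # src -> (timestamp, user) of failures still in the window
    alerted, alerts = set(), []
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["result"] != "FAIL":
            continue  # unparsable lines and successful logins are ignored here
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        failures = recent[m["src"]]
        failures.append((ts, m["user"]))
        while ts - failures[0][0] > window:
            failures.popleft()  # drop failures that have aged out of the window
        if len(failures) >= threshold and m["src"] not in alerted:
            alerted.add(m["src"])
            alerts.append({
                "src": m["src"],
                "at": m["ts"],
                "failures": len(failures),
                "users": sorted({user for _, user in failures}),
            })
    return alerts


# Constructed sample: one source guessing quickly, one user mistyping slowly.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z auth result=OK user=bob src=192.0.2.10
2024-05-01T09:00:05Z auth result=FAIL user=alice src=198.51.100.7
2024-05-01T09:00:09Z auth result=FAIL user=alice src=198.51.100.7
2024-05-01T09:00:14Z auth result=FAIL user=alice src=198.51.100.7
2024-05-01T09:00:20Z auth result=FAIL user=carol src=203.0.113.9
2024-05-01T09:00:21Z auth result=FAIL user=alice src=198.51.100.7
2024-05-01T09:00:27Z auth result=FAIL user=admin src=198.51.100.7
2024-05-01T09:00:33Z auth result=FAIL user=admin src=198.51.100.7
2024-05-01T09:03:20Z auth result=FAIL user=carol src=203.0.113.9
2024-05-01T09:06:20Z auth result=FAIL user=carol src=203.0.113.9
2024-05-01T09:09:20Z auth result=FAIL user=carol src=203.0.113.9
2024-05-01T09:12:20Z auth result=FAIL user=carol src=203.0.113.9
2024-05-01T09:12:40Z auth result=OK user=carol src=203.0.113.9
""".splitlines()
```

On the sample, only `198.51.100.7` triggers an alert: the second source also fails five times, but its failures are spread over twelve minutes and never accumulate inside one window.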
Threat Intelligence Services
Cyber-criminals use an ever-evolving strategy to attack companies. Managing such threats can be difficult, especially for smaller organisations without advanced security teams. Thus, subscribing to a threat intelligence service will provide information on the latest threats, enabling organizations to address new tools, tactics, and procedures used by cyber-criminals.
Threat intelligence services collect huge datasets on the nature of recent threats, process that information, and issue advice on how to combat those threats. Some threat intelligence services translate this data directly into security appliances and systems, or send email alerts to security teams. These intelligence services allow organizations to stay informed and better protect themselves against phishing and other cyber threats.
Implement Policies and Procedures for Verifying Certain Requests
All organizations should have a defined set of protocols that instruct employees on how to deal with requests made over emails, be they from a client, CEO or other personnel.
As described above, spear phishing attacks aim to gain access to email accounts of board members or the CEO. These details are then used to launch other attacks on employees across the organisation. Broadly, these are termed Business Email Compromise (BEC) attacks. After the initial attack, requests are sent from the compromised account to the HR department. The phishers, if undetected, can then obtain sensitive data on employees or request transfers to certain accounts.
As such, employees should be given a clear set of protocols on how to respond to requests for sensitive data if they come from within the organisation. Similarly, they should be informed on what to do if an alleged customer requests that their account information be changed. It is recommended that, in such instances, employees check with higher management, or call the customer directly before actioning such changes.
Simply put, a botnet is a network of compromised computers connected over the internet that can be remotely controlled by an individual. Botnets are often used to carry out Distributed Denial of Service (DDoS) attacks, where the network targets a certain endpoint and does not allow the user to access it. This usually involves multiple requests for login credentials to “access” the service.
Botnets can also be used to send spam emails and phishing emails from compromised email accounts. However, these emails often pass through filters as they originate from trusted accounts. This, and the fact that users and employees are more likely to open an email from an apparently trusted source, make botnets a real threat. Most email filters only scan emails entering and leaving the network and not those circulating internally. As internal email can account for up to 70% of email traffic, once a botnet is installed on a work computer it can spread malware quickly and efficiently.
In this case, prevention is the best cure. Internet content filters and email filters with URIBL/SURBL filtering can prevent users visiting websites containing malicious botnet downloads. Organizations should employ software that prevents botnets being imported from mobile devices and portable storage devices when they connect to the network.
Symantec estimates that, as of 2017, there are 98.6 million botnets in existence. Their prominence in phishing scams is huge: in March 2018, McAfee Security reported that 97% of all the spam email sent in the last quarter of 2017 was caused by just two botnets – “Necurs” and “Gamut”. Necurs is responsible for spreading “Locky”, a ransomware package that sends emails invoicing recipients.
Cryptocurrency Mining Software and its Consequences
Cryptocurrencies have taken off in recent years, even if they have not quite reached the mainstream. These virtual currencies were made famous by Bitcoin and use decentralized controls and blockchain technologies to allow transactions.
Recently, several IT security companies have spotted an increase in the volume of phishing emails with cryptocurrency mining software. As cryptocurrency mining is expensive and requires a lot of processing power, it is more profitable for cyber-criminals to infect other users’ networks. Soon cryptocurrency mining could outstrip ransomware as the biggest cybersecurity threat.
Frustratingly, the signs of such malware are subtle – computer power gradually diminishes and their electricity costs increase. Often, if these are noticed, it is attributed to the age of the computer rather than malware. Thus, cyber-criminals remain undetected for long periods of time.
In the short term, cryptocurrency mining software is not as disruptive or costly as ransomware. However, the cost can be significantly higher over the long term, due in large part to a lack of detection. Thus, it’s important that any security measures employed to target the above threats are also used to protect against cryptocurrency mining software.
Summary: Top Tips to Prevent Phishing Attacks
However clever phishers may seem, and however advanced or manipulative their techniques, organisations are not completely open to attacks. There are some simple steps that can be implemented that will prevent the majority of attacks, from technical safeguards like SIEM software to administrative precautions such as reporting any suspect emails. Below, we summarise our top tips for preventing phishing.
- Always approach emails from unknown senders with caution, and never open any links until checking with security personnel. Generic openings, such as “Dear Google customer”, should act as a warning sign, as will misspelled names or unusual URLs.
- If the email appears to be from a bank or other holder of sensitive information, call the organisation (but do not use any phone numbers provided in the email: most banks will have an emergency contact number printed on the card).
- Don’t use insecure networks and, if necessary, use them only for browsing: never input sensitive data.
- Install a variety of filters that will alert you to suspect websites or emails.
- If you work in a large organisation, consider the use of two-factor authentication or other measures to enhance security.