Email remains one of the most popular attack vectors used by cybercriminals to compromise systems or obtain private information. This was brought to mind recently, when a new phishing exploit came to my attention. Phishing was known at first as a type of attack where the attacker would pose as an entity "trusted" by the user, such as banks or government agencies, and try and convince the user to disclose private information including passwords and credit card information. Lately however, the use of the term has been expanded to identify almost every type of email based attack. First, I'll quickly recap how phishing works.
Phishing relies on social engineering techniques in order to convince the user to perform an action that will compromise their private information or their systems. "Classic" phishing attacks are those that attempt to extract information from the user, usually through a link in the email that will direct them to a fake site asking for private information such as login credentials. These forged sites in some cases are very detailed and at first glance, they could pass as the real thing.
More recent types of phishing attacks attempt to compromise the machine with malware, either by convincing the user into opening a malicious attachment or clicking on a link that will direct them to a site with a malicious payload. If the attack is successful, the compromised computer usually becomes part of a botnet.
Most phishing "expeditions" don't have specific targets in mind, simply attempting to catch as many victims as possible. On the other hand, highly targeted phishing e-mails, known as spear phishing, try to address their specific target as personally as they can in order to better convince them of their "legitimacy". Information of the target obtained by other means, such as public posts on social networks, can help attackers craft these e-mails more effectively.
Your best defense: User awareness
Technological defenses can only take you so far in protecting an organization's users against phishing attacks. Your best defense lies in user awareness: teaching your users how to identify an email attack can go a long way in securing your organization. You may think your users are savvy enough not to fall for these scams, but even seasoned users may be taken in by increasingly sophisticated ploys. Routinely reminding them of the basics will hopefully plant the seed of suspicion in their minds. Here are some tips you can share with your users on how to detect phishing attempts:
- E-mails that have generic salutations such as "dear customer" or have spelling or grammatical errors should be considered suspicious. Also, if the message warns of dire consequences that will occur if no action is taken, or tries to create a sense of urgency, it should be considered suspect.
- Don't open attachments you were not expecting. If you get one from a trusted source, such as a friend or a company you actually do business with, call them and confirm they sent it before opening. Their e-mail account or their computers may have been compromised and sending e-mails without their owner's knowledge. It's also possible that the attacker is faking ("spoofing") the sender e-mail address.
- Be wary of clicking on links in emails. One of the most common phishing techniques is the use of obfuscated links. There are many tricks used to mask the true destination of a link, including using misspelled versions of the real organization's URL or including the real company's name in an URL that belongs to another domain. Instead of clicking on the link, users should visit the websites manually by typing their addresses on the browser. There are also other ways to check suspicious links: users can hover the mouse over the link, which should reveal its true destination.
As part of your security program, you could include regular "phishing tests" where you send test e-mails to your users to determine if they are prone to falling for these types of attacks. You can set up your own test or use the service of a security provider you trust. You could also set up interactive quizzes for your users, such as this Phishing IQ Test from SonicWALL.
In the end, defending against email attacks and other scams depends entirely on common sense. Help your users recognize phishing emails for what they are and you move can improve your organization's security posture immensely.
Have any of your users fallen for phishing attacks lately? What kind of phishing ploys have been successful either in your workplace or with friends and family? If you've seen anything particularly noteworthy, share it with us below.
I am a technology specialist with over 10 years of experience performing a variety of corporate IT functions, including desktop and server operations, application development, and database administration. My latest role is in information security, focusing on multiple areas including log management and security incident investigation and response.