Phishing remains the most common initial-access vector for ransomware, data theft, identity theft and online fraud; the large majority of reported intrusions begin with a phishing email. Gmail alone reportedly blocks around 100 million phishing attempts a day.
Attackers rely on a common set of manipulative tactics that press every emotional hot button (anxiety, uncertainty, urgency) to get the victim to act before thinking. Knowing what these commonalities look like is the first step to identifying and deflecting them, and recognizing them reliably takes repeated practice.
Common phishing tactics
Phishing tactics are continuously evolving but the fundamental features of phishing attacks haven’t changed in the past decade. Cybercriminals prey on human psychology using the following techniques:
Too good to be true: Something that’s eye-catching or entices the user to perform an action. “Hey, you’ve won $500!” or “Thank you for shopping at Amazon. Here’s a free gift card!”
Sense of urgency: Usually a bait that lures the victim into performing an immediate action. “This offer expires in the next 30 minutes!” or “Your password has expired, change it now”.
Hyperlinks: Lookalike URLs that imitate a legitimate domain through misspellings, transposed or visually similar characters (a zero for the letter o, Cyrillic letters for Latin ones), or a brand name buried in a subdomain of an attacker-controlled domain. Fraudsters try to make the URL appear credible enough to trick you into clicking, and the visible link text frequently differs from the real destination.
Attachments: Cybercriminals exploit fear, anxiety or curiosity to lure people into opening attachments. Typically the attachment (a macro-enabled document, a script or an archive) executes code that downloads a loader or backdoor into your environment.
Unusual sender: Attackers send out thousands of emails, looking for the one person who will click. Victims often click bogus links or open attachments from unknown senders out of sheer curiosity or inattention.
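The hyperlink tactics above can be checked mechanically. The following is an added example (not code from the original article): it extracts the real host from a link, decodes punycode labels, collapses common homoglyphs into a "skeleton", scores typosquats with an edit distance that treats a transposition as one step, and spots a brand name embedded in an unrelated domain. It also flags the classic mismatch between the URL shown as link text and the actual href. The allowlist of brand domains, the homoglyph table and the sample links are constructed for illustration; the two-label "registrable domain" rule is a simplification noted in the code.

```python
import re
import unicodedata
from urllib.parse import urlparse

# Constructed allowlist of brand domains an organization wants to protect (hypothetical).
TRUSTED_DOMAINS = ["amazon.com", "paypal.com", "microsoft.com"]

# Small illustrative table of characters attackers substitute for Latin letters.
# Two-character entries come first so "rn" collapses to "m" before single characters.
HOMOGLYPHS = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("8", "b"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),  # Cyrillic a, e, o, r
    ("\u0441", "c"), ("\u0443", "y"), ("\u0445", "x"), ("\u0456", "i"),  # Cyrillic s, u, h, i
]
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.IGNORECASE)

def extract_host(url):
    """Lower-cased hostname with punycode (xn--) labels decoded to Unicode. urlparse isolates
    the real host, so https://paypal.com@evil.example/ yields evil.example, not paypal.com."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)

def skeleton(name):
    """Collapse confusable characters so visually similar names compare equal."""
    s = unicodedata.normalize("NFKC", name)
    for confusable, latin in HOMOGLYPHS:
        s = s.replace(confusable, latin)
    return s

def registrable(host):
    """Last two labels of a host. Simplification: production code should consult the
    Public Suffix List so that suffixes such as co.uk are handled correctly."""
    return ".".join(host.split(".")[-2:])

def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'amazno' is one step from 'amazon' rather than two."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_url(url, trusted=TRUSTED_DOMAINS):
    """Return (verdict, brand, reason); verdict is 'trusted', 'lookalike' or 'unrelated'."""
    host = extract_host(url)
    labels = host.split(".")
    reg = registrable(host)
    sld = reg.split(".")[0]
    for brand in trusted:
        if host == brand or host.endswith("." + brand):
            return ("trusted", brand, "brand domain or a subdomain of it")
    for brand in trusted:
        brand_sld = brand.split(".")[0]
        if skeleton(reg) == skeleton(brand):
            return ("lookalike", brand, "homoglyph substitution")
        if osa_distance(sld, brand_sld) == 1:
            return ("lookalike", brand, "typosquat")
        # brand name reused under another TLD, with extra words, or as a subdomain label
        if any(brand_sld in skeleton(label) for label in labels[:-2] + [sld]):
            return ("lookalike", brand, "brand name embedded in an unrelated domain")
    return ("unrelated", None, "no trusted brand resembled")

def link_text_mismatch(display_text, href):
    """True when the anchor text shows a URL whose registrable domain differs from the real
    target: the link says one thing and goes somewhere else."""
    text = display_text.strip()
    if not URL_LIKE.fullmatch(text):
        return False  # anchor text is prose, not a URL; nothing to compare
    return registrable(extract_host(text)) != registrable(extract_host(href))

if __name__ == "__main__":
    # Constructed sample links, as they might be pulled from a suspicious email body.
    cyrillic_paypal = "xn--" + "p\u0430ypal".encode("punycode").decode("ascii") + ".com"
    for href in ["https://www.amazon.com/orders", "http://amaz0n.com/gift-card", "http://amazno.com",
                 "http://rnicrosoft.com", "https://" + cyrillic_paypal,
                 "https://paypal.com.secure-login.example/", "https://example.org"]:
        print(href, "->", classify_url(href))
    print(link_text_mismatch("https://paypal.com", "https://paypal.com@evil.example/login"))
```

The order of the checks matters: the skeleton comparison runs first so that a digit-for-letter swap is reported as a homoglyph rather than as a one-character typo, and the "trusted" check runs before everything else so that legitimate subdomains are never scored against their own brand.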
Top phishing attack vectors
Most internet users (97%, by one frequently quoted figure) still fail to recognize a sophisticated phishing email. There has also been a significant increase in Business Email Compromise (BEC) attacks, as attackers shift to targeted campaigns that promise larger payoffs. Listed below are the top attack vectors:
Spear phishing: Spear phishing is a highly targeted attack against a particular organization or individual. Phishers gather names, roles and email addresses of people who work at the target company, carefully select their targets and craft emails specific to that individual or group.
Smishing (SMS phishing): Massive data dumps available on the dark web contain email addresses, home addresses, phone numbers and more. Response rates to SMS are reported to be far higher than to email (one widely cited figure is 209%), which is why attackers like to target cellphones. Messages usually relate to shopping accounts or financial institutions and create a sense of urgency: a falsely expired ID or password, an alert about unusual bank account activity, or a lure such as a free gift card.
Vishing: Vishing is social engineering conducted over the phone. A caller claims to be from a vendor's IT department and may say that a virus was discovered on your network. Many people fail to verify the caller's identity and end up granting them access. The FBI and CISA have issued several warnings about a rising wave of vishing attacks targeting remote employees.
Five steps to manage a phishing predicament
Detecting and preventing every threat, known and unknown, is nearly impossible, so what happens after a company, device or person is victimized matters just as much. The following steps help contain the damage.
1. End-user steps: If you suddenly realize that you have been phished, always remember to:
a. Disconnect the PC from the network
b. Alert your IT team
c. Scan for known malware
d. Change your login credentials, from a separate device you trust
e. Clear or rotate any credentials stored in your browser
2. Incident response: Incident response is the program, and the team, that deals with an incident once it is reported. It is typically a company-wide effort spanning functions and departments, and its goal is to have agreed-upon policies, procedures and communication paths in place before they are needed. Industry guidance is available from NIST (SP 800-61, the Computer Security Incident Handling Guide) and from ISO, whose ISO/IEC 27035 series covers incident management while ISO/IEC 27001 sets the broader management-system requirements.
3. Remediation: Review the whole environment, not just the reporting user's machine, to root out any malware. Reimage affected systems from a known-good image (or factory-reset devices) rather than trusting a cleanup. Analyse email gateway rules and logs, SIEM data and web proxy logs to establish whether this was a one-off message or a campaign: who else received it, who clicked, and which messages the gateway let through. One of the biggest challenges of phishing remediation is finding and removing the same message from every mailbox it reached, so tooling that automates that search-and-purge and uses machine learning to surface related suspicious emails is worth the investment.
4. Prevention: The biggest mistake businesses make after a phishing attack is treating the symptom and not the root cause. Cleaning the infected machines is necessary, but so is determining how the message got past the gateway and why the user acted on it, then closing those gaps (filtering rules, attachment handling, multi-factor authentication on any account whose credentials were exposed).
5. Assessment: Conduct regular baseline assessments to gauge the level of security awareness across teams. Identify weak spots, train users, then proactively phish them to test their resilience. Run assessments monthly or quarterly, and simulated phishing as often as your organizational culture will tolerate; the aim is to build muscle memory.
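Steps 3 and 4 above, scoping the incident from gateway and proxy logs and deriving the response actions, can be automated once the reported message's indicators are known. The following is an added example written for this article, not code or tooling the article describes: it takes the sender, subject and URL host from the message the first user reported, finds every gateway event that shares an indicator (or repeats the subject from the same sender domain, the usual sign of a variant with a rotated From address), pivots on any new hosts those messages carry, correlates proxy requests to those hosts from recipients after delivery to find who clicked, and returns who needs a mailbox purge versus a credential reset and isolation. The JSON-lines log format, field names and every log line are constructed for this example; real gateways and proxies each have their own schema.

```python
import json
from datetime import datetime

# Constructed mail-gateway events as JSON lines. Field names are assumptions made for this
# example; every real gateway and proxy has its own schema.
GATEWAY_LOG = """\
{"ts": "2024-05-02T08:14:03", "from": "billing@amaz0n-rewards.example", "to": "alice@corp.example", "subject": "Your $500 gift card is waiting", "urls": ["amaz0n-rewards.example"], "sha256": null, "action": "delivered"}
{"ts": "2024-05-02T08:14:05", "from": "billing@amaz0n-rewards.example", "to": "bob@corp.example", "subject": "Your $500 gift card is waiting", "urls": ["amaz0n-rewards.example"], "sha256": null, "action": "delivered"}
{"ts": "2024-05-02T08:14:09", "from": "billing@amaz0n-rewards.example", "to": "carol@corp.example", "subject": "Your $500 gift card is waiting", "urls": ["amaz0n-rewards.example"], "sha256": null, "action": "quarantined"}
{"ts": "2024-05-02T08:20:41", "from": "hr@corp.example", "to": "dave@corp.example", "subject": "May payroll schedule", "urls": [], "sha256": null, "action": "delivered"}
{"ts": "2024-05-02T09:02:17", "from": "rewards@amaz0n-rewards.example", "to": "erin@corp.example", "subject": "Your $500 gift card is waiting", "urls": ["amaz0n-rewards-2.example"], "sha256": null, "action": "delivered"}
"""

# Constructed web-proxy events for the same morning.
PROXY_LOG = """\
{"ts": "2024-05-02T08:31:55", "user": "alice@corp.example", "host": "amaz0n-rewards.example", "status": 200}
{"ts": "2024-05-02T08:32:10", "user": "bob@corp.example", "host": "news.example", "status": 200}
{"ts": "2024-05-02T09:10:02", "user": "erin@corp.example", "host": "amaz0n-rewards-2.example", "status": 200}
"""

# Indicators taken from the message the first user reported (constructed).
REPORTED = {
    "sender": "billing@amaz0n-rewards.example",
    "subject": "Your $500 gift card is waiting",
    "url_hosts": ["amaz0n-rewards.example"],
    "sha256": None,
}

def parse_jsonl(text):
    """One dict per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()

def message_matches(event, ioc):
    """A gateway event belongs to the campaign if it shares a hard indicator with the
    reported message (sender address, attachment hash, URL host), or repeats the same
    subject from the same sender domain, the usual sign of a variant with a rotated From."""
    if event["from"].lower() == ioc["sender"].lower():
        return True
    if ioc.get("sha256") and event.get("sha256") == ioc["sha256"]:
        return True
    if set(event.get("urls", [])) & set(ioc.get("url_hosts", [])):
        return True
    return (event["subject"] == ioc["subject"]
            and sender_domain(event["from"]) == sender_domain(ioc["sender"]))

def scope_campaign(gateway_text, proxy_text, ioc, campaign_threshold=2):
    """Find every message in the campaign, who received it, who clicked, and what to do."""
    hits = [e for e in parse_jsonl(gateway_text) if message_matches(e, ioc)]
    # Pivot: hosts seen in any matched message join the indicator set.
    hosts = set(ioc.get("url_hosts", [])) | {h for e in hits for h in e.get("urls", [])}
    delivered = sorted({e["to"] for e in hits if e["action"] == "delivered"})
    quarantined = sorted({e["to"] for e in hits if e["action"] == "quarantined"})
    # Earliest delivery time per recipient, so a proxy hit counts as a click only if it
    # happened after that user actually had the message.
    first_delivery = {}
    for e in hits:
        if e["action"] == "delivered":
            t = datetime.fromisoformat(e["ts"])
            first_delivery[e["to"]] = min(t, first_delivery.get(e["to"], t))
    clicked = sorted({
        p["user"] for p in parse_jsonl(proxy_text)
        if p["host"] in hosts and p["user"] in first_delivery
        and datetime.fromisoformat(p["ts"]) >= first_delivery[p["user"]]
    })
    timestamps = sorted(e["ts"] for e in hits)
    return {
        "matched_messages": len(hits),
        "first_seen": timestamps[0] if timestamps else None,
        "last_seen": timestamps[-1] if timestamps else None,
        "phishing_hosts": sorted(hosts),
        "delivered_to": delivered,
        "quarantined_for": quarantined,
        "clicked": clicked,
        "verdict": "campaign" if len(hits) >= campaign_threshold else "single message",
        # Response actions that follow from the scoping, mirroring the end-user steps above.
        "purge_from_mailboxes": delivered,
        "reset_credentials_and_isolate": clicked,
    }

if __name__ == "__main__":
    print(json.dumps(scope_campaign(GATEWAY_LOG, PROXY_LOG, REPORTED), indent=2))
```

On the constructed data the reported message turns out to be one of four: three recipients had it delivered, one copy was quarantined (which tells you which gateway rule worked and, by contrast, which delivered copies it missed), and two users visited the phishing hosts after delivery. Those two need the credential reset and host isolation from step 1; every delivered copy needs purging. The pivot on URL hosts is what catches the variant sent to the last recipient, whose link pointed at a second domain the reporter never saw.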
When it comes to phishing, people are the attack surface: they open the front door and let attackers walk past technical defenses. But people are also the solution. Regular training builds a healthy habit of skepticism, which is why developing a security-minded company culture is the best defense against threats like phishing.