Phishing is one of the most pervasive security threats today and it’s only getting worse
Over the last few years, phishing attacks have continued to rise as attackers refine strategies, execute successful programs, and make money. Attackers are taking advantage of end users to steal credentials or get them to click on malicious links. In fact, with 66% percent of malware now installed via malicious email attachments, most cyberattacks resulting data breaches now begin with a phishing email message.
Attackers persistently target organizations with spam, phishing, and advanced socially engineered attacks (using deception to trick users into divulging personal information). End users are an easy target and are the weakest link in your security defense. In this blog, I’ll delve into phishing attacks, why they work, and what your risks are. I’ll discuss the importance of protective controls, a comprehensive security awareness program, and some best practices to reduce the phishing risks.
What is phishing?
Phishing exploits were once associated with poorly constructed emails from Nigerian Princes. Today, attackers have improved their techniques significantly and these phishing emails are getting much more difficult to spot. Phishing uses malicious emails that attempt to bait a user into performing an action such as:
- Clicking a link which directs victims to a malicious website
- Opening a malicious email attachment that installs nefarious software on the users’ device
- Tricking users to enter their credentials in a fake site
Do phishing attacks really happen?
Sadly, phishing attacks are happening more frequently. Across Ascend’s client base, we see daily phishing attacks. Attackers are targeting specific individuals and groups within organizations including senior leadership, accounting, and human resources. In the phishing campaigns we perform for our clients, 40% percent of emails are opened, 25% of links are click, and 7% of users enter their credentials or open malicious attachments. The numbers do improve during subsequent tests but keeping end users educated is critical.
Why are cybercriminals using phishing attacks?
They work! Attackers are interested in money. Phishing is a big business in and of itself, and the scope and scale of phishing attacks have increased significantly in recent years. Advanced phishing attacks are costing businesses an average of $140,000 per incident. Attackers extort money from your organization using ransomware or social engineering, or they’ll steal data and credentials that can be sold via dark web markets. And as the phishing threat landscape evolves, so do the attackers.
What are the risks?
Phishing emails lead to data harvesting or the execution of malicious code on the victim’s workstation, which can have wide spread effects on an organization. After a successfully phishing attempt is made, the attacker usually tries to capitalize by attempting to transfer funds or steal confidential information. The following are the most common exploits of a successful phishing campaign.
- Email Compromise: Attackers send an email and bait your employees into clicking on a link that looks very similar to your company’s email login page. The user inadvertently enters their credentials (usually your company’s Entra ID, formerly known as active directory credentials) and gives the attacker exactly what they wanted. After their credentials are compromised, the attacker has full access to your user’s email account and it’s hard to identify them in your environment since they look like a legitimate user. Attackers also try to cover their tracks by creating email rules or forwarders. With the compromised credentials these cybercriminals are trying to steal corporate information, access credentials, or steal funds from your company.
- Ransomware attacks: Phishing emails can also contain malicious code, such as ransomware. Ransomware is a widespread and damaging type of malware typically used to extort money from businesses users by encrypting their files. Unlike other ransomware, Wanna Cry and Petya ransomware attacks in 2017 used worm-like behavior which caused major organizational outages, with only a single user clicking on a phishing email.
What should organizations be doing to stop phishing attacks?
Phishing emails are always changing, and unfortunately, no single product or technology will fully protect your business from a targeted phishing attack. However, a multi-layered approach of combining security technologies and educating employees is a good way to start to reduce risk. Below are a few successful approaches we have seen work for our clients:
- Prevent phishing email from entering your organization, by implementing effective email and web filtering tools. The best defense against phishing emails is your email gateway. Block as much bad email as possible, including malicious attachments, content, and URLs. However, even with all these preventative measures, email will still get through your technical controls. I have seen users release phishing emails from quarantine, so they can click on them!
- Since attackers are attempting to steal credentials or install malicious code on workstations, organizations should consider controls like multi-factor authentication or limiting the ability for users to install applications on their workstations. While these controls could limit your exposure to the effects of a phishing attack, these controls could significantly impact the end user experience. To be successful, make sure your organization has a strong change management program in place to minimum business impacts.
- Setup a security awareness program. Our security education programs have been successful when organizations setup quarterly phishing awareness and training programs. First, the program should include basic and advanced phishing campaigns attack simulation to help identify areas of weakness in your organization’s security posture. Then you should educate users on how to identify typical phishing attacks across a wide range of industries. Finally, report on employee performance to reward good performance and help improve others. Also, you might be surprised to learn that some users will continue to fail every campaign.
- Even after strong preventions and training, some phishing email will be convincing enough to be clicked. For that, you should invest in a next generation exploit prevention solutions that identify, analyze, and reduce the effects of even the most advanced, unseen malware out there. Some tools can even automatically clean up all trace of infection or rollback the negative effects.
- Since a phishing attack will likely happen, make sure you are continuously hunting and monitoring for attacks. This should include reviewing network traffic and log to detect malicious activity before it happens. Also, have an established and tested incident response plan that you can quickly execute on in the event of a breach.
Phishing attacks are real and will eventually hit someone in your organization. Make sure your organization encourages your employees to question requests that seem out of character from other employees, customers, and mostly importantly, senior leadership. End users will continue to be the easiest target for attackers in most organizations but establishing preventive controls and training employees can go a long way to prevent these attacks.
Even after investments to ensure a strong security posture, something will fall through the cracks. You should have a process for two-stage approval for all significant fund transfer requests. The process could be as simple as calling the other party to validate the transaction, but something that requires an additional authorization is critical.
The best defenses still may not stop an employee from unknowingly compromising your organizations intellectual and financial security. A strong security program with employee training regarding phishing helps put checks and balances in place.
By Mike Manske