In its early days, phishing came in the form of emails from long-lost family members or royalty whose dying wishes were to impart their fortunes to you. Most of us knew that we were not actually related to a Nigerian prince and noticed the scam. But phishers have developed advanced tactics and are making billions of dollars every year off their scams.
Why Should I Care About Phishing?
Phishing attacks cannot be ignored. In a 2018 study by Wombat Security, State of the Phish [1], 83% of surveyed information security professionals said that their businesses experienced phishing attacks. Of those phishing attacks, 65% resulted in compromised accounts, 49% resulted in malware infections, and 24% resulted in data loss. It should also be noted that ~93% of all malware is delivered via email. The fact of the matter is: if you do not take phishing seriously, you will pay the cost.
How Do I Prevent Phishing Attacks?
Plenty of products exist to assist in protecting users from phishing attempts (antivirus, KnowBe4, Mimecast, Proofpoint, OpenDNS, etc.), but your final line of defense is the user. This means that users must have the knowledge and tools to respond properly to phishing attacks. User training is the linchpin of security. At the end of the day, no amount of software will prevent a malicious or uninformed user from allowing an attacker into a system.
How Do I Spot the Phish?
Were You Expecting This Email?
This should be obvious. If you receive an unexpected email from an unknown sender, immediately hold the email suspect. This rule stands for all forms of communication. Phishers do not only use email; attacks come in many forms such as text, voice, or even social media and forums.
Does the Email Contain Malicious Links or Attachments?
Phishing emails are entirely harmless until you interact with them. Malware, ransomware, keyloggers, and other malicious files can all be installed by visiting a nefarious URL or downloading an infected file. Common methods include Dropbox links, DocuSign requests, Office documents, and various online services. Remember that attackers often obfuscate these links and files: URLs may not direct to the displayed address, and file extensions may not be accurate. For any email that requires action, access the action through some other route. If an email from your bank is warning you about fraudulent activity on your account, do not click the link. Instead, open your browser and type in the URL or use a bookmark and access the bank alert that way, and NEVER enter any credentials if you are not certain of the authenticity of the website.
How to Verify Legitimacy
Suppose you have received an email from a business partner. The email was not expected, but it is not entirely out of the ordinary. They need you to review a PDF. This seems like a legitimate business email, but you are wary of opening the PDF. How do you verify that this email is legitimate? File scanning tools can inspect the attached PDF, but many users do not have a safe location in which to sandbox the file. In this case, you should verify the authenticity of the correspondence through a secondary means of communication. If your business partner’s email account has been compromised, an attacker may be leveraging it against you. Call, text, or use some other out-of-band channel to verify the email’s legitimacy.
HTTP versus HTTPS
URL-based attacks used to direct users to misspelled, unencrypted, malicious websites. But once again, attackers have refined their techniques. Over 50% of phishing links now use SSL/HTTPS connections, which means the “green padlock” in the corner of your browser is no longer sufficient to verify authenticity: it only proves the connection is encrypted, not that the site is who it claims to be. Attackers have also begun using Unicode characters which appear nearly identical (Cyrillic vs. Latin) but direct to an entirely different website. This is called a homograph attack [2], and some browsers can be configured to show “Punycode”, which will reveal the actual characters. This tactic, combined with the use of SSL/HTTPS, can make malicious links very difficult to spot. Remember to use common sense when clicking links; typing them in or using bookmarks is always more secure.
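The Punycode check described above, as an added example that is not part of the original article: a small Python script (standard library only) that converts a link’s hostname to the ASCII form a browser actually connects to and flags labels that mix scripts such as Cyrillic and Latin. The sample links and the function names are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit


def hostname_of(url):
    """Return the hostname of a URL (a bare host such as 'example.com' is accepted too)."""
    if "://" not in url:
        url = "http://" + url
    return urlsplit(url).hostname or ""


def to_ascii_host(host):
    """Convert a displayed hostname to the Punycode form (xn--...) the browser resolves."""
    return host.encode("idna").decode("ascii")


def label_scripts(label):
    """Scripts (LATIN, CYRILLIC, ...) of the letters in one DNS label, from Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def inspect_url(url):
    """Flag a link whose hostname changes under Punycode or mixes scripts in one label."""
    host = hostname_of(url)
    findings = []
    try:
        ascii_host = to_ascii_host(host)
    except UnicodeError as exc:  # label too long or contains a prohibited character
        return {"host": host, "ascii_host": None, "suspicious": True,
                "findings": [f"hostname cannot be converted to ASCII: {exc}"]}
    for label in host.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
    if ascii_host != host:
        findings.append(f"displayed host '{host}' really resolves as '{ascii_host}'")
    return {"host": host, "ascii_host": ascii_host,
            "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed sample links; the second uses a Cyrillic 'а' (U+0430) in place of Latin 'a'.
    for link in ("https://www.example.com/login", "https://\u0430pple.com/account"):
        result = inspect_url(link)
        print(link, "->", "SUSPICIOUS" if result["suspicious"] else "ok", result["findings"])
```

The HTTPS scheme is deliberately ignored: a padlock on the look-alike host would not change the verdict.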
Phishing tactics have advanced considerably, making them much more difficult to spot. With an alert mind, users can protect themselves from these attacks. Some quick rules to remember: read emails with a critical mindset, never trust links or attachments, verify through secondary forms of communication, and use verified, bookmarked, or typed URLs.