A recent US Cybersecurity and Infrastructure Security Agency (CISA) survey showed that eight out of ten organizations reported at least one person within their business fell victim to a phishing attack. CISA performed its own penetration test on organizations willing to be tested, and the results confirmed that most businesses are vulnerable to cyber-criminals using social engineering and phishing methods. People were found to be the weakest link. Even with endpoint protection, businesses were vulnerable: approximately 15% of emails with malicious attachments were not blocked by endpoint protection.
Not only are employers vulnerable to phishing and malicious attachments; CISA also reported that 84% of targeted victims sent sensitive information to the phishing sender or interacted with malicious links. The results of the CISA penetration tests indicate that more security awareness training is necessary. Without it, phishing attacks can lead to malware installation such as ransomware or trojans, credential theft, theft of business intellectual property, and costly data breaches. Access Point Technology has collected some tips for organizations to train their employees to better detect phishing and social engineering, which we share in this article.
Recognize Phishing
A common tactic cyber-criminals use to trick users is to convey a sense of urgency. When users are rushed and feel that they need to respond quickly, they often forget their security training and make mistakes. It’s important to let employees know that they should stop and think before responding to an email message that seems urgent. Cyber-criminals often impersonate an executive or another person in a position of authority to pressure the recipient into acting quickly, so employees should know to slow down and evaluate such messages.
Check the Sender
Cyber-criminals use domains similar to the official business domain, so users receiving an email from a misspelled domain or a different top-level domain (e.g., mydomain.com vs. mydomain.us) glance at the sender quickly and don’t notice that the domain is not the official one. In some cases, the sender will have a slightly different domain spelling but use the official username of the sender. Cyber-criminals specifically targeting an organization can get this information from testing or social engineering. Most organizations have a specific policy for the way email usernames are created (e.g., first initial and last name, or first name and last name), so cyber-criminals can easily work out the email address of certain high-privileged users.
Before responding to any email, always check the sender address. Note that the sender address can be spoofed: a cyber-criminal can put any address in the From field of a message, including an official one. Never fully trust the sender property of an email, but checking it is a good first step in identifying a phishing email.
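The sender check described above, as an added example that is not part of the original article: it parses the From header and classifies the address as the official domain, a different top-level domain (the article's mydomain.com vs. mydomain.us case), a one- or two-character look-alike, or an unrelated external domain, and separately flags a display name that itself looks like an official address. The official domain, the edit-distance threshold of 2, and the sample headers are assumptions made for the example; an empty result is not proof of legitimacy, because the From header can be spoofed.

```python
from email.utils import parseaddr

OFFICIAL_DOMAIN = "mydomain.com"   # placeholder: the organization's real domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot small misspellings of the official domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Naive split into (second-level label, top-level label).

    Good enough for mydomain.com vs mydomain.us; multi-label suffixes such
    as .co.uk would need a public-suffix list (assumption of this example)."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def check_sender(from_header: str, official_domain: str = OFFICIAL_DOMAIN) -> list:
    """Return a list of findings; an empty list means nothing obviously wrong.

    This is only the first check: the From header itself can be spoofed, so a
    clean result must still be combined with the other checks in the article."""
    findings = []
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable sender address"]
    domain = address.rsplit("@", 1)[1].lower()
    official_domain = official_domain.lower()

    # Display name that itself looks like an official address, e.g.
    # "jdoe@mydomain.com" <jdoe@evil-example.net>
    if official_domain in display_name.lower() and domain != official_domain:
        findings.append("display name impersonates an official address")

    # Exact match or a subdomain of the official domain: no further finding.
    if domain == official_domain or domain.endswith("." + official_domain):
        return findings

    sld, tld = split_domain(domain)
    off_sld, off_tld = split_domain(official_domain)
    if sld == off_sld and tld != off_tld:
        findings.append(f"different top-level domain: {domain} vs {official_domain}")
    elif levenshtein(sld, off_sld) <= 2:
        findings.append(f"look-alike domain: {domain} vs {official_domain}")
    else:
        findings.append(f"external domain: {domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers, not real captures.
    for header in ("Jane Doe <jdoe@mydomain.com>",
                   "Jane Doe <jdoe@mydomain.us>",
                   "Jane Doe <jdoe@mydomian.com>",
                   '"jdoe@mydomain.com" <jdoe@evil-example.net>'):
        print(header, "->", check_sender(header))
```

A helper like this belongs in a mail-gateway rule or a reporting tool rather than in a user's hands; the point for training is the same list of red flags the code encodes, checked by eye.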
Look for Generic Greetings
Take a look at an email from an official source like your bank or an online store where you’ve made a purchase. Notice that the email greeting addresses you by name and usually has some information that only the sender would know. For example, an online store might address you by name, and then the email lists your address or a recent purchase. A phishing email is usually unspecific and uses a general greeting. The email contains no specific information about your name or any personal information related to the way you interacted with the site.
Any greeting that simply says “Hi” or “Dear customer” should be scrutinized. Look at the sender as suggested in the previous section and review other aspects of the message. If the message has an attachment, do not open it.
Beware of Urgent Requests
Creating a sense of urgency is one of the most common strategies in a phishing campaign. Cyber-criminals aim to catch an unwary employee off guard and trick them into bypassing their normal security training. By creating panic, they leave the employee too flustered to notice any red flags. Employees should be trained to recognize these signs, but many organizations do not offer security awareness training of any kind.
Everyone within the organization should be on board with security measures, so taking a minute to verify identities and sender information should be acceptable. Employees can call the supposed sender internally, or verify the sender by emailing them directly. Any links in the email claiming to be a legitimate business should not be clicked. Instead, type the official domain into your browser.
Verify Links
Some phishing messages include embedded links. These links could take the user to a malicious website where users are convinced to divulge their credentials, or the website could host malware downloads. Modern browsers use open APIs from large tech companies (e.g., Google Safe Browsing API) to warn users before accessing known malware or phishing sites, but cyber-criminals constantly make new domains to avoid detection. Once a new domain is registered as malicious, cyber-criminals make dozens of other ones. It’s a cat-and-mouse game for threat intelligence.
You could hover over a link to see the target domain, but you should not click it. Any zero-day threats leveraging browser vulnerabilities could be exploited if users click the link to check out the target domain. Instead, type the domain directly into your browser or report the email to a security staff member if you have one.
Watch for Misspellings and Grammatical Errors
Scammers and cyber-criminals rarely have their messages professionally written, so you’ll often find errors. The English may be poorly written, or the email could contain obvious typographical errors. Of course, some legitimate professional email messages contain typos too, but malicious email messages usually contain errors and are poorly structured.
Check for Suspicious Attachments
Recipients should never open attachments from people they don’t know, and never run attachments labeled as executable files. Businesses should have email security set up to block executable attachments, especially any messages sent from an outside sender. Without email security, though, users should know to be suspicious of attachments.
Attackers mask file extensions and use familiar icons to trick users into opening malicious attachments. For example, an attacker might give the attachment a PDF icon, but the file is actually an .exe executable or a .ps1 (PowerShell) script.
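The two checks from the Verify Links and Check for Suspicious Attachments sections, as an added example that is not part of the original article: a programmatic version of "hover over the link", which flags an anchor whose visible text names one host while its href points to another, and an attachment check that flags executable extensions (.exe, .ps1 and similar), a document-like name hiding a second extension, and a declared PDF content type that does not match the file name. The sample message is constructed in the code with the Python standard library, the extension list is an assumption rather than a standard, and the hostname regex is a deliberately simple heuristic.

```python
import os
import re
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of extensions that run code when double-clicked on Windows.
EXECUTABLE_EXTENSIONS = {".exe", ".ps1", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
_DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(text):
    """Hostname named in a URL or in free text, without a leading www."""
    m = _DOMAIN_RE.search(text or "")
    return m.group(1).lower().removeprefix("www.") if m else None


def check_links(html: str) -> list:
    """Flag links whose visible text names a different host than the href."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = (urlparse(href).hostname or "").lower().removeprefix("www.")
        shown = _host(text)
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
    return findings


def check_attachments(msg: EmailMessage) -> list:
    """Flag executable, double-extension, and mislabelled attachments."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        stem, ext = os.path.splitext(name.lower())
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
        if os.path.splitext(stem)[1]:            # e.g. invoice.pdf.exe
            findings.append(f"double extension: {name}")
        declared = part.get_content_type()
        if declared == "application/pdf" and ext != ".pdf":
            findings.append(f"declared {declared} but named {name}")
    return findings


def analyze(msg: EmailMessage) -> dict:
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part else ""
    return {"links": check_links(html), "attachments": check_attachments(msg)}


def build_sample_message() -> EmailMessage:
    """Constructed sample modelled on the article's description; not a real capture."""
    msg = EmailMessage()
    msg["From"] = "Billing <billing@mydomain.us>"
    msg["To"] = "jdoe@mydomain.com"
    msg["Subject"] = "URGENT: overdue invoice"
    msg.set_content("Dear customer, your invoice is overdue.")
    msg.add_alternative(
        '<p>Dear customer, pay now at '
        '<a href="http://mydomain.example/pay">https://mydomain.com/billing</a></p>',
        subtype="html")
    msg.add_attachment(b"MZ-not-a-real-executable", maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    return msg


if __name__ == "__main__":
    for kind, items in analyze(build_sample_message()).items():
        print(kind, items)
```

Logic like this is what a mail gateway or a "report phishing" add-in runs on every message; for users, the lesson is the same: read the real target of a link before acting, and treat any attachment whose name ends in an executable extension as hostile regardless of its icon.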
Report Phishing
Suppose you know that a message is phishing. What should you do? For personal email, you can delete it. In a business environment, it’s best to report it. Most cyber-criminals use targeted phishing campaigns, so it’s possible that others within the organization will also receive the same phishing message. Reporting it lets administrators warn other users and tune any email security to reduce false negatives. Here’s what you should do if you suspect that a message is phishing:
Do Not Respond
Never interact with any part of a phishing email, including by replying. In some cases, the attacker wants to learn whether the mailbox is monitored and therefore a target for additional social engineering. It’s common for administrators to configure email servers to forward messages for unknown recipients to a “catch-all” address where they can review bounced messages, so attackers cannot tell whether an address is real and monitored until someone replies to the message.
Report to Your IT Department or Security Team
Instead of replying (even to ask whether the sender is legitimate), always forward the message to an administrator, preferably a security administrator. If the message contains an attachment, point out that the message contains a suspicious file. A security administrator can quarantine any attachments for further review.
Use Anti-Phishing Tools
Email servers should have security software installed that filters out phishing email messages and malicious attachments. The security software quarantines messages for further review by an administrator. It protects the business from human vulnerabilities where users haplessly click a link or open a malicious attachment. Instead, users never see the email message, so they are effectively removed as a vulnerability to phishing.
Most email services have a way to report phishing. If your business uses a third-party service (e.g., Microsoft Office 365) for email, use the provided link to report phishing. Reported phishing messages can be used by the email service to improve its filters and block future malicious messages.
Report to Authorities
For serious data breaches, reporting to authorities including law enforcement might be necessary. Law enforcement also has investigators to help resolve the data breach, especially when it comes from sophisticated malware such as ransomware. For smaller businesses, authorities are the only resource that they have to investigate the severity of the data breach and find the vulnerability that allowed for an exploit.
Forward to Anti-Phishing Organizations
Anti-phishing organizations can help identify phishing strategies. The Anti-Phishing Working Group (APWG) is an international organization of numerous security researchers and professionals. They offer counter-phishing strategies, investigations and investigators, forensics, evidence collection, university guidance, and response to cyber-criminals using a phishing attack to compromise an environment.
Most phishing has monetary gain for cyber-criminals. Phishing attacks are combined with ransomware to extort money from victims, often millions of dollars for businesses. Organizations like the APWG help businesses better prepare for attacks and train employees to recognize and stop them.
Warn Others
Cyber-criminals count on email recipients’ inability to recognize a phishing email. Warn friends and family when you receive a phishing email so that they can stop it too. For businesses, administrators should warn their users to stay aware of the latest phishing attack, especially if the business is the target of an attack.
Security awareness training also helps users recognize phishing so that they can report it to the right person. In your security policies, make it clear to employees where to send reports of potential phishing. Employees should feel empowered to report suspicious email messages and ask questions if they are unsure of the legitimacy of a message.
Phishing Attacks Constantly Evolve
With all these suggestions, it’s equally important to know that phishing strategies are constantly changing. Cyber-criminals know that users recognize old phishing strategies and become complacent, so they change their strategies to avoid detection. Human error powers the success of phishing, so having a system in place to filter out suspicious email messages greatly reduces risks for businesses.
Security awareness training should be done at least annually so that users are aware of the latest phishing strategies. Administrators should also send warnings to users after determining that the business is the target of an attack.