Phishing continues to be the primary means of unlawful entry into an organization, with attacks growing year over year. Security firm Zscaler reports a nearly 50% increase in attacks in 2022 over 2021. The same report states that education was the most targeted sector, showing that threat actors are not just targeting big-money companies. According to IBM Security X-Force's annual threat intelligence report, more than two of every five security incidents involved phishing as the initial access vector. To better understand this statistic, let's first understand what phishing is and why security tools alone can't seem to stop this threat.
So, what exactly is phishing? In its simplest form, phishing is the sending of emails under false pretenses to manipulate an individual into giving up valuable information or downloading malware that can then be used in an attack against the recipient's organization. Often the target information is a username and password, but it can also include bank account numbers or other highly sensitive data. The best phishing attempts look and feel like legitimate emails from a trustworthy source: a supplier, another known service provider, or even the internal IT department. These emails often carry an element of urgency, encouraging the user to act quickly to resolve a problem or crisis. They play on the human psyche, manipulating some of our best qualities to get us to unintentionally divulge vital information.
A few common examples include emails seemingly alerting you to a failed package delivery, claiming there is a problem with your invoice or payment, or purporting to be the IT help desk reporting a problem with your laptop. These emails encourage the user to act swiftly to resolve the problem, often declaring the issue to be time sensitive and likely to escalate if not resolved immediately. The aim is to get the user to divulge the desired information as fast as possible, before they can step back, think about what is being asked, or double-check the legitimacy of the claims. These emails often include links to pages where the user is asked to log in or provide other confidential information. Those sites use graphics and imagery that mimic the real site, so a user unknowingly hands over the sensitive information. Sometimes the link bypasses any web page and downloads malware directly to the user's PC. Alternatively, the message may carry the malware as an attachment, urging the user to open the attached file and review its contents. Unfortunately, such files contain macro code or other malicious content that can lead to the user's computer being compromised. The goal is always the same: to steal sensitive information from the user or otherwise compromise the recipient's laptop or workstation.
Now that we have a better idea of what phishing is, why is it so hard for information security tools to stop it? There are a variety of factors at play. First, the very nature of email is such that we don't always know who has legitimate business sending us messages. It is a relatively open model, in which the only barrier to sending is knowing the recipient's email address. There is no trust model where a sender must first request and be granted permission before being able to send an email. And, unfortunately, we as humans seem to jump at the chance to hand out our email address (and other personal information) at every opportunity when asked.
Despite the lack of a trust model inherent in email, security tools do exist to filter out much of this malicious traffic. Email security heavyweight Proofpoint reported blocking more than 75 million threats in 2022, though this amounted to only about 10% of the total volume. The sheer quantity of attacks is staggering and makes for a very difficult problem to solve. This Newswire report indicates an average of 22 billion emails sent daily, 85% of which are spam or malicious. In this security professional's humble opinion, we need to completely rethink email as an Internet service. As mentioned previously, one improvement might be to implement a trust model in which senders must request and be approved to send email to each recipient.
The second and more difficult problem with phishing is the human element. AI tools have helped malware creators craft even better phishing emails. Gone are the days when broken English was a telltale sign of a phishing attack. Now, many phishing emails have perfect spelling and grammar, making it very difficult for human users to spot the fakes. As human beings, we are programmed to respond to danger and threats. Phishing emails are often crafted to evoke a fight-or-flight response, pushing us to take quick action. The result is clicking the link or opening the attachment before thinking through the consequences. Training employees to recognize suspicious links and not click them, and never to open unsolicited attachments, is truly a difficult job, given that these emails use every trick in the book to motivate the recipient to do the opposite.
Given all these challenges, what can be done to combat phishing?
The battle starts with a secure email policy and configuration on company email servers. Use capabilities such as Sender Policy Framework (SPF) to specify the mail servers authorized to send for a given domain, DomainKeys Identified Mail (DKIM) to sign messages so that any alteration in transit can be detected, and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to tell receiving servers to reject spoofed emails that fail those checks. These all exist to help fight phishing and spam. Sadly, according to this post from Security Info Watch, only about 60% of Fortune 100 companies have DMARC enabled, and of those, many do not have it configured correctly. Correctly configuring these policies is far beyond the scope of this article. The important takeaway is that technologies are available which, if used correctly, can help prevent these emails from ever being sent or delivered in the first place.
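"Enabled but misconfigured" is the common failure mode mentioned above. The following checker is an added example, not code from the original article or from Black Kilt; it parses SPF and DMARC TXT records (constructed sample values here, not any real domain's records) and flags the settings that leave a domain exposed, such as a DMARC policy of p=none, a partial pct, a missing reporting address, or an SPF record ending in ~all or +all.

```python
# Constructed sample TXT records for illustration (not records of any real domain).
SPF_WEAK = "v=spf1 include:_spf.example.net ip4:192.0.2.10 ~all"
SPF_STRONG = "v=spf1 include:_spf.example.net ip4:192.0.2.10 -all"
DMARC_WEAK = "v=DMARC1; p=none; pct=50"
DMARC_STRONG = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"

# SPF mechanisms/modifiers that trigger a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict keyed by lower-cased tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record):
    """Return a list of weaknesses in a DMARC record; an empty list means it enforces."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append("p=%s does not reject or quarantine spoofed mail" % (policy or "missing"))
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves subdomains unprotected")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct<100 enforces the policy on only a sample of mail")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports are never received")
    return findings


def check_spf(record):
    """Return a list of weaknesses in an SPF record; an empty list means it enforces."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("+all authorizes every sender on the Internet")
    elif last == "~all":
        findings.append("~all (softfail) only tags unauthorized senders instead of failing them")
    elif last != "-all":
        findings.append("no terminating 'all' mechanism")
    # Strip the qualifier, then the ':' or '=' argument, to get the mechanism name.
    lookups = sum(1 for t in terms[1:]
                  if t.lstrip("+-~?").split(":")[0].split("=")[0].lower() in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append("more than 10 DNS lookups: evaluators return permerror")
    return findings
```

Pointing the checker at live records means fetching the domain's TXT record and the `_dmarc.<domain>` TXT record first; the parsing and policy logic stays the same.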
On the user side, one option, though some may call it extreme, is to disable hyperlinks in emails. This forces the user to manually copy and paste or type the link into a web browser in order to open it. The thought is that this extra step may prompt the user to first inspect the URL and make sure it is in fact a legitimate destination. The easier option is to train users to avoid clicking links in emails and text messages altogether. Suppose you get an urgent message from your bank telling you there is a problem with your account and you need to log in immediately to fix it. If this is true, it is highly unlikely the bank has not also posted a similar message to your account directly. Instead of clicking the link in the email, type in the bank's website address manually and log in as usual. Then look for the message and respond appropriately. This avoids the risk of clicking a potentially hazardous link and takes only seconds longer to complete.
Also, train users to be suspicious of unsolicited emails and never to provide usernames, passwords, or bank account numbers over email or other insecure transports. A common phishing scheme targeting small and mid-sized businesses involves a scathing email about a past-due invoice. It demands that account information be entered or verified and payment processed immediately, or the vendor will stop service. These emails appear to come from legitimate vendors and target the specific employees responsible for managing the client relationship. Unfortunately, in real-world instances of this scheme, the emails linked to a fake purchase-order site where, after the victim entered bank details, the company account was drained and the attackers disappeared without a trace. A better approach is to call the vendor first, using saved contact information rather than the contact details in the suspicious email. Don't trust the information in the email. Verify it with a trusted third party or against what you already have on file.
Since many phishing emails are designed to capture usernames and passwords, adding a one-time password (OTP) or other multifactor authentication (MFA) step to the login process can also help protect companies after credentials have been compromised. This way, even if a user is phished and types in their username and password, the extra step will thwart the attacker and provide a much-needed detection point for spotting the intrusion. The speed bump provided by OTP and MFA technologies is a great additional security measure, even though on the surface it seems completely unrelated to email.
Lastly, one often-overlooked capability is user testing. A multitude of services exist that will send simulated phishing emails to your organization and track who clicks and who does not. The service crafts an email message to your specifications; when a user clicks, they are informed they have just been phished and should contact the infosec team. This is a great tool for identifying users who might need more training and awareness education, especially those who click links or open attachments repeatedly across multiple simulated campaigns.
It should now be clear that phishing is a major threat, worthy of significant attention from any organization. It is not just a problem for the Fortune 500, but for small to mid-sized businesses and even the not-for-profit sector. It is a top vector for infiltration into any organization, and one of the hardest doors to close given current technical limitations. If phishing isn't already on your organization's radar, it should be. Use the information provided here to start an exploration and see how well your organization fares. Or, you can always call in the professionals at Black Kilt and let us do the heavy lifting for you.