Trouble Phishing? How to Avoid Becoming the Next Catch of the Day

If we can take anything from the continuous spate of data breaches, it’s that bad actors and their techniques are more sophisticated than ever and are steamrolling over organisations’ security defences (or lack thereof). But what’s more intriguing is that despite increased global spending on security, one age-old tactic has stood the test of time: the classic phishing scam. By James Romer, Chief Security Architect EMEA at SecureAuth.


Phishing often starts with an email, telephone call, or text message that baits the recipient into handing over personal information and passwords, tricks them into clicking a malicious link, or persuades them to send information of monetary value. Although many of us may roll our eyes at the possibility of falling for such a scam, we must acknowledge that phishing attacks are getting harder to spot and remain a huge problem for organisations and security teams today.

In fact, a recent report by the Anti-Phishing Working Group revealed that the number of unique phishing sites and emails increased by 46% from Q4 2017 to Q1 2018 alone, and an earlier report found that around 156 million phishing emails are sent out every day. Phishing attacks affect all industries and verticals and show no sign of slowing down anytime soon. Bad actors are looking for information they can exploit, causing businesses severe downtime, financial losses, and theft of intellectual property. With these attacks on the rise, it’s important to be aware of the most common methods of email phishing and how to strengthen your security against them, to reduce the risk of falling for the bait.

The most commonly used ‘hooks’ for phishing attacks

Phishing scams have tell-tale signs that give the threat away. Here are some to watch out for:

  1. Mimic Attacks – The most common type of phishing scam covers any attack by which fraudsters impersonate a legitimate company and attempt to steal people’s personal information or login credentials. Criminals know individuals trust household names they’re familiar with. As a result, fraudsters impersonate a brand’s logo and communications convincingly to trick users into submitting their personal details to a hoaxed page.
  2. Malware email attachments – Threat actors commonly pose as victims’ co-workers to ensure that targets believe they're interacting with a person they trust. The attackers use the trusted name and persona of a colleague to trick them into downloading and opening infected attachments.
  3. Whale Phishing – Whale phishing, a form of spear phishing, often targets CEOs or other high-value recipients. Here, fraudsters customise their attack emails with the target’s name, position, company, work phone number and other information, to trick the recipient into believing that they have a connection with the sender. These ‘phishermen’ often find high-value recipients easier to impersonate, as such recipients frequently use personal email addresses for business-related correspondence, which do not have the same protection as corporate email.

Avoid ‘swimming’ into a phishing attack

Organisations should not assume that users are aware of what phishing attacks are or how to spot one. Periodically reinforcing the risk of a phishing attack, with best practices and real-world examples, is a key proactive defensive posture to take. However, human error will continually be a vulnerability, which is why phishing attempts continue to thrive. Therefore, a security approach that shields both the user and the business, but doesn’t impact usability, is needed to stop phishing attacks in their tracks.

Modern identity and access management solutions secure access to applications, networks, and devices by offering single sign-on with multi-factor authentication methods. Adaptive authentication is a modern approach that provides invisible risk analysis checks to confidently determine the legitimacy of every login attempt. It includes techniques such as analysing the authenticating IP address and comparing it against known “bad” IPs associated with anomalous internet infrastructure commonly used by attackers, geographic location analysis (whether the user is in a known “bad” location) and geo-velocity analysis (whether consecutive login attempts are separated by an improbable amount of travel time).

Other checks include whether phone numbers or mobile devices have been subjected to fraudulent activity such as phone porting fraud, or whether an attacker is trying to use a virtual number rather than an actual mobile phone number. By using these layered techniques, organisations can eliminate identity-related breaches caused by attacks such as phishing.
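As an added worked example (not code from the original article and not SecureAuth’s implementation), the script below shows two of the adaptive checks described above, IP reputation and geo-velocity, applied to a constructed sequence of login events. The “known bad” IP set, the 1,000 km/h plausible-travel threshold, the coordinates and the event timestamps are all assumptions made for the illustration; distance is computed with the standard haversine great-circle formula.

```python
"""Added illustration of adaptive-authentication risk checks: an IP-reputation
lookup and a geo-velocity check run over a constructed list of login events."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed set of IP addresses treated as "known bad" for this example.
KNOWN_BAD_IPS = {"198.51.100.23"}

# Fastest plausible travel between two consecutive logins (km/h); an assumption.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0


@dataclass
class LoginEvent:
    user: str
    ip: str
    lat: float
    lon: float
    when: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def geo_velocity_kmh(prev, cur):
    """Travel speed implied by two consecutive logins of the same user.

    Two logins from different places at the same instant (or out of order)
    are treated as infinitely fast so they are never silently accepted."""
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def assess(prev, cur):
    """Return the list of risk findings for login `cur`, given the user's previous login."""
    findings = []
    if cur.ip in KNOWN_BAD_IPS:
        findings.append("ip_reputation")
    if prev is not None and geo_velocity_kmh(prev, cur) > MAX_PLAUSIBLE_SPEED_KMH:
        findings.append("geo_velocity")
    return findings


def evaluate_sequence(events):
    """Assess each event against that user's preceding login.

    Returns {event_index: findings} for every event that raised at least one finding."""
    last_by_user = {}
    results = {}
    for i, ev in enumerate(events):
        findings = assess(last_by_user.get(ev.user), ev)
        if findings:
            results[i] = findings
        last_by_user[ev.user] = ev
    return results


def _utc(hour, minute=0):
    return datetime(2018, 6, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample: alice logs in from London, then from Sydney one hour later;
# bob logs in from a "known bad" IP, then from Manchester three hours later.
SAMPLE_EVENTS = [
    LoginEvent("alice", "203.0.113.5", 51.5074, -0.1278, _utc(9)),
    LoginEvent("alice", "203.0.113.77", -33.8688, 151.2093, _utc(10)),
    LoginEvent("bob", "198.51.100.23", 51.5074, -0.1278, _utc(9, 30)),
    LoginEvent("bob", "203.0.113.9", 53.4808, -2.2426, _utc(12, 30)),
]

if __name__ == "__main__":
    for idx, findings in evaluate_sequence(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"{ev.when.isoformat()} user={ev.user} ip={ev.ip} findings={findings}")
```

In this run, alice’s second login is flagged for geo-velocity (roughly 17,000 km in an hour), bob’s first login is flagged on IP reputation, and bob’s Manchester login passes because 260-odd km in three hours is ordinary travel. A real deployment would feed these findings into a step-up decision (require an additional factor or deny) rather than just printing them.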

Closing Critical Security Gaps

The basic anatomy of a phishing attack has not changed, yet it’s still astonishingly successful. Organisations need to refocus their efforts on implementing technology that renders compromised credentials worthless. It is crucial that IT teams keep on top of phishing strategies and ensure their security policies and solutions can eliminate threats as they evolve. It is just as important to make sure that employees understand the types of attacks they may face, the risks, and how to address them. Regular and engaging security awareness training for employees at all levels will equip them with the tools to identify and flag potential phishing attacks as they emerge.

Informed employees and a tight-knit security application are key when protecting a company from phishing attacks. By implementing modern cyber defence strategies, such as adaptive access control, stolen credentials will be rendered useless to a threat actor, preventing them from catching phishing victims anytime soon.