Phishing, whaling, spear phishing, smishing, vishing: why are there so many varieties of phish in the cyber-sea? Because phishing, despite years of attempts to thwart it, STILL works, and the secret to its success is two simple words: social engineering. We can whitelist, blacklist, and filter, but we can’t deprogram human foibles like trust, carelessness, greed, or alarm. (But if you read on, we’ll share that One Weird Trick that will let your employees block most phishing attempts. Guaranteed!)
What is phishing?
In a nutshell, phishing is a social engineering attack transmitted through email, SMS text messaging, or Internet-based telephony (VoIP). We’ll mostly discuss the email version here. Phishers pose as legitimate contacts or companies with the goal of committing fraud, identity theft and corporate espionage. The more realistic the bait, the more likely it is to trick users into providing confidential information like banking credentials, credit card numbers, and passwords.
While phishing scams are common and have existed in various forms for a long time, the COVID-19 pandemic caused explosive growth. The combination of a shift to remote work and increased internet use gave criminals and hackers more opportunities to create phishing scams. The rise of fake COVID-19 websites (many promising testing and cures) has largely been responsible for a 350% rise in phishing emails since the beginning of 2020.
Common Email Scams
- Tech Support Scams: Tech support phishing emails assert that you have malware on your computer. The hacker will ask to install remote access software on your computer to “fix” the problem, which of course is really malware.
- Clone Scams: Clone phishing is when hackers create malicious, nearly identical copies of legitimate emails from reputable sources to trick you into sharing sensitive information.
- Spear Phishing: Spear phishing is an attack targeted at specific individuals or companies. Scammers will research a targeted individual to discover details that lend credibility to the email, such as their manager’s name. (Our manager regularly reminds us that she will never, ever send us an email asking us to purchase her a Visa gift card.)
Now that you know what phishing is, how can you keep yourself and/or your company’s employees safe (and your corporate bottom line protected)? Again, we aren’t selling software that magically fixes this problem. What you, and anyone in charge of enterprise security, can do is make sure you’ve implemented all of these barriers to phishing in your workplace.
1. Install security software (like Microsoft Defender and Malwarebytes, both free!). Security software is your first line of defense against phishing. Antivirus programs, spam filters, and firewalls provide a decent buffer against email-based phishes. Many enterprise-level security solutions incorporate modules that block known malicious websites by reputation.
2. Update, update, update. Keeping software current with the latest security patches and updates also decreases your chances of getting caught in a phishing scam. Schedule regular updates and continually monitor the status of all software and equipment. I, as a white hat hacker, recommend keeping the following updated:
- Security software
- Operating system software
- Internet browsers and apps
3. Protect your remote workers. Establishing BYOD (Bring Your Own Device) policies is essential if you have employees who work remotely. Require encryption for remote workers’ devices, and connect them to your server over a VPN to prevent them from accessing phishing sites.
4. Schedule regular backups. When was the last time you tested your backup and recovery plan? If you can’t remember, chances are you’re long overdue. Scheduling regular backups helps ensure that your data can be fully recovered in the event of an emergency like a ransomware attack.
5. Enforce password policies. Keep policies in place that govern password expiration, allowed characters, minimum password length, and password reuse. Numbers and special characters help create complex passwords that are more difficult to crack. (But allow passphrases like “Take @ M0m3nt!” too, and permit spaces: a long passphrase with spaces will take FOREVER for someone to brute-force. You’re welcome!)
6. Use MFA (Multi-Factor Authentication). Require two or more credential factors before an employee can log in to company accounts or resources. Deploying multi-factor authentication prevents hackers who have compromised a user’s credentials from gaining access to your systems, especially if the network itself is segmented.
Pausing for a second:
What’s the one weird trick you can use to protect your employees from phishing?
TRAINING.
The best defense is a good offense. Educating your employees on how to identify and (not) respond to phishing attempts will be the highest return on your security investment. Let them know that if they’re ever unsure about a particular email, they should contact your IT department, Help Desk, or designated response team before taking any action like clicking a link or downloading an attachment.
Train new users on the company’s security measures as part of their orientation. Inform all employees when you update your internet security policies and procedures. And have – and use! – a security policy that includes annual employee awareness training.
7. Avoid emails from ANY unknown senders. If you have employees in a customer service capacity who regularly receive emails from the public, this may be challenging. However, spam filters should help weed out malicious messages. Teach your employees to take the following steps to minimize risk from internal emails:
- Forward rather than respond: If an email looks suspicious, even if it seems to be from a trusted contact, forward the message to the sender using your known-good contact info rather than replying directly to the email. Suspicious signs include emails that ask you to forward or upload company documents to an external website, FTP site, or cloud storage account.
- Still not sure? Call the sender directly to confirm they sent the message.
8. Beware of spoofing. While this may seem obvious, “spoofing” scams can fool even the most observant user. One kind of spoofing involves creating an email address that is very similar to one in your contacts. For example, “[email protected]” could be spoofed as “[email protected].” If Emily is someone you talk to regularly, you may not notice that the “m” in her first name is actually the letters “r” and “n,” which can resemble an “m” on some screens. These scams can be especially dangerous if the person spoofed is in management or from a company you know. Some phishers use real company logos in their correspondence to make it look legitimate. People often feel safe providing sensitive information to those they trust.
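The “rn” for “m” substitution described above can also be caught mechanically at the mail gateway, by folding such lookalike sequences before comparing a sender against the address book. The following is an added example, not code from the original post; the contact addresses (at the placeholder domain example.com) and the confusable table are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed address book standing in for a company's known-good contacts
# (hypothetical addresses; example.com is a placeholder domain).
KNOWN_CONTACTS = {
    "emily@example.com",
    "mark.jones@example.com",
    "william@example.com",
}

# Character sequences that render alike in many fonts and turn up in lookalike
# sender addresses. Both the candidate and the contacts are folded the same way.
CONFUSABLES = [
    ("rn", "m"),   # the "ernily" for "emily" substitution described in the post
    ("vv", "w"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
]

def fold_confusables(text: str) -> str:
    """Fold confusable sequences so that 'ernily' and 'emily' compare equal."""
    folded = text.lower()
    for lookalike, canonical in CONFUSABLES:
        folded = folded.replace(lookalike, canonical)
    return folded

def check_sender(address: str, contacts=KNOWN_CONTACTS) -> str:
    """Classify an address as 'known', 'lookalike' or 'unknown'. A lookalike is
    not a contact but becomes one once confusables are folded, on either side
    of the '@', so 'ernily@exarnple.com' is caught as well."""
    address = address.strip().lower()
    if address in contacts:
        return "known"
    folded = fold_confusables(address)
    if any(fold_confusables(contact) == folded for contact in contacts):
        return "lookalike"
    return "unknown"

def check_from_header(header: str, contacts=KNOWN_CONTACTS) -> str:
    """Apply check_sender to the address part of a From: header, ignoring the
    display name, which the sender controls freely."""
    _display_name, addr = parseaddr(header)
    return check_sender(addr, contacts)
```

The folding table only covers ASCII lookalikes; Unicode homoglyphs (for example Cyrillic letters that print like Latin ones) need a separate normalisation step.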
9. Do not EVER share personal information or click random links. Do not provide personal or confidential information unless you have verified the request directly with the person making it. Legitimate people and organizations will never ask for sensitive information (like account numbers or government ID numbers) via email. If you can confirm the request via phone, text, or direct email, you have a better chance of avoiding danger. Employees should never click on links in an email, even if they appear to come from trustworthy sources. If you’re unsure, open a new browser window and type the URL into the address bar rather than clicking a link. Another test is to hover your cursor over the sender’s name or the links in the email. If the links are malicious, they probably won’t match the displayed address or the link text. Use common sense here!
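The hover check above (does the link text name the same site the link really goes to?) can be automated over an HTML email body. This is an added example rather than code from the original post; the sample body and its domains (bank.example, secure-login.example.net) are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

# Anchor text that names a site (bare domain or URL), the only kind a reader can compare.
DOMAIN_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

def link_host(url: str) -> str:
    """Hostname of a URL with any leading 'www.' removed; the scheme is optional."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def mismatched_links(html: str) -> list:
    """Return (shown_text, real_href) pairs whose displayed domain differs from the real one."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not DOMAIN_LIKE.match(text):
            continue  # "Click here" gives the reader nothing to compare against
        shown, actual = link_host(text), link_host(href)
        # Subdomains of the displayed domain (login.bank.example) are accepted.
        if shown and actual and shown != actual and not actual.endswith("." + shown):
            findings.append((text, href))
    return findings

# Constructed sample body (hypothetical domains): the first link lies about its target.
SAMPLE_BODY = (
    '<a href="http://secure-login.example.net/verify">https://www.bank.example/login</a>'
    '<a href="https://www.bank.example/help">https://www.bank.example/help</a>'
    '<a href="http://secure-login.example.net/verify">Click here</a>'
)
```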
10. The more urgent the message, the slower your reaction. When spoofing is combined with threats or deadlines, the chances of falling for a phishing scam are even higher. Phishers create a sense of danger or urgency (like the threat of a fine or account closure) that often frightens people into following the instructions, like “Click here to download an urgent security patch!” Your employees should know how to report any threatening or urgent-seeming messages to a designated internal person or team.
11. Pay close attention to the body of the email and watch for spelling or grammar mistakes. Scammers often run phishing attacks from other countries. While some are quite sophisticated, many phishers make obvious mistakes that are easy to catch if you’re paying attention. Spelling and grammar errors, along with content and images that aren’t quite “right,” are common red flags.
For entry-level cybersecurity certification, CompTIA Security+ is a great place to start. Stay safe out there, and cheers!