We all take email for granted these days. In fact, a lot of people have gone beyond taking it for granted and would rather replace it with tools like Slack or Microsoft Teams. Still others think that we rely on email too much and most of us struggle to contain our overflowing email inboxes at work. Because of this, I wasn’t surprised to read a recent article in DarkReading which reported a new study on Phishing. Said study reported that 91% of all cyber attacks start with a phishing email. I can believe it. Not because email attacks are becoming more technically sophisticated, but because they rely on human error – and us humans are prone to making mistakes.
Phishing relies on tricking someone to do something using email. The typical objective is to get you to open a malicious attachment containing malware or to trick you into disclosing your domain username and password (known as credential harvesting). Phishing emails differ in sophistication. Spear phishing emails are highly targeted and the attackers use information gathered on the target to create an email specifically aimed at him or her. Traditional phishing is more of a volume game, and commonly uses a genuine looking email purportedly from a credible source such as Microsoft, Dropbox or Google Docs. You don’t have to be a master forger to create these emails and the fake web pages they rely on; numerous tools exist which can help you create fake emails and ‘scrape’ genuine websites to build good copy of a real page. Other types of phishing email include ‘fake CEO’ or ‘bogus boss’ email where an attacker sends an email to an accountant or finance department purportedly from the CEO or other executive and asking them to transfer money to a named account urgently. Even though these requests typically bypass all internal processes and governance, organisations are regularly tricked into making these payments.
So, how do you avoid becoming a victim? Here are some of the tips that we provide on our education landing pages for clients using our phishing simulation service.
When you receive an unexpected email then treat it with suspicion, especially if it wants you to open an attachment or click a link. When you do get an email like this, take a look at the sender’s email address. Whilst it may look genuine at a casual glance, a spoof address is more obvious on closer inspection, as shown in the picture below.
If the email includes a link don’t click it – firstly hover over the link with your cursor to check whether the destination web address looks valid. Phishing links often look like a collection of random letters and numbers, as shown in the picture below. If in doubt, check with IT.
If you do click the link, the website may look genuine. Fake web pages are easy to create, but can be identified. Firstly, if the website asks you to submit your username and password then don’t do it. If in doubt, check with IT or your information security function. Secondly, look at the web address – does it look genuine? If it is a random collection of letters or numbers or doesn’t look as it should do, then don’t trust it.
If you receive an attachment that you didn’t request or expect then don’t open it, no matter how interesting it looks. Phishing emails often have attachments claiming to be a ‘purchase order’ or ‘remittance advice’ or similar. If in doubt, check with IT or your information security function.
Because phishing typically relies on human error, it important to ensure that you have an effective information security education and awareness and programme in place. A good programme should use multiple techniques for testing and improving awareness and phishing simulation exercises can help with this. We run these exercises for customers of different sizes and types and we always harvest credentials, but that isn’t the purpose of the campaign – because we aren’t trying to catch people out. We like hearing that calls to the IT help desk have gone up during a campaign and that word has spread about ‘dodgy’ emails having been received. This heightens awareness and, for a brief time at least, most employees are more willing to listen and engage in awareness activity. Some question the value to phishing simulation campaigns, but if they are well planned and followed up quickly with supporting awareness work they can be very successful in my experience.
Awareness activities should be relatively short, and ‘punchy’ – don’t let boring awareness campaigns become white noise. Consider a mix of video, online training, some classroom based work for those functions (such as finance and IT admins) who are likely to be targeted. Also, posters, screen savers, an intranet site and more. Support your policies and procedures with simple and easy to understand guidelines. Maintain a rolling programme of activities and ensure that your CEO or another regularly states how important information security is – that sets a ‘tone from the top’ and helps create a culture of security.