Everyone has been on the receiving end of a phishing email. While modern email solutions have become extremely effective in identifying and binning suspected phishing emails, this hasn’t always been the case. Even now, some emails slip past the filters and make it into the Inbox, making it vital for end-users to be able to identify and properly respond to attempted phishing attacks.
Beyond being a nuisance, phishing attacks can also be extremely damaging to an organization or individual if they are successful. Phishing emails are designed to steal sensitive information, money, or to act as the first step in a multi-stage attack. As a result, knowing how to prevent phishing is an important component of any organization’s cybersecurity strategy.
However, this is not as easy as it may seem. The cybersecurity landscape, in general, evolves rapidly, and this also applies to phishing in particular. As cyber defenders create new means of detecting and blocking phishing emails, attackers develop new means of bypassing these protections. The end result is that the end-user is faced with the challenge of correctly identifying and responding to this rapidly evolving threat.
A Brief History of Phishing
Phishing attacks have been around for a very long time. The original phishing attacks were relatively unsophisticated, including misspellings, poor grammar, and implausible pretexts. However, these attacks were also effective (and many of these features were intentional) since anyone naive enough to respond to the poorly crafted phishing email was also likely to fall for the rest of the scam as well.
Over time, end users have become more knowledgeable about phishing emails and the risks associated with them. Cybersecurity researchers have also developed phishing defence software that can automatically detect attempted phishing attacks.
As a result, phishing attacks grew more sophisticated. With the development of more polished wide-scale phishing attacks and of spear phishing attacks that precisely target a particular person or group, phishing emails have become capable of tricking even a discerning email user.
The Modern Phishing Landscape
Enter the modern phishing landscape. While phishing attacks may seem like a minor threat compared to other attack vectors (like web application vulnerabilities and other attacks against Internet-facing systems), in fact, 93% of organizations cite phishing as a major threat to their organizational security.
Targeted Phishing Attacks
Part of this increased feeling of danger regarding phishing attacks is due to their increased sophistication and focus. Spear phishing and Business Email Compromise (BEC) attacks are well-researched phishing attacks designed to trick a particular person into taking actions that would hurt themselves or their company. These attacks are designed to provide a large payoff to the hacker, allowing them to spend a significant amount of time and effort researching and crafting the phishing email while still making a tidy profit.
Bypassing Security Solutions
While many organizations rely on software-based solutions to prevent phishing, these are not always effective. While these solutions are designed to protect against the “standard” phishing email, attackers are creating new campaigns with emails specifically designed to bypass the protections offered by common anti-phishing products.
For example, an email scanning product won’t check the document pointed to by a sharing link in the email. On the other hand, the cloud storage provider that the link points to (Google Docs, Dropbox, etc.) won’t check for phishing links in the document. As a result, phishers are turning to these cloud-based document storage solutions as a stepping stone in the chain leading from a phishing email to a malicious website or a malware download.
Most anti-phishing training and software solutions are focused on email as the primary threat vector for phishing attacks. However, businesses are increasingly moving to other communications solutions like SMS messaging, Slack and social media to perform even core business actions.
And the hackers are moving with them. Phishers are increasingly using social media as a platform for sending out phishing messages. Since the end-user has been trained to think of the phishing threat as the phishing email threat, their guard is down when on other messaging platforms, making them vulnerable to attack.
Protecting Against Phishing Attacks
When dealing with modern phishing threats, cybersecurity awareness training for employees is definitely an important aspect of any organization’s cyber defense. All employees should be aware of the threat that phishing poses, the common types of phishing attacks, and how to respond if they believe that they are the target of a suspected phishing attack.
However, cybersecurity awareness training isn’t enough to adequately protect an organization against the phishing threat. Modern phishing attacks are sophisticated and designed to fool even an end-user who is aware of and on their guard against the threat. Some phishing attacks will slip through, and organizations need to be prepared to deal with the consequences.
One of the primary targets of phishing emails is credentials that can be used to gain authenticated access to a user’s account on a system. All services that an organization provides that user authentication should implement two-factor authentication to minimize the impact of compromised credentials. For web applications especially, solutions exist for efficiently applying two-factor authentication protection for URLs, even ones including queries or AJAX pages.
Phishing attacks are the most common cyberattack in existence and is commonly used to enable other, more damaging attacks. A truly cyber secure organization takes steps to kill phishing at all stages: from preventative training to taking proactive steps to minimize its impact.