Phishing is the act of attempting to trick the recipient of a malicious email into opening and engaging with it. The “sender” of the email deceives the victim by making the email appear to be sent from a reputable source, such as a government department, a supplier, or a customer of the business.
The phishing email may have a malicious attachment, like a PDF or Word document, that, once opened, will harm the user's computer by installing malware. Or, the phishing email will contain a malicious URL link in its body. When the user clicks on that link, they might be directed to a site that appears legitimate, but in actuality it is used to collect confidential information such as usernames and passwords, or to install malware onto their device.
To achieve this, cybercriminals simply use compromised email accounts or spoof the sending email addresses, obfuscating the real, malicious sender. This is a relatively simple task, involving little more than alteration of the email header so that when it lands in a user’s inbox, it appears to have been sent by firstname.lastname@example.org rather than having been sent by email@example.com.
Cybercriminals simply use compromised email accounts or spoof the sending email addresses.
Unfortunately, by default, the email server responsible for receiving the email does not check to confirm that example.com is authorized to send email on behalf of anybank.com. There have been numerous technical solutions proposed and deployed to eliminate this authentication weakness in email, but uptake has been slow.1 Part of the challenge is that both the sending and receiving email servers need to be configured correctly for that authentication to work properly.
Phishing email attacks are typically components of broader email spam attacks, and are usually delivered in large volumes from botnets of compromised computers. In 2016, the volume of email spam increased by 400%, with nearly half of all emails sent globally being considered spam.2 However, with the takedown of the Necurs botnet, spam volumes have decreased by 50% during 2017.3 Despite this positive trajectory, email remains the top method for distributing malware.4
Deceptive Phishing: This is the most common type of phishing scam wherein cybercriminals impersonate a legitimate company or domain and attempt to steal personally identifiable information (PII) or login credentials. This manner of phishing often lacks customization or personalization and is disseminated in a shotgun approach. The hope is that if the volume of emails is very high, then a sufficient number of users will open the emails.
An example of this type of scam includes a “banking” phishing email that is sent to a wide audience with the hope that some of the recipients are customers of whichever bank is being spoofed. The email subject line is typically crafted to create urgency: “Your bank account has been compromised—update your password immediately” or “Overdue Invoice attached—pay now to avoid legal action.” As described earlier, once the link is clicked and details submitted, or the attachment is opened, the damage is done.
“Your bank account has been compromised—update your password immediately”
Spear Phishing: Unlike generic phishing emails, spear phishing emails contain an abundance of personalization. While the end goal is the same—to lure the recipient into clicking on a malicious URL or attachment—the sender customizes the attack email to contain the target’s name, company, or title, or mention the recipient’s colleagues and business connections. These personal details make engagement with the malicious content much more likely. And given the proliferation of business networking sites and social media, it’s relatively simple for cybercriminals to gather the personal information necessary to forge a convincing email.
Whale Phishing/CEO Fraud/Business Email Compromise (BEC): This type of phishing targets a business’ leadership team with the goal to spear phish a “whale,” or an executive, and collect their login credentials. Once those details have been stolen, the cybercriminals may impersonate that executive, conducting what is known as CEO fraud via business email compromise (BEC), and authorize wire transfers or other significant actions. An example of this would be an urgent email sent “from” a CEO to the finance team authorizing a sufficient transfer of funds because she is in China on business and urgently needs to pay an outstanding invoice to a local supplier. Between 2014 and 2016, CEO fraud affected 12,000 companies and cost $2 billion.5
Between 2014 and 2016, CEO fraud affected 12,000 companies and cost $2 billion.
Educate the weakest link. Phishing requires a user to open or click on something malicious. As such, educating employees about how to recognize, avoid, and report the various types of phishing is imperative. Exercises where company personnel are sent faux “phishing” emails are effective in coaching users to distinguish between a genuine supplier communication and a phishing email with the subject line “Urgent: Invoice Attached - please open and pay now.” Companies must commit to a program of continual education and awareness across the organization.
Don’t forget about educating business leaders too. Executives are just as fallible as their employees, but a security misstep by a business leader carries far greater consequences. As whale phishing, CEO fraud, and business email compromise (BEC) continue to rise as cybercriminals become more sophisticated, ensure that business leaders are included in your education and awareness program.
Don’t forget about educating business leaders too.
Review your finance processes. The cost of doing business continues to grow in today’s hyper-connected and demanding world. As a result, large sums of money are frequently and urgently required to be transferred across the globe, with varying degrees of rigour applied and/or accepted. Explore implementing processes that validate that such money transfers are genuine. While no one likes to impede, question, or upset an executive, being ultra cautious is absolutely preferable to having hundreds of thousands siphoned out of the company coffers.
Deploy multiple layers of security defenses. Working on the principle that malicious actors will do their utmost to bypass your security and will continuously modify their tactics, having a defense-in-depth security strategy is best practice. Start with having an email filter that scans all of the incoming emails to your business; this will block a decent portion of phishing attempts. Then, have an endpoint Anti-Virus product that also includes phishing protection. Finally, deploy a solution that looks at the outgoing web request in the event that a user clicks on a malicious link. This can either be a DNS- or a proxy-based solution.
Having a defense-in-depth security strategy is best practice.
Activate multi-factor authentication. Even if you take all of the above precautions, there’s still a chance that a phishing attack could succeed, resulting in the theft of an employee’s username and password. To mitigate that risk, deploy multi-factor authentication to ensure that, even if the credentials are stolen, the malicious actors won’t be able to access your applications, services, and sensitive data.