We asked industry experts what can be done to fight back against increasingly sophisticated phishing techniques? Here are their responses:
Anthony Daniel, Regional Director – Australia, New Zealand and Pacific Islands, WatchGuard Technologies
What can be done to fight back against increasingly sophisticated phishing techniques?
It’s often said that the only certainties in life are death and taxes. These days, a third items needs to be added to the list: phishing attacks.
These targeted attempts to illicit personal details from unsuspecting users are growing in both number and sophistication. Cybercriminals are mounting them with the aim of either causing disruption to an organization’s IT infrastructure or securing a financial gain.
When they first emerged as an attack type, phishing attempts were relatively easy to spot. The poorly written nature of the emails, often riddled with spelling mistakes and grammatical errors, made recipients regard them with suspicion and avoid any associated attachments or links.
However, cybercriminals have become much better at their craft. Today, many phishing emails are almost impossible to distinguish from real ones. They often appear to have come from a legitimate source and can be difficult to spot amid a daily email deluge.
Be ever vigilant
Thankfully, there are some practical steps individuals can take to reduce their chances of falling victim to a phishing attack. They include:
- Don’t trust unusual requests:
Some phishing emails can appear to have come from a trusted colleague or manager which can make opening them tempting. Always keep an eye out for requests that seem out of the ordinary or arrive at odd times of the day or night. If in doubt, confirm veracity of the message with the apparent sender by phone. - Watch for poor grammar:
While phishing emails have become more sophisticated, many still contain misspellings and errors. If a received message has glaring errors in the text, proceed with caution. - Check the sender’s email address:
Some phishing emails can be spotted by checking the address from which they were sent. It might be similar to a legitimate address, but slightly different. If something doesn’t look quite right, avoid opening the message and double check with the apparent sender. - Avoid clicking on embedded links:
Many phishing emails contain links that take recipients to websites that contain malicious code. Think very carefully before clicking on any links in emails unless you are confident they have come from a legitimate source. - Never download files from an unknown source:
Attaching infected files to phishing emails is a popular tactic among cybercriminals. Resist the temptation to download files if they have come from an unknown sender. - Check with your security team:
If and when you receive what appears to be a phishing email, forward it to your organization’s IT department for closer inspection.
By taking these steps, the chances of falling victim to a phishing attack can be significantly reduced. This means disruption can be avoided and legitimate workflows can continue.
Mark Lukie, Director of Solution Architects – APAC, Barracuda Networks
What can be done to fight back against increasingly sophisticated phishing techniques?
Phishing has become a favored tactic for cybercriminals because it delivers results. By crafting emails so they appear to have come from a legitimate source, recipients can be tricked into opening attachments or clicking on links that result in systems becoming compromised. Indeed, The State of Cyber-resilience in Australia 2022 report revealed that 60% of employees assume links in emails are safe to click on if the message came through the corporate email system, and 22% download and install unapproved software on to devices used for work.
Recent global analysis by Barracuda of millions of business emails served to shine a spotlight on the problem. The research found that 51% of social engineering attacks are phishing attacks and small businesses are far more likely to fall victim than larger enterprises.
Thankfully, there are a range of initiatives that organizations can undertake to reduce the likelihood they will fall victim to a phishing attack. The initiatives fall into two distinct categories: technology and human.
Technological initiatives
There are a range of ways technology can be used to thwart attacks and they include:
- Deploying AI-powered email protection:
When it comes to technology, one of the most effective ways to use it against phishing attacks is to deploy some of the sophisticated Artificial Intelligence tools now on the market. These tools help to combat the fact that cybercriminals are adapting their tactics to bypass gateways and spam filters such as account takeover or business email compromise (BEC). - Monitoring suspicious logins:
Tools can be used to identify suspicious network activity such as logins from unusual locations and IP addresses as this can be a sign of a compromised account. It’s important to also monitor email accounts for malicious inbox rules, as these are often used as part of account takeovers. - Making use of MFA:
Multi-factor authentication (MFA) provides an additional layer of security beyond simple username/password combinations. Additional factors can include authentication codes, thumb prints and retinal scans. - Automating incident response:
An automated incident response solution will help an organization quickly clean up any threats found in user inboxes which, in turn, will make remediation more efficient for all messages in the future.
Human initiatives
There are also a range of ‘human’ initiatives that can help with the problem. They include:
- Conducting regular training:
Staff must be trained to recognize and report phishing and spear-phishing attacks. They need to understand their fraudulent nature and know how to respond. A phishing simulation can help train users to identify cyberattacks and evaluate the users most vulnerable to attacks. - Reviewing internal policies:
It’s also important to help employees avoid making costly mistakes by putting procedures in place that determine how all incoming email-based requests are handled. - Ensuring data-loss prevention:
Put in place the right technologies and business policies to ensure emails with sensitive information are blocked and never leave the organization.
By following these initiatives, an organization can significantly reduce the likelihood it will experience disruption and losses as the result of a successful phishing attack.
Martin Zugec, Technical Solutions Director, Bitdefender
The Coronavirus outbreak and the work-from-home ‘new normal’ served as a catalyst for the evolution of phishing emails. Traditionally, phishing emails were easy to spot because of typos, poor wording, and the lack of authenticity. Only spear phishing emails, which directly targeted specific individuals and organizations, were sophisticated enough to create a sense of legitimacy. All that changed when the pandemic hit, as cybercriminals started focusing on creating mass phishing emails that lack typos, use reader-specific jargon, and even abuse the legitimate logos of the organizations or companies that they’re impersonating. More than that, these new phishing attacks quickly leverage popular topics in the media and exploit the way users have started to engage with financial and delivery companies in a work-from-home context.
The social engineering component of these new phishing campaigns has reached new heights of sophistication, with attackers focusing more on increasing the success rate of their campaigns, rather than boosting the volume of spam sent. This increase in efficacy and sense of legitimacy in phishing campaigns makes it more difficult for the untrained eye to discern fake from real.
Here are some tips on how to fight back:
- Be aware of lookalike websites. Check the address bar for typos and look for poor grammar. If anything seems off, leave the website immediately
- Don’t use public Wi-Fi to make purchases or do your banking. If you do need to connect to a public network, use a VPN to make sure that no malicious individuals can intercept your sensitive info
- Use a protected browser designed to keep your online banking, e-shopping and any other type of online transaction private and secure
- Install a security solution on your PC and smart devices to locally protect your data and ward off e-threats including fraudulent websites, malware and phishing attempts that could ruin your holiday
- Monitor your accounts and credit card statements for suspicious activity so you can put a stop to fraud and limit the chances of becoming an identity theft victim
While these are general cyber hygiene tips that anyone can start implementing immediately, there are technologies available that offer even greater protection. When these online best practices are combined with technologies that protect your passwords with a password manager, offer an integrated virtual keyboard that makes it impossible for hackers to monitor keystrokes, or built-in hotspot protection to protect your device when connected to unsecured Wi-Fi networks, you can defend yourself against even the most advanced phishing campaigns.
Security solutions with integrated threat intelligence offer great protection against these modern phishing campaigns. Every day, we collect data from hundreds of millions of endpoints, analyze it, identify malicious sites, and use this centralized feed to protect various devices, from laptops, through network routers, to smartphones. We are seeing more cases where spoofing sites are indistinguishable from the legitimate ones, and the machine is better at detecting these malicious sites than the human eye and brain. These security controls were traditionally deployed on the network perimeter – but with work-from-home and mobile workstyle, threat intelligence needs to be available to every device.
David Arthur, Security Practice Lead – Australia and New Zealand, for multi-cloud security and application delivery company F5
The tactics employed by cybercriminals are not only becoming more sophisticated, but increasingly aggressive. The tactics have advanced considerably to now include impersonation and emotional manipulation. So, what can be done to fight back?
Learn to spot the tell-tale signs
If it looks suspicious, it probably is. So often these scams are full of grammatical and spelling errors, unrealistic but tempting offers, and questionable links. However, they can also be incredibly well-crafted and difficult to identify as fraudulent. It’s best to open a new browser tab and search for the website, promotion or content referenced.
One of the most important things to remember is that phishing attacks don’t only occur via email. Growing in popularity is phishing via SMS, known as smishing, which is proving successful as a means for criminals to lure victims into clicking on dangerous links. These must be viewed with the same level of skepticism. Search for the company and promotion in a separate browser link, and never click on the link from a text message.
Visibility over your information
It’s almost impossible these days to do anything online without your data being collected and stored, and that problem is only going to intensify as expectations for digital experiences continue to grow. Given the breadth of personal information to which hackers can now gain access, more accurately targeted phishing attacks, known as Spear Phishing, are a growing concern. By using sensitive information, attackers can convincingly trick people into believing the legitimacy of these scams.
While it’s easy to dismiss necessary action on the part of the individual, relying instead on organizations to prioritize security and have measures in place to protect your information and data, maintaining full awareness and visibility over your personal information is critical.
The best defense is a good offense
The entire cyber landscape is evolving at an unprecedented rate. We’ve seen this across every element of cybercrime, and phishing is no different. Cybercriminals regularly adapt and update their tactics to out-pace mitigation efforts and stay ahead of the game.
Keeping as well-informed as possible on the latest tactics and trends is fundamental to ongoing protection, as it is adapting your approach to managing the potential risks. Ensuring that the security software is continually (preferably, automatically) updated is easy to overlook, but crucial.
An adjustment to mindset is arguably the most important step in fighting back. As the quest for connectivity and digital acceleration increases, security must remain front-of-mind to guide our online movements.
Abigail Showman, Senior Intelligence Analyst, Flashpoint
Phishing attacks are commonly launched against both individuals and organizations, with the potential for devastating consequences to both. Therefore, fighting back against these attacks requires team and individual-driven efforts.
Two of the most commonly used phishing techniques are:
- Sending fraudulent emails impersonating organizations or administrators and asking potential victims for credentials
- Creating fraudulent websites impersonating a target website that then harvests a victim’s login information
Differing from the cyberattacks that target an organization’s systems, phishing attacks target individuals, making it much more difficult for security teams to oversee and prevent them.
Phishing attacks can appear in a number of different forms, from shipment tracking notifications to newsletters and promotional material. These can be generic or specifically customized to the target. Threat actors often leverage significant events, such as natural disasters or global news events/crises, to lend legitimacy to the phishing campaign. This often compels users to respond out of sympathy.
People should avoid clicking on any link within an unsolicited email or text message. Threat actors have become adept at making phishing campaigns appear legitimate by incorporating an organization’s real contact details, website information, or commonly used messaging.
Checking web domains to verify they are authentic should be common cybersecurity practice, especially if a site is asking a user to enter login credentials or other sensitive information.
Another important step is to limit the amount of publicly available personal information. Threat actors will use this information to create highly customized and personalized messages that appear believable, making it easier to trick the victim into providing sensitive information they may not otherwise provide. Threat actors are adapting and updating their methods, so it’s important to take extra care scrutinising unsolicited emails or messages.
Anti-phishing add-ons should be installed to company devices and browsers to notify employees of a suspicious email or text. Additionally, password rotation should be enforced, requiring employees to change passwords after a given time period. Firewalls should also be installed to shield devices from attempted attacks and prevent infiltration by threat actors.
It is critical organizations have a strong threat intelligence program to alert security teams to suspicious activity that could predict an imminent phishing threat.
Perhaps the most important element in mounting a defense against phishing attacks is education. Organizations should educate employees on the signs of a phishing attack and work to instil the messages of precautionary methods throughout the entire company. Good threat intelligence boosts an organization’s ability to educate, providing real-life examples and the most up-to-date information to guarantee individuals have a thorough understanding of the threat landscape.