Running a business organization presents quite a few challenges. In addition to persuading partners and customers to do business with you, you have to make sure the financial statements are in good shape. On top of that, you should keep your employees’ morale up and work on making them as happy as possible.
Due to the sheer amount of responsibilities, many business owners tend to forget the importance of protecting their organizations against phishing attacks.
Today, we’ll explore some of the repercussions of phishing, and we’ll see what you can do to improve your company’s security profile.
What Is Phishing?
Phishing is a form of social engineering attacks. In this type of cyber crime, the hacker impersonates a legitimate organization or individual to trick victims into giving away confidential information or installing malicious software to steal their data.
Online scammers want to steal your Facebook username and password. They start by creating and publishing a carbon copy of Facebook’s login page. They may host it on their own infrastructure, but, more often than not, the phishers use a hacked website.
Next, you receive an email from what appears to be Facebook. According to it, there have been login attempts from unusual locations, and the platform is trying to warn you about it.
The email comes with a convenient link that lets you quickly log into your Facebook profile and secure it. You follow the URL, and you see what looks like FB asking for your username and password. You enter the details, and with that, the phishing attack is successful.
Here’s the reality.
The email you received didn’t come from Facebook, it was actually sent by the scammers. There have been no suspicious login attempts, and the link you followed didn’t lead you to your Facebook account at all.
Phishers devise such scenarios to trick you into landing on their fake page and voluntarily giving away your username and password.
Why Is Phishing So Popular?
57% of the companies taking part in a recent Proofpoint survey admitted they had suffered from a successful phishing attack in 2020. According to the same report, about 10% of simulated attacks end up with the user clicking on a fake link. In other words, phishing is more common than you might think, and if you don’t take any measures, you’re just asking for trouble.
A successful attack against an individual user can have horrific consequences on the target’s life. Because people reuse the same passwords for all online services, a successful phishing campaign can have far-reaching consequences.
Not only can they be extremely damaging, but such attacks against individual users are often cheap to organize and launch. A compromised hosting account effectively allows scammers to send bulk mail for free, and the abundance of vulnerable websites means they can also publish malicious login forms without breaking the bank.
In a corporate environment, however, successful phishing attempts usually involve more careful planning and preparation from the scammer’s side.
Phishers utilize quite a few advanced techniques to make their campaigns more convincing. For example, they can spoof the sender’s email address, and sometimes, the scam may even involve a lengthy message exchange during which attackers gain the victim’s trust. If the budget allows it, phishers can register domain names similar to the legitimate URLs involved in the attack (e.g., g00gle.com with two zeros instead of google.com).
A successful phishing campaign can affect the livelihoods of all the people working for the targeted company. Let’s see some common types of attacks so we can learn to recognize and avoid them:
10 Common Types of Phishing
Phishing comes in various shapes and forms that target different companies and individuals. To successfully defend your organization from such attacks, it’s best to first familiarize yourself with the most common types of phishing and how to identify them.
Standard email phishing, also known as deception/deceptive phishing, is the most popular type of scamming. Phishers send emails impersonating individuals, legitimate organizations, or brands to breach the targeted system and steal sensitive information.
Such emails contain malware-infected links that either redirects the victim to fake websites or installs malware directly on their system in the form of downloads (e.g., PDF files). The objective is to collect usernames, passwords, and other important data.
But how can we identify email phishing?
Concise content: Phishing messages usually contain little content or just an image to bypass detection by email filters.
Fake logos: Phishers use fake organization or brand logos to fool their victims. While some email filters are able to detect such fabricated images through their HTML attributes, sophisticated scammers may evade detection by altering these characteristics (like color or size).
Shortened links: Attackers tend to use shortened URLs in phishing emails to trick Secure Email Gateways (SEGs). A legitimate company never uses such shorteners.
Contact information: To make their phishing emails look legit for mail filters, hackers may include legitimate links and contact information of the organization they might be impersonating.
Spear phishing also uses email, but it’s a more precise and focused type of attack. Spear phishers prepare carefully for their attack by collecting information about the targeted organization from public sources like the company’s website and social media profiles.
Next, they start targeting specific employees by posing as colleagues from the same organization. They use real names and job titles to convince the victims the email requests they received are legitimate. Just like standard email phishing, the whole point is for the victim to click on the infected link, code, or file lurking in those emails to give the attacker access to confidential data.
Here is how we can identify spear phishing threats:
Password-protected files: Spear phishing emails often contain infected password-protected file attachments that require the recipient to use their company credentials, such as username and password, to unlock them.
Uploading malicious files and links on cloud services: Without proper security or IT monitoring, attackers can upload malware-infected documents and links to cloud services like Dropbox, Google Drive, O365, etc.
Suspicious requests: Receiving unusual requests to give out or input confidential information, such as permission to access specific resources from other colleagues, is often a sign of spear phishing.
Similar to spear phishing, Whaling (also known as CEO fraud) targets corporations to steal precious information. This type of attack “harpoons” high-level employees (whales) such as executives (CEO or CFO) within an organization.
Why them? Because these high-value targets have the most access to the company’s sensitive data resources, of course.
Attackers start with an extensive research to gather as much intel as they can on the targeted organization’s senior leadership team before launching the attacks. Whale phishers find it more effective to infiltrate a network through malicious code to hack executive accounts instead of using fake email accounts.
Here is what to watch out for:
Unusual email requests: Imagine receiving an email asking you to run tasks that require your work credentials from an executive member of your organization you’re not familiar with – better check if he really exists or is just another whale phisher.
Phone calls: Whale phishers can follow you up with a spoofed phone call after sending their emails to make their scam even more convincing.
Email destination: Most companies use email apps for communication or request their employees to have separate mail addresses for work. A whaling email could be sent to your personal email address, which should start raising flags.
Hypertext Transfer Protocol Secure (HTTPS) is normally a sign of a safe link since it utilizes advanced encryption to protect your data.
But, did you know that more than 50% of phishing sites use HTTPS and over 80% of them are SSL encrypted?
Savvy hackers nowadays strengthen their phishing attacks by implementing HTTPS in the links embedded in their emails. This gives a false sense of security and makes it easier for the phishers to fool their victims into clicking them.
Here is how to identify HTTPS phishing and stop it in its tracks:
Hypertext: Fraudsters often include hypertexts in their phishing emails to conceal the real URL you’re clicking on.
Shortened links: Like standard email phishing, phishers usually use URL shorteners to cover the telltale parts of the URL and evade email filters. The email could be sent from your colleague or boss to make it look legit.
Since users are becoming more and more aware of different phishing types, attackers started using pharming as an alternative. With this type of scam, the individual isn’t the target. Instead, the attacker hits the Domain Name System (DNS) and the underlying IP address. With this method, every time a user types in the name of the website, they’re automatically redirected to an identical malicious website.
Once the user accesses the website, the attacker can easily install malware on the user’s device and gain access to sensitive information. Another name for this is DNS cache poisoning attack.
Here are the weak spots of pharming attacks:
Insecure website: The fake malicious website names won’t include HTTPS and instead will be displayed as HTTP.
Inconsistencies in website layout: Most fake websites are usually created in a hurry and for a certain temporary purpose. Looking closely, you may spot certain misspelled words, strange fonts, or mismatched colors.
Voice phishing, commonly known as vishing, doesn’t rely on emails to lure and attack victims. Instead, fraudsters depend on voice calls to carry out their attacks, impersonating legitimate entities and inciting urgency to steal your information.
For example, you receive a phone call from someone claiming they represent your bank and asking for your personal and financial information for security reasons related to your account.
In the corporate world, vishing attackers can target a company’s employees through spoof calls impersonating someone from the IT department, and use technical jargon to sound credible. With the provided credentials, they can install malware-infected software masked as a legitimate product, like an antivirus program.
A more advanced level of vishing involves the attacker changing their phone number to make it look as if they’re calling from a real place in your area code.
Here are some tips on identifying vishing:
Urgent action: Vishers create fake scenarios with a sense of urgency that stir up emotional responses, such as panic or fear, to dismiss any suspicions.
Emotional response: Vishers will take advantage of your emotional state and say anything for you to give away personal information or confidential data about your organization.
Smishing is similar to vishing in the sense that fraudsters use phones as means for their attacks. The initial contact is made via a text message (sms) that contains a malicious link. It tricks you into installing hidden malware on your device or disclosing personal/financial information.
The text may also come in the form of instructions to contact a specific number for customer support of a specific vendor. The number will, of course, connect you with the attacker, who will pose as a customer representative and request sensitive information from your end. Accordingly, smishing can sometimes be used as a gateway to a vishing attack.
Here are the telltales of smishing scams:
Unusual number: If the text you received is not from the usual number of the company and asks you to take some quick action – then it’s most probably a scammer.
Survey link: Some texts include links claiming it’s a survey to evaluate the service or some similar purpose. For example, during the pandemic, fraudsters took advantage of the circumstances and sent out texts with an infected link for a fake survey about Covid-19.
Angler phishing relies on using notifications or direct messages on social media platforms. These include infected links that will either lead the victim to a malicious website or download malware directly on the user’s device.
The messages aren’t always sent from unknown sources. Sometimes, cyber criminals hack into social media accounts and use them to target the contacts inside.
Identifying angler phishing should be simple enough if you watch out for:
Messages from unusual contacts: If a contact on your friends’ list doesn’t usually message you through social media and suddenly sends you a direct message with a link, – it’s most probably infected and their account is already hacked.
Being added to posts: If you receive a notification that you’ve been added to a post by a contact who doesn’t usually tag you, be careful, as it might be a way to lead the recipients to a malicious website.
Watering Hole Phishing
Watering hole phishing is a more complex type of attack where the cyber criminal researches the websites often visited by the employees of the company. For example, industry-related news, hobby pages, blogs, or podcasts.
The fraudster then infects the IP addresses of these websites with malicious code. Once the employees access these pages, they automatically download the malware without noticing.
When it comes to watering hole phishing, watch out for:
Browser alerts: If you receive a browser alert that the visited website may be unsafe or have malicious codes – it’s best not to proceed. While the reasons for such warning may vary, it’s better to be safe than sorry.
Firewall rules: If your firewall is continuously updated, the chances of it preventing access to infected websites will be much greater.
Like watering hole phishing, clone phishing involves some research and monitoring from the attacker’s end. They monitor the employee’s daily use of applications and links, later utilizing these services to send similar phishing emails with malware-infected links.
An example of clone phishing is when companies use certain applications to send, receive, and sign (digital signature) electronic contracts. The fraudster will closely monitor these transactions and create targeted emails similar to these vendors.
How can you identify clone phishing? Simple.
Personal information requests: If one of the emails includes requesting personal information and this is not a usual request -it could easily be a clone phishing attack.
Unexpected timing: If you receive an email, which looks like your usual daily correspondence, but arrives at an unexpected time – be cautious and make sure that it is legit before you open it.
How to Protect Your Organization from Phishing?
Drawing up a business organization’s cybersecurity strategy is a complex process. Setting up defenses against phishing attacks is only one part of the equation, and by no means something you can do in a day or two.
Here are some of the steps you can take:
Raise Awareness Among Your Employees
One of the particularly nasty things about phishing is that it doesn’t attack your company’s IT infrastructure. Instead, it’s aimed directly at the employees, so you can’t really deploy a security patch and be done with it.
It’s a matter of showing your staff how dangerous phishing can be and teaching them how to avoid falling victim.
Don’t think that a quick course or a few lectures will be enough, though. Theoretical knowledge won’t get you very far, especially if you fall into the sights of more sophisticated attackers.
Phishing simulations can be vital in your quest to keep your company and its workers protected. You should hire experts who know the ins and outs of even the most advanced phishing campaigns. Once your employees will get a first-hand experience of how clever phishers can be, they’ll see just how easy it is to fall into the trap. It’s equally important to include your executive team members so you can train them against whaling and other high-level phishing attacks.
Turn the phishing simulation campaigns into a regular occurrence. On the one hand, workers will stay up-to-date with the latest social engineering tricks phishers use. On the other – it will keep their vigilance at the required level.
Deploy a Robust Spam Filter
A reliable spam filter can significantly limit the amount of junk that reaches your staff’s inboxes. Modern filters scan every incoming message thoroughly, and they’re clever enough to spot inconsistencies that the naked human eye might overlook.
Get in touch with your hosting and email service provider and ask what sort of spam protection you’re getting with your plan. Get them to tell you whether any specific anti-phishing measures have been put in place. Finally, do some research and figure out whether the solutions you’re given are the best available on the market.
Keep Your Systems Up-to-Date and Install a Security Product
Everyone, from the developer of your email client to your browser vendor, should be trying to minimize the damages phishing causes. The threat is constantly evolving, with new trends and techniques appearing all the time. The IT industry is updating its products regularly to try and stay on top of the problem.
If you run old software applications, anti-malware programs, and operating systems – you are isolating yourself from the new features and mechanisms designed to protect you and your organization.
Set Up a Strict Password Policy
Getting your employees to be more careful with passwords will protect you from many different types of online attacks and scams. Ideally, workers should never mix the passwords for their personal accounts with the ones they use at work. All passwords must be reasonably long and difficult to guess, but perhaps more importantly – they must be unique.
Mind you, your employees will struggle to follow all rules on their own. If you want any security policy to be successfully implemented – you need to give workers access to a reliable password management tool and ensure they use it for all work-related tasks.
Deploy a Web Filter If Possible
It might seem like a somewhat drastic solution, but if your employees need to access a relatively limited number of websites to do their work, you might as well set up a filter and restrict the rest of the internet.
Members won’t be able to freely browse the web during working hours, which may annoy some of the staff. However, this can significantly protect them and your company from a phishing attack.
Disable HTML in Emails
HTML enables companies to add some eye candy to their messages. Unfortunately, it also allows phishers to impersonate legitimate providers more efficiently and disguise their malicious URLs behind authentic-looking links and buttons.
Disabling HTML in your organization’s incoming emails will display the malicious URLs the phishers are trying to redirect you to in plain view. This way, you and your staff will be able to spot the potential dangers more efficiently.
Use Two-Factor Authentication
The most sophisticated phishing attacks can get around that, but more often than not, two-factor authentication (or 2FA) provides the vital layer of security that stands between the phishers and a compromised account. The higher the percentage of workers that use it – the safer your company is.
Mind you, the sign-in process may take a bit longer if 2FA is enabled, but the security advantages are far too significant to ignore.
Create Multiple Backups
Although installing antivirus and updating your operating systems, hardware, and software programs are helpful solutions to minimize exposure to phishing attacks, your data will still be vulnerable to hackers.
You may not notice that you’re infected with malware for days or even weeks, depending on the type of malware. That’s why backing up your data is essential in the event of breaches and accidents (e.g., hardware failure). But just backing up data in one place isn’t an ideal strategy – it’s best to create multiple archives and keep them on an off-site location to maximize protection levels.
You should keep at least three recent copies of your data to avoid getting everything destroyed in a single event. Store your data in different formats (e.g., hard disk drives, USB drives, and cloud storage), and keep one copy offsite to protect it from natural disasters, accidents, or internal security breaches.
Implement DMARC in Your Company
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a marketing tool that can be used by any organization to secure its company domain. It also verifies that emails sent from this domain are coming from a legitimate source and helps you establish a strong verification policy for incoming and outgoing messages.
DMARC is useful in combating phishing attacks as well. You can use it to define exactly how you want your email recipients to handle emails and whether they have valid SPF and DKIM records. DMARC also provides you with detailed message authentication reports, as well as other security benefits.
It’s not difficult to see how cybersecurity tumbles down many executives’ priority lists when they’re thinking about what they can improve in their company operations. Often, the logic is that if they haven’t been hit by a major cyberattack – there’s no point in changing anything. Even business owners who have had previous issues, think that lightning can’t strike twice.
What they fail to realize, however, is that even a single phishing attack against an employee can cause irreversible damage.
All in all, it’s probably best to act before it’s too late.