For the past twenty years, those of us in the cybersecurity industry have focused on how to use technology to secure technology, and we are getting pretty good at it. Unfortunately, organizations have ignored the human factor, and cyber attackers have taken notice. They have simply shifted their attack vector: the human is now their primary target, as we have done too little to secure them. The three most common ways cyber attackers target people are what many call the three *ishings: phishing, smishing, and vishing. In this series of three blog posts, we will cover in more detail what these three methods are, how cyber attackers are changing their tactics and techniques, and what you can do about it.
In this blog post we start with answering the question, “What is Phishing?”
What is Phishing and Why?
This may sound like a silly question, as everyone knows what phishing is, but you would be surprised at how often people have different definitions. Phishing is a type of social engineering attack. Social engineering is when a cyber attacker tricks or fools their victim into doing something they should not do, such as giving a criminal money, sharing their password, or giving an attacker access to their computer. Cyber attackers have learned that the easiest way to get something is to just ask for it. This concept is not new; con artists and scammers have existed for thousands of years. It's just that the Internet makes it very simple for any cyber attacker to pretend to be anyone they want and target anyone they want.
Phishing is one of the most common forms of social engineering, as it is one of the simplest and most effective. We will define phishing as an email-based social engineering attack (smishing is any messaging-based social engineering attack and vishing is any voice- or phone-based social engineering attack, both of which will be covered in future posts in this blog series). What makes phishing so effective is that almost every person in every organization uses email every day, so it's a technology cyber attackers know we are engaging with. Also, it is very easy to craft emails that manipulate and trick people into doing things they should not do. Finally, email is a low-cost way to reach millions of people around the world.
Remember, cyber attackers are human; they don't get an award for coming up with the most creative way to hack an organization. They have a goal, and they want to achieve that goal the easiest way possible, and that often starts with phishing.
How Does Phishing Work and What Has Changed?
Most of us are familiar with the typical phishing email whose goal is to get people to click on a link or open an attachment. If you click on a link, you are either taken to a website that attempts to hack into and infect your computer (sometimes called a drive-by or watering hole) or you are taken to a website that appears to belong to a legitimate organization but which harvests your password. In most cases, link-based phishing emails are attempting to harvest passwords. If you open the attachment, the goals are similar: either the attachment is infected and will attempt to infect your computer, or the attachment provides a link that takes people to a website which attempts to harvest their passwords. Unfortunately, the days of simple infected email attachments or malicious links are over.
Cyber attackers are creating more novel phishing emails, including:
Business Email Compromise
Business Email Compromise (BEC) (sometimes called CEO fraud) phishing emails are customized, targeted attacks that have no link or email attachment. Instead, there is simply text attempting to fool someone into taking an action. These emails normally target someone in finance with the goal of tricking them into authorizing a wire transfer or payment, or changing a payment account so the cyber attackers get paid. These attacks often cost organizations millions of dollars per incident. What makes them so effective is that the cyber attackers do their research and craft the emails so they appear to come from someone the finance team knows and trusts, such as the CEO, CFO, or a vendor they work with. You often do not read about these attacks in the news, as victim companies do not have to go public and instead usually quietly reach out to and work with law enforcement.
Call Back
Once again, there is no link or attachment in the email, but there is a phone number. The goal is to get the victim to call the phone number, and once they have you on the phone, the attackers are VERY persuasive. These attacks often appear to be an invoice stating you owe money or a charge to your credit card, and they create a tremendous sense of urgency. Anthony Davis does a great walkthrough of one of these attacks.
QR Codes
Instead of including links in an email, cyber attackers include QR codes. At first this may sound odd, but it's actually brilliant. QR codes act like links that send you to websites, but there are advantages to using QR codes in email. First, not all phishing filters can analyze QR codes. Second, if the attacker can get the victim to use their mobile device to visit a website, security teams often don't have visibility into or control of that mobile device, making it far more vulnerable.
In phishing, you will often hear the terms spear phishing or whaling. These terms indicate special phishing emails that are highly customized and target specific people. They imply that there are only two types of phishing emails: opportunistic targeting of anyone, or highly focused targeting of only a few specific people. I tend to find there is also everything in between, i.e., phishing emails that are somewhat customized but still target large groups of people in many companies.
Finally, phishing attacks will most likely only get more advanced. Many cyber attackers no longer craft their own phishing email attacks or build out their own phishing infrastructure; instead, they simply rent it as a service. You may have heard of Software-as-a-Service (SaaS); now cyber criminals rent out Phishing-as-a-Service (PaaS) to other cyber criminals. For a simple monthly fee, anyone can get access to all the phishing templates and infrastructure they need for the most advanced phishing attacks with just the push of a button. It often even includes technical support!
What to Do About Phishing?
Most organizations are actively addressing the risk of phishing through both technical controls and workforce training. While technical controls continue to get better at catching phishing emails, some phishing emails still get through, as cyber attackers continue to evolve and come up with new methods. From a training perspective, we do not recommend you try to teach people about every different type of phishing attack and every lure possible. Not only is this most likely overwhelming your workforce, but cyber attackers are constantly changing their lures and techniques. Instead, focus on the most commonly shared indicators and clues of an attack. This way, your workforce will be trained and enabled regardless of the method or lures cyber attackers use. In addition, emphasize that phishing attacks are no longer just email but use different messaging technologies.
That is why these indicators are so effective: they are common in almost every phishing attack, regardless of whether it's via email or messaging.
- Urgency: Any email or message that creates a tremendous sense of urgency, trying to rush the victim into making a mistake. An example is a message from the government stating your taxes are overdue and if you don’t pay right away you will end up in jail.
- Pressure: Any email or message that pressures an employee to ignore or bypass company policies and procedures. BEC attacks are an example.
- Curiosity: Any email or message that generates a tremendous amount of curiosity or a sense that something is too good to be true, such as an undelivered UPS package or receiving an Amazon refund.
- Tone: An email or message that appears to be coming from a coworker, but the wording does not sound like them, or the overall tone or signature is wrong.
- Generic: An email that appears to come from a trusted organization but uses a generic salutation such as “Dear Customer.” If FedEx or Apple has a package for you, they should know your name.
- Personal Email Address: Any email that appears to come from a legitimate organization, vendor, or coworker, but is using a personal email address like @gmail.com.
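Three of these indicators (urgency, a generic salutation, and a personal email address behind an organizational display name) are mechanical enough to check automatically as a first pass on incoming mail. The script below is an added example, not part of the original post or any SANS tooling; the freemail domains, urgency phrases, and the two sample messages are constructed assumptions for illustration. Tone, pressure, and curiosity still need a human reader.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed, illustrative lists; a real deployment would tune and extend these.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_PHRASES = ("immediately", "within 24 hours", "right away",
                   "account will be suspended", "overdue")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear account holder")


def _text_body(msg) -> str:
    """Collect the text/plain content of a parsed message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(part.get_payload() for part in msg.walk()
                     if part.get_content_type() == "text/plain")


def indicators(raw_message: str) -> list[str]:
    """Return the names of the post's indicators that a raw RFC 822 email triggers."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    body = _text_body(msg).lower()
    found = []
    # Urgency: language that rushes the reader into acting.
    if any(phrase in body for phrase in URGENCY_PHRASES):
        found.append("Urgency")
    # Generic: a trusted sender should know your name.
    if body.lstrip().startswith(GENERIC_SALUTATIONS):
        found.append("Generic")
    # Personal Email Address: an organizational-looking display name on a freemail account.
    if display_name and domain in FREEMAIL_DOMAINS:
        found.append("Personal Email Address")
    return found


# Constructed sample messages (not real mail).
PHISH = """From: FedEx Delivery Team <fedex.delivery.notice@gmail.com>
To: employee@example.com
Subject: Package on hold

Dear Customer,

Your package could not be delivered. Confirm your address within 24 hours or it will be returned.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: employee@example.com
Subject: Lunch Thursday

Hi Sam,

Are you free for lunch Thursday? No rush.
"""
```

Running indicators(PHISH) flags all three checks, while indicators(LEGIT) returns an empty list.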
Phishing Indicators You May No Longer Want to Use
Below are typical indicators that were recommended in the past but are no longer recommended.
- Misspellings: Avoid using misspellings or poor grammar as an indicator. In today’s world, you are more likely to receive a legitimate email with bad spelling than a carefully crafted phishing attack.
- Hovering: One method commonly taught is to hover your mouse cursor over the link to determine if it's legitimate. We no longer recommend this method except for highly technical audiences. Problems with this method include having to teach people how to decode a URL, which is a confusing, time-consuming, and technical skill. In addition, many of today's links are hard to decode, as they are rewritten by phishing security solutions such as Proofpoint. Finally, it can be difficult to hover over links on mobile devices, one of the most common ways people read email.
Phishing has been and will continue to be one of the primary attack methods used by cyber attackers today, simply because it's easy to do and it works. To learn more about the latest in how cyber attackers are targeting people and how to secure your workforce, register now or sign up for a free demo of SANS Institute's three-day LDR433 Managing Human Risk course.