Week two of Cybersecurity Awareness Month focuses on “Fight the Phish.” If you have never received a phishing email, you probably don’t have an email address. They are typically much more common than actual business correspondence. Beyond that, you can say that there are two types of people in the world – those that have clicked on a phishing email, and those who will do so in the future.
Phishing remains one of the easiest and most common ways to hack a computer, get personal data, or spread malware. Securing a domain and sending thousands of fake emails cost little, and even if one person in a hundred opens one or clicks on a link, the attacker has access to do any of the above. According to the Verizon 2021 Data Breach Investigation Report, Phishing is one of the top breach actions. 36% of all breaches in 2020 were related to phishing, an 11% increase from 2019.
It’s especially difficult when people use their work email for personal purposes. That way personal emails get commingled with business correspondence. And due to their nature, personal emails are more likely to contain spam and other phishing links.
It’s important to know what techniques attackers are leveraging so you can warn your users and update your detection tools. The FBI maintains a website with of common spoofing and phishing attacks. There you can find resources and recent news. And information about known phishing attacks can be found on the Anti-Phishing Working Group website. The organization publishes a quarterly Phishing Activity Trends Report. Here is the report for 2nd quarter 2021.
Over the past few years, Gurucul has observed the following new trends in phishing attacks:
So especially within an organization, how can we fight the phish? How can we help users navigate through their day on the computer safely?
The first step is education. We can break that down into multiple parts. First, it involves getting users to think about cybersecurity whenever they are online. A heightened awareness of the risks is an essential starting point in establishing a foundation for security.
Second, users have to know about active phishing attempts. Often they seem to come from legitimate sources – partners, banks, pharmacies, or stores, for example. There are often telltale signs, such as misspellings and unusual links, that indicate a particular email isn’t legitimate. Users have to be trained in identifying these signs.
Phishing can also be accompanied by social engineering techniques, such as phone calls, visits by colleagues, social media notifications, and follow-up emails. Users are more likely to click on phishing links if they are accompanied by a personalized follow-up.
Beyond that, if there are any publicly known and prevalent phishing attempts, organizations have to let their users know about them. Phishing attempts tend to come in familiar waves, and the more information users have, the better equipped they are to deal with them.
Of course, this also comes with an obligation to tell users what to do if they encounter such attempts. Education not only refers to information on how to identify phishing attempts, but also what to do about them. In many cases, that answer is to report them to IT staff or cybersecurity staff, but users need these messages reinforced on a regular basis.
The second thing that enterprises should do is continuously monitor for possible attacks. While few organizations have the inclination or resources to read all incoming email, anything outside of the ordinary can and should be flagged for further investigation. This should be a largely automated process, and the Gurucul Security Analytics and Operations Platform determines the degree of risk with emails in real time.
Gurucul provides a range of pre-packaged supervised machine learning (ML) models specially trained to detect specific types of phishing attacks. These models are not signature-based but rather “trained” on real-world threat data sets to detect and capture various known phishing attacks.
Among the data that train these phishing ML models are:
While emails can be difficult to monitor, and phishing often uses multiple email addresses, domains, and names, it’s possible for algorithms to identify emails and other data that doesn’t fit into the normal discourse for individual users.
Below are details on the telemetry and available Gurucul models for detecting various phishing attacks out-of-the-box:
Telemetry | Perpetrator | Victim | Tactic | Data Sources | High Level Model Use Cases |
External Bad Actor | Internal Employee | Phishing, Spear- Phishing, | Email, Proxy, Windows Security |
| |
Phone / VOIP | External Bad Actor | Internal Employee | Reconnaissance, Trusted Relationship | VOIP logs |
|
Social Media | External Bad Actor | Internal Employee | Phishing | Proxy, DLP |
|
All Traffic | Internal Bad Actor | Internal Employee | Insider Threat Use Cases | Multiple |
|
Despite best efforts, it is likely that someone will click on something that brings phishing home to roost. Enterprises do their best to educate and detect potential attacks, but it only takes one to slip through. There should be a plan to execute when this happens, including identifying all affected users and communicating the mitigation plan.
Internal users are the key here. They are on the front lines of phishing attacks, and have to decide which emails are legitimate, and which contain malware. To do so, they need regular training and information on what to look for, and how to respond to potential attacks. In particular, users have to develop a “no confidence” attitude toward emails with unusual subject lines or unknown senders, and report those emails to the experts that can look further into them.
And by all means, unless users are certain of the sender and content, they should always follow best practices for thwarting phishing attacks: don’t open emails from people you don’t know or aren’t expecting communications from, don’t click on links in such emails, and don’t open any attachments.
As always, the best offense is a good defense. Gurucul can help. Contact us for more information on our Security Analytics Platform.