Something Phishy: How to Identify and Avoid Phishing Scams

Harish Chib, Vice President MEA, Sophos.
Harish Chib, Vice President MEA, Sophos.
6 years ago

Phishing is one of the most common attack vectors for hackers who exploit end-user behavior as the weakest link in an organizations cyber-defense. For years, criminals have disguised attacks in emails and today we see phishing emails as a primary delivery method for ransomware payloads. Phishing emails have led to massive data exposures, which caused major reputational and financial damage in the private and public sector over the last few years. As cybercriminals continue to prey on employees through their technology, they are always taking measures to be one step ahead. In an organization all it takes is one employee to take the bait.

Today’s phishing attacks are so prevalent and so convincing across organizations. What started off as simply “phishing” has now developed into three branches of attacks: the classics, mass phishing and spear phishing, and the recently emerging trend of Business Email Compromise tactic acting as a subset of spear phishing. Business Email Compromise is associated with employee email accounts being compromised rather than the sender address being spoofed. This makes difficult for end-users to spot attacks. It has been stated that 91% of cyberattacks and their resulting data breaches now begin with a spear phishing email message.

Phishing has evolved in lockstep with the ‘Malware-as-a-Service’ phenomenon. Phishing emails come in all shapes and sizes, and unfortunately, no single product will fully protect your business from phishing attacks. Phishing is now run as a business and cybercriminals have been using different attack strategies to retrieve information from their target. Some of strategies include phishing services, off-the-shelf phishing kits and Business Email Compromise.

Free phishing kits

An interesting facet of the phishing ecosystem is that there are a large number of actors committing attacks, but only a small number of phishers that are sophisticated enough to write a phishing kit from scratch. Because of this, phishing kits are now widely available for download from dark web forums and marketplaces, and give attackers all the tools they need to create profitable phishing attacks: emails, web page code, images, and more.

Attacks-as-a-service

In fact, attackers don’t even need to know how to create malware or send emails anymore. As-a-service and pay-as-you go solutions permeate most online service technologies, and phishing is no different – with a range of services increasingly available to attackers:

  • Ransomware-as-a-service allows a user to create an online account and fill out a quick web form, including the starting ransom price and a late payment price for victims. The provider of the service then takes a cut of each ransom paid, with discounts offered if the user is able to translate the malware code into new languages or if the volume of the attack exceeds a certain level
  • Phishing-as-a-service allows users to pay for phishing attacks to be sent for them, using global botnets to avoid known dodgy IP ranges. Guarantees are even made to only bill users for delivered email messages, much like any legitimate email marketing service.

These services have led to the explosion of phishing attacks highlighted earlier, as any attacker can launch an attack regardless of technical skill.

Phishing attack prevention: How organizations must protect itself from getting hooked

Stop threats at the door

The best defense against phishing emails is your email gateway. Email protection is your watch guard, blocking 99% of unwanted email at the gateway, including malicious attachments, content, and URLs – long before an end user ever sees them.

Web filtering is another must-have as a front-line defense, filtering and blocking infected URLs should your users click an email link. And file sandboxing ensures those nasty malware laden downloads get removed from the threat chain early on.

Protect your weakest link: users

Even with the best upfront filters, attacker methods such as BEC – with no executables or links to detect – may still get through. Appropriate training and education is critical for ensuring that all your employees know how to spot and deal with these types of email messages.

Secure your last line of defense

If your click-happy end users inadvertently unleash potent, powerful malware onto your systems, there’s still ample opportunity to stop the damage – and even reverse its effects. Next-generation exploit prevention solutions will identify, analyze, and neutralize the effects of even the most advanced, unseen malware out there, and automatically clean up all trace of infection so you can get on with your day.

Know your business

Make sure your company processes are understood, that you encourage employees to question requests that seem out of character from other employees and senior managers, and perhaps most important of all, ensure you have a two-stage approval process for all significant fund transfer requests. All the defenses in the world aren’t going to stop an employee from unknowingly sending large payments to a thief without some proper checks and balances in place.

Phishing is a problem that will not go away. But you can be more cautious and train yourself to look for giveaways that will tell you if you have visited a phishing website. Cybercriminals will continue to take advantage of opportunities as long as they are getting their money. The fight is challenging but it’s something we can win.