Phishing has become the most used initial attack vector in the world today [1]. A successful attack can have a significant impact on an organisation, leading to data loss, financial cost or malware infection.
Despite investing in sophisticated IT security tools, many organisations still fall victim to these attacks. The reason is that, when it comes to phishing, the weakest link in the defences is the user: despite being told many times not to click on suspect links or open unexpected attachments, people still do.
This is, of course, good news for cybercriminals, because the technique continues to pay handsome dividends. As long as people keep falling for it, attackers will keep using it.
Spotting an attack
One of the most effective strategies for defending against phishing is ongoing user education. Staff need to be made aware – and regularly reminded – of how the technique works and what they should do when they suspect it. This is often termed ‘hardening the human attack surface’.
A first step is to explain to users how phishing content differs from legitimate email. They need to be encouraged to think about email content more from a technical perspective than a social one. Factors to be examined include:
- Sender/sending details: Look closely at who is sending the email and from which domain. Check the display name against the actual address, and the address against the domain you expect. Is this someone you regularly exchange email with? Does it claim to be your CEO but come from a gmail.com address? Check the Reply-To address as well; attackers often point it at a different domain from the From address so that replies go to them. Misalignment of sender details is a good first indicator that something is wrong.
- The recipient: Users in higher-risk roles – anyone with access to financial systems, intellectual property or customer data – should treat unexpected email with extra caution, because they are attractive targets and are often singled out for tailored messages.
- Subject line: Although the subject is usually thought of as a spam-filtering signal, it can also help to identify a phishing attempt. Look for misspellings, poor grammar, artificial urgency (‘URGENT: action required today’) and anything else that is unusual for the supposed sender.
- Links: Most email is sent as HTML, and HTML allows the text a link displays to differ from the address it actually opens. Hovering over a link (without clicking) reveals the real destination; if it does not match the visible text or the expected domain, the message should be referred to the security team rather than clicked.
- Attachments: An attachment from someone the recipient does not know should be regarded as suspicious in itself, and the type of attachment matters too. A password-protected Word document from someone you regularly do business with, who has never sent one before, should ring an alarm bell: the password keeps the file out of reach of the mail gateway’s scanners just as effectively as it keeps out anyone else.
- Content: The content of the email should also be examined. An attached Word document described as a ‘proposal’ that nobody was expecting should be treated as suspicious, and so should any request that does not follow the normal business process.
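The checks above can be expressed as detection logic. The following is an added example, not code from the original article: it parses a raw message with Python’s standard `email` library and reports the sender, subject, link and attachment indicators described in the list. Both messages, every address and every domain in it are constructed for this example (the organisation’s own domain is assumed to be example-corp.com). One detail worth noting is the attachment check: a normal .docx file is a zip archive and starts with the bytes `PK`, whereas a password-protected one is wrapped in an OLE2 compound file, so the first bytes reveal encryption regardless of what the filename suggests.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real message): a "CEO" writing from free webmail,
# a Reply-To that diverts answers elsewhere, a link whose visible text differs
# from its target, and a password-protected Word file.
SAMPLE = """\
From: "Jane Doe, CEO" <jane.doe.ceo@gmail.com>
Reply-To: payments@example-corp-invoices.com
To: alice@example-corp.com
Subject: URGNET: wire transfer needed todya
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Alice, please review the attached proposal and confirm the payment at
<a href="http://example-corp.com.login-verify.example/pay">https://example-corp.com/portal</a>
before end of day. The document password is 1234.</p>
--b1
Content-Type: application/octet-stream; name="proposal.docx"
Content-Disposition: attachment; filename="proposal.docx"
Content-Transfer-Encoding: base64

0M8R4KGxGuE=
--b1--
"""

# Constructed benign message for comparison.
CLEAN = """\
From: Bob Smith <bob.smith@example-corp.com>
To: alice@example-corp.com
Subject: Notes from this morning's meeting
Content-Type: text/plain; charset="utf-8"

Alice, the notes are on the wiki: https://wiki.example-corp.com/notes
"""

FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
EXEC_TITLES = ("ceo", "cfo", "coo", "director", "president")
URGENCY = ("urgent", "immediately", "today", "wire", "transfer", "password", "invoice")
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".img", ".docm", ".xlsm", ".pptm"}
OOXML_EXT = {".docx", ".xlsx", ".pptx"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 container: how encrypted Office files are stored


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def host_of(url):
    m = re.match(r"[a-z][a-z0-9+.-]*://([^/?#:]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def triage(raw_message, org_domain):
    """Return a list of human-readable phishing indicators found in raw_message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Sender details: display name vs. real address, and Reply-To diversion.
    name, addr = parseaddr(str(msg["From"] or ""))
    from_dom = domain_of(addr)
    if from_dom in FREEMAIL and any(t in name.lower() for t in EXEC_TITLES):
        findings.append(f"sender: '{name}' claims an executive role but sends from {from_dom}")
    reply_dom = domain_of(parseaddr(str(msg["Reply-To"] or ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"sender: Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 2. Subject line: pressure wording and shouting are cheap tells.
    subject = str(msg["Subject"] or "")
    words = re.findall(r"[A-Za-z]+", subject)
    if any(w.lower() in URGENCY for w in words) or any(w.isupper() and len(w) >= 4 for w in words):
        findings.append(f"subject: urgency/pressure wording in {subject!r}")

    # 3. Links: HTML lets the visible text say one thing and the href another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        real, shown = host_of(href), host_of(text)
        if shown and shown != real:
            findings.append(f"links: text shows {shown} but points to {real}")
        if org_domain in real and real != org_domain and not real.endswith("." + org_domain):
            findings.append(f"links: {real} embeds {org_domain} inside another domain")

    # 4. Attachments: risky types, and Office files whose first bytes say "encrypted".
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        ext = fname[fname.rfind("."):] if "." in fname else ""
        data = part.get_payload(decode=True) or b""
        if ext in RISKY_EXT:
            findings.append(f"attachments: {fname} has a high-risk type")
        if ext in OOXML_EXT and data.startswith(OLE_MAGIC):
            findings.append(f"attachments: {fname} is a password-protected Office file (gateway cannot scan it)")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE), ("clean", CLEAN)):
        print(label, triage(raw, "example-corp.com") or ["no indicators"])
```

Run stand-alone, the script reports six indicators for the constructed phishing message and none for the benign one. The heuristics are deliberately simple; in practice the sender and link checks would be fed with the organisation’s real domains and a list of known correspondents.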
Thorough user education is a key defence against phishing attacks, but it should always be backed up with tools that automatically flag suspicious email. These act as a further line of defence and can readily be configured to identify messages that match known phishing criteria.
For example, the tools can check the sending server’s IP address against the Sender Policy Framework (SPF) record published by the envelope sender’s domain, and verify DomainKeys Identified Mail (DKIM) signatures against the public key the signing domain publishes in DNS. A pass on its own is not enough: the domain that passed must also match the From address the user actually sees, which is the alignment check that DMARC adds on top of SPF and DKIM. Attachments can be compared with known malicious file types, as well as with any analysis output from antivirus and endpoint-protection solutions.
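The following is an added example, not code from the original article, showing the alignment caveat in practice. Rather than querying DNS itself, it reads the Authentication-Results header that a receiving mail server writes (RFC 8601) and applies DMARC-style relaxed alignment: the domain that passed SPF or DKIM must share its organisational domain with the header From domain. Both messages and all domains in them are constructed for this example; the organisational domain is approximated by the last two DNS labels, where a production implementation would consult the Public Suffix List.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed: SPF and DKIM both pass, but for the attacker's own domain, while the
# visible From address claims the target organisation. Without an alignment check
# this message looks "authenticated".
SPOOFED = """\
Authentication-Results: mx.example-corp.com;
 spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=bounce.example-corp-invoices.com;
 dkim=pass header.d=example-corp-invoices.com header.s=sel1
From: "Jane Doe" <jane.doe@example-corp.com>
To: alice@example-corp.com
Subject: Updated bank details

Please see the attached.
"""

# Constructed: a legitimate message whose authenticated domains align with From.
LEGIT = """\
Authentication-Results: mx.example-corp.com;
 spf=pass smtp.mailfrom=bounce.example-corp.com;
 dkim=pass header.d=example-corp.com header.s=corp2024
From: "Jane Doe" <jane.doe@example-corp.com>
To: alice@example-corp.com
Subject: Board papers

Attached as discussed.
"""


def parse_auth_results(value):
    """Parse 'authserv-id; spf=pass smtp.mailfrom=a; dkim=fail header.d=b' into
    {'spf': {'result': 'pass', 'smtp.mailfrom': 'a'}, 'dkim': {...}}."""
    results = {}
    for stanza in value.split(";")[1:]:            # element 0 is the authserv-id
        stanza = re.sub(r"\([^)]*\)", "", stanza).strip()  # drop (comments)
        if not stanza:
            continue
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        props["result"] = result.lower()
        results[method.lower()] = props
    return results


def org_domain(domain):
    """Approximate the organisational domain by the last two labels (assumption:
    real DMARC implementations use the Public Suffix List here)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def evaluate(raw_message):
    """Return SPF/DKIM results plus whether each is aligned with the From domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_dom = parseaddr(str(msg["From"] or ""))[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(str(msg["Authentication-Results"] or ""))
    spf, dkim = auth.get("spf", {}), auth.get("dkim", {})
    spf_dom = spf.get("smtp.mailfrom", "").rsplit("@", 1)[-1].lower()  # address or bare domain
    dkim_dom = dkim.get("header.d", "").lower()
    spf_aligned = spf.get("result") == "pass" and bool(spf_dom) and org_domain(spf_dom) == org_domain(from_dom)
    dkim_aligned = dkim.get("result") == "pass" and bool(dkim_dom) and org_domain(dkim_dom) == org_domain(from_dom)
    return {
        "from_domain": from_dom,
        "spf": spf.get("result", "none"), "spf_domain": spf_dom, "spf_aligned": spf_aligned,
        "dkim": dkim.get("result", "none"), "dkim_domain": dkim_dom, "dkim_aligned": dkim_aligned,
        # DMARC passes if at least one authenticated identifier aligns with From.
        "verdict": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, evaluate(raw))
```

Run stand-alone, the spoofed message shows `spf=pass` and `dkim=pass` yet a verdict of `fail`, because neither passing domain belongs to the organisation named in the From header; the legitimate message passes on both identifiers. A gateway rule built on the raw `spf=pass` token alone would let the first message through.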
By having a combination of comprehensive user education and robust security tools in place, your organisation will be well placed to avoid the disruption and loss that a successful phishing attack can cause. The technique is not going away anytime soon, so it’s important to be on constant alert.