Perry Carpenter is Chief Evangelist for KnowBe4 Inc., provider of the popular Security Awareness Training & Simulated Phishing platform.
The threat of phishing looms large for every organization and is a drag on business, to say the least. Phishing attacks allow cybercriminals and other bad actors to bypass technically sophisticated security controls via naturally weak human tendencies. They enable those with malicious intent to gain a foothold on networks that can serve as a foundation for bigger, more serious attacks.
As much as they promise, defensive technologies can only do so much. To guard against phishing effectively, it’s crucial to strengthen your organization’s human layer.
Thinking about phishing might feel overwhelming at first. But really, for all the nuances involved in phishing scams, the risk points are the same. This makes guarding against them that much easier.
The Common Link In Phishing Scams
If you are like most people, the term “phishing” might conjure up a typical email attack. We’ve all received an email that purports to come from a familiar service and threatens account closure unless you click a link and add your login credentials. Equally common are emails with document or spreadsheet attachments, which appear to come from a legitimate source, entreating you to review the attached invoice or fill out a form.
A lack of personalization, suspect formatting or grammatical errors can all serve as clues with basic phishing attacks, but these telltale signs aren’t always present.
Some attackers employ much more sophisticated approaches with carefully chosen targets. With increasingly well-thought-out and devious phishing scams, attackers are targeting specific companies and even execs within those companies to mine opportunities that can be exploited later.
Cybercriminals phish for a variety of reasons. And, while Symantec’s Internet Security Threat Report 2019 said that 65% of groups use spear-phishing as the primary infection vector in targeted attacks, in 96% of cases the primary motivation ultimately proves to be intelligence gathering. Patience pays off down the line as information is exploited to exfiltrate data and spread malware or ransomware. Yes, one successful phishing attack can be the gift that keeps on taking. Ultimately, whatever the endgame might be, I’ve found that phishing attacks always adhere to certain rules.
Motivating You To Act
Phishing attacks count on our natural desire to be helpful. They appeal to targets to solve a problem, whether that’s a pending account closure or suspension that requires the input of information to halt it, or the delay of a pending payment until some issue is addressed. Attackers play on the target’s emotions and count on their instinct to comply and be helpful.
No phishing attack, regardless of the complexity, can be successful unless it persuades the target to act. The hook might be that invoice that needs confirmation or the threatened account closure, but it’s only by biting down on the hook and opening the attachment or clicking the link that targets become victims. That’s why attackers will go to great lengths to bait the hook further with a false sense of urgency, such as:
• “You have 24 hours to comply or your account will be closed.”
• “Your payment can’t be processed until you confirm the following information in the form attached.”
• “Bob in HR needs this form filled out by close of day.”
There are many techniques that can be used to encourage you to act now without thinking deeply or critically. But however tempting that lure may be, you can avoid being hooked by following two very simple rules.
Rule No. 1: Don’t blindly click on links.
A phishing attack might be dressed up in countless different ways, but it is usually all about getting you to click that link. Even in the event that an attacker has created a fake website or webpage form to harvest information, simply visiting the page via their link can trigger a malware download. Links frequently come in emails, but they can be easily dropped into blog posts, tweets, Facebook comments and many other places.
Sometimes you may hover over a link and see that the URL doesn’t look right, which is why many nefarious links will have been run through URL shortening services first. The safest policy is simply to avoid clicking on any links you’ve been sent. If it’s from an organization you know, then simply visit the website independently using your own bookmark, by searching in your browser or by typing the address in yourself. Where this isn’t possible, try phoning or contacting the purported sender directly, but never by replying to the message or using the address in the suspected phishing email.
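The two warning signs described above, a link whose visible text does not match where it actually goes and a link routed through a URL shortener, can be checked automatically on an HTML email body. The script below is an added example written for this article, not code from the author or from KnowBe4; the sample email, the shortener list and every domain in it are constructed for the example.

```python
"""
Flag suspicious links in an HTML email body: anchors whose visible text
shows one domain while the href points to another, and hrefs that pass
through a URL shortener so the true destination is hidden.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of a few widely used shortener hosts; extend as needed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed sample phishing email (all domains are made up for the example).
SAMPLE_EMAIL = """
<p>Your account will be closed in 24 hours.</p>
<p>Sign in at <a href="http://examplebank.com.login-verify.test/">www.examplebank.com</a>
to keep it open.</p>
<p>Or use <a href="https://bit.ly/3constructed">this link</a>.</p>
<p>Contact <a href="https://www.examplebank.com/help">examplebank.com</a> with questions.</p>
"""


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL with any leading 'www.' removed ('' if none)."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list:
    """Return (href, text, reason) for each anchor that deserves a second look."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = host_of(href)
        if not target:
            continue
        if target in SHORTENER_HOSTS:
            findings.append((href, text, "shortened URL hides the destination"))
            continue
        # Visible text that looks like a domain/URL but resolves elsewhere.
        if "." in text and " " not in text:
            shown = host_of(text)
            if shown and shown != target and not target.endswith("." + shown):
                findings.append((href, text, f"text shows {shown} but link goes to {target}"))
    return findings


if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```

The third anchor in the sample is left alone because `examplebank.com` and `www.examplebank.com` normalize to the same host; the first is flagged because the real host only begins with the bank's name and ends in an unrelated domain. A check like this belongs in a mail gateway or a reporting tool; for a person reading email, the hover-and-compare habit the article describes is the equivalent manual step.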
Rule No. 2: Don’t take attachments from strangers.
Simply opening an attachment is enough to trigger a malware installation on your system. It’s a good policy to never open attachments from strangers. The trouble comes when your job routinely involves receiving emails with attachments.
Some advice suggests that you look for potentially dangerous file extensions such as .exe and avoid them, but attackers can disguise dangerous file types with more legitimate-looking extensions like .doc or .pdf, so a familiar-looking extension is no guarantee that a file is safe to open.
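Because an extension is just part of the filename, a defender can compare what the name claims with what the file's first bytes say, and also catch the "invoice.pdf.exe" double-extension trick. The following is an added example for this article, not code from the author or from KnowBe4; the file signatures are the standard published ones, while the filenames, byte strings and the lists of risky and expected types are constructed for the example and should be extended for a real environment.

```python
"""
Assess an email attachment before it is opened: does its claimed extension
match the file signature ("magic bytes") in its content, and does the name
use a double extension to look like a document?
"""

# Leading byte signatures for a few common file types.
MAGIC = {
    b"%PDF-": "pdf",
    b"MZ": "exe",                                  # Windows executable/DLL
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",   # legacy .doc/.xls container
    b"PK\x03\x04": "zip",                          # also .docx/.xlsx/.pptx
}

# Content types that are acceptable for a given claimed document extension.
EXPECTED = {
    "pdf": {"pdf"},
    "doc": {"ole"},
    "docx": {"zip"},
    "xls": {"ole"},
    "xlsx": {"zip"},
}

# Extensions that execute code when opened (constructed starting list).
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk", "iso"}

# Constructed sample attachments: name -> first bytes of the content.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n%constructed",
    "invoice.pdf.exe": b"MZ\x90\x00constructed",
    "form.doc": b"MZ\x90\x00constructed",       # executable renamed as a .doc
    "budget.xlsx": b"PK\x03\x04constructed",
}


def detected_type(data: bytes) -> str:
    """Name the content type by its leading signature, or 'unknown'."""
    for signature, kind in MAGIC.items():
        if data.startswith(signature):
            return kind
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> list:
    """Return the reasons this attachment should be confirmed before opening."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    if ext in RISKY_EXTENSIONS:
        reasons.append(f"'.{ext}' is an executable or script type")

    # 'report.pdf.exe': a document extension hiding in front of the real one.
    if len(parts) > 2 and parts[-2] in EXPECTED and ext not in EXPECTED:
        reasons.append(f"double extension '.{parts[-2]}.{ext}' mimics a document")

    kind = detected_type(data)
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        reasons.append(f"claims .{ext} but content looks like {kind}")
    return reasons


if __name__ == "__main__":
    for name, content in SAMPLES.items():
        verdict = assess_attachment(name, content) or ["no issue found"]
        print(f"{name}: {'; '.join(verdict)}")
```

A clean result here means only that the name and the signature agree; a genuine PDF or Office document can still carry the malicious links the article mentions next, so this check sorts attachments for confirmation rather than proving any of them safe.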
It’s also important to note that some attackers will use legitimate documents or PDF files but put malicious links in them that will trigger malware downloads if clicked.
The safest policy is to confirm legitimacy before you open anything. Unless you’re convinced of the authenticity of the sender, take the time to send a quick message separately or pick up the phone. A quick confirmation can save you a lot of trouble, and it’s a minor inconvenience compared to the threat of malware.
These two rules should be a central part of security awareness training for any organization. After implementing these two rules, it’s vital to test employees and ensure they understand by exposing them to mock phishing attacks on a frequent (at least monthly) basis to see how they respond and to train their security reflexes.