The pandemic has accelerated the transformation of a hybrid workplace, and the expansion of the attack surface is inevitable. Although teams coordinate and engage remotely, "socially engineered" phishing attacks have become an unwanted risk and a nuisance for defenders. Phishing attacks have always been prevalent in the cybersecurity threat landscape, giving attackers a foothold into your infrastructure and wreaking havoc on organisations, with attacks and adversaries becoming more sophisticated, dynamic and persistent than ever. According to IBM, Phishing Attacks can cost organisations over $4mn in the event of a breach and is the second-most frequent reason for breaches!
What is a Phishing Attack?
A phishing attack is a socially engineered cyber threat that targets email accounts extensively. However, other kinds of phishing attacks target telephonic channels known as Vishing and Smishing. Vishing involves fraudulent calls to a target, and smishing campaigns send SMS with malicious intent.
Many people flatter themselves on their ability to spot the indicative signs of a phishing email; however, adversaries are becoming more cultured as they grow in number, with open-source knowledge available to the masses allowing them to refine how they disguise inducements to click.
The ages of "Nigerian Prince looking to transfer 1 Million dollars in exchange of few 100 bucks are long gone". Instead of substantial appealing buttons in an email provoking a reader to click, there might be a more inconspicuous sign, for example, hyperlinked text that someone clicks before realising what they've done.
Adversaries use ongoing trends, popular beliefs and progressing patterns to their benefit and pull off a sophisticated and dynamic attack through a phishing campaign. These campaigns usually present themselves to the users in an email, asking them to make some payments, click to confirm any account or give away their credentials by logging in to an anonymous website.
The complexity for identifying phishing emails is multiplying, with more advanced threat actors following all the countermeasures to get detected.
Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies 2
How phishing campaigns are organised?
The threat actor sends an email as part of the campaign that appears to be from a well-established service the user uses, with a subject line like "Immediate Action Required | Your Membership has been declined."
If the user already has a paid membership account, they may be worried that the subscription will be disrupted. To rectify the situation, users would want to log in to their membership account. If they don't, then there is a risk of identity theft.
There are several ways, then, that the campaign could progress:
The email might urge the user to click on the link which downloads a virus, keystroke logger or malware. This binary might sit idly on the machine or network to try and infiltrate the user's company's network. It can operate as a keystroke logger, a virus that sneaks into authorised infrastructure and performs a DDOS or ransomware attack.
Another way is an email or website that asks users to confirm account information, provoking users to submit their credentials through a login form. Yet, the URL is a malignant site that forges itself as a known initial website. The adversary then gets access to sensitive and critical user credentials.
Generally, the email or website will copy the brand, so users will believe that their activity is needed. All things considered, they will be giving their sensitive data to an adversary or unconsciously downloading a vindictive binary/software in their network.
How to defend? The Proactive Approach
Employee awareness against phishing is the first step towards mitigating the risk against phishing threats. You can organise regular employee awareness training, develop best practice checklists to maintain email security hygiene and conduct regular phishing simulations on your workforce to get an accurate picture of who's at most risk.
Best practices for making phishing simulations a success for your organisation:
Cover 100% of your workforce short intervals (1-2 months).
Be consistent in providing regular training sessions.
Everyone can identify Nigerian princes, change the difficulty posed to your targets across training. Make phishing campaigns more authentic and personable.
Segment employees into groups based on individual behaviour and adapt your campaigns scenarios to their skill. This could include password or data requests, messages from colleagues or seemingly legitimate senders.
Many vendors offer Phishing Protection solutions that can integrate with your email provider and adapt to detect different types of phishing threats, including emails, attachments etc.
FourCore ATTACK is a Breach and Attack Simulation platform that can help you simulate the events of an actual breach, of course, under safe conditions.
FourCore ATTACK offers the ability to simulate threat actors targeting your organisations via phishing emails. You can simulate a phishing campaign and gain increased visibility into your email protection infrastructure. Our phishing simulations offer a variety of email templates, malicious payloads (.docm, .xlsm), the ability to use our mail servers or your own and create a holistic evaluation of your security controls.