04/12/2014
By Trey Ford, Global Security Strategist, Rapid7
Phishing is one of the primary and preferred tools used by attackers. Many large breaches began with a phishing attack that stole passwords and opened the door to sensitive data. One of the most memorable examples is the RSA breach, which disrupted not only the company itself but also its customers. By avoiding attacks altogether, or by detecting phishing attacks early, you can contain them and reduce the damage they cause.
User education is hugely important because users increasingly represent the greatest threat to a business environment: they click on links, share information, lose laptops, download unsafe apps, and use cloud services without telling you. Essentially, every user is now a point of entry to your corporate network, and every user is a potential target.
It is easy to assume that everyone knows about phishing and wouldn't fall for an email claiming they've won £100,000, wouldn't open an unexpected attachment, and wouldn't click a link from a sender they don't know. However, reminding users again and again of the risks can help them become more judicious about which links they click.
What is phishing?
Phishing refers to the process where a targeted individual is contacted by email or telephone by someone posing as a legitimate institution to lure the individual into providing sensitive information such as banking information, credit card details, and passwords. As the name suggests, this typically works by dangling some kind of bait in front of you. One of the classic examples of phishing is the Nigerian 419 scam, which lured people into giving their bank information with the promise of huge riches.
Other kinds of phishing emails try to convince you to open an attachment or click on a link. This can lead to your device becoming infected with something nasty, or to you unknowingly handing a criminal your password for a website. You may, for example, receive an email from LinkedIn saying someone wants to connect with you. You click on the link and you get what looks like the login page for LinkedIn. Once you have entered your password and landed on the page you expected, everything may look normal; what you may not realise is that you have just given your LinkedIn password to a criminal.
Traditional phishing attacks are designed to engage anyone in the general public. In stark contrast are “spear phishing” attacks, specially tailored for specific groups or individuals. These targets hold credentials that grant access to valuable intellectual property, financial, trade or other confidential data. Spear phishing attacks leverage key bits of information collected about the targets, such as job descriptions for that team, posts to social media, or details gleaned from the target’s friends or peers, and then use them to craft an email or social media campaign designed to look highly plausible and attractive to the target.
Phishing emails can be very sophisticated and extremely hard to spot. Why would someone want to target you in this way? They might not be targeting you personally, but using you as a way to get a foot in the door of your corporate network. Perhaps they are ultimately after someone else in your network. You never know how tempting a target you might represent, or how an attacker might value the data you have access to, so it’s important to be vigilant.
How can you protect yourself?
A good way to approach email is to imagine that something sinister could be lurking behind every message, and to ask yourself what that might look like. Anything unexpected, whether an email from an unfamiliar sender, an attachment or invitation, or a message via social media, should be treated with a level of scepticism. This is true whether it’s email (work or personal) or any social media link or message, so treat every interaction with some caution.
Protect your information
Do not send sensitive information, such as bank details, passwords, ID numbers, or information you have used to reset passwords (like a birthday, mother’s maiden name, etc), over email. If it can't be avoided, be sure that you know who you are sending them to, and start a new email thread as opposed to replying to a chain and be sure to check the email address carefully.
Check the address
Be mindful of who is emailing you. Check email addresses for accuracy and look for signs of suspicious activity, for example if an email is not in the format you’d expect or a name appears to be spelt incorrectly. Email addresses made up of seemingly random combinations of letters and numbers may also be suspicious.
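As an added illustration of the address checks described above (this script is not part of the original post), the following Python applies three of those signals to a few constructed sample From: headers: a domain one character off a trusted one, a trusted name buried inside a longer domain, and a mailbox name that is a random jumble of letters and digits. The trusted domain and the sample addresses are assumptions made for the example.

```python
import re
from email.utils import parseaddr

# Domains the organisation legitimately mails from (assumed for this example)
TRUSTED_DOMAINS = {"example.com"}

# Constructed sample From: headers; none are taken from a real message
SAMPLE_FROM_HEADERS = [
    "Jane Smith <jane.smith@example.com>",
    "IT Helpdesk <helpdesk@examp1e.com>",           # digit 1 swapped for letter l
    "LinkedIn <x7q2k9a4m1@mail-notify.example>",    # random-looking mailbox name
    "Example Payroll <payroll@example.com.evil-test.example>",  # trusted name inside a longer domain
]

def one_char_off(a, b):
    """True when a and b are the same length and differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def looks_random(local_part):
    """Heuristic for mailbox names that are a jumble of letters and digits."""
    return (len(local_part) >= 8
            and re.fullmatch(r"[a-z0-9]+", local_part) is not None
            and len(re.findall(r"\d", local_part)) >= 3)

def check_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return a list of plain-language warnings for one From: header."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["address missing or malformed"]
    local_part, domain = address.lower().rsplit("@", 1)
    warnings = []
    if domain in trusted:
        return warnings  # exact match with a known sending domain
    for known in trusted:
        if one_char_off(domain, known):
            warnings.append(f"domain {domain} is one character off trusted {known}")
        elif known in domain:
            warnings.append(f"domain {domain} contains trusted name {known} but is not {known}")
    if looks_random(local_part):
        warnings.append(f"mailbox {local_part} looks machine-generated")
    return warnings

def triage(headers):
    """Map each header to its warnings so a reviewer can scan the suspicious ones."""
    return {h: check_sender(h) for h in headers}

if __name__ == "__main__":
    for header, warnings in triage(SAMPLE_FROM_HEADERS).items():
        print(header, "->", warnings or ["no address warnings"])
```

These heuristics only flag addresses for a closer look; a clean result does not prove a message is genuine.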
If suspicious, don’t click on links
If you are at all doubtful of the email or message, type in or use a search engine to find the website you need rather than clicking on a link.
Don’t open attachments
Treat any attachment that you didn’t request as highly suspect. Send it to your security team if you’re not sure whether it’s safe, and they will check it out for you.
Take special care with email passwords
Set up multi-factor (sometimes called two-step) authentication for your email if at all possible. If an attacker can steal your password, they have the keys to your kingdom. (Remember – almost all password reset requests send a message to your email account to recover a lost password).
Check with IT/ Security
If in doubt, forward the email (as an attachment, if possible) to your security team. They will let you know whether something is safe to open or click on.
It’s better to be safe than sorry.
Phishing isn't complicated, but this simplicity is the key to its success. Given the sheer amount of email we all receive every day, it’s tough to remember to be vigilant.