Phishing attempts are on the rise. In fact, the FBI recently reported that it was the top Internet-related crime they dealt with in 2019. In the wake of coronavirus, companies and security experts alike are seeing no evidence of things slowing down. A report from earlier this year found that between February and March alone, phishing attempts spiked by 667%. What steps can your organization take to identify phishing attempts, determine the latest trends, and prevent falling victim to attacks?
What Is Phishing?
Phishing is “the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.” In short, criminals work hard to make phishing emails look legitimate. Some common examples you might see are:
- A spoofed email that appears to be from a colleague asking you to send money or sensitive information
- An email that looks like it comes from a company you do business with, such as a financial institution, that includes a link that prompts you to log in
- A request to verify log-in credentials to a key company system
From Spear Phishing to Whaling: Phishing Becomes More Sophisticated
One of the biggest challenges today’s cybersecurity experts face is the reality that phishing attacks are becoming more sophisticated. All the examples we just outlined will look familiar to any seasoned security veteran. However, today your employees face an even wider set of threats. Some emerging phishing threats include:
Mobile and Chat-network Phishing: As employees increasingly work from home and rely on their mobile phones to complete critical work, cybercriminals are turning their attention to mobile phishing. The attack may be sent as a text message or within an instant messaging platform. While the goal is often similar, such as compromising log-in credentials or initiating a wire transfer, employees may be less vigilant when it comes to security on their phones—and more likely to fall for the scam.
Social Platform Attacks: One of the ways phishing has become more sophisticated is by embracing a wider range of platforms. As social media usage increases—and even becomes a vital part of the job for many roles, such as sales or marketing—social media networks can be used for attacks. In many cases, the messages focus around a fraudulent competition, a rewards program, or an offer for a gift card in exchange for information. These messages may suggest that users have to log in, making it easier to steal key information before employees realize what has occurred.
Whaling: High-level social engineering has been at play in the phishing landscape for the last few years. Typically, the criminal sends out a message impersonating a senior official of the organization, such as the CEO or CFO. The message often demands log-in credentials or requests that a money transfer be completed under short notice. In organizations that are geographically dispersed or have strict communications hierarchies, fearful employees complete the request before they have a chance to verify it with their colleagues.
Spear Phishing: Another more recent addition to the phishing landscape is based on sophisticated social engineering where criminals research and impersonate individuals or organizations that are part of your company’s ecosystem. For example, a quick search on LinkedIn may reveal who hires freelancers for your company, what marketing or accounting agency your company is affiliated with, or critical suppliers you engage in business with. From there, the criminals simply send a request for credentials using spoofing—and all too often they are successful in their efforts.
COVID-19 Phishing: The pandemic has increased the time we’re spending online and how individuals are relying on digital solutions to complete a wide variety of transactions—including staying updated on pandemic information. A variety of schemes ranging from spoofing news sites and pandemic maps to invitations to sign in to “collaboration software” can be found.
Steps to Take to Stay Safe from Phishing Threats
Educate Employees: While phishing has been a significant security threat for several years, many organizations are still improving how they get a handle on the issue. Employee education can play a crucial role in preventing phishing expeditions from reeling them in. Google recently found that just 60% of professionals could correctly define phishing, which suggests there’s opportunity for further growth and engagement around general awareness, identification strategies, and ideas for testing and automated protection.
Use Best Practices to Detect Phishing Attempts
There are several best practices IT leaders have come to rely on to identify and prevent phishing. These include:
- Check the email address: When a phishing attempt uses spoofing, the email address may look right in the “from” field but appear differently when you hover over it. Criminals also sometimes use email addresses that are close to, but not exactly like, the correct address. They’re banking on the fact that busy employees won’t have time to check thoroughly.
- Check links: Users should also check where any embedded links lead. The text may read as a familiar address, but when you hover over it or use your touch screen features to look at the URL, it takes you to a different address. These can all be signals that phishing is in play.
- Be wary of attachments and log-in requests: Attachments from an unknown address can also be a challenge to identify and can lead to fraudulent destinations. For example, one common tactic is phishing emails that look like invoices and require users to log in to view them.
- Read the copy: Questionable copy is another signal that phishing is afoot. If the email features an impersonal greeting, grammatical errors, or misspellings of keywords, treat those as clues that it needs a second look.
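The address and link checks above can be run automatically over a message before a person reads it. The following is an added example, not part of the original article: the `TRUSTED` list, the sample domains, the 0.85 similarity threshold, and the function names are all assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
TRUSTED = {"example-bank.com"}  # assumption: domains you really deal with
# Constructed sample message, not a real phishing email.
SAMPLE = '''From: "billing@example-bank.com" <billing@examp1e-bank.com>
Content-Type: text/html; charset=utf-8

<a href="http://login.invoice-portal.example/view">https://www.example-bank.com/invoices</a>
'''

class Links(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.found, self.href, self.text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", ""
    def handle_data(self, data):
        self.text += data
    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            self.found.append((self.href, self.text.strip()))
            self.href = None

def host(url):  # hostname only; a fuller check compares registrable domains
    name = urlsplit(url if "//" in url else "//" + url).hostname or ""
    return name.lower().removeprefix("www.")

def check(raw):
    msg, out, links = message_from_string(raw), [], Links()
    shown, addr = parseaddr(msg["From"] or "")
    sender = addr.rpartition("@")[2].lower()
    for t in TRUSTED:  # close to, but not exactly, a trusted domain
        if sender != t and SequenceMatcher(None, sender, t).ratio() >= 0.85:
            out.append(("lookalike-sender", f"{sender} imitates {t}"))
    claimed = re.search(r"@([\w.-]+)", shown)  # address shown in display name
    if claimed and claimed.group(1).lower() != sender:
        out.append(("display-mismatch", f"shows {claimed.group(1)}, sent from {sender}"))
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            links.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
    for href, text in links.found:  # visible URL vs. real destination
        if re.match(r"(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", text) and host(text) != host(href):
            out.append(("link-mismatch", f"text {host(text)}, goes to {host(href)}"))
    return out
```

Calling `check(SAMPLE)` returns one finding for each of the three signals; a link whose visible text is not itself a URL (for example "View invoice") is not flagged by the link check.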
Automate Your Training and Monitoring
There are a number of tools that can help busy IT teams reduce or eliminate the phishing threats employees face. Some to consider include:
- Email Security: Email security solutions such as those offered by Mimecast can help verify senders, scan links, and identify phishing attempts before they hit employee mailboxes.
- Specialized training solutions: Effective cybersecurity training can be difficult, and it’s most likely to have an impact when it touches emotions, uses real stories, and employs tested techniques. Leveraging programs such as Security Innovation’s Anti-phishing program is a great way to invest in training.
- Anti-phishing Policies: Take advantage of tools and solutions within Connection’s Microsoft offerings, including Microsoft 365 and Azure, to protect against phishing. Here’s a full reference guide to some of the most important options.
Phishing is on the rise, but it doesn’t have to harm the security of your network. If you’re concerned about phishing or want to discuss your organization’s unique needs, contact us today to learn how a variety of Connection’s solutions can be deployed to help your organization stay safer throughout the rest of 2020 and into the new year.