The theme of the second week of Cybersecurity Awareness Month is “Phight the Phish”. Phishing scams fall under the umbrella of social engineering: they manipulate the weakest link in security, humans, rather than exploiting a technological vulnerability. Phishing messages try to trick the recipient either into divulging sensitive information, such as a credit card number or a password, or into clicking on something, such as a link to a fake login portal set up to harvest credentials, a link to a website that automatically downloads malware, or an attachment that contains malware. Not all phishing is done by email. Smishing (SMS phishing) is done via texts or SMS messages. Vishing (voice phishing) is phishing done over the phone or via voice messages. Generic phishing campaigns are aimed at a broad audience, whereas phishing messages tailored to specific individuals are called spearphishing. Whaling is when an attacker uses spearphishing methods to go after a very high-value target, such as the CEO of a company.
Phishing emails can sometimes be identified by having incorrect sender addresses. For example, if the email of your coworker, Bob Smith, is “firstname.lastname@example.org”, they are not going to send you an email from “email@example.com”. However, sometimes identifying phishing emails is not that simple.
Attackers may use typosquatting to make the sender addresses look convincing. Typosquatting, AKA URL hijacking, is the practice of registering a domain name that is an intentionally misspelled version of the domain name of a popular website. For example, if your bank’s website is “bankofthenation.com”, a phishing email may use an address like “firstname.lastname@example.org” or “email@example.com”. An address with a small typo may seem convincing at first glance. Aside from sender addresses, typosquatting can be used for the links within phishing emails, which may lead either to malware or to a fake website set up to steal credentials. Phishing scams that use typosquatting can be identified by taking the time to check whether the domains involved are legitimate.
However, attackers may take things a step further by using email spoofing, the practice of forging the sender address to make an email look legitimate. For example, if your company’s domain is “yourcompany.com”, an attacker with email-spoofing capabilities could send you a phishing email with the sender address of “firstname.lastname@example.org”. Phishing emails that use spoofed domains cannot be identified by simply checking the sender address. However, they can be mitigated by three email authentication protocols: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). With email authentication enabled, spoofed emails would either be rejected before reaching your organization’s inboxes or end up in spam folders, depending on how DMARC is configured. Implementing all three of these protocols can be a tricky process, but it is worth doing for the additional layer of security they provide.
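To make the “depending on how DMARC is configured” point concrete, here is an added example (not code from the original post) in Python: it parses a constructed DMARC record for the hypothetical domain “yourcompany.com” and decides whether a message passes DMARC or falls under the published policy, based on the SPF/DKIM results a receiving mail server computed and whether those results align with the From: domain. It assumes a two-label organizational domain (no Public Suffix List) and ignores the pct= tag.

```python
# Added example: a simplified DMARC disposition check. Given the DMARC TXT
# record for the From: domain and the SPF/DKIM results a receiver computed,
# return 'pass' or the domain owner's policy (none / quarantine / reject).
# Simplifications (assumptions, not the real DMARC algorithm): the
# organisational domain is taken to be the last two labels instead of
# consulting the Public Suffix List, and the pct= sampling tag is ignored.

# Constructed DMARC record for the hypothetical domain yourcompany.com:
# strict SPF alignment, relaxed DKIM alignment, failures go to quarantine.
DMARC_RECORD = "v=DMARC1; p=quarantine; aspf=s; adkim=r; rua=mailto:dmarc@yourcompany.com"


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict and apply DMARC defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("aspf", "r")   # relaxed alignment is the default
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain):
    """Organisational domain, assumed here to be the last two labels."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') only
    needs the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """'pass' if SPF or DKIM passed *and* aligns with the From: domain;
    otherwise the policy the domain owner published (none/quarantine/reject)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]
```

A spoofed message whose SPF check passes only for the attacker’s own sending domain fails alignment and lands under the published policy, which is why the policy value (none, quarantine or reject) decides whether it is merely reported, sent to spam, or rejected outright.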
In addition to using misleading or forged addresses, phishing emails may also use the same formatting and images as the real emails sent by the organization they are impersonating. If they are impersonating an individual, they may use personal details gleaned from social media. People can fall for phishing scams if the emails are convincing enough at first glance and they are tricked into reacting without verifying. When crafting the body of a phishing email, attackers may come up with a time-sensitive scenario to create a sense of urgency and scare victims into reacting quickly. They may also try to impersonate someone with authority, such as a supervisor. In cases in which a supervisor or coworker is being impersonated, the scam can be identified if the language used is inconsistent with how the real person typically communicates. The (il)legitimacy of the email can be verified by reaching out to the supposed sender through another method, such as a phone call to a trusted number.
It is important that everyone in your organization is cyber smart about phishing scams. Phishing and ransomware go hand-in-hand; according to Coveware’s Q2 ransom payment report, phishing is one of the two most popular methods for cybercriminals to gain entry into a network for a later ransomware attack. According to Verizon’s Data Breach Investigations Report (DBIR) for 2021, phishing is one of the top attacks that lead to data breaches. If one employee falls for a phishing email, it could lead to an organization-wide data breach, ransomware attack, or both.