“What is phishing?” is one of the most searched terms on the Internet. It has become one of the most effective techniques used by cybercriminals to gain access into the corporate network.
The risks associated with a phishing security threat are growing daily as criminals plot targeted and highly sophisticated campaigns to secretly breach the network of an organisation, whether for financial gain, espionage or other motivation.
Phishing has become one of the biggest business risks of the century and, according to CSO Online, 92% of malware is delivered via email. Email is also the number one delivery vehicle for ransomware.
Criminals are targeting the outer ‘layer’ of a company’s defence – its employees – by crafting cleverly disguised branded emails and very realistic communication to entice users to click on the email link or attachment.
Once the employee clicks on the link, malware is automatically downloaded to their computer or device.
Alternatively, a spoofed website collects login credentials, in essence compromising the data on that device, and in most instances providing entry into the company network.
Cybercriminals are looking for a way to penetrate the corporate network by gaining access through usernames and passwords which provide access to company platforms.
Targeted phishing is known as ‘spear phishing’ and is where the attackers hone in on specific individuals with privileged admin rights, such as executives or individuals at the C-Suite level.
Usually targeted individuals are ‘stalked’ on social media or may previously have been identified via a phishing email which they clicked.
The outcome can be disastrous to a company compared to ordinary phishing, because it often leads to larger financial losses or wider access to mission critical systems.
While companies and individuals are aware of the risks of phishing email, they continue to get caught out time and again because of the sophisticated nature of these cyber social engineering tactics.
With the rise of remote working, personal apps on mobile devices pose a significant IT security risk, because these devices often do not come with the required phishing defence.
During the coronavirus pandemic, there was a marked increase of phishing attacks related to Covid-19 communication – centred around tax relief for individuals and companies.
This is a perfect example of social engineering at play: because of the uncertainty around Covid-19 and financial fears, people were ready to click on an email to apply for Covid-19 relief.
The malware Azorult used a fake email and Coronavirus map to infiltrate and generate ransomware attacks within organisations around the globe within a matter of hours of being distributed.
In the political realm, recent research from CSC in the United States about the Presidential race shows that over 90% of websites linked to the Donald Trump and Joe Biden campaigns were found to be at risk of potential disinformation or data theft.
This is because the web domains used in their campaigns are not protected from domain and DNS hijacking – a technique often used by hackers to launch their phishing scams.
The Damage From a Phishing Scam
Phishing attacks are known to result not only in the loss of company data, finances and reputation, but are also said to severely affect employee productivity.
One phishing attack can cost a medium-sized company an average of $1.6 million due to having sub-standard cybersecurity practices in place.
Phishing statistics 2020:
- 22% of breaches in 2019 involved phishing
- 96% of phishing attacks are by email
- One in every 99 emails is a phishing attack
- One in 25 branded emails is phishing
- Close to a third or 30% of phishing emails make it past default security
- Two in three phishing attempts use a malicious link and over half contain malware
- 65% of organizations in the United States experienced a successful phishing attack
Source: Verizon, SonicWall, Varonis
Although the majority of people know what phishing is, it is not always clear what the right phishing prevention strategy and defences are.
Many companies have poor cybersecurity practices in place which fail to protect the network, endpoints and corporate data, placing them at great risk from the rising tide of phishing attacks.
At ENHALO we believe that layering the defences will limit the effects of phishing and remains a consistent way to mitigate against the IT security risks.
Eight Layers of Defence
1. Education
In a phishing defence strategy, education is one of the single most effective ways of dealing with an attack.
Because phishing uses social engineering and attackers continue to improve their craft, these emails become more difficult to identify as fraudulent.
According to 2020 statistics, 97% of users cannot identify a sophisticated phishing email and therefore fall for them time and time again.
Since they are at the forefront of the attack, education of employees and users of your platforms remains a fundamental part of the defence and should be prioritised and maintained.
2. Rule of Least Privilege
Limit users’ access as much as possible. It’s vital to ensure that users only have access to what they need to fulfil their function.
If they do not need access to a resource or system, don’t give it to them!
It’s often the case that most users don’t need the access that they think they need. Once access is granted, it’s difficult to take it back.
Furthermore, roles change within companies and when this occurs it’s important that access rights are checked so that access continues to align with what is required only.
Review access rights periodically. Don’t skip this review; be strict and remain firm.
The access that systems have should be carefully thought out too. Systems should be treated in the same way as people, with regards to access control.
Systems should also only have the access that they require to fulfil their purpose. For instance, if a computer or device does not need access to a server to function, then don’t give it access.
Having devices such as mobile phones or IoT devices (such as a kettle for example) on the same network as your company file server, does not make sense.
Rather put them on a separate network that is isolated from the company’s ‘crown jewels’ for not only phishing prevention, but any hacker attack.
If these devices are isolated, and are compromised, they can’t be used as a springboard to get to the organisation’s files. It may sound unlikely, but it does happen.
Rather use the rule of least privilege and be safer in the long run.
3. Email Scanning
Scan the email on the way in and on the way out of the organisation with a tool that is not part of the same ecosystem. This means, if you use a particular cloud provider, forward the mail to a third party that is not connected to that cloud provider for additional scanning.
By doing this the integrity of the email can be ensured. Often attackers break into a cloud platform and send the phishing email from within the system.
Alternatively, attackers create an email in the inbox of the user which means that it’s not even sent, so it can’t be scanned. In these instances, they are difficult to stop with scanning, so other layers of defence (controls), including education are critical.
4. Multi-factor Authentication (MFA)
MFA helps protect against phishing because if a user is tricked by a phishing email and their credentials are compromised and stolen, the attacker will still require the one-time use component of the credential, which the attacker will not have access to.
5. Tighten Your Geo-location
Only accept connections and emails from geographic locations that you deal with, and ensure that the users are only able to visit and interact with countries that they need to, especially when using corporate devices.
It’s surprising how at least half of the planet can be eliminated from the equation by doing this. This will reduce the phishing attack surface and will result in a more secure posture.
Moreover, if the computers and users are blocked from addressing other geo-locations, it means that an extra layer of defence is in place which the attackers will need to get over in order to exploit the user through phishing.
6. Proxy and filtering
Filter all access to and from the computers and from user interactions with links. By limiting where the users can go and by implementing user and application aware proxies, connections can be filtered.
This is quite simple to achieve if the devices which the users utilise are configured correctly.
Remember to include the mobile devices that are largely used by all. One easy way to do this is by using a secure and trusted DNS service that filters the DNS request.
Very soon Secure DNS will be the norm, and this will further enhance overall security. Already, vendors of browsers are implementing versions of secure DNS to avoid the trickery.
7. Disable External Links
If a link is not to and from a system that is trusted by the organisation – disable it. It’s surprising how habitual we are, and often use the same sites daily to do our work.
It is possible to create a list of trusted sites and only allow traffic to and from those sites for added security. After a couple of days that profile will encompass a trusted list.
From time to time a user might require an additional site, if a new application or process is introduced.
This approach is not as difficult as one may think and introduces a very strong level of security, far superior than allowing access to everything.
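As an added illustration of the trusted-list approach above (example code, not ENHALO's own tooling), the following profiles the hosts seen during a learning period from proxy logs, then enforces the resulting allowlist with exact host matching so that a lookalike domain carrying a trusted name as a prefix is still blocked. The log format, host names and user names are constructed for the example.

```python
"""Trusted-site allowlist: learn it from a profiling period, then enforce it.
Added example (not ENHALO code); log format, hosts and users are constructed."""
from typing import Set
from urllib.parse import urlsplit

# Constructed proxy log lines from the learning period: "<timestamp> <user> <url>"
LEARNING_LOG = """\
2020-09-01T08:02:11 alice https://mail.example-corp.test/inbox
2020-09-01T08:05:40 alice https://crm.example-corp.test/accounts/42
2020-09-01T09:17:03 bob https://docs.vendor-one.test/api/v2
2020-09-02T10:44:59 bob https://crm.example-corp.test/reports
2020-09-02T11:01:20 alice https://mail.example-corp.test/sent
"""


def host_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def build_allowlist(log_text: str) -> Set[str]:
    """Profiling phase: every host actually visited during the period becomes trusted."""
    hosts: Set[str] = set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:  # skip malformed or empty lines
            continue
        host = host_of(parts[2])
        if host:
            hosts.add(host)
    return hosts


def is_allowed(url: str, allowlist: Set[str]) -> bool:
    """Enforcement phase: only an exact, previously profiled host may be contacted.

    Exact matching matters: 'crm.example-corp.test.lookalike.test' contains the
    trusted name but is a different host and must not match."""
    return host_of(url) in allowlist


def add_trusted(host: str, allowlist: Set[str]) -> Set[str]:
    """Explicit change when a new application or process is introduced."""
    allowlist.add(host.lower())
    return allowlist
```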
8. Manage the Credential Most Likely to Get Phished
This is an ‘out of the box’ idea that is being adopted nowadays. In simple terms, groupings of privileged accounts exist that are used for transactions including special usernames and passwords and credit card numbers.
These credentials are only active for a small window, for instance, when the transaction needs to go through and subsequently the credentials are deactivated, and the credit card invalidated until needed again.
This control is extremely effective, as the window of opportunity is consistent but limited to minutes and the attacker would need to know when that small window of opportunity is available to exploit the credentials.
If alerts exist on these credentials whenever they are used, it will be apparent if they are compromised.
If the accounts are locked and the cards deactivated, and you get an alert then you know that the accounts have been compromised and appropriate actions and measures can be taken.
Using the assumption that the credentials get compromised despite all other layers of defence (controls) in place, the management of credentials is a good safety net.
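The time-boxed credential described above, as an added example that is not ENHALO's product code: the account is unlocked for a short window when a transaction is due, every use is logged as an alert, and a use while locked is flagged as a compromise and keeps the account locked. The account name, window length, source addresses and clock values are constructed.

```python
"""Time-boxed privileged credential with use alerts.
Added example, not ENHALO code; name, window, sources and times are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class TimeBoxedCredential:
    name: str
    window: timedelta = timedelta(minutes=5)   # constructed window length
    active_until: Optional[datetime] = None    # None means the account is locked
    alerts: List[str] = field(default_factory=list)

    def activate(self, now: datetime, approved_by: str) -> datetime:
        """Unlock for one short window, e.g. just before a transaction is sent."""
        self.active_until = now + self.window
        self.alerts.append(
            f"INFO {self.name} activated by {approved_by} until {self.active_until.isoformat()}")
        return self.active_until

    def deactivate(self) -> None:
        """Lock the account again; the card or password is invalid until next activation."""
        self.active_until = None

    def is_active(self, now: datetime) -> bool:
        return self.active_until is not None and now < self.active_until

    def use(self, now: datetime, source: str) -> bool:
        """Every use raises an alert; a use outside the window is treated as compromise."""
        if self.is_active(now):
            self.alerts.append(f"INFO {self.name} used from {source} at {now.isoformat()}")
            return True
        self.alerts.append(
            f"CRITICAL {self.name} used while locked from {source} at {now.isoformat()}; "
            "treat as compromised and rotate")
        self.deactivate()  # stay locked until a human has investigated and rotated it
        return False
```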
Connect with us to meet with an experienced consultant to tailor a cybersecurity solution for your business.