Think Before You Click: Spotting and Stopping a Phish

It’s nearly 3 p.m. and, despite three cups of coffee, you’ve barely made a dent in the massive backlog that didn’t even exist when you got in this morning. You decide to steal a precious few seconds between meetings and messages to check your email, hoping none of the four notifications you’ve just received are more requests.

One in particular catches your attention: Someone has successfully logged into your email account from thousands of miles away. “If you don’t recognize this login,” the email warns, “change your password immediately.” Between worst-case thoughts of identity theft and ruined credit, and the promise of something quick and easy to check off your to-do list, you can’t mash that button fast enough. You enter and confirm your old password, enter and confirm your new password, then sigh with relief — your account is safe for another day.

Except it isn’t: Unbeknownst to you, the email was a phish, and your credentials have just gone from “confidential” to “commodity,” available to anyone for a few bucks on the dark web.

Hook

While phishing has been around for nearly 30 years, it’s still growing: According to IC3 data, phishing attacks have increased 182% since 2019. Today, one in every 99 emails is a phish.

Worse, your email service provider’s security measures may not be as much help as you think: A quarter of phishing emails are able to sneak by the default security measures included with Office 365, and more than 10 percent are able to bypass both Microsoft Exchange Online Protection (EOP) and Microsoft Advanced Threat Protection.

From there, the success of a phish just depends on whether they’ve used the right kind of bait: Nearly one in three phishing emails is opened, and when referring to spear-phishing, that number jumps to 70%.

The most successful hooks share two common characteristics: They appear to come from a known contact or organization, and they use a problem or issue to inspire a sense of urgency. Common examples include warnings that your payment information has expired, your account is on hold due to a billing issue, an order you never placed is set to be shipped, etc.

Line

So how do criminals get you on the line? The three most common techniques involve malicious attachments, malicious URLs and fraudulent data entry forms.

Malicious Attachments
These attachments may look like ordinary PDFs, Word docs or Excel sheets, and may even include legitimate-sounding data to help maintain the ruse, such as an invoice or a receipt. But in the case of a phish, they’re infected with malware that can infect your device and spread throughout the network — to servers, external hard drives/backups, and even cloud systems.

Malicious URLs
That link you may think is taking you to Amazon.com to clear up an account issue may instead be taking you to Amazom.com — an imposter homepage designed to launch malware. If you notice that the URL looks a little odd once you get to the page, however, it may already be too late: In the case of a drive-by download attack, simply visiting a site is enough to begin download of malicious code to your device. These sites are a moving target for the IT admins attempting to block them: 84% of them are live for less than 24 hours, with some up for as little as 15 minutes.

Fraudulent Forms
Not all phishing sites deploy malware, however. Some are just seeking information, often in the form of fake data-entry forms. Often this takes the form of a phony login page, such as a popup window imitating the login prompts for Office 365 and other services. Another common scam is an email alerting you that your payment information has expired. After clicking on the link in the phishing email, you’re taken to a fraudulent URL asking you to reenter your credit card information or other data such as your social security number, full name, address and more. The goal of these attacks is to collect credentials to launch further attacks, often spearphishing or Business Email Compromise (BEC) attacks, or to collect personal information that can be exploited or sold for a profit.

… And sinker.

If you’ve fallen for a phish, you and others on your network could be sunk. 91% of cyberattacks start with a phish, and 66% of malware is installed via malicious email attachments.

Unfortunately, despite being alarmingly common (83% of organizations reported suffering successful phishing attacks in 2021), phishing is the second most-expensive attack vector to remediate, costing organizations an average of $4.65 million.

More than half of organizations that experienced a successful phishing attempt reported experiencing data loss or compromised accounts/credentials, and over 40% experienced subsequent ransomware infections.

Don’t Take the Bait!

But despite an increase in prevalence and sophistication, you can still avoid falling for a phish. Here are a few ways to stay safe:

1. Implement Dedicated and Regular Security Awareness Training: Training employees on security awareness significantly decreases the odds that someone will fall for a phishing attack, and can reduce the cost of a successful phishing attack by over half.
2. Learn the Hallmarks of a Phishing Email: Poor spelling and grammar in an otherwise professional-looking email, logos that are low-resolution or look a bit “off,” a sender address that is similar to but different from one you’re accustomed to seeing and a sense of urgency are all reliable indicators of a phishing email.
3. Be Leery of Links: Don’t ever click on embedded links in an email, even from a trusted contact, and avoid clicking on any link in an email from a sender you don’t recognize. Ensure the URL of any site you visit begins with https, not http. And watch out for subdomains — hulu.iscamyou.com is not a part of Hulu’s website just because Hulu is in the URL.
4. Upgrade Your Browser and OS Regularly: Most modern browsers are equipped with phishing protection, which is upgraded as attackers introduce new techniques.
5. If You’ve Been Caught, Act Quickly: Report the incident to your IT department immediately, and find out whether you’ll need to notify other departments, such as Finance or Legal. In the case of malware infections, a service like SonicWall’s Capture Advanced Threat Protection (ATP) should protect you — otherwise, disconnect the endpoint from the internet and network immediately until a scan can be run. If your personal information has been compromised, set up a credit freeze and fraud alerts through your financial institutions to ensure no new accounts are opened in your name.

Identifying a phish will go a long way toward keeping your organization safe — but if you aren’t regularly updating and patching, your network could still be vulnerable to cyberattack. In next week’s Cybersecurity Awareness Month blog, we’ll offer tips on how to stay safe by staying up to date.