Sometimes you realize it just a split-second too late. A wave of terror passes over you as you wonder, What did I just click? I think I’ve really messed up!
If this sounds familiar to you, don’t beat yourself up. Being duped by a good phishing scam can happen to the very best of us, and you’re joining millions of innocent victims worldwide who have done the same.
But it’s also important to take immediate action and to know what you need to do to avoid repeating the mistake. The human element contributes to 82% of breaches, according to the 2022 Verizon DBIR. Besides employing security technologies to prevent phishing attacks, companies must also take a hardline approach to educating people on how to spot phishing emails.
To help avoid email scammers continuing to get the better of us, SonicWall is thrilled to announce our new online Phishing Quiz. This quiz is designed to help educate users on how to recognize common signs of a phishing email. And because it’s interactive, it’s more engaging and informative than a simple email or handout would be.
Email is often the first attack vector.
Based on the lessons of past data breaches, successful attacks typically combine multiple tactics, techniques and procedures (TTPs) to compromise the user. Moreover, in those events, email was the first channel to deliver at least one of the following:
- The initial URL, in the form of a link to an exploit kit or phishing website
- The malicious attachment, in the form of a dropper or payload
- A pretexting message that becomes the starting point for a social engineering attack, manipulating users into giving up their credentials, sending money, disclosing sensitive data, etc.
Today, we’re seeing targeted phishing and pretexting attacks that are very well developed. The genuine appearance of these emails sent from stolen or fake identities can trick even the most security-conscious users. In addition, security practitioners we spoke with said they still see users clicking on phishing emails because they are unable to discern legitimate emails from fake ones.
Phishing tactics, techniques and procedures (TTPs) are too clever.
As security vendors create new capabilities to protect users from phishing emails that bypass pre-delivery filters, attackers are equally devoted to creating more clever ways to reach the inbox. An example of these attacks is a low-volume, high-quality targeted phishing email that appears to come from Microsoft 365 or Gmail, as shown below.
This fake email renders professionally and is personalized for specific users, as opposed to the traditional high-volume spray-and-pray campaigns of the past. These attacks are sophisticated both in their ability to reach the inbox and in the user experience on the back end. Each link opens the second step of the account sign-in challenge, with the user's email address already filled in. It already knows who you are.
Phishing innovation is now happening post-delivery, as in the above example. In other words, instead of putting the malicious URL in the email itself, phishers link to a redirect server that acts as a gateway: requests that appear to come from a security vendor's scanner are sent on to a benign site, while requests from the intended victims are directed to the phishing server.
The obfuscation methods developed over the years include identity deception, multiple redirections, URL splits, HTML tag manipulation, polymorphic malware, and dynamic obfuscated scripts, to name a few. We have seen skilled hackers combine numerous obfuscation techniques inside targeted phishing campaigns to hide the true intent of the target page, which is often a credential-harvesting page.
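As an added illustration (not code from SonicWall or the original post), the Python script below triages the links in a suspicious email for three of the signs described above: a URL that already carries the recipient's address (plain or base64-encoded, the "it already knows who you are" pre-population), a URL that wraps another URL in its query string or fragment (the shape of a redirect-gateway hop), and anchor text that displays one host while the real href points at another (HTML tag manipulation / identity deception). The sample email, the recipient address and every domain in it are constructed for this example.

```python
"""Link triage for a suspicious email body (constructed sample below).
Flags: recipient identity embedded in a URL, a URL nested inside another
URL (redirect gateway), and anchor text that disagrees with its href."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, unquote, urlparse

_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


class _LinkCollector(HTMLParser):
    """Collect (anchor text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def _identity_forms(email):
    """Forms in which a recipient address commonly rides along in a URL:
    plain text and (un)padded standard or URL-safe base64 of the address.
    Heuristic: base64 of the address prefixed by other data will not match."""
    raw = email.lower()
    forms = {raw}
    for enc in (base64.b64encode, base64.urlsafe_b64encode):
        forms.add(enc(raw.encode()).decode().rstrip("=").lower())
    return forms


def carries_recipient(url, recipient):
    """True if the URL embeds the recipient's address in any known form."""
    haystack = unquote(url).lower()
    return any(form in haystack for form in _identity_forms(recipient))


def nested_url(url):
    """Return a URL found inside the query string or fragment of `url`
    (the shape of a redirect-gateway / open-redirect hop), else None."""
    parts = urlparse(url)
    candidates = [unquote(v) for vals in parse_qs(parts.query).values() for v in vals]
    candidates.append(unquote(parts.fragment))
    for candidate in candidates:
        match = _URL_RE.search(candidate)
        if match:
            return match.group(0)
    return None


def display_mismatch(text, href):
    """Anchor text shows a URL whose host differs from the real href host."""
    match = _URL_RE.search(text)
    if not match:
        return False
    return urlparse(match.group(0)).hostname != urlparse(href).hostname


def triage(html, recipient):
    """Return [(href, [flags...]), ...] for every link in the body."""
    report = []
    for text, href in extract_links(html):
        flags = []
        if carries_recipient(href, recipient):
            flags.append("recipient-in-url")
        target = nested_url(href)
        if target:
            flags.append("redirect-gateway:" + urlparse(target).hostname)
        if display_mismatch(text, href):
            flags.append("display-mismatch")
        report.append((href, flags))
    return report


# Constructed sample: a storage-quota lure with three links (all domains fictitious).
RECIPIENT = "alice@example.com"
_B64_RECIPIENT = base64.urlsafe_b64encode(RECIPIENT.encode()).decode()
SAMPLE_HTML = f"""
<p>Your mailbox storage is almost full.</p>
<a href="https://gateway.example.net/r?u=https%3A%2F%2Flogin.example.org%2Fverify&amp;e={_B64_RECIPIENT}">Review now</a>
<a href="https://login.example.org/?login_hint={RECIPIENT}">https://mail.example.com/account</a>
<a href="https://docs.example.org/help">Help center</a>
"""

if __name__ == "__main__":
    for href, flags in triage(SAMPLE_HTML, RECIPIENT):
        print(f"{href}\n    {', '.join(flags) or 'no findings'}")
```

The checks are heuristics, not verdicts: a gateway that serves benign content to scanners and the phishing page to victims cannot be told apart offline, so an analyst would resolve the nested hop from a detonation environment that does not look like a vendor scanner, and treat "recipient-in-url" as a strong signal that the lure was targeted rather than sprayed.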
People are not perfect.
“Human beings are not creatures of logic; we are creatures of emotion. And we do not care what’s true. We care how it feels,” said Will Smith, a famous actor, rapper and perhaps even philosopher of our generation. These words have a deep connection to those who live and breathe cybersecurity. As long as human emotions can be manipulated, someone will eventually make a serious mistake; this is one of the many complex challenges security practitioners face, and it cannot be addressed through technology alone. While phishing prevention technologies are necessary, it is also essential to establish a cybersecurity awareness program.
Raise employee awareness with the SonicWall Phishing Quiz.
Aside from advancing the artificial intelligence and machine learning technologies inside its security tools, SonicWall's investment in training people to resist deception is part of a larger effort to help people become part of the solution instead of part of the problem.
The belief that security rests only on security practitioners and their technologies is dangerous, because when a phishing email inevitably does make it to the inbox, there is no further line of defense. Reducing this human risk factor requires a culture and mindset adjustment at both the corporate and the individual level, aimed at getting everyone consciously thinking and proactively involved as a key stakeholder in the organization's security.
In a simple but effective way, the SonicWall Phishing Quiz encourages people to stay aware and exercise healthy suspicion when checking and responding to emails. The quiz lets you interactively examine a series of sample emails, including their embedded links, to test your intuition and knowledge in distinguishing legitimate emails from phishing emails.
To measure your own ability to spot phishing emails, take the SonicWall Phishing Quiz today.