
Can You Catch All the Phish? Take Our New Phishing IQ Quiz and Find Out!

Sometimes you realize it just a split-second too late. A wave of terror passes over you as you wonder, What did I just click? I think I’ve really messed up!

If this sounds familiar to you, don’t beat yourself up. Being duped by a good phishing scam can happen to the very best of us, and you’re joining millions of innocent victims worldwide who have done the same.

But it’s also important to take immediate action and to know what you need to do to avoid repeating the mistake. The human element contributes to 82% of breaches, according to the 2022 Verizon DBIR. Besides employing security technologies to prevent phishing attacks, companies must also take a hardline approach to educating people on how to spot phishing emails.

To help avoid email scammers continuing to get the better of us, SonicWall is thrilled to announce our new online Phishing Quiz. This quiz is designed to help educate users on how to recognize common signs of a phishing email. And because it’s interactive, it’s more engaging and informative than a simple email or handout would be.

Email is often the first attack vector.

The lessons of past data breaches show that successful attacks use multiple tactics, techniques and procedures (TTPs) to compromise the user, and that in those events email was the first vector to deliver at least one of the following:

  1. The initial URL, in the form of a link to an exploit kit or phishing website
  2. The malicious attachment, in the form of a dropper or payload
  3. A pretexting message that becomes the starting point for a social engineering attack, manipulating users into giving up their credentials, sending money, disclosing sensitive data, etc.

Today, we’re seeing targeted phishing and pretexting attacks that are very well developed. The genuine appearance of these emails sent from stolen or fake identities can trick even the most security-conscious users. In addition, security practitioners we spoke with said they still see users clicking on phishing emails because they are unable to discern legitimate emails from fake ones.

Phishing tactics, techniques and procedures (TTP) are too clever.

As security vendors create new capabilities to protect users from phishing emails that bypass pre-delivery filters, attackers are equally devoted to creating more clever ways to reach the inbox. An example of these attacks is a low-volume, high-quality targeted phishing email that appears to come from Microsoft 365 or Gmail, as shown below.

Phishing emails are now more advanced. Attackers can replicate MFA screens to steal credentials.

This fake email renders professionally and is personalized for specific users, as opposed to the traditional high-volume spray-and-pray campaigns of the past. These attacks are sophisticated in both their ability to reach the inbox and the user experience on the back end. Each link brings up the login window of the second page of the account challenge, which pre-populates the user’s email address. It already knows who you are.

The phishing innovation curve is now happening post-delivery, as in the above example. Instead of putting the malicious URL directly in the email, phishers link to a redirect server that acts as a gateway: requests that originate from a security vendor are sent to a benign site, while requests coming from the intended victims are directed to the phishing server.

The obfuscation methods developed over the years include identity deception, multiple redirections, URL splits, HTML tag manipulation, polymorphic malware, and dynamic obfuscated scripts, to name a few. We have seen skilled hackers combine numerous obfuscation techniques inside targeted phishing campaigns to hide the true intent of the target page, which is often a credential-harvesting page.

People are not perfect.

“Human beings are not creatures of logic; we are creatures of emotion. And we do not care what’s true. We care how it feels,” said Will Smith, a famous actor, rapper and perhaps even philosopher of our generation. These words have a deep connection to those who live and breathe cybersecurity. The notion that as long as human emotions can be manipulated, someone will likely make a bad mistake underscores one of many complex challenges for security practitioners to fix, but it cannot be addressed through technology alone. While phishing prevention technologies are necessary, it is also essential to establish a cybersecurity awareness program.

Raise employee awareness with the SonicWall Phishing Quiz.

Aside from advancing the artificial intelligence and machine learning technologies inside its security tools, SonicWall's investment in training humans to resist deception is part of a more significant effort to help people become part of the solution instead of part of the problem.

The belief that security rests only on security practitioners and their technologies is dangerous, because when a phishing email invariably does make it to the inbox, there is no further line of defense. To reduce this human risk factor requires a culture and a mindset adjustment at the corporate and the individual level, aimed at getting everyone consciously thinking and proactively involved to become a key stakeholder in an organization’s security.

In a simple but effective way, the SonicWall Phishing Quiz encourages people to stay aware and exercise healthy suspicion when checking and responding to emails. The quiz lets you interactively examine a series of sample emails, including embedded links, to test your intuition and knowledge in distinguishing legit versus phishing emails.

The Phishing IQ Test evaluates your ability to identify fraudulent emails using real examples of common phishing attacks.

To measure your own ability to spot phishing emails, take the SonicWall Phishing Quiz today.


Phishing Threats – How to Identify and Avoid Targeted Email Attacks

Phishing threats have been around for years. By now anyone can easily detect a fake email, right?

Wrong. How confident are you that you wouldn’t divulge your password, credit card info or online identity? Here is a quick refresher on phishing threats and what you can do to protect yourself.

What is Phishing?

As you may already know, phishing threats involve malicious emails that attempt to get you to disclose your personally identifiable information (PII) in order to compromise your personal identity or corporate data.

Hackers create emails that look like official communications from familiar companies. These are sent to millions of unsuspecting addresses in hopes that someone will follow the links and share sensitive information that the hackers can exploit. These phishing emails employ a variety of techniques.

How to Spot Phishing Attacks

The best way to protect yourself from phishing threats is to recognize and avoid these common phishing tactics:

  • Generic greetings: The opening lines of phishing emails are often very vague and general in nature.
  • Typos or Poor Grammar: A poorly written email is less likely to have come from a legitimate company. In addition, do not be tricked if the email happens to include a legitimate-looking logo.
  • Urgency: Phishing emails often sound alarmist, trying to scare you into taking action (and sharing your information) immediately.
  • Fake Links: Phishing emails routinely obscure the URL addresses, and instead take you to an unsecured site where your sensitive data is solicited. To see exactly where a link will take you, simply hover over it. If in doubt, don’t click it. Instead, open a new browser session and manually enter the address (i.e., don’t copy and paste) you want to visit.
  • Attachments: Malware delivered via an email attachment runs when the attachment is opened, allowing a hacker to exploit vulnerabilities on your computer. Never open an attachment unless you are sure it is legitimate, safe and expected. Be cautious with any unexpected invoices from companies you’re not familiar with, as attachments might contain malware that installs upon opening.
  • Spoofed Sender: A forged sender address makes it easier for a hacker to impersonate someone you’d normally trust (e.g., a coworker, bank or government agency).
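The tactics listed above are exactly the signals a mail-filtering rule or a triage script looks for after delivery. The following Python script is an added example, not SonicWall code and not part of the original post: it turns each bullet (generic greeting, urgency, link text that does not match the real href, unencrypted links, risky attachments, and a display name or Reply-To that disagrees with the actual sender domain) into a small check and runs them over two constructed sample messages. The wordlists, the "last two labels" domain approximation and the message dictionaries are assumptions chosen for illustration; a production filter would use a public-suffix list and tuned term lists. It deliberately does not fetch any link, since, as the post notes, redirect gateways show scanners a benign page.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical wordlists; a real deployment would tune these to its own mail.
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear valued member")
URGENCY_TERMS = ("immediately", "within 24 hours", "suspended", "urgent", "verify now", "will be closed")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".iso", ".html", ".htm", ".zip")


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain (assumption)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_address(addr):
    return addr.rpartition("@")[2].lower()


def host_in_text(text):
    """If the visible link text looks like a URL or bare hostname, return its host."""
    candidate = text.strip()
    if not re.match(r"^(https?://)?[a-z0-9.-]+\.[a-z]{2,}(/|$)", candidate, re.I):
        return None
    if "://" not in candidate:
        candidate = "http://" + candidate
    return urlparse(candidate).hostname


def score_email(msg):
    """Apply the phishing-tactic checks to one message dict; return sorted finding labels."""
    findings = []
    from_name, from_addr = parseaddr(msg.get("from", ""))
    from_domain = domain_of_address(from_addr)

    # Spoofed sender: display name carries an address from another domain, or Reply-To diverges.
    name_match = re.search(r"[\w.+-]+@([\w.-]+)", from_name)
    if name_match and registrable_domain(name_match.group(1)) != registrable_domain(from_domain):
        findings.append("spoofed-sender")
    reply_to = parseaddr(msg.get("reply_to", ""))[1]
    if reply_to and registrable_domain(domain_of_address(reply_to)) != registrable_domain(from_domain):
        findings.append("reply-to-mismatch")

    # Generic greeting and urgency: plain-text view of the body.
    text = re.sub(r"<[^>]+>", " ", msg.get("body_html", "")).lower()
    if any(greeting in text for greeting in GENERIC_GREETINGS):
        findings.append("generic-greeting")
    if sum(term in text for term in URGENCY_TERMS) >= 2:
        findings.append("urgency")

    # Fake links: visible URL points at one domain, href at another; or plain http.
    parser = LinkExtractor()
    parser.feed(msg.get("body_html", ""))
    for shown, href in parser.links:
        target = urlparse(href)
        shown_host = host_in_text(shown)
        if shown_host and target.hostname and registrable_domain(shown_host) != registrable_domain(target.hostname):
            findings.append("link-text-mismatch")
        if target.scheme == "http":
            findings.append("unencrypted-link")

    # Attachments: executable or script-like extensions.
    for name in msg.get("attachments", []):
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append("risky-attachment")
    return sorted(set(findings))


# Constructed sample messages (not real mail); documentation-reserved example domains.
PHISH = {
    "from": '"security@bank.example" <alerts@bank-secure-update.example>',
    "reply_to": "verify@mailbox-collector.example",
    "body_html": ('<p>Dear Customer,</p><p>Your account will be suspended within 24 hours '
                  'unless you verify now.</p>'
                  '<p><a href="http://198.51.100.7/login">https://www.bank.example/login</a></p>'),
    "attachments": ["invoice.pdf.exe"],
}
LEGIT = {
    "from": '"Acme Billing" <billing@acme.example>',
    "body_html": ('<p>Hi Dana,</p><p>Your March statement is ready. You can view it at '
                  '<a href="https://billing.acme.example/statements">'
                  'https://billing.acme.example/statements</a> whenever convenient.</p>'),
    "attachments": ["statement-march.pdf"],
}

if __name__ == "__main__":
    for label, msg in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_email(msg))
```

Each finding maps back to one bullet, so the output doubles as the explanation a user would get in a warning banner. Note that the hover check the post recommends is the same comparison `link-text-mismatch` makes: what the link shows versus where the href actually goes.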

Take the Phishing IQ Test

Interested in seeing how good you are at telling the difference between a legitimate website and one that is a phishing attempt? Take the SonicWall Phishing IQ Test to find out.