Every organization has sensitive data it wants to protect. Whether this is intellectual property, research and development data, or the personal information of their clients and employees, ample incentives exist for organizations to make the effort to secure their systems from attack.
One of the most common cyberattacks is called phishing. This occurs when someone lures an employee or volunteer into providing sensitive data such as a password or banking and credit card details. This post will describe what phishing techniques are commonly used nowadays and what you can do about them.
Securing Your IT Is Not Enough
Many organizations put a significant amount of money and effort into securing their networks. By deploying firewalls and other detection and protection solutions at the network perimeter, they raise the bar for attackers that attempt to breach the organization's network. Fortunately, these systems are often effective at protecting against conventional cyberattacks.
Unfortunately, these same systems are often ineffective against phishing, because phishing targets the person rather than the network. Hacking has become a business, and a core part of any business is doing things as efficiently as possible. By raising the cost of purely technical attacks, defenders have pushed attackers to look for easier ways in.
And they've found them: the human behind the keyboard. Phishing attacks are simple but very effective. As a result, organizations now need to focus their cybersecurity resources on teaching their employees how to prevent phishing attacks from compromising their systems.
The Phishing Threat
In the beginning, phishing attacks were fairly unsophisticated. The Nigerian Prince email scam is a fairly well-known one where someone claiming to be a Nigerian prince promises massive rewards for aid in moving their money out of the country. However, they need you to make a small payment to get the process started …
These scam emails deliberately included unbelievable pretexts and misspellings to help weed out unlikely targets. If someone actually replied to the email, there was a good chance that they'd fall for the entire scheme. As a result, there have been massive efforts to educate people about phishing attacks and what to look for.
And these efforts have mostly worked. To counter, attackers have begun developing and deploying increasingly sophisticated phishing and spear phishing attacks. Modern phishing attacks are designed to fool even the most cautious reader and to slip past email detection systems. Identifying these phishing emails often requires knowing about the latest methods used in phishing.
The Modern Phishing Attack
Phishing has become a cat-and-mouse game between cyber defenders building new tools to detect and block potential attacks and hackers finding ways to defeat these protections. Modern hackers use a variety of different techniques in order to trick the end user into giving up sensitive information.
Spoofed Login Pages
Fake login pages are nothing new in the phishing space. If a hacker can steal a user's login credentials, they have full access to the account, and to every other account where that password is reused. The main target of these attacks, however, has shifted from banking to software as a service (SaaS) offerings like Office 365. Access to such an account means access to every document stored on the service and to the user's mailbox. Both are likely to hold valuable data, and a compromised mailbox can then be used to phish the user's contacts, who have every reason to trust mail from that address.
Impersonation and Fake Invoices
An extremely effective tactic in business contexts is impersonating a party the recipient already trusts. The attacker may send a fake invoice in the name of one of the organization's suppliers, or an email that appears to come from the CEO instructing staff to wire money to close a recently made deal. The sending address is frequently a free webmail account with the executive's name as the display name, or a domain that looks almost like the organization's own. If the recipient falls for it, the attacker is paid directly, with no malware and no stolen password required.
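The checks a mail filter can run against the headers of a message like this are simple enough to show in full. The following is an added example written for this post in Python, not code from the original article; the organization domain, the executive directory and the four sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed organization details; hypothetical values for this example only.
ORG_DOMAIN = "example.org"
EXECUTIVES = {"jane doe": "jane.doe@example.org"}  # display name -> genuine address

# Character substitutions commonly seen in lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_domain(domain):
    """Fold common confusable spellings so examp1e.org compares equal to example.org."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def domain_of(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_findings(raw_message):
    """Return the reasons a message looks like sender impersonation (empty list if none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Display name of a known executive, but the address is not theirs.
    genuine = EXECUTIVES.get(from_name.strip().lower())
    if genuine and from_addr.lower() != genuine:
        findings.append("executive display name with a different address")

    # 2. Sender domain is a lookalike of our own domain.
    if (from_domain and from_domain != ORG_DOMAIN
            and normalize_domain(from_domain) == normalize_domain(ORG_DOMAIN)):
        findings.append("lookalike of organization domain")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From domain")

    return findings


# Constructed sample messages for the example (not real mail).
SAMPLES = {
    "ceo_from_webmail": (
        "From: Jane Doe <jane.doe.ceo@webmail.test>\n"
        "To: finance@example.org\n"
        "Subject: Urgent wire for the acquisition\n"
        "\n"
        "Please send the transfer today and keep this confidential.\n"
    ),
    "lookalike_supplier": (
        "From: Accounts Payable <billing@examp1e.org>\n"
        "To: finance@example.org\n"
        "Subject: Updated bank details for your invoice\n"
        "\n"
        "Our account number has changed, see attached.\n"
    ),
    "spoofed_with_replyto": (
        "From: Jane Doe <jane.doe@example.org>\n"
        "Reply-To: jane.doe.private@webmail.test\n"
        "To: finance@example.org\n"
        "Subject: Quick favour\n"
        "\n"
        "Are you at your desk? I need gift cards for a client.\n"
    ),
    "legitimate": (
        "From: Jane Doe <jane.doe@example.org>\n"
        "To: finance@example.org\n"
        "Subject: Board pack\n"
        "\n"
        "Attached for Thursday.\n"
    ),
}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:22s} {impersonation_findings(raw) or 'no findings'}")
```

The third sample is the important one: its From address is the executive's real one, so no amount of header inspection can tell it from genuine mail, and only the Reply-To gives it away. Stopping that case properly means publishing SPF, DKIM and a DMARC reject policy for your own domain so that receiving servers drop mail that claims your address without proof.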
Malicious Attachments
Malicious attachments are an extremely common way of delivering malware through phishing emails. The document might carry Microsoft Office macros, exploit a vulnerability in the PDF reader, or abuse some other flaw in whatever program opens the attachment. Attachments are also used to smuggle links past filters. In an Office document, the targets of ordinary hyperlinks are recorded in the package's relationship file (for a Word document, word/_rels/document.xml.rels), and some email scanners extract links only from there. An attacker can simply avoid registering the link that way: a URL typed as plain text in the body, or placed in a field code, never appears in the relationship file, so a scanner that looks nowhere else lets it straight through.
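To make that gap concrete, here is an added example in Python (not code from the original post) that builds a stripped-down Word package in memory and scans it two ways. The three URLs and the document contents are constructed for the example; only the two package parts the scan needs are written, so Word itself would not open the result.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespace URIs as used in real Word documents.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def build_sample_docx(rels_url, field_url, text_url):
    """Constructed sample package: one link in each of three places.

    rels_url is declared the normal way, as a hyperlink relationship.
    field_url sits inside a HYPERLINK field code and text_url in visible body
    text; neither of those two has an entry in the relationship file.
    """
    document_xml = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W_NS}"
            xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <w:body>
    <w:p><w:hyperlink r:id="rId1"><w:r><w:t>Open invoice</w:t></w:r></w:hyperlink></w:p>
    <w:p>
      <w:r><w:fldChar w:fldCharType="begin"/></w:r>
      <w:r><w:instrText xml:space="preserve"> HYPERLINK "{field_url}" </w:instrText></w:r>
      <w:r><w:fldChar w:fldCharType="separate"/></w:r>
      <w:r><w:t>View statement</w:t></w:r>
      <w:r><w:fldChar w:fldCharType="end"/></w:r>
    </w:p>
    <w:p><w:r><w:t>Or paste this into your browser: {text_url}</w:t></w:r></w:p>
  </w:body>
</w:document>'''
    rels_xml = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1" Type="{HYPERLINK_TYPE}" Target="{rels_url}" TargetMode="External"/>
</Relationships>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def urls_from_relationships(docx_bytes):
    """Rels-only scan: external hyperlink targets declared in any *.rels part."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == HYPERLINK_TYPE and rel.get("TargetMode") == "External":
                    found.add(rel.get("Target"))
    return found


def urls_from_document_text(docx_bytes):
    """Look at what the reader sees: run text (w:t) and field instructions (w:instrText)."""
    found = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    for tag in ("t", "instrText"):
        for node in root.iter(f"{{{W_NS}}}{tag}"):
            if node.text:
                found.update(URL_RE.findall(node.text))
    return found


def scan_docx(docx_bytes):
    """Union of both views; this is what a scanner should actually report."""
    return urls_from_relationships(docx_bytes) | urls_from_document_text(docx_bytes)


if __name__ == "__main__":
    sample = build_sample_docx("https://rels-link.test/invoice",
                               "https://field-link.test/statement",
                               "https://text-link.test/login")
    print("rels only:", sorted(urls_from_relationships(sample)))
    print("full scan:", sorted(scan_docx(sample)))
```

The rels-only scan reports one link; the full scan reports three. A field-code hyperlink is clickable in Word just like a relationship-backed one, and a plain-text URL only needs the reader to copy it, so a scanner that stops at the relationship file misses two of the three.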
Phishing via Messaging Apps
Most people only think of phishing in the email context; however, attackers are increasingly making use of messenger apps like Telegram or Facebook Messenger. On these apps, users may be less on their guard than when using email (which their cybersecurity awareness training has warned them about). This increases the probability of a successful attack for the phisher.
Phishing with Shared Files
Cloud storage is extremely useful for collaboration, but it also makes a convenient staging area for phishing. Email filters typically check a link in the message body against reputation lists, and a link to a well-known cloud storage service passes that check. Neither the email filter nor the storage service normally inspects the shared document for the links it contains, so the document itself can carry the link to the credential-stealing page. The cloud service lends its reputation to the first hop, and the victim reaches the fake login page on the second.
Protecting Your Organization
Phishing emails are a simple yet highly effective means for hackers to bypass security defenses and gain initial access to a target organization. The examples described above represent only a small sample of the methods used by hackers to trick users and anti-phishing software.
The sad truth of phishing is that it often works, and user credentials get compromised. Organizations therefore need to limit the damage a compromise can do. Here are some measures that can help.
Deploy two-factor authentication (2FA) on your important accounts. 2FA adds a second check to the login: after entering a username and password, the user must also present something else, most often a one-time code from an authenticator app or a text message, or a hardware security key. Cloud applications like Office 365 let you require 2FA for every user. One caveat: a code that is typed into a web page, whether it arrived by text message or from an app, can be relayed in real time by a phishing site that proxies the genuine login. Where the service supports it, prefer hardware security keys (FIDO2/WebAuthn), which are bound to the real site's address and cannot be replayed by a fake one.
A web application firewall (WAF) can help with the aftermath of credential theft. A WAF is an appliance, server plug-in, or filter that inspects the HTTP traffic to and from an application and applies predefined rules to it. It cannot tell a stolen password from the real user typing it, but it can rate-limit login attempts, block requests from known-bad addresses, and flag a burst of logins against many accounts from one source, which is what an attacker testing a list of phished or reused credentials looks like.
Staff and volunteer training is a must for organizations. Free services like Phishing.org have great training resources like their 10 Ways to Avoid Phishing Scams and their basic phishing quiz.
About the Author
Benjamin Campbell is an accomplished and experienced freelance writer who has featured in a number of high profile-publications and websites. If he's not reading the Financial Times, you'll find him listening to live music or at the coast surfing.
Additional Resources: IT Security
- TechSoup Courses' Cybersecurity Bundle
- Article: Nonprofits Beware: You Can Get Hacked Too
- Blog post and guide: Get the Guide: 12 Steps to Internet Safety for Nonprofits
- Webinar: Security and Privacy: What Nonprofits Need to Know