SPAM/Phishing emails arrive in most people’s mailboxes daily and are a well-known phenomenon that is on the rise – but people still fall victim to these emails on a regular basis. The sophistication of these emails is increasing and they look more and more realistic, so how do you avoid becoming another statistic of cyber-crime and keep your and your users’ data and credentials safe?
What are SPAM and Phishing emails?
SPAM emails are classed as unsolicited bulk email that can be sent with commercial, fraudulent or malicious intent – for the most part they are annoying, but harmless. Phishing emails, however, are a nasty sub-genre of spam email which normally try to direct you to a large, well-known website, such as a bank or email service provider, and ask you to log in and update some data. These would be details that the organisation would normally hold about you, which adds credibility to the email, e.g. card details for a bank.
The intent is for you to unwittingly enter your username and password, and other sensitive and private information, into a replica of a well-known website under the control of criminals, who will then use these credentials for a variety of purposes: simple theft, extortion, or quietly gaining access to secured systems for other nefarious activities including hacking, data theft or as a platform for further cyber-attacks on other systems.
Recent reports suggest that up to 50% of UK businesses have been affected by phishing and its consequences, whether that be financial or reputational loss, or loss of data.
How to protect against phishing attacks
Luckily there are many ways you can protect against these emails affecting you and your organisation.
- Make it difficult for these malicious users to reach your users in the first place. To help prevent the emails reaching your organisation, implement anti-spoofing tools such as DMARC, SPF and DKIM. Attackers trying to “spoof” legitimate email addresses to add credibility to their email will find that these tools flag any email that is faking the sender’s email address. This technical configuration is available for most email systems – ask us, your current IT service provider or your IT department how to implement this.
- Most email tools will now have a way to block/filter out any incoming SPAM/Phishing emails, however this can sometimes provide false positives and block legitimate emails if they contain multiple images, or have many website links, for example.
- User training - ensure that users are advised to report any suspicious emails and are educated that it is better to report an email and find it is legitimate than to click on a malicious one. To help train users you can show them some real-world examples of the type of email they may expect to receive. The main points to watch out for in a phishing email are urgency or pressure from higher up the management chain to get something done, or, as described below, emails from external sources that look credible but which fail certain key tests.
- Implement some common-sense protocols around things like setting up and authorising payments from your organisation - this will save many headaches. An urgent email from the MD to accounts to pay an overdue, and very critical, invoice should always be followed up with person-to-person confirmation. No non-routine payment is so critical that it needs to be made “in real time” without real human contact.
Many companies are also implementing two factor authentication on their payment workflows, such that no significant payment is made by the organisation without all of the key personnel involved being aware of the size, nature and destination of the payment and all approving it. Applications can be placed on people's computers or phones so that several key personnel need to additionally authenticate payments, with full oversight of each one.
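The anti-spoofing records mentioned above only help if they are configured to enforce something: an SPF record ending in “~all” or “+all”, or a DMARC policy of “p=none”, still lets spoofed mail through to the recipient. As an added example (not the author’s or EC2 IT’s own tooling), the following Python checks the three TXT records a domain publishes for the weak settings a practitioner looks for first. The records are constructed for the hypothetical domain example.com, and the DKIM public key is a placeholder rather than a real key.

```python
"""Sanity-check the SPF, DKIM and DMARC TXT records a domain publishes.

Added example for this article, not EC2 IT's tooling. The three records
below are constructed for the hypothetical domain example.com; the DKIM
public key is a placeholder, not a real key.
"""
import re

EXAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
EXAMPLE_DKIM = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"  # published at selector._domainkey.example.com
EXAMPLE_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"

# SPF mechanisms and modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TOKEN = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)


def check_spf(record):
    """Return a list of findings for an SPF record; an empty list means it enforces."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return ["record does not start with v=spf1, so receivers ignore it"]
    findings = []
    all_qualifier = None
    for token in tokens[1:]:
        qualifier = token[0] if token[0] in "+-~?" else "+"  # '+' is the default qualifier
        if token.lstrip("+-~?").lower() == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"'{all_qualifier}all' lets any host send as this domain")
    elif all_qualifier == "~":
        findings.append("'~all' (softfail) only marks unauthorised senders; '-all' rejects them")
    lookups = sum(1 for t in tokens[1:] if LOOKUP_TOKEN.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def _parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict (DKIM and DMARC share this form)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dkim(record):
    """Return findings for a DKIM key record; an empty list means the key is usable."""
    tags = _parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # 'v' is optional, but must be DKIM1 if present
        return ["v tag is not DKIM1; record is invalid"]
    findings = []
    if not tags.get("p"):
        findings.append("empty p tag: the key is revoked, signatures will not verify")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y testing flag: verifiers treat failed signatures like unsigned mail")
    return findings


def check_dmarc(record):
    """Return findings for a DMARC record; an empty list means it enforces."""
    tags = _parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["record does not start with v=DMARC1, so receivers ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p tag: record is not valid")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    if "rua" not in tags:
        findings.append("no rua address: you will receive no aggregate reports")
    return findings


if __name__ == "__main__":
    for name, record, check in (("SPF", EXAMPLE_SPF, check_spf),
                                ("DKIM", EXAMPLE_DKIM, check_dkim),
                                ("DMARC", EXAMPLE_DMARC, check_dmarc)):
        print(name, check(record) or ["ok"])
```

To use it on a real domain, fetch the TXT records (the SPF record at the domain itself, DKIM at selector._domainkey.domain, DMARC at _dmarc.domain) and pass each string to the matching function; a non-empty list is the reason the record is not yet protecting you.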
How to spot Phishing emails
It is increasingly difficult to spot phishing emails as cyber criminals are becoming more refined and skilled at creating content which to all intents and purposes looks legitimate. The level of sophistication that they employ is truly amazing - even seasoned IT professionals can be easily caught out by seemingly innocuous and genuine communications from household name companies, whether that be banks, software houses or cloud services.
Depending on the nature and scale of particular targets, some phishing attacks are even crafted and tailored to a select group of people in an effort to make the attack as convincing and successful as possible. Some of these attacks netted the criminals involved tens of millions of pounds, such as when the Austrian aerospace firm FACC AG was defrauded of 42 million euros, leading to the firing of its CFO and CEO. For the competent and skilled cyber criminal, phishing can be very lucrative.
In certain situations the technological complexity of an attack can make it nearly impossible to avoid; however, these are rare, and again tend to be targeted at specific organisations or individuals. On a day-to-day basis the best you can do is to educate yourself and your staff so that you can spot and avoid drive-by phishing attacks and keep your credentials and data secure.
Most basic attacks ask you to carry out some form of authentication like logging in to a website to either address some critical, though bogus, issue which they present with your account or to view or reply to some urgent message.
These emails always provide you with a link to click on, for your convenience, to take you straight to the login page for the particular service. This is the first point at which you should stop, check the authenticity of the email and, most importantly, check the link you have been given to click on. No credible service, whether that be your bank, your cloud services or any other system which requires you to log in to access online services, would ever contact you in this way. Simply hovering your mouse over the link is often a giveaway as to whether the email is legitimate. If the address displayed when hovering over the link doesn’t match the link text, alarm bells should ring instantly.
All reputable service providers and banks are aware of the threat that phishing poses and none would contact you in this manner to ask you to provide your credentials. Similarly, you should never provide this information over the phone if cold-called. Phishing attacks, especially the more sophisticated ones, are rarely carried out by email alone. Often they employ techniques such as social engineering or spear phishing to gather additional information to enable them to make their attacks more successful.
A useful habit is this: if you ever believe you need to log in to your account in response to one of these emails, even if the pointers below lead you to believe that the email may be credible, independently browse to the service’s front page and never click on any links inside unsolicited emails. This gives you the best chance of arriving at the authentic webpage, and not at an identical clone set up purely to capture your login details for further misuse.
Useful things to look out for when you receive an email which you are unsure about to help identify them as a potential phishing attempt:
- Check the real “from” or sender’s address. Even though these days this can be faked, spoofing is made harder by the email security protocols mentioned previously. Checking the actual from address of an email is never completely reliable; however, it will quickly throw up any poorly crafted suspects and allow you to confidently delete the email. Viewing the email’s “metadata” (its headers), which shows you all of the under-the-hood information about the sender and the sender’s location, will give you more information about where the email actually came from. As mentioned, this isn’t always reliable, but it is a good first port of call.
- Check the actual URL pointed to by any links provided within the email. Hovering the mouse cursor over a link contained within an email, without clicking on it, will reveal a small pop-up box with the actual destination of the link rather than what is displayed in the email. It is important to realise that you can type any text into an email and then assign any destination URL to it, but only the text is visible. Therefore, it is easy to type the URL of a known bank or online service provider in the body of the email and have the actual destination of the link bring you to an attacker’s own website under their control, which may look identical to the one referenced in the email body. However, as ever, the safest thing to do is to delete any such email and independently browse to the login page.
- Make sure that the links begin with the secure browsing prefix, HTTPS, and not HTTP, as the secure version is more likely to be easily verifiable as the correct website address. This is accompanied by a closed padlock icon beside the URL in the browser bar. Again, if the URL looks unfamiliar, then you can safely delete the email. Anything urgent from your bank will be notified to you either via a phone call or in writing, and any inter-departmental issues or payments that are urgent should never be left to a single email to action.
- The salutation used in an email is often unnecessarily generic. Phishing emails, particularly the more indiscriminate ones, often don’t know who the ultimate recipient of the email is. As such, they rarely carry a personalised salutation. Your bank, etc. know who you are and will often use your first name in any correspondence. Phishing emails, however, are often sent out to hundreds of thousands of recipients on lists of email addresses purchased in bulk expressly for this purpose, and they are often poorly formatted and don’t carry any personal information. The addresses are usually just harvested from websites or aggregated over time and exchanged between cyber criminals.
- Grammar and punctuation aren’t high on the list of many cyber criminals’ priorities - many fake emails have appalling spelling and structure, yet because they purport to originate from well-known websites they are still effective in duping many people.
- Be wary of the sense of emergency and panic they try to create - they want you to take action before thinking things through clearly. Whatever the emergency may be, it can wait another 60 seconds while you evaluate the safest and most sensible course of action.
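The checks in this list (sender authentication in the metadata, the real destination behind a link, HTTPS, generic salutation, urgency wording) can also be run automatically when triaging a reported email. As an added example, not the author’s tooling, the following Python reads a raw message, parses the Authentication-Results header that the receiving mail server adds, extracts every link with Python’s HTML parser and compares the displayed text with the real href, and then looks for a generic salutation and pressure words. Both sample messages are constructed: every address, host and link target in them is invented, and the Authentication-Results header is a simplified form of the real one.

```python
"""Flag common phishing indicators in a raw email message.

Added example for this article, not the author's tooling. Both messages
below are constructed: every address, host and link target is invented.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: failed authentication (simplified header),
# generic salutation, urgency, and a link whose text hides its destination.
PHISHING_SAMPLE = """\
From: "Example Bank Security" <alerts@example-bank-login.invalid>
To: customer@example.org
Subject: URGENT: your account will be suspended within 24 hours
Authentication-Results: mx.example.org; spf=softfail; dkim=none; dmarc=fail
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Customer,</p>
<p>We detected unusual activity. Verify your details immediately at
<a href="http://203.0.113.10/login">https://www.examplebank.invalid/login</a>
or your account will be locked.</p></body></html>
"""

# Constructed legitimate sample: verdicts pass, personal salutation, link text
# and destination agree, https throughout.
CLEAN_SAMPLE = """\
From: "Example Bank" <statements@examplebank.invalid>
To: customer@example.org
Subject: Your March statement is ready
Authentication-Results: mx.example.org; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/html; charset=utf-8

<html><body><p>Dear Jane,</p><p>Your statement is available at
<a href="https://www.examplebank.invalid/statements">www.examplebank.invalid/statements</a>.</p>
</body></html>
"""

URGENCY_WORDS = ("urgent", "immediately", "suspended", "locked", "within 24 hours")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear member", "dear account holder")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:  # inside an <a> element
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, or of a bare domain/path written as link text."""
    return urlparse(url if "://" in url else "http://" + url).hostname


def inspect_message(raw):
    """Return a list of indicator strings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = sender.rsplit("@", 1)[-1].lower()

    # 1. The receiving server's SPF/DKIM/DMARC verdicts from the message headers.
    auth = str(msg.get("Authentication-Results", ""))
    for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I):
        if verdict.lower() != "pass":
            findings.append(f"{method.lower()}={verdict.lower()} for {sender_domain}")

    # 2. Links: compare what is displayed with where the href really goes.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        real = host_of(href)
        shown = host_of(text) if "." in text else None  # text that itself looks like an address
        if shown and real and shown != real:
            findings.append(f"link text shows {shown} but points to {real}")
        if urlparse(href).scheme == "http":
            findings.append(f"link to {real} is plain http, not https")
        if real and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real):
            findings.append(f"link goes to a bare IP address {real}")

    # 3. Wording: generic salutation and pressure to act now.
    text = re.sub(r"<[^>]+>", " ", html).lower()
    subject = str(msg.get("Subject", "")).lower()
    if any(s in text for s in GENERIC_SALUTATIONS):
        findings.append("generic salutation instead of the recipient's name")
    urgent = [w for w in URGENCY_WORDS if w in subject or w in text]
    if urgent:
        findings.append("urgency language: " + ", ".join(urgent))
    return findings
```

Run `inspect_message()` over a message saved from the mail client as raw source (File > Save As in most clients); the phishing sample produces one finding per failed check, while the clean sample produces none. None of these heuristics is conclusive on its own, which is why the article’s advice to browse to the service independently still stands even for a message that passes them all.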
Phishing is not just fake emails and fake websites
It's important to realise that phishing isn't just restricted to indiscriminate batches of bogus emails. Often, depending on the size of the prize, a lot of effort goes in to the overall phishing campaign using different techniques to gain access to systems.
- One of the most common, which we have mentioned in many other articles, is “social engineering”, where people call multiple times and contact different people to glean little bits of information which they put together to form an increasingly convincing back-story to gain people’s trust. From this, further detailed information is harvested which builds a composite picture that can be used either to breach systems or to target certain individuals and gain their trust, as often, especially in larger organisations, you may never meet face-to-face certain people you deal with.
- Another technique is that of spear phishing, whereby individuals are targeted and researched, and a combination of attacks used to gain trust or further information. This can be anything from leaving USB drives carrying malicious payloads, to infect users’ computers, in places where certain employees may find them and use them unsuspectingly, thinking they’ve had some good fortune, to sending personalised phishing emails carrying malicious payloads to gain access to key individuals’ computers.
- Whale phishing is a particular phenomenon where certain senior personnel, who often place key biographical details online on corporate websites or publicly accessible intranets, are targeted and whose identities are used to push through attacks as subordinates often don't question emails they receive from much further up the command chain, particularly if the content is aggressive or urgent.
Phishing awareness and readiness tests
A common and very useful practice among proactive organisations is to carry out tests on staff to identify those who may need training, both in awareness and how to deal with phishing attacks, by carrying out a controlled phishing attack. A company such as EC2 IT can replicate the endeavours of the cyber criminal, obviously without the consequences, and report back to senior management any findings to do with workflow, awareness training needed or physical systems that require upgrading in order to make the business more resilient to this form of attack.
It is important to recognise that this kind of exercise should be purely to identify those who require training and support, and not to punish those who fail a particular phishing test. It is essential to have an atmosphere within the organisation in which people feel comfortable reporting that they believe they are the subject of, or have fallen victim to, a phishing attack, so that urgent remedial action can be taken. An organisational culture of fear about the implications of admitting a shortcoming, or of admitting to having been the victim of an attack, allows the consequences to run unchecked.
Create an environment where a user can report this issue without fear of punishment or blame, as blame could put other users off coming forward in the future. You should ask the user what they clicked and what information was disclosed. Any credentials or other information disclosed should be changed as soon as possible so that they cannot be used by a malicious user.
One of the easiest ways that you can ensure a solid defence against phishing attacks is to ensure your organisation has the appropriate software installed at every vulnerable point, i.e. on every computer, laptop and mobile device that users are allowed to use for corporate activities or to join to the corporate network, and to make sure that the software is up-to-date and has the functionality built in to detect and block malicious websites.
Most competent software packages these days have this functionality baked in already; if not, you should consider switching urgently. Also, most browsers these days, such as Chrome, Firefox and Internet Explorer, have some rudimentary filtering and blocking built in, but nothing can replace a corporate-grade solution through which all web traffic should be forced. Many more advanced firewalls (the devices that sit at the edge of the network between your users and the Internet) additionally have this functionality built in, which allows the examination and filtering of websites that users access, and many have the ability to filter out clones or phishing websites just as they have the ability to detect viruses or other malware.
As cyber criminals’ attacks become more realistic and sophisticated, the single most important thing any organisation can do to protect itself is to train and educate its users. This will be far more effective in the long run than any technological solution you can implement. Together with an effective IT policy and documented procedures for what to do in the event of a breach, you will minimise the chances of anything happening, and its impact when, not if, it does.
The pace of innovation that cyber criminals display is truly impressive. And, unfortunately, it seems, it will always slightly outpace the ability of software and security companies to meet these emerging threats. However, a well educated and enabled workforce can be the first and most effective line of defence.
Make sure you have the best tools available to safeguard against malicious activity and make sure you invest to keep these patched and up to date. The best defence is a combination of technical and non-technical approaches, as the volume and pace of threats doesn’t look like it’s slowing any time soon.
For further reading please visit: https://www.ncsc.gov.uk/phishing