I’m willing to bet that you or someone at your company has already been the victim of a phishing attack. With email displacing in-person and telephone conversations, particularly now that so many people are working remotely, it has become the preferred attack vector for many criminal organizations, so I feel pretty confident that the odds of winning that bet are in my favor. Let’s take a look at what phishing is, how and why it’s done, and what you can do to keep you, your employees, and your company safe.
Email-related cyber-attacks have been on the rise year after year, with the United Nations reporting a 600% increase in malicious emails during the COVID-19 pandemic. Threat actors have noticed that employees are more vulnerable while working from home, because some of the security controls in place at the workplace do not reach an individual computer on a home network.
What is phishing?
According to the US Cybersecurity & Infrastructure Security Agency (CISA), phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques. Phishing emails are crafted to appear as if they have been sent from a legitimate organization or known individual.
It’s scary how easy it is to fall victim to these attacks. There are two common phishing methods. The first entails the victim clicking on a link that takes them to a fraudulent website or landing page that looks legitimate. The attacker uses the page to steal usernames and passwords, personally identifiable information (PII), credit card numbers, and other information. The second technique is to attach a file to the email that installs malware on the victim’s computer when opened. Attackers then use this malware to gain remote access to the victim’s computer, and from there they can pivot to other systems on the network or steal documents and other information from the compromised system.
What is the attacker’s goal?
They want control of your system. According to MITRE ATT&CK, a globally accessible knowledge base of adversary tactics and techniques, attackers use phishing to gain initial access to an organization’s environment and then work their way up to administrator-level access. Once there, they can launch a ransomware attack, exfiltrate confidential data, and cause business disruption and financial loss. Security organizations such as Abacode use the framework to understand an attack kill chain and stop it as early as possible.
Here’s one scenario to illustrate how quickly this can happen. An attacker, impersonating a provider from a look-alike email domain, sends a phishing email to the finance department requesting that the payment details on the provider’s existing account be changed. If the attack is not detected and the payment details are changed, the next time the provider is paid, the money will be sent to the attacker’s bank account and not to the provider’s bank account.
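The look-alike domain in that scenario is something a mail pipeline can check for before the message ever reaches the finance team. The following is an added example, not code from the original post or from Abacode: it compares the sender’s domain against a list of trusted vendor domains, folding common homoglyph substitutions (such as `rn` for `m` or `0` for `o`) and using edit distance to catch one- or two-character typosquats. The vendor list, the sample addresses and the distance threshold are assumptions made for illustration.

```python
"""Look-alike sender-domain check for vendor impersonation.

Added example, not part of the original post. The trusted vendor list,
the sample addresses and the edit-distance threshold are assumptions.
"""

# Trusted vendor domains (constructed sample data).
TRUSTED_VENDOR_DOMAINS = {"acme-supplies.com", "northwind-parts.com"}

# Character substitutions attackers commonly use to imitate a domain.
# Multi-character forms (rn -> m, vv -> w) are folded before single chars.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lower-case the domain and fold common homoglyphs to the real character."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_part(domain: str) -> str:
    """Drop the TLD so 'acme-supplies.co' and 'acme-supplies.com' compare on the label."""
    return domain.rsplit(".", 1)[0]


def classify_sender(address: str, trusted=TRUSTED_VENDOR_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike:<vendor domain>' or 'unknown' for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for vendor in trusted:
        vendor_norm = normalize(vendor)
        # Homoglyph-only impersonation: acrne-supplies.com, acme-supplies.c0m
        if norm == vendor_norm:
            return f"lookalike:{vendor}"
        # Typosquat or swapped TLD: acme-suppliez.com, acme-supplies.co
        if levenshtein(registrable_part(norm), registrable_part(vendor_norm)) <= max_distance:
            return f"lookalike:{vendor}"
        # Vendor domain embedded in a longer one: acme-supplies.com.billing-portal.net
        if vendor_norm in norm:
            return f"lookalike:{vendor}"
    return "unknown"


if __name__ == "__main__":
    for sender in ["ap@acme-supplies.com", "ap@acrne-supplies.com",
                   "billing@acme-supplies.co", "someone@example.org"]:
        print(sender, "->", classify_sender(sender))
```

A `lookalike:` verdict is the trigger for the out-of-band verification step described under financial controls below: the request is held and confirmed by a phone call to the number on record, never through the email thread itself. Note that this check only covers domains that imitate a known vendor; a compromised real vendor mailbox passes it, which is why the verification call is still needed.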
Seven controls you can implement to mitigate the risk associated with phishing emails
There is no silver bullet that eliminates the cyber risk associated with phishing attacks. However, by implementing mitigating controls as part of a comprehensive cybersecurity program, the risk of compromise due to phishing can be greatly reduced.
The following seven controls are critical to protect your organization from phishing attacks:
- Email Security Gateway: The recommended first line of defense is an Email Security Gateway that monitors inbound and outbound email, keeps unwanted messages from landing, scans attachments and links for malware, and blocks mail from suspected sources. Top market solutions include Microsoft Advanced Threat Protection (ATP) for Office 365, Mimecast, Barracuda, and Proofpoint, among many others. None of these can be set up and forgotten; they require constant monitoring and administration to remain effective.
- Cybersecurity Awareness Training: Even with the best email security gateway, some phishing emails are going to land, and users are going to have to deal with them. Some experts in the industry say that humans are the weakest link in cybersecurity. Quite the contrary, I believe humans are the biggest opportunity for organizations to improve their cybersecurity. Well-trained employees are able to identify phishing emails, report them, and avoid acting on the attacker’s requests.
- Regular Phishing Campaigns: Validating the knowledge acquired through formal awareness training with simulated phishing campaigns is critical for identifying team members who need additional training and attention. Regular campaigns also keep employees alert and engaged in their role as security agents of the organization.
- 24/7 Cybersecurity Monitoring: As mentioned before, there is no silver bullet that stops phishing emails. Consequently, the email platform, the network, and the endpoints used to access email need to be monitored. If a phishing email lands and the user clicks the link, downloads the attachment, or enters credentials, it is critical to identify the incident as early in the MITRE ATT&CK sequence as possible. With a proper monitoring solution, a phishing attack can be detected from several signals: network traffic to the credential-harvesting landing page, malware installation on the endpoint, outbound communication to a command-and-control server, and logons from unusual locations and geographies, including two logons for the same account from countries too far apart to travel between in the time elapsed.
- Enhanced Financial Controls: Financial controls need to account for the scenario in which the email platform is compromised and a message that looks legitimate actually comes from a threat actor. For instance, any email request to modify payment details, payroll, or any other transactional system should be validated through a separate channel, such as a telephone call to the number on record, never the number provided in the email. Similarly, ACH and wire transfers should go through an established approval chain for transactions over a set amount, for instance $10,000. Lastly, bank accounts need to be monitored daily, and every available security notification should be enabled.
- Multi-Factor Authentication (MFA) Everything: In most cases, phishing succeeds against systems that do not have MFA enabled. Yes, there are techniques to compromise accounts that have MFA enabled, such as proxy phishing pages that relay a one-time code in real time, but at the moment those are far less common than plain credential theft. Starting with the email platform, every system reachable from the Internet should require MFA, whether as a code sent by text message, an authenticator app, or a physical token. Of these, a text-message code is the weakest option and a hardware token the strongest, so prefer app- or token-based MFA where you can.
- Email Policy: An email policy defines what acceptable use of the email platform is according to your business and security requirements. Without a properly established and disseminated email policy, team members will make their own assumptions about acceptable use, which in some cases could leave the organization exposed to cyber risk.
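To make the monitoring item above concrete, here is an added example of two of the logon-based detections it lists, written for this page and not taken from any vendor’s product or from Abacode: a successful logon from a country the user has never used, and two successful logons from different countries closer together in time than travel would allow. The log lines, the per-user baseline of known countries and the two-hour travel window are constructed assumptions; in production the baseline would be learned from weeks of sign-in history and the events would come from the email platform’s audit log.

```python
"""Detect suspicious logons that follow the reuse of a phished credential.

Added example, not part of the original post and not any vendor's detection
logic. The log lines, the per-user baseline and the travel window are
constructed assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample logon events: timestamp,user,country,source_ip,result
SAMPLE_LOGONS = """\
2021-03-01T08:02:11Z,jdoe,US,203.0.113.10,success
2021-03-01T17:45:03Z,jdoe,US,203.0.113.10,success
2021-03-02T08:10:40Z,asmith,US,198.51.100.7,success
2021-03-02T09:15:22Z,jdoe,US,203.0.113.10,success
2021-03-02T10:03:55Z,jdoe,NG,192.0.2.44,success
2021-03-02T14:20:00Z,asmith,US,198.51.100.7,success
2021-03-03T02:05:09Z,asmith,RU,192.0.2.99,failure
2021-03-03T02:05:40Z,asmith,RU,192.0.2.99,success
"""

# Countries each user normally signs in from (assumed baseline).
KNOWN_COUNTRIES = {"jdoe": {"US"}, "asmith": {"US"}}

# Two successes from different countries inside this window are flagged.
TRAVEL_WINDOW = timedelta(hours=2)


def parse_logons(text):
    """Parse the CSV-style lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, ip, result = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "country": country, "ip": ip, "result": result,
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_new_country(events, baseline=KNOWN_COUNTRIES):
    """Successful logon from a country the user has never used before."""
    alerts = []
    for e in events:
        known = baseline.get(e["user"], set())
        if e["result"] == "success" and e["country"] not in known:
            alerts.append(("new_country", e["user"], e["country"], e["time"]))
    return alerts


def detect_impossible_travel(events, window=TRAVEL_WINDOW):
    """Two successful logons from different countries within `window`."""
    alerts = []
    last_success = {}  # user -> most recent successful event
    for e in events:
        if e["result"] != "success":
            continue  # failures do not establish a location
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["time"] - prev["time"] <= window:
            route = prev["country"] + "->" + e["country"]
            alerts.append(("impossible_travel", e["user"], route, e["time"]))
        last_success[e["user"]] = e
    return alerts


def run_detections(text=SAMPLE_LOGONS):
    """Run both detectors over the log text and return all alerts."""
    events = parse_logons(text)
    return detect_new_country(events) + detect_impossible_travel(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(*alert)
```

On the sample data, jdoe’s logon from NG fires both detectors (new country, and only 48 minutes after a US logon), while asmith’s RU logon fires only the new-country rule because it comes almost twelve hours after the last US success. Both alerts are the point at which the account gets its sessions revoked and its password reset, ideally before the attacker has moved from the mailbox to the rest of the environment.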
Phishing attacks and other cybersecurity threats are only going to increase, so it’s essential to stay one step ahead. That’s not easy when security isn’t your business. It is ours, and we’d welcome a conversation on how we can help.