a company's guide
Something smells phishy
Phishing attacks are on the rise. Truth be told, it’s really getting out of control. What used to be an annoyance for companies is quickly becoming a major security risk. To make matters worse, phishing attempts are also becoming more complex. Attackers are leveraging social media and hacking to engineer realistic communication schemes designed to engage and trick employees. It’s becoming more difficult to distinguish between fake and legitimate emails. More employees are becoming victims and more companies are losing thousands. The good news is that you can manage the risk. This guide is designed to inform your employees of this growing threat and identify steps to take to protect your company.
What is phishing?
Phishing is the fraudulent practice of sending emails purporting to be from reputable companies or known contacts in order to induce individuals either to reveal personal information (such as passwords and credit card numbers) or to carry out some form of financial transfer. Pronounced “fishing”, it’s a digital take on an angler casting a baited hook into the ocean, hoping to get bites. The practice was originally used to trick AOL users into voluntarily handing over sensitive information. Ultimately, phishing attempts are designed to get your money – either directly or indirectly. Today, phishing attacks leverage spoofing, hacking, and social engineering to maximize the chances of fooling you.
So what is email spoofing? It’s a tactic where scammers forge a sender’s email address or display name so that a message looks like it’s from a legitimate person or organization. The objective of spoofing is to trick the email recipient into thinking that a message is coming from a known contact or reputable source, in the hope that they’ll open it and take a specific action. A spoofed message will typically carry a legitimate-looking name and email address in the “From” field and a non-matching, bogus name and/or email address in the “Reply-To” field. Spoofing covers a wide range of tactics to make an email look legitimate, including using the real logos of the spoofed organization as well as registering an email domain name that closely resembles the legitimate one (e.g., [email protected] and [email protected]… notice the extra “l” in the example?). See the Phishing Scheme illustration below for more.
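The two header-level spoofing indicators described above (a From domain one character off from the real one, and a Reply-To that does not match the From domain) can be checked mechanically at the mail gateway or in a mailbox rule. The following is an added example, not part of the original guide; the two sample messages, the `mail-relay.invalid` reply address, and the trusted-domain list are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample: a spoofed message whose From uses a lookalike domain
# ("examplle.com", extra "l") and whose Reply-To points somewhere else.
SAMPLE_SPOOF = """\
From: Bill <bill@examplle.com>
Reply-To: accounts-payable@mail-relay.invalid
To: Linda <linda@example.com>
Subject: Q3 finance spreadsheet

Linda, please review the attached figures.
"""

# Constructed sample: a legitimate internal message with no such indicators.
SAMPLE_LEGIT = """\
From: Bill <bill@example.com>
To: Linda <linda@example.com>
Subject: Q3 finance spreadsheet

Linda, figures attached.
"""

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organization's own domains


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 means one inserted, deleted or swapped character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def spoof_indicators(raw: str) -> list:
    """Return the spoofing indicators found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    findings = []
    # Indicator 1: the From domain is a one-character lookalike of a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if from_dom != trusted and edit_distance(from_dom, trusted) == 1:
            findings.append(f"lookalike domain {from_dom} (near {trusted})")
    # Indicator 2: replies are routed to a different domain than the From domain.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.rpartition("@")[2].lower() != from_dom:
            findings.append(f"reply-to domain mismatch ({reply_addr})")
    return findings
```

A message that produces any finding is a candidate for quarantine or for a visible warning banner rather than automatic rejection, since a Reply-To mismatch alone also occurs in legitimate mail.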
Email hacking is different from email spoofing. In spoofing, someone sends an email from a fake email account pretending to be a legitimate or reputable account. With email hacking, the perpetrators obtain the username and password of a real account and send a real email to unsuspecting colleagues or business contacts in order to trick them. Needless to say, an email coming from an actual account is far more convincing than a spoofed email address – it is very difficult for the recipient to identify that message as a phishing message. A common scenario that we see in phishing schemes is a two-pronged attack: spoofing is used to obtain login credentials, which are subsequently used to hack an email account and ultimately send a real message to an unsuspecting victim requesting some sort of payment.
Phishing campaigns are also using social engineering to become more and more targeted. There’s a growing trend where hackers use publicly available information on social media sites (LinkedIn, Facebook, Twitter, Instagram, etc.) to engineer highly targeted and relevant phishing messages. We’ve seen instances where hackers build an organization chart to understand the hierarchy in a company and to identify who the key players are, then use it to devise a realistic phishing scheme.
The Phishing Scheme
Let’s put it all together to see how social engineering, spoofing, and hacking are combined to create a classic phishing scheme. Scammers study various social media sites and company websites to identify key players in an organization. In this case, let’s use an organization called Example Inc. as the target. Through social engineering they identify Linda (the CEO) and Bill (the CFO).
With a little more research they quickly identify their email addresses as [email protected] and [email protected]. The scammers then purchase a domain name called examplle.com – a very close match to the original (notice the extra “l”?). In turn, they create [email protected], a bogus email account for Bill (CFO) using the fake domain name they purchased. It looks authentic enough to send Linda (CEO) a spoofed email pretending to come from Bill’s account; the email body disguises the attack by sharing a finance spreadsheet via a link to a shared document.
The email appears to be legitimate and Linda is directed to click on the link to view the document. Upon clicking the link, Linda is taken to a fake Office 365 login page and is prompted for her username and password to retrieve the Excel file. The site looks legitimate, complete with the official Office 365 logo(s), color themes, and typeface. Linda enters her username and password and voila… the scammers have the information they need to hack into the CEO’s email account.
Once in control of Linda’s real account, they send a “real message” from it to Bill’s real account instructing him to pay a vendor invoice. Bill sees the message and clicks the link for the invoice payment.
The link sends Bill to a portal where he needs to complete the transaction. With full confidence that the request came from his CEO, Bill pays the fake invoice. And just like that, Example Inc. has become the victim of a classic phishing scheme. In this particular example, the loss was a direct financial hit. In other cases, the loss can also affect client data, resulting in damaging and immeasurable loss of reputation.
Policies are important because they inform all employees of their responsibilities and define the recommended best practices for keeping the organization secure. It is recommended that companies create a security policy that documents procedures for safeguarding against phishing attempts. If a company does not have formal Policies & Procedures documents, these procedures should be incorporated into the Employee Handbook. At the very least, the policies should define the actions that need to be taken in the event of a phishing attack. This includes whom to notify in the event of a breach and when to notify them. Policies should also include a description of the tools and configurations that the IT service provider needs to set up and maintain in order to protect against phishing attacks.
Think Before You Click
Employees usually have good intuition when it comes to identifying that something’s not right. They need to trust their instincts – and the company needs to remind them of that. Engage in an internal outreach campaign to remind employees to think before they click. If something feels even remotely strange, they should raise a flag. If an email message feels out of place, it most likely is. If a colleague, partner, or client sends them an email requesting or sharing something that they are not expecting, they should take caution. Questions that they should ask themselves include: Do I know the sender? Is this really them? Is their email address correct? Are there any questionable links? Is there anything suspicious about their writing (e.g., spelling, grammar, etc.)? Is the call to action unusual? If they answer “yes” or even “maybe” to any of these questions, they should take caution and contact IT.
Never Give Your Password
You’ve heard it before and we’ll say it again: use a complex password and do NOT share it with anyone. As noted above, a common practice in phishing schemes is to hack somebody’s email account and to use it to send “real” requests to unsuspecting colleagues, partners, or clients. If you’re sharing your password, you could be facilitating the hacking of your account. We have heard of scenarios in which someone pretending to be in IT calls an employee and asks them for a password. Don’t fall for this trick! Your IT Service Provider or IT Department should never ask employees for their password (if they do, there should be an immediate policy change to eliminate that, ASAP). Giving your password by telephone is not the only way to share it – if an email message contains a link that requires a login to retrieve a document, voicemail or what have you – it could be a ruse to get you to share it.
Employees should be reminded to always verify the authenticity of any request involving financial transactions or the release of sensitive information. If an employee receives an email from a colleague, partner, or client with an unusual call to action, such as a wire transfer or gift card purchase, they should call them and have them verify the request. It is important to note that emailing them to verify a request is not recommended, because their email account might be hacked. As a matter of good practice, voice verification should always be performed before any financial transaction is made.
If possible, employees should use Multi-Factor Authentication (MFA) to secure their email account. Also known as Two-Factor Authentication (2FA) or Two-Step Verification, it’s an authentication method in which an employee must provide two pieces of evidence (or factors) to confirm their identity. A user must prove their identity using a combination of something they know (a password) and something they have (a token, an SMS code, or an authenticator app prompt). MFA almost eliminates the possibility of an email account being hacked. While it will not protect you from spoofing, it will protect you from situations where scammers hack your account to send emails as part of a broader phishing scheme. If you don’t have MFA enabled, you should work with your IT Service Provider or IT Department to see if it can be enabled.
Advanced Threat Protection
If you’re using Office 365, you can set up ATP anti-phishing and anti-phishing policies. ATP anti-phishing protection, part of Office 365 Advanced Threat Protection, can help protect your organization from malicious impersonation-based phishing attacks. It checks incoming messages for indicators that the message may be phishing. Whenever a user is covered by an ATP policy (safe attachments, safe links, or anti-phishing), the incoming message is evaluated by multiple machine learning models that analyze it to determine whether the policy applies, and the appropriate action is taken based on the configured policy. With the growing complexity of these attacks, it’s difficult for even a trained eye to identify some of them. This is why cloud security such as advanced threat protection is becoming more and more important.
The risk of loss due to phishing attacks is very real. It’s also a growing risk. It should come as no surprise that more and more companies are considering insurance policies to protect themselves against direct and indirect losses caused by cyberattacks. If this is something you are considering, it is important that you discuss it with your insurance broker. Keep in mind that not all cyberattack insurance policies are equal. Not all cyberattack policies will cover losses specific to phishing. Discuss these details with your broker.
Establish a Training Program
Establishing policies and procedures to safeguard against phishing attacks is one thing – ensuring that all employees are aware of them (and understand them) is another. Beyond policies and procedures, it’s also critical for employees to be well versed in the proper usage of the various tools and software that you have in place to secure the organization. This is where a training program can really help. It provides a structured and consistent approach to ensure that both existing and future employees are properly trained and informed. A training program should not be limited to just phishing attacks and other corporate policies. It should include comprehensive technical training for all of the software and services that your organization uses (e.g., your productivity and collaboration software, telephone usage, IT support process, remote file access, videoconferencing, etc.). Training delivery can be simple – you can create content and assemble a collection of PDF documents in a shared folder. If you want more functionality and do not want to create and manage content yourself, we recommend that you invest in a training platform, such as FSi’s Training & Adoption Management solution – a fully managed web-based platform that’s fully integrated into your Office 365, SharePoint, and Teams interfaces.