Phishing attacks explained: What they are and how to stop employees from taking the bait

Analysis: One of the most common attacks is actually one of the most mundane and preventable.

The pop culture image of a cyber-attack is a complex hacking operation by a figure sat in a darkened room, with green lines of binary code flashing across the screen and the sound of frenzied typing on a keyboard.

However, one of the most common types of hack is a lot less complex and glamorous than this. In fact, there are probably examples of it sitting in your email Junk Folder right now.

According to Cyber Security Partners (CSP), there are 156 million phishing emails sent every day.

A common scam at the moment, for example, sends an email to all of an affected user’s contacts, claiming to have been stranded at a foreign airport and asking for money to fly home.

This is spear phishing, which Norton defines as “an email that appears to be from an individual or business that you know. But it isn’t.”

Email has been used for decades, and phishing emails have existed in parallel with it. But the growing amount of information that people put online is making targeted phishing scams more common.

“Attackers tap this information to profile victims and create email messages crafted to appear to come from a trusted source – like their CEO – in a context that puts the targeted victim at ease,” says John Wilson, Field CTO of Agari.

“The end game is to get the selected employee to share confidential business information, open a viral email attachment or click to a malicious web page.”

Just think how much more effective and dangerous the above example could be if the email dropped in a load of personal information: “I am on holiday in Spain” becomes “I am on holiday in Spain with [spouse’s name] and we have left [child’s name] alone at home.”

This is a common enough problem for consumers, but with enterprises where the prizes are a lot greater, it is one of the key entry points for organisations.

“Phishing is still the weapon of choice for cyber criminals and the entry point for a broad range of attacks as it involves human beings – an organisation’s weakest link. It is one of the easiest and most common ways to infiltrate and get malware into an organisation,” says Rashmi Knowles, Chief Security Architect for EMEA at RSA, the security division of EMC.

Phishing was the vector in the attack on Snapchat on 26 February, when a scammer impersonated Snapchat CEO Evan Spiegel in a request for employee information.

One employee fell for the scam, providing the payroll information of around 700 current and former employees.
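The Snapchat incident and Wilson's description above share one pattern: the display name says "CEO", the underlying address does not. The following script is an added example of a mail-gateway check for that pattern; it is not code from the article or from any vendor quoted in it. The executive roster, the organisation's domains and the sample headers are all constructed for the illustration.

```python
"""Flag inbound mail whose display name matches an executive but whose address does not.

Added illustration of the "appears to come from your CEO" pattern. The roster,
the organisation domains and every sample message below are constructed.
"""
import re
from email.utils import parseaddr

# Constructed organisation domains: anything else counts as external.
ORG_DOMAINS = {"example.com"}


def normalise_name(name: str) -> str:
    """Lower-case, keep letters only and sort tokens so 'Doe, Jane' == 'JANE DOE'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


# Constructed roster: normalised display name -> the only address that name may use.
EXECUTIVES = {
    normalise_name("Jane Doe"): "jane.doe@example.com",
}


def check_message(headers: dict) -> list:
    """Return the reasons a message looks like executive impersonation (empty list = clean).

    Only messages whose From display name matches a roster entry are examined; a
    mismatch between that name and the real address, or a Reply-To pointing
    outside the organisation, is reported.
    """
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    expected = EXECUTIVES.get(normalise_name(display))
    if expected is None:
        return reasons  # display name does not claim to be an executive
    if addr != expected:
        domain = addr.rpartition("@")[2]
        where = "internal" if domain in ORG_DOMAINS else "external"
        reasons.append(f"executive display name on unexpected {where} address {addr}")
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and reply_addr.lower().rpartition("@")[2] not in ORG_DOMAINS:
        reasons.append(f"Reply-To diverts replies to external address {reply_addr}")
    return reasons


# Constructed sample headers: one genuine, two impersonation attempts, one unrelated sender.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example.com>", "Subject": "Board pack"},
    {"From": "Jane Doe <jane.doe@example-hr-portal.net>", "Subject": "Payroll export needed today"},
    {"From": '"Doe, Jane" <jane.doe@example.com>', "Reply-To": "ceo.office@webmail.example",
     "Subject": "Quick favour"},
    {"From": "Bob Smith <bob@partner.example>", "Subject": "Invoice 1234"},
]


def audit(messages: list) -> list:
    """Run check_message over a batch and return the list of reason-lists, one per message."""
    return [check_message(m) for m in messages]


if __name__ == "__main__":
    for msg, reasons in zip(SAMPLE_MESSAGES, audit(SAMPLE_MESSAGES)):
        print(msg["From"], "->", reasons or "ok")
```

The check is deliberately narrow: it only fires when the display name claims to be someone on the roster, so ordinary external mail is untouched, and the two signals it reports (address mismatch, external Reply-To) are exactly the ones a recipient cannot see at a glance in a mail client that shows only the display name.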

However, in many ways some of the biggest companies still seem to be unaware of the risk of phishing. According to CSP, only 17 companies in the FTSE 250 are using the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard to prevent email scams. This authentication protocol enables senders to monitor and protect a domain from fraudulent email.

Of these 17 companies in the FTSE 250 using the standard, only six are using the standard to quarantine or reject malicious email, leaving 97 percent of FTSE 250 companies exposed.
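The gap between the 17 companies that publish DMARC and the six that enforce it comes down to one tag in the DNS record. The script below is an added example that classifies a DMARC TXT record by how much protection it actually provides; it is not code from the article or from CSP. The sample records are constructed and stand in for a DNS lookup of `_dmarc.<domain>`, so no real company's record is queried or reproduced.

```python
"""Classify DMARC TXT records by how much protection they give.

Added example; the sample records are constructed and stand in for a DNS
lookup of _dmarc.<domain>. Tag semantics follow RFC 7489 defaults:
pct defaults to 100 and sp (subdomain policy) defaults to p.
"""
from typing import Optional

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a {tag: value} dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify_dmarc(record: Optional[str]) -> str:
    """Return 'missing', 'invalid', 'monitor-only', 'partial' or 'enforcing'.

    missing      no record published
    invalid      not a v=DMARC1 record with a recognised p= tag
    monitor-only p=none: reports only, spoofed mail is still delivered
    partial      quarantine/reject, but pct<100 or subdomains left at none
    enforcing    quarantine/reject on 100% of mail, subdomains included
    """
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"
    if policy not in ENFORCING:
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    subdomain_policy = tags.get("sp", policy).lower()
    if pct < 100 or subdomain_policy not in ENFORCING:
        return "partial"
    return "enforcing"


# Constructed sample records (not any real organisation's DNS).
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "rollout.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@rollout.example",
    "subdomains-open.example": "v=DMARC1; p=reject; sp=none",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example; adkim=s; aspf=s",
}


def audit(records: dict) -> dict:
    """Map each domain to its classification."""
    return {domain: classify_dmarc(rec) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, verdict in audit(SAMPLE_RECORDS).items():
        print(f"{domain:24} {verdict}")
```

Only the `enforcing` verdict corresponds to the "quarantine or reject" group in the CSP figures; `monitor-only` records produce useful aggregate reports but leave impersonated mail flowing into inboxes, and the two `partial` cases show how a record can name an enforcing policy while still leaving most or all spoofed mail unblocked.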

The threat is not just inside your own organisation, says Knowles:

“Usually, if a business works with a third party using outside contractors, employees generally assume that when receiving emails from that business they are legitimate – which may not always be the case.

This means that trusted third parties are actually one of the most common entry points into an organisation, particularly if they have weaker security.

“Even though a larger enterprise might have good security measures in place, smaller organisations they work with might not have the most appropriate controls, allowing cybercriminals to gain access through to the larger organisation,” Knowles says.

Wherever the threat is coming from, the preventative measures are the same: “people, process and technology”, according to Knowles.

The first and most basic step has nothing to do with technology; it concerns what Knowles calls a “human firewall”.

“Businesses must make sure employees can recognise what a phishing scam looks like, and if they see something suspicious, what the next steps they should take to prevent a further attack from happening are,” she says.

This can only be done through employee training. Knowles says that a strong application of this would be a “cybersecurity awareness site” that employees can go to. It would also pay dividends to show them examples of what phishing looks like.

On the technology side, having tools in place to identify malicious content and behaviour is a positive step, but Agari’s John Wilson says that this does not tackle the issue of identity deception which lies at the core of spear phishing.

“Clearly, more must be done to restore trust to the email ecosystem and prevent fraudulent emails from ever making it into the inbox.

“Enterprises must therefore ensure that their employees receive and interact with only authentic and trustworthy messages – and only by establishing per-message authenticity can the risk of targeted email attacks be mitigated.”

In addition to this, data loss prevention (DLP) offered by vendors such as Symantec and Clearswift can protect organisations against themselves. These solutions can block critical information if an employee tries to send it out through email, using context to work out which information is sensitive.

Ultimately, though, these technological solutions should be in addition to ensuring that employees know what a phishing email looks like and why they should not respond to it.