Nothing personal: Training employees to identify a spear phishing attack
Phishing attacks began years ago as simple spam, designed to trick recipients into visiting sites and becoming customers. In the meantime, they have morphed into a worldwide criminal industry. In recent years, threat actors have refined their methods of phishing, becoming increasingly more sophisticated as people have become wise to the traditional, obvious and unrealistic emails, which now often trigger suspicion.
An increase in employee training and improved general awareness of cybersecurity has forced cybercriminals to change their tactics and take a more personal approach, known as spear phishing.
According to The Cyber Security Breaches Survey, phishing is the most commonly identified cyberattack amongst businesses that have identified any breaches or attacks, with 83% experiencing this in 2021.
Organizations need to understand what to expect from future phishing attacks. By taking advantage of the right digital security tools, organizations can reduce the number of phishing emails reaching users inboxes. To stay in front of new phishing attack techniques, it’s also essential that employees are equipped with all the knowledge they need to spot a potential phishing attack that goes undetected, including how attack content differs from legitimate emails.
Keeping up with sophisticated attacks
Much of the information that circulates about phishing attacks becomes quickly out of date. Cybercriminals are continuously inventing new strategies to penetrate organizational defenses and gain victims’ trust. For example, social media platforms such as LinkedIn can provide a range of information that allows cybercriminals to imitate colleagues and discuss recent company news – all adding to the realism of the spear phishing attempt.
There are various types of malicious content that users need to be aware of:
- Malicious attachments: The common goal of malicious attachments is to install malware on the target’s machine. This could be malware that provides remote access to the victim network or steals information, ransomware, malware that sends emails on behalf of the logged-on user, etc.
- Malicious links: Links can lead to malware or spoofed login pages – most often for Office 365, accounting platforms, and other cloud-based applications – designed to capture the entered login credentials.
- Malware-less emails: Some phishing emails rely purely on social engineering and use no actively malicious content. Fraudsters attempting business email compromise (BEC) and CEO fraud often take this approach, and attempt to convince the victim to take actions such as: modifying banking details, wiring money, purchasing and sharing gift cards, and providing confidential company details.
For organizations to best protect their operations, it’s critical they have centralized visibility of all activity and changes within their entire environment to understand when and how attacks are occurring.
No security solution can provide 100% protection against any type of cyberattack. What’s needed is a concentrated effort in strengthening the weakest point in a security strategy – the human factor.
Hardening the human attack surface
An email-borne spear phishing cyberattack is designed to get the targeted recipient to act in the desired way — whether it’s clicking a link, opening an attachment, giving up information in a reply, or performing a business-related action (e.g., initiating a wire transfer). In almost all cases, the attack is solely dependent upon the recipient’s engagement with the email’s content.
Regardless of whether malicious attachments or links are used, social engineering plays a significant role in spear phishing to convincingly fool the user. Cybercriminals are continuously getting better at their craft, making phishing emails and web pages look, sound, and feel increasingly legitimate.
One way for organizations to ensure their users can spot a potential phishing attempt is to implement security awareness training. Training is a vital tool to teach users the importance of secure daily habits, as well as how to spot the key elements of an attack.
In addition to suspicious links and attachments, users need to be aware of the following elements that attackers might use in a spear phishing campaign:
- Sender/sending details: Users should check who is sending the email in the first place: look closely at the domain the email has apparently sent from. Look at the spelling and the use of homographic characters to impersonate a company or an individual. Also, take note of the email address and name of the sender. The misalignment of sender details is a good first indicator that something may be wrong. IT and security teams can additionally look at the IP address of the server sending the email, the age of the domain, DNS servers, domain registrar, and SSL certificate authorities as ways of validating authenticity.
- Recipient: Threat actors will often target a recipient in a higher-risk category, such as someone with access to financial information, intellectual property, customer data, etc.
- Subject: Looking at the subject can help determine legitimacy. Misspellings, incorrect grammar, and any other signs that the email is unusual or abnormal from those emails usually received is an indication of a phishing attempt.
- Body content type: While most emails are HTML these days, it’s important to note whether the email supports tags and links that are used commonly in phishing emails.
On top of educating users and implementing training to recognize these elements, organizations can also take a more active approach by periodically attempting to phish their users. Phishing testing provides IT and security teams with a feedback loop on where their security is weakest. Testing also helps to reinforce the security culture of the organization.
Despite these measures to educate users about the risks, detecting a phishing email takes more than just scrutiny. It often requires a layered approach to provide greater insight into the series of actions being taken before it’s recognized as being malicious. The activity created by the simple clicking of a malicious attachment or link may only be partially recognized by a given security solution. What may be needed is an ability to centralize and review disparate data from a variety of network environment sources and security solutions to understand whether the suspicious activity is malicious. This means if users fail to identify a suspicious email, security teams can detect phishing attacks themselves.
Phishing attacks can have a significant impact on organizations, including loss of data, credential compromise, ransomware infection, other types of malware infections, reputational damage, and financial loss. With the cost of a data breach reaching a massive $4.24 million on average in 2021, organizations cannot afford to overlook the importance of deploying a solid security strategy.
Deploying a layered strategy built on detection, hardening the human factor, and complete visibility will minimize the risk of successful phishing attacks while improving the ability to detect and remediate them.