Phishing isn't what it used to be. Older, popular scams, like grammatically incorrect love letters and mysterious princes who just need a little money, have given way to sophisticated and dangerous social engineering attacks. In fact, phishing has become so prevalent and effective that it is one of the most common ways hackers compromise credentials.
Fortunately, there are policies and controls that IT administrators can put in place to minimize the threat and consequences of phishing attacks. This article will cover modern phishing, including what it looks like today, how employees should respond to suspected phishing attempts, and how you can help prevent phishing in your organization.
What Is Phishing?
Phishing is a social engineering attack vector where bad actors impersonate reputable sources to trick users into handing over their credentials or downloading malware. It's an attack vector that preys on human nature and is relatively low-cost and low-effort to execute. This combination makes phishing particularly prevalent and dangerous.
While phishing became infamous in the '90s through clearly fraudulent emails with poor grammar, attacks have become much more sophisticated and diverse. We'll cover some of these emerging tactics here.
Popular Types of Phishing
Understanding the common phishing attack types will prepare you and your users to spot them. The earliest phishing attacks date to the 1990s, when attackers posed as AOL employees to steal credentials via AOL messages and email. This traditional tactic remains in use today, largely for widespread, untargeted attacks.
Other, more targeted phishing styles have evolved as well. The following are some of the most common:
Email Phishing
Email phishing is the most standard form of phishing, which most users are likely familiar with. In a phishing email, a hacker sends an email posing as someone trustworthy to convince the recipient to click a malicious link, download malware, or hand over their credentials.
Smishing
Smishing (SMS phishing) is similar to email phishing, but it occurs over text.
Vishing
Vishing (voice phishing) is the same scheme carried out over a phone call, often with a spoofed caller ID to match the impersonated organization.
Spear-Phishing
Spear-phishing takes the traditional phishing email and personalizes it with social engineering, targeting a specific individual. This tactic takes hackers longer to execute, but it is generally more convincing than a standard phishing attempt. Because of the extra time investment, spear-phishing attacks usually target higher-value targets with deep levels of access.
Whaling
Whaling uses the same tactics as spear-phishing, but it targets senior-level personnel. It's important for executives to be aware of whaling and understand they aren't immune to attack. Make sure they take part in any phishing awareness training you implement.
Clone Phishing
Clone phishing swaps real links or attachments for malicious ones in a legitimate, previously sent email, and then resends it. Often, phishers take an email that was sent to a group and resend it to the same group. If they have access to the sender's email account, they may send it from that account under the premise of resending with updated information.
Search Engine Phishing
Hackers are always looking for new ways to reach their targets, and Google searches are now within their arsenal. In search engine phishing, hackers forge a legitimate website and optimize it to show up for a common Google search. If they design it correctly, it can be difficult to spot the site as a fake. Hackers usually do this with account pages, hoping users visit the page and input their credentials, unknowingly giving them away.
Who Do Phishing Attackers Impersonate?
Now that we've established popular types of phishing attacks, it's important for users to understand who phishers might impersonate. This is critical information for the end user, who needs to know what a phishing email might look like when it pops up in their inbox.
A Popular Account
Phishers often impersonate brands that use online accounts, like subscription services, banks, credit card companies, and software. Under the guise of a familiar brand, they'll email customers claiming that their account is locked, set to expire, or needs review: anything to get them to open the link and log in. The recipients who follow the link will usually land on a fake login page that captures their credentials for the attacker to use.
Someone on the Inside
If your boss said they urgently needed your help with something, would you say no?
Many phishers bet on employees trusting their leaders. They鈥檒l trick employees into clicking a link or sharing credentials by impersonating the employee鈥檚 boss and making an urgent request, usually via text or email. When the phisher does their research on their target, these attacks can often be quite convincing.
This ruse doesn鈥檛 stop at direct superiors. HR personnel, IT admins, and fellow coworkers are other people phishers impersonate to trick employees into cooperating with an ask.
A Customer
Customers wanting to pay for your company's services seem pretty routine, which is why this phishing method works. In these attacks, phishers email you as a "customer," claiming that they've attached their payment. (Spoiler alert: the attachment isn't their payment. It's likely malware.)
The Government
Legal action can scare anyone, even if they haven't done anything wrong. That's the thinking behind these attacks, which pose as a government body threatening legal fees, jail time, or other penalties unless the recipient takes action. That action is usually remitting payment or clicking a malicious link that downloads malware.
A New Connection
Social media and remote work have eliminated the discomfort of meeting someone virtually. Phishers exploit this by impersonating your connections. They'll find a person, company, club, or other connection in your social media and use it to establish common ground. After they've established trust, they'll try to get you to click a link or share information with them.
When executed correctly, these phishing attacks are some of the most convincing and dangerous. This attack is often the tactic spear-phishers and whalers use, doing their research and targeting someone high up to make their attack count.
How to Spot a Phishing Attempt
Poor grammar and implausible stories used to be the primary giveaways, but phishing attempts have become much more sophisticated. Many no longer contain these mistakes, so they shouldn't be employees' sole tip-offs.
Employees should learn to look for context clues when they are asked to click a link, download something, log into an account, or share information, assets, or money. Common context clues that could tip someone off to a phishing attempt include:
- Abnormal communication method. Is the channel or time of day abnormal or out of character?
- Strange voice or tone. If the correspondence is coming from someone you know, does it sound like them? If it's coming from a brand or someone you don't know, do the wording and level of formality seem right?
- Strange topic or request. References to projects, accounts, activity, resources, or other topics you're not aware of can be a red flag. So are urgent, out-of-character, or out-of-the-blue requests. Note that reputable companies will never ask for your credentials over an email, text, or phone call (especially when they initiated the communication).
- Suspicious links and sender information. Phishers often disguise links with tactics like swapping letters for look-alikes (for example, "rn" in place of "m", or the digit "0" in place of the letter "o") or registering a domain that is slightly different from the real one (e.g., watchnetflix.com instead of netflix.com, or netflix.com.example as a subdomain of an unrelated site). They use similar tactics to disguise sender email addresses, and a Reply-To header can quietly redirect your answer to a different mailbox than the one shown in From. Some email clients display only the sender's name instead of the email address; when in doubt, check the actual sender address.
- Request for sensitive information. As a rule of thumb, investigate any unexpected virtual requests for sensitive information or assets.
- Additional context. Does the message make sense, given any additional context you have? For example, if your boss asks you for help because they're on the go, does their calendar confirm they're traveling? Similar red flags would be Amazon telling you your account is locked even though you're able to log in separately, or a customer emailing you to pay for a service you don't remember them ordering.
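The link and sender checks in the list above are mechanical enough to script. The following is an added example, not code from the original article or from any vendor it mentions: it parses a raw email, compares the From address, display name, Reply-To header and every link in the body against a list of domains the organization trusts, and flags the three disguises the article describes (homoglyph substitution such as "1" for "l" or "rn" for "m", a brand name embedded in a longer registration such as watchnetflix.com, and the real domain used as a subdomain of an attacker-controlled site). The trusted-domain list, the homoglyph table and the sample message are constructed for the demonstration, and the two-label "registrable domain" approximation stands in for a proper public-suffix list.

```python
"""Flag lookalike sender domains and links in a suspicious email.

Added example, not code from the original article or its vendor. The
trusted-domain list, homoglyph table and sample message are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Brands and domains the organization legitimately deals with (assumed list).
TRUSTED_DOMAINS = {"netflix.com", "microsoft.com", "paypal.com", "example-corp.com"}

# Substitutions phishers use to mimic a real name: "rn" for "m", "0" for "o", "1" for "l".
HOMOGLYPHS = {"rn": "m", "0": "o", "1": "l"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host):
    """Last two labels of a host name (a public-suffix list would do this properly)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain):
    """Undo common homoglyph substitutions so netf1ix.com compares equal to netflix.com."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def classify_host(host):
    """Return ("trusted" | "lookalike" | "unknown", reason) for a host name."""
    host = host.lower().rstrip(".")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted", reg
    for trusted in sorted(TRUSTED_DOMAINS):
        # netflix.com.evil.example: the real name appears as a leading subdomain.
        if host.startswith(trusted + "."):
            return "lookalike", f"{trusted} used as a subdomain of {reg}"
        # netf1ix.com / rnicrosoft.com: identical to the real name after undoing homoglyphs.
        if normalize(reg) == trusted:
            return "lookalike", f"{reg} mimics {trusted} via character substitution"
        # watchnetflix.com: the real name embedded in a different registration.
        if trusted in reg:
            return "lookalike", f"{reg} contains {trusted}"
    return "unknown", reg


def analyze_message(raw):
    """Return a list of human-readable red flags found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_host = from_addr.rsplit("@", 1)[-1].lower()

    verdict, why = classify_host(from_host)
    if verdict == "lookalike":
        findings.append(f"From address {from_addr}: {why}")

    # Display name claims a brand that the actual address does not belong to.
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if brand in display_name.lower() and registrable_domain(from_host) != trusted:
            findings.append(f"Display name {display_name!r} claims {brand} but address is @{from_host}")

    # Replies silently redirected to a mailbox other than the one shown in From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_host:
        findings.append(f"Reply-To {reply_addr} does not match From {from_addr}")

    # Every link in a plain-text body gets the same host check as the sender.
    body = msg.get_payload() if not msg.is_multipart() else ""
    for url in URL_RE.findall(body):
        verdict, why = classify_host(urlparse(url).hostname or "")
        if verdict == "lookalike":
            findings.append(f"Link {url}: {why}")
    return findings


# Constructed sample, modeled on the "your account is locked" lure described above.
SAMPLE_EMAIL = """\
From: "Netflix Support" <billing@netf1ix.com>
Reply-To: help@mail-support.example
To: user@example-corp.com
Subject: Your account is locked

Your account is on hold. Restore access within 24 hours:
https://netflix.com.account-verify.example/login
If that does not work, use https://netf1ix.com/reactivate
"""

if __name__ == "__main__":
    for flag in analyze_message(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Running the script against the sample prints five red flags: the homoglyph From address, the brand name in the display name that the address does not back up, the mismatched Reply-To, and one finding for each of the two links. The checks are deliberately simple; a production mail gateway would add a public-suffix list, Unicode confusable handling for internationalized domain names, and a reputation lookup for the "unknown" verdict.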
How to Respond to Suspected Phishing
Try Another Channel
When in doubt, users should check with the sender on another channel to confirm that they sent the message. For senders in the organization, a quick chat will often suffice; for companies, contacting customer service, using their chat bot, or emailing an account representative are common methods. (Note: don't use contact information listed in a suspected phishing email; visit the company's website manually to find contact info.)
Go to the Source
Instead of clicking a link, users should type in the URL manually. This prevents them from landing on a malicious site whose URL uses a "0" in place of an "o" or a similar look-alike character. This also goes for email addresses and phone numbers: if you need to reply to a message, type them in from a source you trust instead of replying within the thread.
This is especially true when logging in or changing a password: never do so through an email or other indirect channel. Users should only ever type in credentials on a website they trust and can validate is the real thing, and never in an email. Ideally, your users can change their password on their own machine (a safe place to change it) and have the change propagated to their other services.
Validate the Information
Phishing emails usually make a claim, and users should check that claim's legitimacy if they can. For example, if an email claims that a user's account is locked out, they could try logging into the account in a separate browser. Phishers can't control the context clues around their target, and real-life deduction can often outwit a phishing attempt.
Never Interact with a Suspicious Message
If users can鈥檛 confirm a message鈥檚 legitimacy, they should never interact with it. This includes replying, clicking anything, and opening attachments.
Report It
When users suspect phishing, they should have a clear set of steps to follow. Usually, this means reporting it to the IT or security team. Organizations often use a designated phishing reporting address or a reporting button installed in users' email clients. Make sure users know how to report without interacting with the message, for example by using the report button or taking a screenshot rather than replying. If the security team needs the original for analysis, have users forward it as an attachment, which preserves the message headers that an inline forward would strip.
How to Prevent Phishing
Conduct Regular Phishing Awareness Training
Phishing security relies on employees to stay vigilant and do their part. Your IT department should run regular training on phishing awareness that includes what phishing is, how to detect it, and how to appropriately respond to and report suspected phishing attempts.
Not sure where to start with training? Pull from this blog to create a guide!
Run Phishing Simulations
Consider running phishing simulation tests to gauge how well employees react to phishing. These tests send fake phishing emails to employees to see how they respond. They're usually conducted by a third party, and many services include reporting, periodic testing to gauge improvement, help with phishing awareness training, and recommendations for next steps.
Step Up Your Password Game
A large portion of phishing attacks attempt to gain access to employees' passwords by tricking them into typing them into the wrong place. So, one of the best defenses against phishing is reducing your organization's reliance on passwords altogether. We'll cover three key ways to do this.
1. Single Sign-On
Single sign-on (SSO) allows users to access many (ideally, all) resources with one set of trusted credentials. With a robust SSO solution, employees should only have to type in their credentials once to access everything they need to do their work.
SSO reduces the risk of phishing by reducing the frequency with which users have to input their credentials. Instead of signing into every resource manually by typing in their password, they would typically only have to do so once per session.
After rolling out an SSO solution, most organizations immediately enforce MFA and password complexity requirements to ensure that the single password each employee uses is secure.
2. Multi-Factor Authentication
Multi-factor authentication (MFA) reduces the risk of phishing by making the password alone insufficient for authentication. It adds a second factor on top of the typical username and password, so a compromised password does not by itself mean a compromised account: an attacker could only use it if they also controlled the second factor (such as the user's device). One caveat: one-time codes and push approvals can still be phished by a real-time proxy that relays them to the genuine site, so only origin-bound cryptographic methods such as FIDO2 security keys count as phishing-resistant MFA.
3. Passwordless Authentication
Because phishing preys on users by tricking them into giving away their credentials, the best way to reduce phishing risk is to remove the need for users to input those credentials. Passwordless authentication is the most effective way to accomplish this.
Passwordless authentication prevents phishing by bypassing password-based authentication altogether. 探花大神 Go™, for example, enables users to securely authenticate via their trusted device without typing in their password. It can act as a user's SSO login, so users can use a phishing-resistant passwordless login to reach all the resources they need to do their work.
Reduce the Risk of Phishing Damage with 探花大神
The 探花大神 Directory Platform integrates many security features that help protect against phishing, including:
- True SSO™, which allows users to securely authenticate to any IT resource they need to do their work with one set of credentials. That includes HRIS systems, web apps, legacy apps, networks, file servers, and more.
- Built-in MFA that can be applied to SSO for layered authentication everywhere.
- 探花大神 Go™, a phishing-resistant passwordless authentication method that enables users to bypass their password input by authenticating with biometrics on their trusted device.
Take the first step toward keeping your organization's resources safe from successful phishing attacks. of 探花大神's secure device and identity management solution today.