It’s Cybersecurity Awareness Month! In honor of the theme — Do Your Part. #BeCyberSmart — we’re doing our part by educating IT teams and organizations on protecting themselves. Throughout October, the JumpCloud blog will focus on top cybersecurity issues, from IT admin best practices to CISO responsibilities. Tune back in throughout the month for new cybersecurity content or check out our archive of existing security articles for cybersecurity insights written specifically for the IT professional.
Unlike many other attack methods, phishing preys on human nature. Further, its low-tech nature is one of the reasons it’s still so popular. It’s easy to implement and casts a wide net that doesn’t often come up empty.
Because even one user who falls victim can let in malware that infects the entire infrastructure, everyone in your organization needs to be able to detect and appropriately respond to phishing.
In keeping with this year’s Cybersecurity Awareness Month theme, this article will help IT admins prepare users to recognize and respond correctly to phishing attacks.
Because phishing is all about hackers infiltrating your organization by pretending to be someone a user trusts, this article will cover some of a phisher’s most common disguises. It will also cover how to best respond to a suspected attack, and how to prevent attacks from taking hold.
Note: If you don’t already have a phishing awareness campaign in place, you can start by sharing these tips with your employees so they know what to look for and what to do if they suspect phishing.
Popular Types of Phishing
The first phishing email was sent in the mid-1990s. The traditional tactic remains in use today, largely for widespread, untargeted attacks. Other, more focused phishing styles have evolved as well, as phishers have learned what works and how to home in on their targets. Understanding these attack types will prepare you and your users to spot them.
Email phishing is the most standard form of phishing, which most users are likely familiar with. In a phishing email, a hacker sends an email posing as someone trustworthy to convince the recipient to click a malicious link, download malware, or hand over their credentials.
Smishing (SMS phishing) is similar to email phishing, but it occurs over text.
Vishing (voice phishing) is another variant of phishing; it occurs over a phone or voice call.
Spear-phishing takes the traditional phishing email and personalizes it with social engineering, targeting a specific individual. This tactic takes hackers longer to execute, but it is generally more convincing than a standard phishing attempt. Because of the extra time investment, spear-phishing attacks usually target higher-value targets with deep levels of access.
Whaling uses the same tactics as spear-phishing, but it targets senior-level personnel. It’s important for executives to be aware of whaling and understand they aren’t immune to attack. Make sure they take part in any phishing awareness training you implement.
Clone phishing swaps real links or attachments for malicious ones in a legitimate, previously sent email, and then resends it. Often, phishers use an email that was sent to a group, and resend the email to the group. If they have access to the sender’s email account, they may send it from that account under the premise of resending with updated information.
Search Engine Phishing
Hackers are always looking for new ways to reach their targets, and Google searches are now part of their arsenal. In search engine phishing, hackers forge a legitimate website and optimize it to show up for a common Google search. If they design it correctly, the site can be difficult to spot as a fake. Hackers usually do this with account pages, hoping users visit the page and input their credentials, unknowingly giving them away.
Common Phishing Dupes
Now that we’ve established popular types of phishing attacks, it’s important for users to understand who phishers might pose as. This is critical information for the end-user, who needs to know what a phishing email might look like when it pops up in their inbox. These are some of the most popular masks phishers wear when they attack.
A Popular Account
Phishers have gotten pretty good at impersonating big brands, from duplicating their logo to creating fake (but believable) login pages. Phishers often use this tactic to masquerade as brands that use online accounts, like subscription services, banks, credit card companies, and software.
These phishing emails usually pose as one of these brands, alerting the recipient that their account is locked, set to expire, needs review — anything to get them to open the link and log in. Often, the phisher uses a fake login page, captures the credentials, and infiltrates the account.
Someone in Their Organization
If your boss said they urgently needed your help with something for a big meeting they were about to step into, would you say no? Many phishers bet on employees trusting their leaders, sending texts, emails, and other fake correspondences masquerading as an employee’s boss. When the phisher does their research on their target, these can often be quite convincing.
This ruse doesn’t stop at direct superiors. Phishers often pose as someone from HR or IT to gain valuable credentials, or as a fellow coworker who needs help. Fortunately, while phishers are fairly skilled at researching and impersonating others, humans generally have a reliable gut feeling about interpersonal communication. If something feels off about the voice, topic, or channel through which someone contacts an employee, they should check in with that person via another channel to verify the communication.
A Customer
Customers wanting to pay for your company’s services seem pretty routine, which is why this phishing method works. In these attacks, phishers email you as a “customer,” claiming that they’ve attached their payment. (Spoiler alert: the attachment isn’t their payment. It’s likely malware.)
A Government Body
Legal action can scare anyone, even if they haven’t done anything wrong. That’s the thinking behind these attacks, which pose as a government body threatening legal fees, jail time, or other penalties unless the recipient takes action. That action is usually remitting payment or clicking a malicious link that downloads malware.
A New Connection
Social media and remote work have eliminated the discomfort of meeting someone virtually. So a message in your email or LinkedIn saying, “Hey, it looks like we both worked with Amanda at CompanyABC; let’s connect!” sounds fairly benign.
Phishers can find a person, company, club, or other connection in your social media and use it to establish common ground with the recipient. This generates trust, which might assuage the uneasiness of clicking a link or sharing information with them.
When executed correctly, these phishing attacks are some of the most convincing and dangerous. This attack is often the tactic spear-phishers and whalers use, doing their research and targeting someone high up to make their attack count.
Notes on What to Look for:
While poor grammar and implausibility used to be primary tip-offs for catching phishing attempts, phishing messages have become much more sophisticated. Many no longer contain these mistakes, so they shouldn’t be employees’ sole tip-offs.
Employees should learn to look for context clues when they are asked to click a link, download something, log into an account, or share information, assets, or money. Common context clues that could tip someone off to a phishing attempt include:
- Abnormal communication method. Is the channel or time of day abnormal or out of character?
- Strange voice or tone. If the correspondence is coming from someone you know, does it sound like them? If it’s coming from a brand or someone you don’t know, do the wording and level of formality seem right?
- Strange topic or request. References to projects, accounts, activity, resources, or other topics you’re not aware of can be a red flag. So are urgent, out-of-character, or out-of-the-blue requests. Note that reputable companies will never ask for your credentials over an email, text, or phone call (especially when they initiated the communication).
- Suspicious links and sender information. Phishers often disguise links with tactics like swapping out letters (replacing “m” with “rn,” for example) or making the URL slightly different (e.g., watchnetflix.com instead of netflix.com). They use similar tactics to disguise sender email addresses. Some email clients display the sender’s name instead of the email address — when in doubt, check the sender address.
- Request for sensitive information. As a rule of thumb, investigate any unexpected virtual requests for sensitive information or assets.
- Additional context. Does the message make sense, given any additional context you have? For example, if your boss asks you for help because they’re on the go, does their calendar confirm they’re traveling? Similar red flags would be Amazon telling you your account is locked even though you’re able to log in separately, or a customer emailing you to pay for a service you don’t remember them ordering.
How to Respond to Suspected Phishing
Try Another Channel
When in doubt, users should check with the sender on another channel to confirm that they sent the message. For senders in the organization, a quick chat will often suffice; for companies, contacting customer service, using their chat bot, or emailing an account representative are common methods. (Note: don’t use contact information listed in a suspected phishing email; visit the company’s website manually to find contact info).
Go to the Source
Instead of clicking a link, users should type in the URL manually. This will prevent them from clicking on a malicious site with a URL that uses an “o” instead of a “0.” This also goes for email addresses and phone numbers if you reply to a message: type them in manually instead of replying within the thread.
This is especially true when logging in or changing a password: never do so through an email or other indirect channel. Users should only ever type in credentials on a website they trust and can verify is the real thing, and never in an email. Ideally, your users can change their password on their machine (a safe place to change it) and have it propagated to their other services.
Check the Information
Phishing emails usually make a claim — users should check those claims’ legitimacy if they can. For example, if an email claims a user’s account is locked out, a customer wants to pay for a service, or a colleague has an upcoming meeting they need help with, users can try logging into the account in a separate browser, review the customer’s purchase history, or check the sender’s calendar for upcoming meetings. Phishers can’t control the context clues around them, and real-life deduction can often outwit a phishing attempt.
Never Interact with a Suspicious Message
If users can’t confirm a message’s legitimacy, they should never interact with it. This includes replying, clicking anything, and opening attachments.
When users suspect phishing, they should have a clear set of steps to follow. Usually, this is reporting it to their IT or security team. Organizations often use a designated phishing reporting email address or require users to install a phishing reporting tool in their email.
Preventing Phishing and Minimizing Its Effects
Regular Phishing Awareness Training
Phishing security relies on employees to stay vigilant and do their part. Your IT department should run regular training on phishing awareness — often combined with more holistic security awareness training. Phishing awareness training should include what phishing is, how to detect it, and how to appropriately respond and report suspected phishing attempts.
Consider running phishing simulation tests to gauge how well employees react to phishing. In these tests, employees receive fake phishing emails to see how they respond. These are usually conducted by a third party, and many services include reporting, periodic testing to gauge improvement, help with phishing awareness training, and recommendations for next steps.
Step Up Your Password Game
In today’s environment, passwords are far from safe — in fact, they’re actually quite vulnerable, and no longer considered the best way to protect accounts. Companies are stepping up their authentication to include multi-factor authentication, swapping traditional authentication methods for secure authentication protocols, and combining them through a secure single sign-on (SSO) tool.
The More Holistic Solution
While the above methods are effective to an extent, they don’t completely prevent phishing. Reliably protecting your organization against phishing involves two elements:
- A secure single sign-on solution.
Single sign-on (SSO) solutions use secure protocols instead of passwords to authenticate and authorize users to their resources. This eliminates the need for (and risk of) users typing in their credentials. Because phishing often occurs when a user types their credentials into a falsified website, circumventing this manual login process acts as a defense against phishing.
- A method for changing passwords without using the account’s website.
The most reliable way to defend against phishing is to combine SSO with a means for changing passwords on devices rather than on websites. For example, JumpCloud® stores SSO data in its User Portal; users can change their passwords directly from their device, and the device propagates the changed credentials to the individual services. This way, the user never needs to input their password directly into a website or application that JumpCloud supports (and because JumpCloud takes a multi-protocol approach to authentication and authorization, it supports just about all of them).
To truly defend against phishing, you need a solution that can provide both of the above elements. One of the best ways to do this is with a unifying directory platform like JumpCloud that manages and secures access to all your resources.
JumpCloud is a security-focused cloud directory platform that securely connects employees to virtually all the resources they need, from wherever they are. It accomplishes this with tools like multi-factor authentication, a multi-protocol approach to authentication, and secure single sign-on. Better yet, it’s free for up to 10 devices and 10 users — sign up now to try it in your environment.