How to Defend Against Modern Phishing Attacks

Phishing isn’t what it used to be. Older, popular scams — like grammatically incorrect love letters and mysterious princes who just need a little money — have given way to sophisticated and dangerous social engineering attacks. In fact, phishing has become so prevalent and effective that it is one of the three primary ways hackers compromise credentials. 

Fortunately, there are policies and controls that IT administrators can put in place to minimize the threat and consequences of phishing attacks. This article will cover modern phishing, including what it looks like today, how employees should respond to suspected phishing attempts, and how you can help prevent phishing in your organization. 

What Is Phishing?

Phishing is a social engineering attack vector where bad actors impersonate reputable sources to trick users into compromising their credentials or downloading malware. It’s an attack vector that preys on human nature and is relatively low-cost and low-effort to execute. This unique combination makes phishing particularly prevalent and dangerous.

While phishing became infamous in the ʼ90s through clearly fraudulent emails with poor grammar, attacks have become much more sophisticated and diverse. We’ll cover some of these emerging tactics here.

Popular Types of Phishing 

Understanding phishing attack types will prepare you and your users to spot them. The first phishing email was sent in the mid-1990s, when attackers posed as AOL employees to steal credentials via AOL messages and email. This traditional tactic remains in use today, largely for widespread, untargeted attacks. 

Other, more targeted phishing styles have evolved as well. The following are some of the most common:

Email Phishing

Email phishing is the most standard form of phishing, which most users are likely familiar with. In a phishing email, a hacker sends an email posing as someone trustworthy to convince the recipient to click a malicious link, download malware, or hand over their credentials. 

Smishing

Smishing (SMS phishing) is similar to email phishing, but it occurs over text. 

Vishing

Vishing is also a variant of email phishing that occurs via voice/phone call.

Spear-Phishing

Spear-phishing takes the traditional phishing email and personalizes it with social engineering, targeting a specific individual. This tactic takes hackers longer to execute, but it is generally more convincing than a standard phishing attempt. Because of the extra time investment, spear-phishing attacks usually target higher-value targets with deep levels of access.

Whaling 

Whaling uses the same tactics as spear-phishing, but it targets senior-level personnel. It’s important for executives to be aware of whaling and understand they aren’t immune to attack. Make sure they take part in any phishing awareness training you implement.

Clone Phishing

Clone phishing swaps real links or attachments for malicious ones in a legitimate, previously sent email, and then resends it. Often, phishers use an email that was sent to a group, and resend the email to the group. If they have access to the sender’s email account, they may send it from that account under the premise of resending with updated information. 

Search Engine Phishing

Hackers are always looking for new ways to reach their targets, and Google searches are now within their arsenal. In search engine phishing, hackers forge a legitimate website and optimize it to show up for a common Google search. If they design it correctly, it can be difficult to spot the site as a fake. Hackers usually do this with account pages, hoping users visit the page and input their credentials, unknowingly giving them away.

Who Do Phishing Attackers Impersonate?

Now that we’ve established popular types of phishing attacks, it’s important for users to understand who phishers might impersonate. This is critical information for the end-user, who needs to know what a phishing email might look like when it pops up in their inbox. 

A Popular Account

Phishers often impersonate brands that use online accounts, like subscription services, banks, credit card companies, and software. Under the guise of a familiar brand, they’ll email customers claiming that their account is locked, set to expire, needs review — anything to get them to open the link and log in. The recipients who follow the link will usually land on a fake login page that captures and exploits their credentials.

Someone on the Inside

If your boss said they urgently needed your help with something, would you say no? 

Many phishers bet on employees trusting their leaders. They’ll trick employees into clicking a link or sharing credentials by impersonating the employee’s boss and making an urgent request, usually via text or email. When the phisher does their research on their target, these attacks can often be quite convincing. 

This ruse doesn’t stop at direct superiors. HR personnel, IT admins, and fellow coworkers are other people phishers impersonate to trick employees into cooperating with an ask. 

A Customer

Customers wanting to pay for your company’s services seem pretty routine, which is why this phishing method works. In these attacks, phishers email you as a “customer,” claiming that they’ve attached their payment. (Spoiler alert: the attachment isn’t their payment. It’s likely malware.)

The Government

Legal action can scare anyone, even if they haven’t done anything wrong. That’s the thinking behind these attacks, which pose as a government body threatening legal fees, jail time, or other penalties unless the recipient takes action. That action is usually remitting payment or clicking a malicious link, downloading malware.

A New Connection

Social media and remote work have eliminated the discomfort of meeting someone virtually. Phishers are exploiting this phenomenon by impersonating your connections. They’ll find a person, company, club, or other connection in your social media and use it to establish common ground. After they’ve established trust, they’ll try to get you to click a link or share information with them. 

When executed correctly, these phishing attacks are some of the most convincing and dangerous. This attack is often the tactic spear-phishers and whalers use, doing their research and targeting someone high up to make their attack count. 

How to Spot a Phishing Attempt 

While grammar and believability used to be a primary factor in catching phishing attempts, they’ve become much more sophisticated. Many no longer contain these mistakes, and they shouldn’t be employees’ sole tip-offs.

Employees should learn to look for context clues when they are asked to click a link, download something, log into an account, or share information, assets, or money. Common context clues that could tip someone off to a phishing attempt include: 

• Abnormal communication method. Is the channel or time of day abnormal or out of character? 
• Strange voice or tone. If the correspondence is coming from someone you know, does it sound like them? If it’s coming from a brand or someone you don’t know, do the wording and level of formality seem right?
• Strange topic or request. References to projects, accounts, activity, resources, or other topics you’re not aware of can be a red flag. So are urgent, out-of-character, or out-of-the-blue requests. Note that reputable companies will never ask for your credentials over an email, text, or phone call (especially when they initiated the communication).
• Suspicious links and sender information. Phishers often disguise links with tactics like swapping out letters (like “m” for “rn”) or making the URL slightly different (i.e., watchnetflix.com instead of netflix.com). They use similar tactics to disguise sender email addresses. Some email clients display the sender’s name instead of email address — when in doubt, check the sender address. 
• Request for sensitive information. As a rule of thumb, investigate any unexpected virtual requests for sensitive information or assets.
• Additional context. Does the message make sense, given any additional context you have? For example, if your boss asks you for help because they’re on the go, does their calendar confirm they’re traveling? Similar red flags would be Amazon telling you your account is locked even though you’re able to log in separately, or a customer emailing you to pay for a service you don’t remember them ordering.

How to Respond to Suspected Phishing

Try Another Channel

When in doubt, users should check with the sender on another channel to confirm that they sent the message. For senders in the organization, a quick chat will often suffice; for companies, contacting customer service, using their chat bot, or emailing an account representative are common methods. (Note: don’t use contact information listed in a suspected phishing email; visit the company’s website manually to find contact info.) 

Go to the Source

Instead of clicking a link, users should type in the URL manually. This will prevent them from clicking on a malicious site with a URL that uses an “o” instead of a “0.” This also goes for email addresses and phone numbers if you reply to a message: type them in manually instead of replying within the thread.

This is especially true when logging in or changing a password: never do so through an email or other indirect channel. Users should only ever type in credentials when on a website they trust and can validate it is the real thing, and never in an email. Ideally, your users can change their password on their machine (a safe place to change that password) and have it propagated to their other services.

Validate the Information

Phishing emails usually make a claim — users should check those claims’ legitimacy if they can. For example, if an email claims that a user’s account is locked out, they could try logging into the account in a separate browser. Phishers can’t control the context clues around them, and real-life deduction can often outwit a phishing attempt.

Never Interact with a Suspicious Message

If users can’t confirm a message’s legitimacy, they should never interact with it. This includes replying, clicking anything, and opening attachments. 

Report It

When users suspect phishing, they should have a clear set of steps to follow. Usually, this is reporting it to their IT or security team. Organizations often use a designated phishing reporting email address or require users to install a phishing reporting tool in their email. Make sure users know how to report it without interacting with it — for example, take a screenshot of a suspicious email rather than forwarding the email itself. 

How to Prevent Phishing

Conduct Regular Phishing Awareness Training

Phishing security relies on employees to stay vigilant and do their part. Your IT department should run regular training on phishing awareness that includes what phishing is, how to detect it, and how to appropriately respond to and report suspected phishing attempts. 

Not sure where to start with training? Pull from this blog to create a guide!

Run Phishing Simulations

Consider running phishing simulation tests to gauge how well employees react to phishing. These tests send fake phishing emails to employees to see how they respond. They’re usually conducted by a third party, and many services include reporting, periodic testing to gauge improvement, help with phishing awareness training, and recommendations for next steps. 

Step Up Your Password Game

A large portion of phishing attacks attempt to gain access to employees’ passwords by tricking them into typing them into the wrong place. So, one of the best defenses against phishing is reducing your organization’s reliance on passwords altogether. We’ll cover three key ways to do this.

1. Single Sign-On

Single sign-on (SSO) allows users to access many (ideally, all) resources with one set of trusted credentials. With a robust SSO solution, employees should only have to type in their credentials once to access everything they need to do their work. 

SSO reduces the risk of phishing by reducing the frequency with which users have to input their credentials. Instead of signing into every resource manually — by typing in their password — they would typically only have to do so once per session.

After rolling out an SSO solution, most organizations immediately enforce MFA and password complexity requirements to ensure that the single password each employee uses is secure. 

2. Multi-Factor Authentication

Multi-factor authentication (MFA) reduces the risk of phishing by making the password less powerful for authentication. It does this by adding an additional layer to the typical username-password authentication method. With MFA in place, a compromised password does not mean a compromised account. A bad actor could only make use of a compromised password if they also had access to the second factor (like their device). 

3. Passwordless Authentication

Because phishing preys on users by tricking them into giving away their credentials, the best way to reduce phishing risk is to remove the need for users to input those credentials. Passwordless authentication is the most effective way to accomplish this.

Passwordless authentication prevents phishing by bypassing password-based authentication altogether. JumpCloud Go™, for example, enables users to securely authenticate via their trusted device without typing in their password. It can act as a user’s SSO login, so users can use a phishing-resistant passwordless login to reach all the resources they need to do their work. 

Reduce the Risk of Phishing Damage with JumpCloud

The JumpCloud Directory Platform integrates many security features that help protect against phishing, including: 

• True SSO™, which allows users to securely authenticate to any IT resource they need to do their work with one set of credentials. That includes HRIS systems, web apps, legacy apps, networks, file servers, and more. 
• Built-in MFA that can be applied to SSO for layered authentication everywhere. 
• JumpCloud Go™, a phishing-resistant passwordless authentication method that enables users to bypass their password input by authenticating with biometrics on their trusted device.

Take the first step toward keeping your organization’s resources safe from successful phishing attacks. Start your free trial of JumpCloud’s secure device and identity management solution today.