If you work in corporate America, you’ve probably taken a cybersecurity awareness course and are familiar with the term “phishing.” Maybe you’ve even participated in mock phishing campaigns. Still, it’s hard to imagine just how devastating the effects of a sophisticated phishing attack can be on a company’s reputation and bottom line.
Last year, the FBI's Internet Crime Complaint Center (IC3) received 241,342 phishing-related complaints that resulted in adjusted losses of over $54 million. And over the past ten years, some of the most prominent phishing attacks have cost individual companies roughly double that amount. Because of the potential for enormous negative impact, phishing prevention should be a top priority for any company, big or small. But where do security teams start?
To understand how to prevent phishing attacks, you have to know what they are and how they work. In this article, we’ll define phishing and explain how cybercriminals leverage social psychology before diving into some useful tips to help you Fight the Phish at your company.
What is phishing?
Phishing is a cybercrime in which attackers pose as colleagues, reputable companies, or other known institutions to trick victims into disclosing sensitive information or taking an action on the attacker's behalf, with email as the primary attack vector. The term comes from the way attackers "fish" for information, dangling a baited hook (an urgent, seemingly legitimate request) in front of an unsuspecting person. To disguise their identity, attackers spoof the sender address, register look-alike domains that differ from a real one by a character or two, or put a familiar name in the display name while the underlying address belongs to them. Masquerading as someone victims know and trust, attackers lure them into exposing bank or credit card details, employee PII, intellectual property, or account passwords.
How does phishing work?
Most phishing attacks happen over email and usually follow a distinct pattern. Cybercriminals start by claiming to be a third party (sometimes a vendor such as Dropbox, Google, or AWS, or another legitimate organization), or they masquerade as an employee the victims know. Then they pressure victims to act; for example, they may claim a bill has been overdue for months, or that they expected to receive a .csv file of employee information for an audit that started last week. Typically, phishing emails contain links for victims to "pay" those bills, upload requested files, or enter their account credentials. Other times, the links or attachments drop malware on victims' computers.
The underlying goal of a phishing attack is to exploit the victim's inability to distinguish a legitimate request from a malicious one. Email regularly delivers people an exorbitant amount of information and requests to act, and attackers are banking on the fact that we rarely question the legitimacy of a request that looks and sounds the part. When done well, most victims may never even realize they have been attacked.
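The disguises described above (a spoofed or look-alike sender address, a familiar name in the display name) are mechanical enough to check on every inbound message. The following is an added example, not JumpCloud's code, of a sender-domain triage pass: it parses the From: header, maps look-alike characters (digits for letters, Cyrillic for Latin, "rn" for "m") back to the letters they imitate, measures edit distance against a constructed allowlist of trusted domains, and flags trusted brand names embedded in foreign domains or display names. The allowlist, the confusable table and the sample headers are all constructed for illustration.

```python
"""Flag From: addresses that impersonate trusted domains.

Added example, not JumpCloud's code. The trusted-domain list, the
confusable-character table and the sample headers are constructed for
illustration; a real deployment would use the Unicode confusables data
and the organization's own vendor list.
"""
from email.utils import parseaddr

# Constructed allowlist: the organization's own domain plus vendors it uses.
TRUSTED_DOMAINS = {"example.com", "dropbox.com", "google.com"}

# Characters attackers swap for look-alikes: digits for letters and Cyrillic
# letters that render like Latin ones. Deliberately a small subset.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def normalize(domain: str) -> str:
    """Map look-alike characters to the Latin letters they imitate."""
    d = domain.lower().translate(CONFUSABLES)
    # "rn" reads as "m" and "vv" as "w" in most fonts (rnicrosoft, vvindows).
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str):
    """Return (verdict, reason) for the value of a From: header."""
    display, addr = parseaddr(from_header)
    _, sep, domain = addr.rpartition("@")
    domain = domain.lower()
    if not sep or not domain:
        return "reject", "no parsable address"
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    norm = normalize(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if norm == trusted:
            return "lookalike", f"{domain} renders like {trusted}"
        if edit_distance(norm, trusted) == 1:
            return "lookalike", f"{domain} is one edit away from {trusted}"
        # Trusted name buried inside an attacker-controlled domain, e.g.
        # example.com.invoices-portal.net or dropbox-billing.com. This will
        # also match some legitimate partner domains; it queues, not blocks.
        if any(brand in label for label in norm.split(".")):
            return "lookalike", f"{domain} embeds the name {brand}"
    # Display name claims a trusted identity that the address does not have.
    for trusted in sorted(TRUSTED_DOMAINS):
        if trusted.split(".")[0] in display.lower():
            return "display-spoof", f"'{display}' sent from {domain}"
    return "unknown", domain


# Constructed From: headers, one per pattern the text describes.
SAMPLE_HEADERS = [
    "Alice Chen <alice@example.com>",
    "Dropbox <no-reply@dr0pbox.com>",
    "Google Cloud Billing <billing@goog1e.com>",
    "Accounts Payable <ap@exmple.com>",
    "Dropbox Support <help@dropbox-billing.com>",
    '"alice@example.com" <attacker@mail-relay.net>',
    "Quanta Invoicing <ar@quanta-invoices.net>",
]


def triage(headers):
    """Map each header to its (verdict, reason)."""
    return {h: classify_sender(h) for h in headers}


if __name__ == "__main__":
    for header, (verdict, reason) in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:14} {reason:40} {header}")
```

Run it and each sample header prints with its verdict. Every rule returns a reason string so a reviewer can see why a message was queued; a look-alike verdict should route the message to review rather than silently drop it, since the brand-in-label rule will also match some legitimate partner domains.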
Different types of phishing
Over time, companies have paid more attention to phishing, implementing stricter security to prevent attacks, and email providers have gotten better at automatically classifying these kinds of attacks as spam. Although these practices have minimized many phishing attempts, they have also prompted attackers to get smarter. Let’s look at just a few forms of phishing that have cropped up in the past few years. Each differs by either mode of attack or victim type:
- Smishing – Smishing, short for “SMS phishing,” occurs when an attacker fishes for information over a text message. For example, they may pose as a data plan provider asking you to pay an overage fee or pretend to be an eCommerce company letting you know you’ve won their latest giveaway. In addition, smishing texts often include a link that attackers use to collect victims’ information or release malware onto victims’ phones.
- Vishing – Vishing, short for "voice phishing," is the phone-call version of the same con. Attackers call victims on their cell phones or work phones, often spoofing caller ID so the call appears to come from a bank, a vendor, or the IT help desk, and talk them into handing over account numbers, financial information, one-time passcodes, or even IP.
- Spear phishing – Generic phishing is sprayed at thousands of mailboxes; spear phishing targets specific people. When those people are executives, the attack is often called whaling, and that is where attackers get the most bang for their buck. Spear phishing requires pre-work: attackers pore over LinkedIn and company websites to figure out who the big-wigs are at an organization, who they work with daily, and what their job functions are. Equipped with these details, attackers craft highly tailored emails that seem to come from another employee or a trusted source to get victims to respond with confidential information or click on malicious links.
- Angler phishing – In angler phishing, attackers impersonate a customer service agent. They wait until an upset customer complains on social media, then send a link that promises to connect them to a customer service agent. Instead, that link releases malware on the victim’s computer or gathers personal information about the victim.
Why is phishing the most common attack vector?
Phishing leverages a tactic known as social engineering to convince people to give up information: it's human nature to want to help people we think we know. On top of that, phishing techniques are repeatable across multiple vectors. If an attacker finds that email is already relatively well defended at an organization, they can switch to a different medium or even target the victims over their personal accounts.
When attackers play their cards right, they can use phishing to wreak havoc within an organization. Even employees at Facebook and Google have fallen for phishing. From 2013 to 2015, both companies paid out on an invoice fraud built around a real third-party hardware vendor, Quanta. Phishers sent fake invoices posing as Quanta's accounts receivable team, and employees paid those invoices, costing Google and Facebook more than $100 million combined.
While those attacks were costly, other phishing attacks have been worse, exposing precious IP or even customer data. In 2014, Sony Pictures suffered an egregious spear-phishing attack. After researching employee names and titles on LinkedIn, attackers posed as colleagues and sent employees emails carrying malware. The criminals won big, walking off with financial records, personal and customer data, and unreleased films. Ultimately, the attack cost Sony over $100 million.
Although phishing dates back to the 1990s, it is still used in full force today. Attackers default to phishing simply because it works. Victims feel the need to respond to someone they know or to address a seemingly important account issue, and they walk straight into attackers' traps by being polite and human. In fact, phishing has become even more pervasive during the pandemic. According to Verizon's 2021 Data Breach Investigations Report, phishing was present in 36% of breaches, up from 25% in the previous year's report. This is a big concern for security professionals everywhere.
What are some ways to prevent phishing?
Now for the hundred million dollar question: How do you stop phishers in their tracks? There are several tried and true methods for filtering out potential phishing attacks, both manual and automatic. Here are a few examples:
- Email tools – Today's anti-phishing platforms automatically flag suspicious inbound and outbound messages and route them to spam folders or to security teams for triage. Modern solutions may use machine learning to detect and triage incidents more quickly and efficiently. The best platforms also include advanced malware and URL protection, along with sandbox (emulation) capabilities that detonate attachments and links before they reach the inbox.
- End-user education – Your employees can be some of the best gatekeepers. Teach them to hover over links and read the actual destination domain rather than the link text (an "https" prefix only means the connection is encrypted; most phishing sites have valid certificates too), to look for punctuation or grammar mistakes in copy, and to confirm the sender address, not just the display name. Once employees know what to look for, they can help IT teams surface phishing attacks that slipped through the email filter. Making phishing awareness training part of new employee onboarding, hosting quarterly workshops on newly emerging phishing techniques, and running mock phishing campaigns are good ways to refresh that education.
- Multi-factor authentication – Many applications use MFA, or multi-factor authentication, to verify that the person logging in is who they claim to be. When employees log into their employer's VPN, for instance, they enter their username and password, then approve a prompt or enter a code from an authenticator app on their phone. MFA adds a layer of protection that makes a stolen password much less useful on its own. One caveat: codes and push prompts can still be phished by a page that relays them to the real login site in real time, so where they are supported, prefer phishing-resistant factors such as FIDO2/WebAuthn security keys or platform authenticators, which are bound to the real site's origin.
- Use browsers that block phishing attempts – Browsers like Chrome and Firefox ship with built-in malware and phishing-site detection that warns users before a known-malicious page loads. Encouraging employees to use up-to-date browsers with this protection enabled can impede phishing attempts.
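The link advice in the list above is easier to apply when the check is written down. As an added example, not JumpCloud's code, the following extracts every link from an HTML body and reports the things a hovering employee should notice: a userinfo trick such as https://example.com@login-verify.net/ (the browser goes to the host after the @), a punycode hostname, a trusted brand buried inside an attacker-controlled domain, and visible link text that names a different host than the href. It also records that an https scheme on its own proves nothing, because any domain owner can get a certificate. The message body, the trusted domain example.com and the attacker hostnames are constructed.

```python
"""Audit the links in an HTML email the way a careful reader should.

Added example, not JumpCloud's code. The message, the trusted domain and
the attacker hostnames are constructed; it uses only the standard library.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"example.com"}  # constructed: the organization's own domain


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels. A real implementation uses the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def displayed_host(text: str) -> str:
    """Host the visible link text appears to name, or '' if it is just words."""
    t = text.strip().rstrip(".,;:!?")
    if not t or " " in t or "." not in t:
        return ""
    if "://" not in t:
        t = "https://" + t
    return (urlsplit(t).hostname or "").lower()


def check_link(href: str, text: str) -> list:
    """Return the reasons this link deserves suspicion (empty means none)."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme not in ("http", "https") or not host:
        return [f"non-web link ({parts.scheme or 'no scheme'})"]
    # https://example.com@evil.net/ -> the browser connects to evil.net
    if parts.username is not None:
        findings.append(f"userinfo: browser connects to {host}, not {parts.username}")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host (may render as a look-alike)")
    dest = registrable(host)
    if dest in TRUSTED_DOMAINS:
        return findings
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:
            findings.append(f"brand: {trusted} appears inside untrusted host {host}")
    shown = displayed_host(text)
    if shown and registrable(shown) != dest:
        findings.append(f"mismatch: text shows {shown}, href goes to {host}")
    # TLS only encrypts the connection; anyone can get a certificate for a domain they own.
    findings.append(f"untrusted destination {dest} (scheme {parts.scheme} proves nothing about who runs it)")
    return findings


def audit(html: str) -> list:
    """Run check_link over every link in the body."""
    p = LinkExtractor()
    p.feed(html)
    return [(href, text, check_link(href, text)) for href, text in p.links]


# Constructed phishing-style body with one legitimate link at the end.
SAMPLE_HTML = """
<p>Your password expires today.
<a href="https://example.com@login-verify.net/reset">https://example.com/reset</a></p>
<p>Or review the invoice at
<a href="https://example.com.invoices-portal.net/inv/4471">the billing portal</a>.</p>
<p>Questions? See <a href="https://xn--exmple-cua.com/help">example.com/help</a>.</p>
<p>Handbook: <a href="https://intranet.example.com/handbook">intranet.example.com/handbook</a></p>
"""

if __name__ == "__main__":
    for href, text, findings in audit(SAMPLE_HTML):
        print(href, "->", "; ".join(findings) or "ok")
```

Three of the four sample links start with https and three of the four are hostile; the scheme tells the reader nothing, the hostname after the @ and before the first slash tells them everything.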
Is it possible to stop phishing before it even starts?
People are conditioned to log in to websites and change their passwords through webpages. This makes complete sense: most of the accounts used today are online. It is this very behavior, however, that makes people a target for phishing:
- The use of stolen credentials to penetrate an organization continues to be one of the most successful methods of attack
- Social engineering continues to be one of the most successful means to obtain stolen credentials
- Phishing continues to be a popular, low-effort, and scalable means to social engineer
How do we eliminate this vulnerability?
One method is to put multi-factor authentication in front of every possible access transaction. MFA is an extremely effective way to reduce the value of stolen credentials to an attacker, as it hampers or outright denies entry to the systems it protects unless the attacker has also gone out of their way to obtain the additional factors.
In addition, a central cloud directory can make the password-change path itself resistant to phishing. Instead of employees changing passwords on websites, password changes happen in a native, operating-system-based application, which then propagates the change where needed through API calls. That removes both the need to update credentials on a website and the need to reach applications through links in email.
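The MFA bullet above and this paragraph rely on the second factor not being something the phisher can simply relay. The added example below, not JumpCloud's code, models both outcomes with the standard library: a six-digit RFC 6238 code typed into a phishing page is forwarded to the real site and accepted, because nothing in the code says where it was typed; an origin-bound assertion in the style of FIDO2/WebAuthn is rejected, because the browser writes the page origin into the signed data and the attacker can neither use it as-is nor rewrite it. The signature is an HMAC stand-in for the authenticator's public-key signature, and the origins, secrets and delays are constructed.

```python
"""Relaying a one-time code through a phishing page versus an origin-bound
assertion.

Added example, not JumpCloud's code. The TOTP routine follows RFC 6238
(HMAC-SHA1, 30-second steps). The assertion half is a simplified model of a
FIDO2/WebAuthn login: it uses HMAC with a per-credential key in place of the
authenticator's public-key signature so it runs with the standard library,
but keeps the property that matters here, namely that the browser puts the
page origin into the signed data. Origins, secrets and delays are constructed.
"""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"   # constructed: the real login page
PHISH_ORIGIN = "https://login-verify.net"    # constructed: the attacker's page
STEP = 30


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP code for the 30-second step containing `now`."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def server_accepts_totp(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Server check: the current step plus `window` steps either side for clock drift."""
    return any(hmac.compare_digest(code, totp(secret, now + d * STEP))
               for d in range(-window, window + 1))


def relay_totp(secret: bytes, victim_time: float, relay_delay: float = 20) -> bool:
    """A phishing page asks the victim for the code and forwards it to the real site.

    The code is six digits; nothing in it says which site the victim typed it
    into, so as long as the attacker forwards it inside the drift window it works.
    """
    typed_into_phish_page = totp(secret, victim_time)
    return server_accepts_totp(secret, typed_into_phish_page, victim_time + relay_delay)


def make_assertion(cred_key: bytes, challenge: bytes, browser_origin: str) -> dict:
    """What the victim's browser returns to the page that called the WebAuthn API.

    The browser, not the page, fills in `origin`; the page cannot override it.
    """
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": browser_origin}, sort_keys=True
    ).encode()
    sig = hmac.new(cred_key, client_data, hashlib.sha256).hexdigest()  # stand-in for ECDSA
    return {"client_data": client_data, "sig": sig}


def server_verifies_assertion(cred_key: bytes, expected_challenge: bytes, assertion: dict):
    """Real site: check the signature, then the challenge, then the origin."""
    cd = assertion["client_data"]
    expected_sig = hmac.new(cred_key, cd, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(assertion["sig"], expected_sig):
        return False, "bad signature"
    data = json.loads(cd)
    if data["challenge"] != expected_challenge.hex():
        return False, "challenge mismatch"
    if data["origin"] != REAL_ORIGIN:
        return False, f"origin {data['origin']} is not {REAL_ORIGIN}"
    return True, "ok"


def relay_assertion(cred_key: bytes, tamper: bool = False):
    """Same relay trick against an origin-bound login.

    The attacker fetches a fresh challenge from the real site and hands it to the
    victim's browser on the phishing page. The browser signs it with the phishing
    origin inside, so the real site rejects it; rewriting the origin breaks the signature.
    """
    challenge = secrets.token_bytes(32)
    assertion = make_assertion(cred_key, challenge, PHISH_ORIGIN)
    if tamper:
        fixed = json.loads(assertion["client_data"])
        fixed["origin"] = REAL_ORIGIN
        assertion = {"client_data": json.dumps(fixed, sort_keys=True).encode(),
                     "sig": assertion["sig"]}
    return server_verifies_assertion(cred_key, challenge, assertion)


if __name__ == "__main__":
    seed, key, t = b"constructed-totp-seed", b"constructed-credential-key", 1_700_000_000
    print("TOTP relayed through phishing page accepted:", relay_totp(seed, t))
    print("Origin-bound assertion relayed:", relay_assertion(key))
    print("...with origin rewritten by attacker:", relay_assertion(key, tamper=True))
```

The TOTP routine can be checked against the RFC 6238 test vector (secret "12345678901234567890", time 59, eight digits gives 94287082); the assertion half is a model of the protocol property, not a WebAuthn implementation. The practical takeaway matches the text: put MFA everywhere, and where you can choose the factor, choose one that is bound to the origin.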
Instead, end users go to a safe, secure portal, sanctioned by the organization, ideally with passwordless entry into the end user’s web applications. This enables end users to simply ignore emails asking them to update their password or access their applications via links and emails. IT admins can even force changes within a secure environment by disabling password updates on Google Workspace, for example. The risk of human error is significantly lower, and admins can rest easy without fearing users might miss a critical clue that they’re being targeted.
Of course, nothing is fool-proof, and regular employee education is essential. Phishing attacks come in so many flavors, and with so many different intentions, that vigilance is the most important tool one can have to protect themselves and their organization from attack. When effective training is combined with foundational security tools, phishing can become a fringe threat that, if successful, can be mitigated quickly.
Ready to try the top anti-phishing solution for yourself?
Admins can stop phishing before it starts by managing identities, access, and devices all from the JumpCloud Directory Platform. The powerful password management capabilities combined with True Single-Sign On can help free you from worrying about how phishing attacks could threaten your organization.
Create a JumpCloud Free account today. You can add up to 10 users and 10 devices to experience the full functionality of our cloud directory platform without paying a cent. Plus, you get 10 days of premium 24×7 in-app chat support to answer any questions you may have while getting your account set up.