Lookalike Login Pages Pose a Serious Cyber Risk
Although email phishing has taken many forms over the years, the most common type of email scam is also one of the oldest. Since 2003, attackers have registered domain names and built web pages that look virtually identical to real websites, then sent links to these copycat sites to targeted users by email. Telling a real login page from a fake one has become increasingly difficult, especially for companies without sophisticated anti-phishing tools. Every company should have effective anti-phishing controls in place to protect its data and avoid downtime.
LinkedIn Login Mimicry
Cybercriminals often harvest credentials by creating fake social media login pages that prompt individuals to re-enter information such as usernames, passwords and email addresses. Recently, a member of the RevBits team was targeted by one such LinkedIn login-mimicry phishing scam. The scam was instantly detected by RevBits Email Security, an advanced anti-phishing product. Without proper email security, the message could have gone completely undetected, as the HTML/CSS of both the email and the landing page looked identical to LinkedIn's.
To add another layer of sophistication, attackers spear phish to increase an email's apparent legitimacy. To spear phish, cybercriminals research the recipient so they can include personal details in the email. These details are meant to make recipients overlook irregularities in the message and engage with its links, attachments or login pages.
The Simplicity of Creating a Fake Webpage
While this level of sophistication may seem rare given the apparent effort required, it is neither unique nor difficult to set up. It is so easy that we built our own lookalike web pages for a phishing campaign: in under an hour, we set up credential-harvesting pages that exactly mimicked the PayPal and Microsoft login pages, hosted at realistic-looking URLs. Some 1,500,000 new phishing web pages are created every month, so this problem is clearly not slowing down anytime soon.
How to Avoid These Risks
While phishing remains prevalent and its methods continue to grow in sophistication, so do phishing prevention techniques and technologies. There are two main elements to maintaining enterprise email security: anti-phishing software and anti-phishing training. Neither should operate independently of the other; they work best together.
Security awareness training is standard among large and mid-sized companies, and for good reason: a little training goes a long way in phishing prevention. However, it cannot be the only layer of email security a company uses. It is extremely easy for attackers to build convincing fake pages, like our PayPal and Microsoft sites, that even the savviest email users would fall for.
In addition to user education, email security technology should work on multiple levels. It should inspect sender addresses, links and URLs, and attachments for the latest threats, report findings to the user, and let users manually report suspicious emails. RevBits Email Security does both of those things and more, making it easier for companies not only to avoid the latest threats but also to recognize them when they arise.
RevBits Email Security is a next-generation solution that performs deep analysis of emails to find the most sophisticated schemes. Conventional email security solutions operate at the gateway server of a company's network, and to avoid delaying email delivery they can only analyze each message to a limited depth. By operating at the endpoint instead, RevBits Email Security uses the processing power of the individual client machine to conduct a deep, thorough analysis without adding latency to email delivery.
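The link inspection described above can be illustrated with a small heuristic checker. The following Python is an added example, not RevBits code: it pulls URLs out of a constructed email body, folds each hostname to the Latin letters a reader would perceive (digit and Cyrillic substitutions, two-letter pairs such as "rn", punycode), and flags the lookalike patterns behind the PayPal, Microsoft and LinkedIn pages discussed on this page: a brand name used as a subdomain of an unrelated domain, a brand name embedded in a longer registrable label, a typo or homoglyph of the brand, and a brand name placed in the userinfo before "@". The brand list, the confusable tables, the edit-distance threshold and the sample email are all constructed assumptions, and the two-label registrable-domain rule stands in for a real public suffix list.

```python
"""Heuristic lookalike-login-URL check for links found in an email body.

Added illustration (not RevBits code). PROTECTED_DOMAINS, the confusable
tables, the distance threshold and SAMPLE_EMAIL are constructed assumptions.
"""
import re
import unicodedata
from urllib.parse import urlparse

# Brands whose login pages we care about (assumed config, not a live feed).
PROTECTED_DOMAINS = {"paypal.com", "microsoft.com", "linkedin.com"}

# Single characters attackers swap in for Latin letters: digits, a bar, and a
# few Cyrillic confusables (hypothetical subset, not a full Unicode table).
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
}
# Two-letter sequences that read as one letter in many fonts.
PAIRS = {"rn": "m", "vv": "w"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def normalize_label(label: str) -> str:
    """Fold one DNS label to the Latin skeleton a human eye would read."""
    label = label.lower()
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")  # punycode -> Unicode
        except UnicodeError:
            pass  # malformed punycode: score the raw label instead
    # Strip accents (NFKD, drop combining marks), then map confusables.
    label = "".join(c for c in unicodedata.normalize("NFKD", label)
                    if not unicodedata.combining(c))
    label = "".join(CONFUSABLES.get(c, c) for c in label)
    for pair, single in PAIRS.items():
        label = label.replace(pair, single)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1-2 from a brand label is a classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> dict:
    """Classify one hostname as legitimate, lookalike or unknown."""
    raw = [part for part in host.lower().rstrip(".").split(".") if part]
    if len(raw) < 2:
        return {"verdict": "unknown", "brand": None, "reason": "no registrable domain"}
    # Assumption: the registrable domain is the last two labels. Production
    # code should consult the public suffix list (co.uk, com.au, ...).
    registrable = ".".join(raw[-2:])
    if registrable in PROTECTED_DOMAINS:
        return {"verdict": "legitimate", "brand": registrable,
                "reason": "exact registrable domain"}
    norm = [normalize_label(part) for part in raw]
    sld, subdomains = norm[-2], norm[:-2]
    for brand in sorted(PROTECTED_DOMAINS):
        name = brand.split(".")[0]
        if name in subdomains:
            reason = "brand name used as a subdomain of an unrelated domain"
        elif levenshtein(sld, name) <= 2:  # threshold is a tunable assumption
            reason = "registrable label is a homoglyph or typo of the brand"
        elif name in sld:
            reason = "brand name embedded in a longer registrable label"
        else:
            continue
        return {"verdict": "lookalike", "brand": brand, "reason": reason}
    return {"verdict": "unknown", "brand": None, "reason": "no protected brand matched"}


def scan_email_body(body: str) -> list:
    """Extract every http(s) URL from an email body and classify its host."""
    findings = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if "@" in parsed.netloc:
            # https://www.paypal.com@evil.example/ : the browser connects to
            # evil.example; everything before '@' is ignored userinfo.
            result = {"verdict": "suspicious", "brand": None,
                      "reason": "userinfo before '@' hides the real host"}
        else:
            result = classify_host(host)
        findings.append({"url": url, "host": host, **result})
    return findings


# Constructed sample, modelled on the LinkedIn lure described in the article.
SAMPLE_EMAIL = """\
Subject: Unusual sign-in activity on your account

Review your recent activity at https://www.linkedin.com/notifications/
Confirm your identity here: https://www.linkedin.com.verify-session.net/login
Your PayPal wallet was limited, restore it at https://paypa1.com/signin
Microsoft 365 password expiring: https://micr0soft-account-verify.com/reset
Billing update: https://www.paypal.com@secure-update.example/login
Alternate link: https://p\u0430ypal.com/
"""

if __name__ == "__main__":
    for f in scan_email_body(SAMPLE_EMAIL):
        print(f"{f['verdict']:<10} {f['host']:<40} {f['reason']}")
```

The only "legitimate" verdict comes from an exact match on the raw registrable domain, before any normalization; everything else is scored against the folded labels, so a digit or Cyrillic substitution can never turn a fake into a pass. The same check runs on the landing-page URL after redirects, not only on the link text in the email.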
It is a common misconception that the only threats to enterprise security come from external actors. Whether intentional or not, 47% of organizational data breaches result from internal human error, such as a misplaced device or document. Moreover, some employees present a larger risk than others: according to recent reports, younger employees are more likely to bypass security controls they see as an impediment to their productivity. When onboarding new employees, young or old, enterprises must provide proper security awareness and anti-phishing training, backed by a strong privileged access management solution, to guard against the kinds of human error that create security vulnerabilities.
Have you ever received an email that looks completely legitimate, links to a website that looks real, and asks for personal information? It is becoming harder and harder to know who and what can be trusted. Phishing is the practice of trying to get an unsuspecting email user to engage with a message in some way: opening it, clicking a link, downloading an attachment, sending money, and so on.