What Are Phishing Attacks and How to Stop Phishing Attacks
Have you ever received an email that looks totally legitimate, links to a website that looks real, and asks for personal information? It is becoming harder and harder to know who and what can be trusted. Phishing is the practice of trying to get an unsuspecting email user to engage with an email in some way (opening, clicking, downloading an attachment, sending money, etc.).
More precisely, the FTC defines phishing as the act of using fake emails, texts or calls to get users to share valuable personal information or otherwise engage with emails. This valuable information can include account numbers, social security numbers, login IDs, passwords or payment information. Phishing attacks can target all types of individuals and all types of information. To understand how to best protect against phishing, it is important to first understand how phishing has evolved and the different forms it can take.
Evolution of Phishing Campaigns
As the large majority of phishing schemes are executed over email, email security has been at risk for almost as long as we’ve sent messages online. To contextualize phishing, phishing prevention and email security, let’s look at how it has changed throughout the years. The first types of phishing attacks occurred in the early 90s over the messaging platform America Online (AOL). As the 90s progressed and people became savvier at identifying internet and messenger schemes, hackers switched to attacking email communications. Not long after, hackers increased the sophistication level of email phishing by including domain spoofing, where they recreate websites to look similar to a real company site. Luckily, phishing prevention has evolved with new security threats. Now, with the right anti-phishing software and anti-phishing training, companies can protect themselves from exposure to attacks.
Most Sophisticated Types of Phishing Attacks
Today, credential harvesting is the most common type of phishing attack and has been around the longest. The practice started in 2003 with pages that resembled those of Yahoo and eBay to get user credentials. Hackers use login mimicry in phishing campaigns to capture the personal information of internet and email users. These scams take users to a page that is a near-perfect replica of other log-in pages users have seen many times before. When an individual inputs their personal information in the log-in form, the webpage captures the info and, in most cases, can actually send the user to the log-in page of the actual website; this means, in many cases, users don’t even know that their information has been compromised.
For example, although LinkedIn accounts are typically linked to personal emails, an email phishing scam from ‘LinkedIn’ was sent to a RevBits employee’s RevBits email, meaning the hackers had to do research to find what they thought was a LinkedIn account email. Luckily, we were using RevBits Email Security, a next-generation anti-phishing software, which indicated the link was a scam. For our own interest, we decided to investigate the link further, which took us to a web page that looked exactly like the real LinkedIn log-in page. Phishing emails, like this LinkedIn phishing scam, put companies at risk if they don’t have sophisticated anti-phishing tools like RevBits Email Security. To protect every company's future, it is vital that teams are outfitted with the latest email security and phishing prevention software.
Like spear phishing, whaling uses specific information from within an organization to trick others into engaging with an email or message. However, whaling, unlike spear phishing, is used specifically to target high-level employees like CEOs, COOs or CFOs with emails that appear to be from other members of the C-suite. The term whaling comes from the falsified sender of the emails, which are typically high-level executives or “whales”. Since these attacks are specific, they are even more difficult to detect.
For example, in 2016, an executive at Snapchat received an email that they believed was from the company’s CEO. As a result, this high-level Snapchat employee divulged payroll information to a hacker, forcing the FBI to get involved. Although these emails can appear to come from a person within the organization, the actual email address typically contains some minor misspelling or other clue that betrays its falsity. Security awareness training can help keep employees from sending along emails or information that may be harmful.
Another common type of phishing attack is spear phishing. Although not as common as credential harvesting, spear-phishing scams are more sophisticated. Like the LinkedIn phishing example, these email scams are sent from a seemingly known or trusted source. To make the attack more personalized and increase the likelihood of tricking the recipient, spear-phishing scams often include the recipient's name, company, phone number or other personal information. Social media sites are frequently used for these types of attacks because they include personal information (such as education or personal email) along with professional information (such as job title or organization).
Although it may seem difficult to detect these legitimate-looking phishing emails, the best phishing detection software can alert users to spear phishing. In addition to quality phishing detection tools, anti-phishing training sessions are another great way for employees to learn the warning signs of spear phishing.
Use Anti-phishing Solutions to Keep Safe
While phishing is still very prevalent and methods continue to grow in sophistication, so do phishing prevention techniques and technologies. There are two main elements to keeping companies safe: anti-phishing training and anti-phishing tools.
Security Awareness Training (Anti-phishing Training)
Security awareness training is typically a requirement among large and mid-sized companies. A little bit of training can go a long way when it comes to phishing prevention. It is extremely easy for hackers to make convincing fakes that even the savviest of email users would fall for. This is where anti-phishing training can help. These training sessions encourage employees to examine emails before shooting off responses or sharing sensitive information. They guide users on appropriate actions if they aren’t sure of a source’s legitimacy.
Email Security Technology (Anti-phishing tools)
Email security technology should work on multiple levels to keep companies safe. To test RevBits Email Security, we set up our own phishing campaign. With just a few clicks, we created a convincing login page for harvesting credentials that could fool even the most ‘sophisticated’ programs like McAfee’s Trusted Source. RevBits Email Security immediately detected the fraudulent campaign. To further secure our inboxes, RevBits Email Security obscured the URLs so we were unable to click them.
Phishing detection should scan all content from email addresses, links, URLs and attachments to detect the latest threats and report them to the user. Like RevBits Email Security, email security software should also have functionality that allows users to manually report suspicious emails, so users can continue to educate themselves on what to look for. RevBits advanced technology makes it easy for companies to not only avoid the latest threats, but also know how to recognize them when they arise.
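Two of the checks the text calls for, the misspelled sender address behind a whaling message and the scanning of sender addresses and links that phishing detection should perform, are demonstrated in the added Python example below. This is not RevBits code and is not from the original post; the trusted-domain allowlist, the executive name list and the three sample messages are all constructed for the demonstration.

```python
"""Added example (not RevBits code): sender-address and link checks of the
kind a mail filter runs when it scans addresses, links and URLs.
All domains, names and messages below are constructed for the demonstration."""
import re
import textwrap
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "linkedin.com"}   # assumed allowlist
EXECUTIVES = {"jane doe"}                           # assumed C-suite names, lower-case
HREF_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def edit_distance(a, b):
    """Levenshtein distance; one or two edits is the usual lookalike budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Crude 'last two labels' rule; adequate for the constructed samples here."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def lookalike_of(host):
    """Trusted domain that this host imitates, or None (trusted or unrelated)."""
    dom = registered_domain(host)
    if dom in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(dom, trusted) <= 2:
            return trusted
    return None


def host_of(text):
    """Hostname named by a URL or bare domain; '' if the text is not one."""
    url = text if "://" in text else "http://" + text
    return urlparse(url).hostname or ""


def analyse(raw):
    """Return the list of findings for one RFC 822 message string."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # Credential-harvesting pattern: sender domain one typo away from a real brand.
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain!r} resembles {imitated!r}")

    # Whaling pattern: an executive's name on an address outside our domains.
    if display.lower() in EXECUTIVES and registered_domain(sender_domain) not in TRUSTED_DOMAINS:
        findings.append(f"display name {display!r} used from untrusted {sender_domain!r}")

    # Link checks: visible text naming one site while the href points elsewhere,
    # or an href host that imitates a trusted domain.
    payload = msg.get_payload(decode=True) if not msg.is_multipart() else b""
    body = payload.decode("utf-8", "replace") if payload else ""
    for href, text in HREF_RE.findall(body):
        target = urlparse(href).hostname or ""
        shown = host_of(re.sub(r"<[^>]+>", "", text).strip())
        if "." in shown and registered_domain(shown) != registered_domain(target):
            findings.append(f"link text shows {shown!r} but points to {target!r}")
        elif lookalike_of(target):
            findings.append(f"link target {target!r} resembles {lookalike_of(target)!r}")
    return findings


# Constructed sample messages (dedented so the header block starts at column 0).
SAMPLES = {name: textwrap.dedent(raw) for name, raw in {
    "lookalike": """\
        From: LinkedIn <security-noreply@linkedln.com>
        To: employee@example.com
        Subject: Unusual sign-in
        Content-Type: text/html

        <p>Confirm your account:
        <a href="http://linkedln.com/login">https://www.linkedin.com/login</a></p>
        """,
    "whaling": """\
        From: Jane Doe <jane.doe@webmail-free.example>
        To: cfo@example.com
        Subject: Payroll
        Content-Type: text/plain

        Please send me the payroll report for all staff today.
        """,
    "legitimate": """\
        From: IT Helpdesk <helpdesk@example.com>
        To: employee@example.com
        Subject: Portal maintenance
        Content-Type: text/html

        <p>The portal is back: <a href="https://portal.example.com/">portal.example.com</a></p>
        """,
}.items()}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, analyse(raw))
```

The registered-domain rule and the two-edit threshold are simplifications for the demonstration; a production filter would use a public-suffix list, homoglyph tables for confusable characters, and the message's authentication results alongside these string checks.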
RevBits Email Security is a next-generation security solution that performs the deepest analysis of emails looking for the most sophisticated of email schemes. Current email security solutions operate on the gateway server of a company’s network, and to prevent latency in the company’s email delivery system, only a limited depth of analysis can be conducted on each email. However, by operating at the endpoint, RevBits Email Security utilizes the power of the individual client machine to conduct a deep, thorough analysis without creating latency in email delivery.
It’s a common misconception that the only threats to an enterprise’s security come from external actors. Whether intentional or not, 47% of organizational data breaches are the result of internal human error, such as a misplaced device or document. Moreover, some employees present an even larger risk than others. According to recent reports, younger employees are more likely to bypass security protocols that are viewed as an impediment to their productivity. When it comes to onboarding new employees, young or old, enterprises must have proper security awareness & anti-phishing training, in addition to a strong privileged access management solution, to guard against the different types of human error that could create security vulnerabilities.
Although email phishing has taken many forms throughout the years, the most common type of email scam is also the oldest. Since 2003, black-hat hackers have created domain names and web pages that look virtually identical to actual websites and have linked these copycat sites to vulnerable users via emails. It is increasingly difficult to tell the difference between a real web page and a fake one, especially for companies without sophisticated anti-phishing tools. For all companies, it's important to have the best anti-phishing solutions in place to ensure all data is protected and downtime is avoided.