Have you ever received an email that looks totally legitimate, links to a website that looks real, and asks for personal information? It is becoming harder and harder to know who and what can be trusted. Phishing is the practice of trying to get an unsuspecting email user to engage with an email in some way (opening, clicking, downloading an attachment, sending money, etc.).
More precisely, the FTC defines phishing as the act of using fake emails, texts or calls to get users to share valuable personal information or otherwise engage with emails. This valuable information can include account numbers, social security numbers, login IDs, passwords or payment information. Phishing attacks can target all types of individuals and all types of information. To understand how to best protect against phishing, it is important to first understand how phishing has evolved and the different forms it can take.
As the large majority of phishing schemes are executed over email, email security has been at risk for almost as long as we’ve sent messages online. To contextualize phishing, phishing prevention and email security, let’s look at how it has changed throughout the years. The first types of phishing attacks occurred in the early 90s over the messaging platform America Online (AOL). As the 90s progressed and people became savvier at identifying internet and messenger schemes, hackers switched to attacking email communications. Not long after, hackers increased the sophistication level of email phishing by including domain spoofing, where they recreate websites to look similar to a real company site. Luckily, phishing prevention has evolved with the new security threats. Now, with the right anti-phishing software and anti-phishing training, companies can protect themselves from exposure to attacks.
Today, credential harvesting is the most common type of phishing attack and has been around the longest. The practice started in 2003 with pages that resembled those of Yahoo and eBay to get user credentials. Hackers use login mimicry in phishing campaigns to capture the personal information of internet and email users. These scams take users to a page that is a near perfect replica of other log-in pages users have seen many times before. When an individual inputs their personal information in the log-in form, the webpage captures the info and, in most cases, can actually send the user to the log-in page of the actual website; this means, in many cases, users don’t even know that their information has been compromised.
For example, although LinkedIn accounts are typically linked to personal emails, an email phishing scam from ‘LinkedIn’ was sent to a RevBits employee’s RevBits email, meaning the hackers had to do research to find what they thought was a LinkedIn account email. Luckily, we were using RevBits Email Security, a next-generation anti-phishing software, which indicated the link was a scam. For our own interest, we decided to investigate the link further, which took us to a web page that looked exactly like the real LinkedIn log-in page. Phishing emails, like this LinkedIn phishing scam, put companies at risk if they don’t have sophisticated anti-phishing tools like RevBits Email Security. To protect every company's future, it is vital that teams are outfitted with the latest email security and phishing prevention software.Whaling
Like spear phishing, whaling uses specific information from within an organization to trick others into engaging with an email or message. However, whaling, unlike spear phishing, is used specifically to target high-level employees like CEOs, COOs or CFOs with emails that appear to be from other members of the C-suite. The term whaling comes from falsified sender of the emails, which are typically high level executives or “whales”. Since these attacks are specific, they are even more difficult to detect.
For example, in 2016, an executive at Snapchat received an email that they believed was from the company’s CEO. As a result, this high-level Snapchat employee divulged payroll information to a hacker, forcing the FBI to get involved. Although it can appear these emails are coming from a person within the organization, the actual email address typically has some sort of minor misspelling or clue in it that belies its falsity. Security awareness training can help keep employees from sending along emails or information that may be harmful.Spear Phishing
Another common type of phishing attack is spear phishing. Although not as common as credential harvesting, spear phishing scams are more sophisticated. Like the LinkedIn phishing example, these email scams are sent from a seemingly known or trusted source. To make the attack more personalized and increase the likelihood of tricking the recipient, spear phishing scams often include the recipient's name, company, phone number or other personal information. Social media sites are frequently used for these types of attacks because they include personal information (such as education or personal email) along with professional information (such as job title or organization).
Although it may seem difficult to detect these ‘legitimate’ phishing emails, the best phishing detection software can alert users to spear phishing. In addition to quality phishing detection tools, anti-phishing training sessions are another great way for employees to learn the warning signs of spear phishing.
While phishing is still very prevalent and methods continue to grow in sophistication, so do phishing prevention techniques and technologies. There are two main elements to keeping companies safe: anti-phishing training and anti-phishing tools.Security Awareness Training (Anti-phishing Training)
Security awareness training is typically a requirement among large and mid-sized companies. A little bit of training can go a long way when it comes to phishing prevention. It is extremely easy for hackers to make convincing fakes that even the savviest of email users would fall for. This is where anti-phishing training can help. These training sessions encourage employees to examine emails before shooting off responses or sharing sensitive information. They guide users on appropriate actions if they aren’t sure of a source’s legitimacy.Email Security Technology (Anti-phishing tools)
Email security technology should work on multiple levels to keep companies safe. To test RevBits Email Security, we set up our own phishing campaign. With just a few clicks, we created a convincing login page for harvesting credentials that could fool even the most ‘sophisticated’ programs like McAfee’s Trusted Source. RevBits Email Security immediately detected the fraudulent campaign. To further secure our inboxes, RevBits Email Security obscured the URLs so we were unable to click them.
Phishing detection should scan all content from email addresses, links, URLs and attachments to detect the latest threats and report them to the user. Like RevBits Email Security, email security software should also have functionality that allows users to manually report suspicious emails, so users can continue to educate themselves on what to look for. RevBits advanced technology makes it easy for companies to not only avoid the latest threats, but also know how to recognize them when they arise.
RevBits Email Security is a next generation security solution which performs the deepest analysis of emails looking for the most sophisticated of email schemes. Current email security solutions operate out on the gateway server of a company’s network and to prevent latency in the company’s email delivery system, only a certain level of depth of analysis can be conducted on each email. However, by operating at the endpoint, RevBits Email Security utilizes the power of the individual client machine to conduct a deep, thorough analysis without creating latency in email delivery.