This weekend in the InfoSec headlines we noticed a common theme: the proliferation and success of phishing and spearphishing campaigns across the globe. These headlines speak to a common misconception about insider threats. Popular imagination holds that insider threats are conducted by malicious ex-employees, disgruntled and deliberately seeking to ruin their former employers. Although those kinds of actors do exist and are a threat, the vast majority of insider threats come from everyday employees acting negligently or ignorantly. But make no mistake: an insider threat from human error can be just as damaging as one from a malicious actor. And phishing is the best way for hackers to take advantage of human error.
According to a recent Forbes article, 9 out of 10 InfoSec professionals feel their enterprise is vulnerable to an insider attack, and half of them have already suffered such an attack in the past year. According to SIEM vendor Barkly, the average phishing attack costs the victim enterprise $300,000.
Therefore, we’ve decided to break down phishing tactics and share the hygiene policies that can help keep your credentials and data safe.
What is Phishing?
Phishing is the umbrella term for hacking tactics that aim to deceive users into handing over their information willingly. The most well-known phishing tactic is to send an email or direct message posing as a trusted institution such as a bank or even as the IT department of your enterprise. This spoofed message will ask the user to verify their account information, providing a link to do so. If the user clicks on the link, they will be taken to a website designed to imitate the legitimate website down to the proper logo, style, and names of legitimate employees. The user will be prompted to input their credentials or information into this site, allowing the hacker to steal it with little effort.
The most common variation of phishing is spearphishing, a phishing tactic that targets a specific user directly rather than sending out a more generic, mass message. Spearphishing messages will reference user information to make their request seem more legitimate. For example, a spearphishing email posing as your IT department might reference your recent company outing. The details in these false messages will always be publicly available (pictures of your company outing may have appeared on your blog, as in the example above), but they will often be enough to lull users into a false sense of security.
The good news is that the tactics that counter phishing attempts can counter spearphishing too. All it takes is to educate your employees and privileged users in some common-sense digital hygiene practices.
Watch for Unusual Errors
The most common sign of phishing is poor writing. No institution and no writer is perfect 100% of the time, even the most distinguished. However, users should be on alert for messages from banks, websites, or their IT departments that have persistent spelling errors, stilted language, or grammatical and punctuation errors. This is often a sign that a hacker for whom English is not a first language is trying to pose as the legitimate party (a far more common occurrence than may be expected). Your employees should read all of their emails carefully, and should not respond to emails with these kinds of errors.
These errors will also extend to the spoofed website, so employees should keep a sharp eye out there as well.
Never Trust a Link
Phishing attempts hinge on their links; some of the links lead to the credential-stealing spoofed sites and other links instantly download malware when clicked to start taking advantage of your network’s security holes. In every instance, the link will be spoofed to look legitimate (although some of them may have spelling errors in them as well). You should train your employees and users to never go to websites via emailed links; they should instead type URLs into the browser address bar or use bookmarks to legitimate sites to navigate.
You can also hover over a link to see where it will actually take you; while the displayed destination can also be spoofed, it is much harder to do. Employees should check whether the link really leads to where its text claims, and should not click on links that don’t match up.
Additionally, any legitimate institution, social media site, or website will have https in front of its address and the closed lock icon next to the URL. This signals that the connection to the site is encrypted and that the site’s certificate was issued for that domain name. If a seemingly legitimate website does not have https or a closed lock symbol, employees should not trust it.
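The two link checks above (does the visible link text name a different host than the real href, and is the destination https) can also be automated for inbound mail. The following is an added example, not code from the original article; the sample email body and its domains are constructed for illustration.

```python
# Added example, not code from the original article: flag email links whose
# visible text names one host but whose href goes elsewhere, or whose
# destination is not https. The sample email at the bottom is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    # Lower-cased host of a URL or bare domain (scheme added if missing)
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def suspicious_links(html_body):
    """Return (href, reason) pairs for links that fail the article's checks."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if urlparse(href).scheme != "https":
            findings.append((href, "destination is not https"))
        # Visible text that looks like a domain but points somewhere else
        if "." in text and " " not in text and _host(text) != _host(href):
            findings.append((href, "text shows %s but link goes to %s"
                             % (_host(text), _host(href))))
    return findings


# Constructed sample: the first link mimics a bank address but points elsewhere
SAMPLE_EMAIL = ('<p>Verify your account at <a href="http://login-verify'
                '.example.net/bank">www.examplebank.com</a>. Help is '
                '<a href="https://www.examplebank.com/help">here</a>.</p>')
```

Running `suspicious_links(SAMPLE_EMAIL)` flags the first link twice (plain http, and text/host mismatch) and leaves the second alone.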
Unusual Requests, Be Warned
The best rule of thumb in preventing phishing techniques is that banks, social media platforms providers, HR departments, etc., will never ask for a user’s password or personal information over email, direct message, or text message. Nor will any such institution send an unsolicited gift, especially not one that requires a login or verification to obtain. In fact, no credible website will do this. Such emails should be deleted instantly. If your employee is truly in doubt, they should contact the institution in question directly over the phone.
Make Sure Your Privileged Users Are Also Trained
Privileged users are not immune to phishing tactics. Indeed, hackers desire their credentials above all, and will try to deceive them into compromising the network. But while the target may change (in these cases the campaigns are called whale phishing), and the spoofed sites may be different, the overall tactics do not. Make sure they are also aware of best practices in digital hygiene, and keep them from getting arrogant about their privileges.