The modern organization has a plethora of cyber security tools available for use: forced updates, multi-factor authentication, firewalls, VPNs, and more. Unfortunately, however, you can get all the technical stuff right and still remain vulnerable. While the technical controls continue to improve, the most reliable path towards compromise is, and always will be, hacking the human.
The most prevalent human-hacking technique today is phishing, and there’s no sign of it slowing down. Phishing, like its namesake, involves dangling some bait, usually in the form of a spoofed communication, and waiting for someone to bite, by mistaking it as legitimate and acting upon it. Because the victim initiates the malicious action, traditional security controls are never even engaged, and the victim essentially hacks themselves! Phishing gets its effectiveness from attacking a large number of people simultaneously, which inevitably results in some individuals falling victim purely by accident. Spear-phishing is a common variation on this attack that targets a specific individual, usually someone with greater access and authority (to abuse) than a regular user, like system administrators or executives.
Phishing attacks commonly attempt to redirect users to malicious URLs. These URLs may be clones of real sites built to harvest credentials. Others execute forged requests with a valid cookie, and some even download malicious files and launch exploits to gain access to the victim’s workstation. Once even a single workstation is compromised, its position inside the network and the additional access and information it provides allow it to be used as the starting point for further reconnaissance and attacks against the individual or organization.
Phishing is a relatively simple attack that can have profound consequences, and as such, we must take defending against it seriously. A common and effective way of addressing cyber security risks is to apply the principle of defense in depth, where multiple mitigations are used simultaneously to achieve a greater total effect. We can achieve that with the prevent-detect-respond framework for a human-centered attack like phishing where technical controls won’t work.
The best way to avoid becoming a victim is never to be a target. Become a “hard target” by increasing anonymity and becoming “harder to reach.” Avoid publishing your email address, company directory, and other contact information to reduce the risk of becoming a target of opportunity for a phishing campaign. Avoid publishing personal information in general, increase privacy settings where possible, and make account profiles private to reduce the available information that can be used against you in a spear-phishing attack. Consider using allow-listing to block unknown senders from communicating with you at all.
To detect a phishing attack, you have to know what one looks like. Spoofed sites and emails may look real because often they are cloned from original sources, but the details give them away, so mind the details. Be suspicious of unsolicited inbound communications, especially if they include sensitive or unusual requests. Verify that web links refer to the correct location by inspecting URLs for misspellings (i.e., typo-squatting; e.g., g00gle.com) and for correct base domains (i.e., domain-spoofing; e.g., google.com.xyz or google.abc.com). Alternatively, you can manually navigate to target sites to perform any work instead of using links. Assess the nature of the communication. Watch out for manipulative social engineering tactics, such as the simultaneous use of authority and urgency in a request (e.g., “I’m your boss, and I need it now!”), or favors shortly followed by requests. When in doubt, verify the sender and request via a trusted third party or through an alternate communication channel, preferably by initiating the communication yourself using known good contact information.
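The URL checks described above (a lookalike base domain versus a trusted name placed in the wrong position) can be automated as a small triage helper. The following is an added example and not code from the original article; the `TRUSTED_DOMAINS` allow-list, the homoglyph table, and the sample URLs are constructed for illustration, and `registrable_domain` deliberately simplifies the base domain to the last two labels (it does not consult the public suffix list, so names like `example.co.uk` would need extra handling).

```python
from urllib.parse import urlsplit

# Constructed allow-list: domains the user actually does business with.
TRUSTED_DOMAINS = {"google.com", "example.com"}

# Constructed table of digit/letter substitutions often used in lookalike names.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable_domain(host: str) -> str:
    """Return the 'base domain' as the last two labels of the hostname.
    Simplification (assumption): multi-label public suffixes such as co.uk
    are not handled; a real deployment would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a link as trusted, domain-spoof, typo-squat, unknown or invalid.

    domain-spoof: a trusted name appears as a label somewhere in the host
                  (google.com.xyz, google.abc.com) but the base domain differs.
    typo-squat:   the base domain matches a trusted one after homoglyph
                  normalisation (g00gle.com) or is within one edit of it.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return "invalid"

    base = registrable_domain(host)
    if base in trusted:
        return "trusted"

    labels = host.split(".")
    for t in trusted:
        # The brand label (e.g. "google") placed in a subdomain or before a
        # bogus suffix is the domain-spoofing pattern from the text.
        if t.split(".")[0] in labels:
            return "domain-spoof"

    for t in trusted:
        if base.translate(HOMOGLYPHS) == t or edit_distance(base, t) <= 1:
            return "typo-squat"

    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the article's own examples.
    for link in ["https://mail.google.com/", "http://g00gle.com/login",
                 "https://google.com.xyz/", "https://google.abc.com/",
                 "https://gogle.com/", "https://bing.com/"]:
        print(f"{classify_url(link):13} {link}")
```

The helper is a triage aid, not a verdict: an "unknown" result only means the link is not on the allow-list, and a "trusted" result still depends on the allow-list being maintained. Its value is in making the two URL inspections from the text explicit and repeatable, for example when reviewing links from a reported message.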
Responding to phishing is perhaps the easiest part. Since a successful attack relies on you to initiate some malicious action, once you have done the hard work of detecting a phishing attempt, all that’s left for you to do is stop, drop, and Rolodex.
Don’t do anything else. Don’t complete any transactions. Don’t download any files. Don’t click any links. Even the “unsubscribe” link in an email can be malicious, so stop interacting with the threat entirely.
Immediately drop all communications with the attacker. Do not reply to the email. Do not respond to the text. Hang up the phone. No explanation is needed. Just go silent and cease any further contact immediately.
Contact relevant security personnel to report the attack, notify any acquaintances who are also affected, and begin any cleanup required. Reported information is used to analyze threats, improve defenses, and train others. Notifying acquaintances allows them to begin their own response. Initiating a cleanup by canceling transactions, updating passwords, and scrubbing personal information prevents further compromise and starts to fix any damage.
Phishing isn’t going away. It’s a simple but effective human-hacking technique, and as long as people continue to take the bait, phishing will be with us. In fact, with the rise of deep fakes enabling voice and video spoofing, it’s likely only going to get worse. So act now to protect yourself and your organization for the future. Prevent phishing by limiting public information. Detect phishing through ongoing awareness training. Respond to phishing attacks using the stop-drop-Rolodex method. Even a single successful attack can lead to full compromise of your organization, so stay vigilant. When in doubt, check it out. Verify, then trust.
2900 Presidential Drive, Suite 155
Beavercreek, OH 45324
(833) 694 8496