Some cybersecurity challenges can be managed with technology and expertise. But even the best-defended organizations must make sure their employees are part of the solution. An employee that falls for a phishing email can provide an attacker with the keys to the kingdom: Valid access to the organization’s internal network.
The cybersecurity industry is replete with industry reports and surveys published throughout the year. The numbers differ from one to the other regarding the details but major trends stand out clearly. One of these is the ubiquity and effectiveness of the various kinds of phishing and other social engineering attacks in gaining access to an organization’s networks.
*Microsoft 2020 Digital Defense Report
** Proofpoint 2020 State of the Phish Report
^ KnowBe4 2020 Phishing Benchmarking Report
Phishing attacks are the most well-publicized form of social engineering – an attempt to manipulate a victim to perform an action that furthers an attacker’s goal. Getting someone to act against their own self-interest in the digital world has become a highly developed art, hence the moniker “engineering” is quite appropriate.
The most common form of phishing – also referred to as credential phishing – consists of a campaign of generic emails aimed at a general population or at a particular sub-section. The goal of these campaigns are to compromise the credentials of users or employees, in order to use these credentials for further organizational compromise. IBM’s Cost of a Data Breach 2020 reports that 19% of successful breaches were the result of stolen credentials, and furthermore that compromised credentials was the most expensive initial cause of malicious breaches.
These phishing emails usually mimic common business emails, such as password reset requests from Office 365 or Gmail for Business. According to Microsoft’s Digital Defense Report 2020, the most commonly spoofed brands in general recently have been Microsoft, UPS, Amazon, Apple and Zoom.
Where classic phishing campaigns cast a wide net, a spear phishing attack targets high-value accounts. The value of a target may be due to their individual value, or to the role or function they play in an organization. For example, the IT admins of an organization will usually have the highest level permissions to access any organizational assets, therefore the IT department may specifically be targeted. Employees in the finance or HR departments are also common individual targets.
Malicious actors will often expend considerable time and resources in preparing these high-value spear phishing campaigns. They utilize a variety of intelligence-gathering techniques, often relying heavily on social media, to create a compelling social engineering attack custom-fit to the target. For this reason, Microsoft’s 2020 DDR reports that 44% of the successful breaches they responded to utilized spear phishing as the initial attack vector.
Vishing refers to phishing attacks which use the voice instead of email as the attack vector. For example, an employee may receive a malicious automated call requesting they enter their multi-factor authentication token. If the attacker already has a hold of compromised credentials from a prior data breach, this token will now allow them full access to the employee’s company documents and data.
Smishing refers to the use of SMS or other texting method to fool someone into carrying out an action in the attackers interest. Smishing, similarly to vishing, takes advantage of the fact that social engineering attacks are more commonly associated with malicious emails in the general populace’s mind.
Business Email Compromise is the second of the two main forms of phishing identified in Microsoft’s 2020 Digital Defense Report (the first being credential phishing). Business email compromise (“BEC”) occurs when an attacker gains access to an email account trusted by the employees of an organization – for example, the email account of an employee or business partner. The attacker then utilizes this account to communicate with unsuspecting employees within the target organization – often to have them unwittingly wire money to the attacker’s account.
Don’t wait for the inevitable phishing attacks to arrive in employee inboxes. BrotherKeep’s partner KnowBe4 – the world’s leading security awareness training platform – reports that while an average of 38% of employees fail their first simulated phishing test, that number drops to 14.1% after 3 months of training, and to just 4.7% after a year. Bottom line: The right security awareness training is unquestionably effective in reducing the threat of successful phishing attacks.
Awareness Training I
A simulated phishing campaign is a great way to test an organization’s vulnerability to phishing attacks. It’s also one of the best ways to raise employee awareness to such threats before they fall for a real-world attack. Our phishing simulation campaigns are crafted to mirror actual timely malicious attacks – on the road to learning failing often comes first – so better to fall for a simulated attack first and be ready for when the real one comes.
Awareness Training II
Security awareness training is only effective if it engages its audience. Through our partnership with KnowBe4, we provide clients with some of the most entertaining and informative security training material out there, with the highest production value in the industry. Some of it will even make you laugh.
Awareness Training III
BrothersKeep partners with KnowBe4 to provide clients with advanced phishing campaign simulation capabilities and new-school awareness training. KnowBe4 is the world’s largest integrated platform for security awareness training combined with simulated phishing attacks, with over 35,000 customers.
According to the Verizon Data Breach Incident Report, 86% of successful attacks in 2019 originated with a phishing email. Phishing attacks are successful because they appeal to the emotions of the target – such as anxiety, fear and stress. For this reason they are hard to protect against, even with advanced technology. The most effective solution is to cultivate a security awareness and learn to recognize the signs of a suspicious email.
This will depend on the attacker’s end goal and method of operation. Some links may download malware to the victim’s computer. In attacks where credentials are being harvested, clicking on a link in a phishing email may bring you to a malicious landing page. These pages are often crafted to look like legitimate websites such as the login pages of O365, LinkedIn or Facebook. If the victim inputs their credentials, the credentials may be captured by the attacker.
Phishing emails come in a wide variety of formats, topics and quality. Many times they refer to current events, such as scams related to the time of the year (holidays) or to trending news items such as coronavirus. They often intentionally convey a sense of urgency, in order to get the target’s judgement off balance, in order to cause them to come to a hasty conclusion (action). Depending on the sophistication of the attacker, some phishing emails may be tailored to a specific person or department, with details that may falsely build confidence in the email’s legitimacy. Spending a little extra time examining a suspicious email, before clicking, almost always reveals signs that should raise a red flag. Jigsaw’s phishing quiz (a Google project) is a great way to quickly learn and test your ability to distinguish between a legitimate email and a malicious one.
If you have clicked on a link from a work email that you believe may have been malicious, the first two things to do are (1) disconnect the device from the internet and (2) notify your IT department. If you entered credentials on a site linked to the suspicious email, either you or your IT admin should immediately change the compromised password. At this point, depending on the circumstances, it may be wise to backup the files on your potentially compromised device. A malware scan of your system should be performed to discover if any malware has been downloaded as a result of the interaction with the malicious email or site.
Phishing emails are one of the tools used by hackers to “social engineer” their targets. It is usually the case that getting past a technological security barrier is harder than tricking an employee into compromising their own systems. Social engineering is based on an understanding that human judgement can be quite fallible, especially in a moment of stress or fear, and that manipulating people’s judgement can often make them act in predictable ways. The truth is that anyone can fall prey to a phishing email if the “wrong” circumstances come together in just the right way.
The best way to keep safe while using email is to become a security-aware user. Just as a person walking down the street maintains a certain awareness about their physical safety, such an awareness must also be cultivated while using the internet, which brings the whole world to every individual’s virtual “doorstep”. There are many resources freely available on the web to help you educate yourself, such as Jigsaw’s phishing quiz.
