03 Aug Lets go phishing
Over the last several months I’ve spoken with several clients about phishing attacks. They’ve been wondering why they are so hard to combat.
I thought I would take some time to talk about this in more detail.
First it is important to understand the emotional tools attackers will employ to succeed. Trust, and urgency are the two most common (and successful) emotions attackers rely on and used together have proven to be very effective.
Trust is a fairly obvious emotion to leverage. If an attacker sends a well-crafted e-mail impersonating a trusted source, with a reasonable request, people are likely to click the link. Why? The user trusts the sender because they recognized the name, even though they likely did not verify the identity of the sender. Identity verification is important. How do attackers leverage this trust? Often times it is by impersonating, they disguise the sender’s identity to look like a person or organization we trust.
Disguises used by attackers have gotten MUCH better. After all, in the past it was pretty easy to figure out that I am not really e-mailing with a rich Nigerian King. Today however I get notifications from LinkedIn every day, I get notices from Microsoft every day, I get updates and requests from internal team members every day. Attackers have gotten very good at knowing what kind of notifications people get, what kind of requests people get, and what requests are trusted by users. I have heard users say things like “I only clicked on the link because I knew the person who sent me the e-mail”. Did you really? Again, the goal of these types of attacks is to leverage trust. When you hear about a “zero trust” strategy, this is what is meant. It is really important that we do not trust notifications from familiar sources, but that we confirm the sender’s identity.
Urgency is also a key emotional strategy employed by attackers. When you get an e-mail from someone saying they need something done now or bad things will happen you should automatically be suspect. Example of this is “Your bank account has been compromised; you must change your password immediately to prevent unauthorized withdrawals”. Wow, that is very urgent, it also has some very bad consequences if you do not do it, and very often it is a phishing scheme to get you to enter your current credentials into the attackers portal, cleverly disguised as your banks website.
A problem I am seeing more and more is an over reliance on security tools to compensate for good digital practices. Just because you have anti-virus, just because you have link sandboxing, does not mean every attack will be stopped. We had a customer get compromised because they clicked on a link in an e-mail, and they asked why the link sandboxing did not work. Because in this case the link pointed to a google web page, that ran a web site that asked for username and password. This in itself is not intrinsically bad and cannot be evaluated as bad. But dress that page up to look like Microsoft O365 login, and you have now just given an attacker the credentials to your e-mail.
The biggest risk in computer security is users. As IT professionals we can put anti-virus on every computer, we can implement great firewalls and scanning software on workstations and servers, but all it takes to defeat corporate security is a user that clicks on the wrong link from the wrong person. One of the best security investments a company can make is an investment in user training. Take the time to train users on how to spot fake e-mails, what to do if they get a phishing e-mail, and most importantly test your users so you know who needs more training. NPI has some great tools to help organization elevate their users awareness, a key component in any IT security strategy.