With the first phishing attack originating more than a quarter-century ago [1], this malicious activity is nothing new. Yet, business leaders still struggle to help employees avoid becoming victims.
Phishing exploits, the primary goal of which is to gather sensitive personal or corporate information, often lead victims to counterfeit Web sites that trick them into divulging private data such as usernames and passwords. Increasingly, the sites encourage them to click links that enable direct data collection from the victim’s phone, computer or other Internet-connected device.
A prime example of a successful phishing attempt was the January 2022 attack on Sacramento County [2], where a phishing scam led to a data breach that exposed thousands of records containing protected health information (PHI) and personally identifiable information.
Fighting Phishing Isn’t a Battle — It’s a War
An article [3] published in January 2022 by the Anti-Phishing Working Group (APWG) was sobering, to say the least. This international consortium works to eliminate phishing-related fraud and identity theft by collecting, analyzing and exchanging lists of sites confirmed to be collecting credentials illicitly. The APWG works closely with government entities such as US-CERT — an arm of the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Per the APWG, phishing reached a monthly record in Q3 2021 — double its pace in early 2020. There were 260,642 attacks in July 2021 alone, which was the highest monthly attack count recorded in APWG’s reporting history. In September 2021, APWG detected 214,345 unique phishing sites.
These sites can look very real, too. They may even have a URL that is close to a real, trusted one, such as www.johnsplace.shopping.com versus www.shopping.johnsplace.com; the first actually belongs to shopping.com, the second to johnsplace.com, and only the part just before the top-level domain tells you who really owns the site. Aggravating the problem, newer and more sophisticated phishing attempts can trick or even bypass many spam filters and signature-based security products.
Stopping Phishing from Hooking Your Users
The good news is that business leaders and their staff don’t need to wait like sitting ducks. From sophisticated email filtering solutions to user awareness training and simulations that teach employees how to spot malicious emails and messages, the scammers can be beaten. Following are a few executive tips.
Teach Users to “Just Say No.”
Any firm can be a target in the current cyber warfare landscape. Nevertheless, business leaders who educate their workforces to spot and report phishing attacks have a much better chance of escaping unscathed. At Novatech, we recommend using a third-party solution, either in addition to or in place of in-house education — especially if your firm doesn’t have security experts on staff. KnowBe4 (https://www.knowbe4.com/) is one that we have found to be very helpful and thorough. There are others that are pretty good.
Training must be both broad and deep, and it should be reinforced with corporate policy making. Important aspects of a thorough program include:
- Educate users to accept their innate gullibility and teach them to identify phishing emails. Monetary inducements, such as a spoofed notice of an impending raise or bonus, are the most compelling tricks.
- Establish internal company policies that prohibit financially or personally sensitive information, such as the “raise notification” mentioned in the previous item, from being sent via email. Then ensure management sticks to that policy.
- Instruct personnel to be alert to phishing scams that do not arrive via email. Criminals have learned that sending fraudulent text messages, a practice called “smishing” — aka SMS phishing — is an excellent way to lure users into providing personal or financial information.
- Teach users the “security tricks of the trade.” For example, the Edit Hyperlink feature in Word and some other programs enables a cybercriminal to make the “Text to Display” different from the actual site URL. It might read cybersecuritycentral.com, but its underlying link could be anything. Users can check a link’s validity by hovering over it to see whether a different address pops up. The pop-up is the real link, and if it doesn’t match the displayed link, the user shouldn’t visit it. Another option is to copy the link, paste it into a text document, and examine it.
- Finally, stay abreast of emerging scams involving falsified websites and update users regularly. Some cybercriminals are even creating “scam alert pages” that purport to be warning firms and their customers about emerging threats but are actually stealing their information.
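The “hover over the link” check above, and the lookalike-URL point made earlier (www.johnsplace.shopping.com versus www.shopping.johnsplace.com), can both be automated for an HTML email body. The following is an added example written for this article, not code from the article, from Novatech or from any product it mentions. It parses every anchor in a constructed sample message, and whenever the visible text itself reads like a URL or domain, it compares the registrable domain of that text with the registrable domain of the real href. The sample hosts are constructed, reusing the article’s own illustrative names, and the registrable-domain helper is a deliberate simplification (last two labels; it ignores multi-label public suffixes such as co.uk, which a real deployment would handle with the Public Suffix List).

```python
"""Flag hyperlinks whose visible text does not match their real target.

Added example (not from the original article): automates the
'hover to see the real link' check over an HTML email body.
Standard library only, so it runs offline.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body. Hosts are illustrative only and reuse
# the article's own example names; nothing here is a real site.
SAMPLE_EMAIL_HTML = """
<p>Your bonus notice is ready. Review it at
<a href="http://www.johnsplace.shopping.com/bonus">www.shopping.johnsplace.com</a></p>
<p>Or read the FAQ:
<a href="https://www.shopping.johnsplace.com/faq">https://www.shopping.johnsplace.com/faq</a></p>
<p>Questions? <a href="https://cybersecuritycentral.com.example/login">cybersecuritycentral.com</a></p>
<p><a href="https://www.shopping.johnsplace.com/help">Help centre</a></p>
"""


@dataclass
class LinkFinding:
    text: str      # what the reader sees
    href: str      # where the click actually goes
    verdict: str   # "ok", "mismatch" or "opaque"


class _AnchorCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # None while not inside an <a>
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_of(value: str) -> str:
    """Lower-cased hostname of a URL or bare host string ('' if none)."""
    if "://" not in value:
        value = "http://" + value   # let urlparse treat a bare host as a URL
    return (urlparse(value).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two DNS labels of a host, e.g. www.johnsplace.shopping.com -> shopping.com.

    Simplification (assumption): ignores multi-label public suffixes such as
    co.uk; a production check would consult the Public Suffix List instead.
    """
    labels = host.strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_host(text: str) -> bool:
    """True when the visible link text itself reads as a URL or domain name."""
    return "://" in text or ("." in text and " " not in text)


def check_links(html: str) -> list:
    """Return one LinkFinding per anchor in the message."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        if not looks_like_host(text):
            # Text like "Help centre" gives nothing to compare; the user
            # still has to hover (or copy the link out) to see the target.
            verdict = "opaque"
        elif registrable_domain(host_of(text)) == registrable_domain(host_of(href)):
            verdict = "ok"
        else:
            verdict = "mismatch"   # displayed domain and real domain differ
        findings.append(LinkFinding(text, href, verdict))
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL_HTML):
        print(f"{finding.verdict:8} text={finding.text!r} -> {finding.href}")
```

Run on the sample, the first and third anchors are reported as mismatches (the text names johnsplace.com and cybersecuritycentral.com, the hrefs go to shopping.com and com.example), the FAQ link checks out, and “Help centre” is marked opaque because a wordy label gives the check nothing to compare with; that last case is exactly where the hover-and-inspect habit taught above still matters.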
Encourage Personnel to Lock Down Their Online Information.
It’s amazing how much personal information criminals can glean from social media, professional profiles and other online sources. If users adjust their settings, they can ensure that only people they trust can view that data.
With the growth of machine learning and artificial intelligence, cybercriminals will soon be even better positioned to collect and organize this information for productive use, making this practice an imperative.
Sophisticated, socially engineered phishing emails may be able to evade detection by many email filters. However, diligent users can still catch them. Phishers prey on the oldest of human foibles — their emotions. By using text that arouses curiosity, sympathy, greed and/or fear, and pairing it with a compelling sense of urgency, they can dupe unwitting workers. Don’t let your workforce be unwitting.
In addition, teach them to look for quirks in email messages, such as bad grammar and spelling and/or unfamiliar or impersonal greetings. Salutations such as “Dear friend” as opposed to “Dear Jane” should arouse suspicion.
Discourage the Use of Attachments
Most companies now use secure file-storage platforms such as OneDrive, Teams or Dropbox. These can also be used for sharing files with other employees. Make this a requirement and discourage the use of attachments in internal emails.
Eliminate Blind Spots
Business leaders and their teams cannot protect what they can’t see. If your organization doesn’t have in-house security teams with visibility into all your technologies, from cloud and on-premises applications to networks, services, databases, endpoints and more, you should work with a provider who can help you achieve that visibility.
Furthermore, you should maintain a comprehensive, accurate, prioritized inventory of all your software, hardware and IT assets. That enables security teams to systematically determine what should be safeguarded and which controls are needed to protect against, defend against and respond to damaging events. Improving your current security posture will be critical now and into the future.
Finally, security teams should be able to identify and produce metrics that provide meaningful insight into the status of the organization’s security posture. If yours can’t, it’s time to bring in the experts.
Use Technology as Your Weapon
Last, but absolutely not least, leverage advanced technologies to strengthen your defenses. At Novatech, alongside KnowBe4 for user education and training, we recommend Mimecast for email security with targeted threat protection, on top of a modern security defense.
We have developed a Cybersecurity self-assessment score card. If you would like a copy, shoot me an email at Dave.firstname.lastname@example.org.
I encourage all business leaders to perform their own due diligence and determine whether these or other solutions would be better fits for their firms. I also urge them — and you — not to wait too long. The clock is ticking.