Nothing personal: Training employees to identify a spear-phishing attack

Phishing attacks have morphed into a worldwide criminal industry. In recent years, threat actors have refined their methods of phishing, becoming increasingly more sophisticated as people have become wise to the traditional, obvious and unrealistic emails, which now often trigger suspicion.

An increase in employee training and improved general awareness of cyber security has forced cyber criminals to change their tactics and take a more personal approach, known as spear-phishing.

According to The Cyber Security Breaches Survey, phishing is the most commonly identified cyber attack among businesses that have identified any breaches or attacks, with 83% experiencing this in 2021.

Organisations need to understand what to expect from future phishing attacks. By taking advantage of the right digital security tools, businesses can reduce the number of phishing emails reaching users' inboxes.

To stay in front of new phishing attack techniques, it's also essential that employees have all the knowledge they need to spot a potential phishing attack that goes undetected, including how attack content differs from legitimate emails.

Connect with Jamie on Enterprise Nation for more cyber-security information and advice

Keeping up with sophisticated attacks

Much of the information that circulates about phishing attacks becomes quickly out of date. Cyber criminals are continuously inventing new strategies to penetrate organisational defences and gain victims' trust.

For example, social media platforms such as LinkedIn can provide a range of information that allows cyber criminals to imitate colleagues and discuss recent company news – all adding to the realism of the spear phishing attempt.

There are various types of malicious content that you need to be aware of:

• Malicious attachments: The common goal of malicious attachments is to install malware on your machine. This could be malware that provides remote access to your network or steals information, ransomware, malware that sends emails on your behalf, and more.

• Malicious links: Links can lead to malware or spoofed login pages – most often for Office 365, accounting platforms, and other cloud-based applications – designed to capture the login credentials you've entered.

• Malware-less emails: Some phishing emails rely purely on social engineering and use no actively malicious content. Fraudsters attempting business email compromise (BEC) and CEO fraud often take this approach and attempt to convince you to take action such as:

  • modifying banking details

  • wiring money

  • purchasing and sharing gift cards

  • providing confidential company details

For your business to best protect its operations, it's critical you can see all the activity and changes within your entire environment so you can understand when and how attacks are occurring.

No security solution can provide full protection against any type of cyber attack. What's needed is a concentrated effort in strengthening the weakest point in a security strategy – the human factor.

Hardening the human attack surface

An email-borne spear-phishing cyber attack is designed to get the recipient to act in the desired way — whether it's:

• clicking a link

• opening an attachment

• giving up information in a reply

• performing a business-related action (for example, initiating a wire transfer)

In almost all cases, the attack depends solely on how recipient engages with the email’s content. Regardless of whether malicious attachments or links are used, social engineering plays a significant role in spear-phishing, to convincingly fool the user.

Cyber criminals are continuously getting better at their craft, making phishing emails and web pages look, sound and feel increasingly legitimate.

One way for organisations to ensure their users can spot a potential phishing attempt is to implement security awareness training. Training is a vital tool to teach users the importance of secure daily habits, as well as how to spot the key elements of an attack.

In addition to suspicious links and attachments, users need to be aware of the following elements that attackers might use in a spear phishing campaign:

• Sender/sending details: Users should check who is sending the email in the first place; look closely at the domain the email has apparently been sent from. Look at the spelling and the use of homographic characters to impersonate a company or an individual.

  Also, take note of the email address and name of the sender. The misalignment of sender details is a good first indicator that something may be wrong. IT and security teams can additionally look at the IP address of the server sending the email, the age of the domain, DNS servers, domain registrar, and SSL certificate authorities as ways of validating authenticity.

• Recipient: Threat actors will often target a recipient in a higher-risk category, such as someone with access to financial information, intellectual property, customer data, etc.

• Subject: Looking at the subject can help determine legitimacy. Misspellings, incorrect grammar, and any other signs that the email is unusual or abnormal from those emails usually received is an indication of a phishing attempt.

• Body/content type: While most emails are HTML these days, it’s important to note whether the email supports tags and links that are used commonly in phishing emails.

On top of educating users and implementing training to recognise these elements, organisations can also take a more active approach by periodically attempting to phish their users.

Phishing testing provides IT and security teams with a feedback loop on where their security is weakest. Testing also helps to reinforce the security culture of the organisation.

Despite these measures to educate users about the risks, detecting a phishing email takes more than just scrutiny.

It often requires a layered approach to provide greater insight into the series of actions being taken before it’s recognised as being malicious. The activity created by the simple clicking of a malicious attachment or link may only be partially recognised by a given security solution.

What may be needed is an ability to centralise and review disparate data from a variety of network environment sources and security solutions to understand whether the suspicious activity is malicious.

This means if users fail to identify a suspicious email, security teams can detect phishing attacks themselves.

Be vigilant

Phishing attacks can have a significant impact on organisations, including loss of data, credential compromise, ransomware infection, other types of malware infections, reputational damage, and financial loss.

With the cost of a data breach reaching a massive $4.24 million on average in 2021, organisations cannot afford to overlook the importance of deploying a solid security strategy.

Deploying a layered strategy built on detection, hardening the human factor, and complete visibility will minimise the risk of successful phishing attacks while improving the ability to detect and remediate them.

This blog appeared first on Help Net Security.

Relevant resources

• Cyber security for small businesses: A basic guide

• Cyber security for small businesses: What is phishing and how can I protect against it?

• Top cyber-security threats and how to tackle them