July 19, 2018
Set sail with our phishing 101.
Fishing is great. Phishing is not. That’s Phishing 101.
Just kidding, I’ll tell you a little bit more. In the simplest terms, phishing is a method of social engineering (deception) used to gain access to a user’s social media account, bank account, or another protected resource by using a message, like email or text, to trick a user into providing their access credentials. Once the user reveals a username and password, the criminal will access the account to hijack information from it, which can be as harmless as posting spam or as devastating as draining a bank account. In summation, phishing is no joke.
A report from Cloudmark reveals “42% of respondents surveyed feel that the trust in a brand would be greatly reduced if they received a phishing email claiming to be sent by that brand.” So when it comes to user trust, phishing will leave an enduring impact on your domain and brand even after the attacks stop. Plus, some brands don’t even realize their domains are being used in phishing attacks, yet the damage to their reputation is done. Do you know what email is going out on your behalf?
There are several types of phishing attacks:
Standard phishing: Messages impersonating a well-known brand sent with the intention of accessing user credentials. Typically these attacks are widespread and untargeted, in hopes of sending enough email to reach at least some of the brand’s audience, further hoping a portion supplies access to their accounts.
Spear phishing: Highly targeted emails commonly used to target specific roles within a business to grant the malicious sender access a specific part of a network, or achieve something particular, like stealing credentials or transferring funds into their accounts in their control. These attacks are harder for the average user to identify, as they are personally addressed to the individual, and may contain real information gleaned from other social engineering tactics.
Business Email Compromise (BEC): Usually targeted to a specific individual, and include instructions “from” a senior executive or other respected authority. The addresses used to send these messages are usually very similar to the actual individual being impersonated, and the instructions might sound totally feasible. The CEO asks for funds to be transferred to complete a purchase? For some roles within the company, that could be legit. The FBI estimates $1.2 billion in losses occurred from BEC scams in 2015.
How do you protect yourself and your company from being a victim of phishing?
Get educated. This is an integral step toward protecting yourself and your organization from phishing. OpenDNS has an online phishing quiz you can take to see if you are savvy enough to know the difference between a fake website and a real one. As a benchmark, I got 14/14 right. Let’s see if you can get on my level. If your organization hasn’t invested in phishing awareness training for employees, we strongly suggest it. Check out Cofense (formerly PhishMe) or Wombat Security (now a part of Proofpoint).
Improve business processes. When dealing with large monetary transfers, build a secondary verification into the process. Anything over $X (X being your company’s comfort level) requires two forms of verification from the requestor. This could be an email supplemented with a phone call or a signature from the requestor’s manager. Put this process in writing, inform the company, and stick to it, whether it’s a request from the “CEO” or a lower-level accountant. Every person follows the process, especially if there is any doubt at all about the legitimacy of the email.
Invest in solid technology. A good anti-spam solution is your first line of defense, and it will help catch many of these fraudulent emails before they reach your inbox. Increasingly, these tools work with email authentication solutions like SPF, DKIM, and DMARC. You can learn more about all three in the 250ok Deliverability Guide. Also, once you’ve properly authenticated your email, consider taking the next step with Brand Indicators for Message Identification (BIMI). While it’s in beta now, you can use this time to get your house in order so you can opt-in when it opens for broad use.
Craft a response plan. Mess-ups happen. Knowing there’s a plan in place in case a phishing attempt is successful will help organize your team to potentially minimize the access given to a potential attacker. This plan should include your senior IT resources, financial teams, and communication groups to help mobilize any of the necessary resolutions including system hardening, network forensics, financial management, or communications (internally and externally). Ever considered cyber insurance covering breach and BEC compromises? Think about it, especially now, before the issues become more prevalent to your organization.
Much like regular fishing, phishing is likely here to stay, but unfortunately for us, phishing leaves us at risk of getting caught. Continue to build your resources, including education, defense systems, contingency plans, and so on, to keep potential impact at a minimum.
You may also like...
It’s hard to believe we are nearing the end of yet another exciting year in email, and 2019 proved to be one of the most momentous and active years to date. Over the past year, the number of new technologies, mergers and acquisitions, mailbox provider (MBP) announcements, news, and highlights is evidence of the versatility […]
I recently gave a presentation on global privacy regulations to a post-graduate marketing class and one of the things I noticed while preparing was that even within a single country, privacy is complicated. On a global scale, it is really complicated. For example, Canada has one federal private sector privacy law, three similar provincial laws, […]
*Update: This article was featured on email influencer Jordie van Rijn’s emailmonday blog! To see it in action, plus a great round-up of other articles and thought leadership looking forward to the future of email, click here.* The Black Friday emails are deleted, marketers’ email lists are checked twice, we pretty much know which senders […]