Webinar Recap: Blocking Phishing Attacks Before Employees Bite
Nearly every business—from the largest enterprises to SMBs with a handful of employees—relies on email as its primary method of sending and receiving information. And since the average company uses more than 200 different software solutions, employees are accustomed to regularly receiving emails asking them to do things like confirm their identities and reset their passwords.
When you take those two facts into consideration, it’s not surprising that credential phishing attacks are the most common email-based threat organizations face.
In a recent webinar, I sat down with Graham Cluley, cybersecurity expert and host of the Smashing Security podcast, to discuss the latest in phishing attacks.
Here are five key takeaways from the webinar.
Modern Phishing Emails Are Significantly More Believable Than Early Phishing Emails
Many professionals are operating under the assumption that today’s phishing emails are just as poorly worded or obviously malicious as those from ten years ago. But modern threat actors design detailed phishing emails and sophisticated phishing sites that are nearly indistinguishable from the impersonated brand’s actual messages and website.
For example, many attackers use links to the brand’s real website in the header and footer of the email, and then only include a single link to the phishing site in a CTA. When a target hovers over one of those other elements and sees it's a legitimate link, it can be enough to convince them the email was sent from the impersonated brand.
Further, it’s relatively easy for threat actors to determine which email provider an organization uses. And once they know, they can create phishing emails using Google’s or Microsoft’s own branding, fonts, and logos.
Attackers Leverage Every Information Source Available
Social media networks are filled with information that threat actors can exploit.
Attackers can look up a specific organization on LinkedIn and find all of the employees who have recently been hired. Then, they can send an email pretending to be from HR and tell the recipients they need to log in to view new hire paperwork. Since the targets haven’t received security awareness training yet and are expecting messages like these from HR, they hand over their credentials without thinking twice.
Additionally, public companies in the U.S. are required by the SEC to publicly disclose information about their finances and operational updates that impact the business—such as changes in executive leadership. Attackers will monitor news outlets for these kinds of announcements and then send phishing emails impersonating the new executive.
Threat Actors Know How to Bypass Malicious URL Detection Tools
Threat actors recognize that the phishing site URL is crucial, as it can make or break the attack.
To evade email filters, some attackers will take advantage of URL shorteners like Bit.ly to obfuscate the actual URL destination while others will first send targets to a legitimate website and then automatically redirect them to the phishing site.
Threat actors will also hide the malicious URL within a file on a trusted cloud hosting service. Because the link in the email has a domain of drive[.]google[.]com or dropbox[.]com, a traditional email security solution will not flag it as suspicious. But when the target clicks on the link, it takes them to a file that contains a link to the phishing site.
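As an added example (not from the webinar or the original post), here is a small Python link review that applies the three tactics described above to a constructed HTML email: a lone link whose domain differs from the many brand links around it, a link through a URL shortener, and a link into a cloud file host. The shortener and file-host lists, the sample email, and the "three or more links to one brand" threshold are assumptions made for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists for this example; a real deployment would maintain these.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
FILE_HOSTS = {"drive.google.com", "docs.google.com", "dropbox.com"}

class LinkCollector(HTMLParser):
    """Collect every href from <a> tags in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)

def registrable_domain(url):
    """Crude 'brand' domain: last two labels of the hostname."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def review_links(html):
    """Return human-readable findings for the link patterns the recap describes."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    domains = Counter(registrable_domain(h) for h in collector.hrefs)
    if domains:
        top, top_count = domains.most_common(1)[0]
        # Many links to one brand plus a single link elsewhere: the CTA pattern.
        for domain, count in domains.items():
            if domain != top and top_count >= 3 and count == 1:
                findings.append(f"single link to {domain} among {top_count} links to {top}")
    for href in collector.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"shortener link: {href}")
        if any(host == f or host.endswith("." + f) for f in FILE_HOSTS):
            findings.append(f"cloud file-hosting link: {href}")
    return findings

# Constructed sample: three real-looking brand links and one odd reset link.
SAMPLE_EMAIL = """<a href="https://www.example-bank.com/">Home</a>
<a href="https://www.example-bank.com/help">Help</a>
<a href="https://www.example-bank.com/privacy">Privacy</a>
<a href="https://login-verify.example.net/reset">Reset your password</a>
<a href="https://bit.ly/abc123">Unsubscribe</a>"""
```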
Attackers Take Advantage of Email Rules and Filters to Maximize Impact
After an email account has been compromised, threat actors will often create a rule to BCC an external email address on all messages. This allows them to gather intel without having to repeatedly sign in to the account and potentially trigger a “suspicious login location” alert from the email security software.
Threat actors may also create email rules to prevent the user from receiving warnings that might make them aware of the issue. The attacker will create a filter that automatically deletes any messages with trigger words such as “hack”, “phishing”, or “alert” in the subject line. Then, even if the IT team recognizes that a credential phishing attack has occurred and sends a mass email to the workforce, the employee who has been phished will never receive it.
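As an added example (not from the webinar or the original post), here is a Python audit of mailbox rules that flags the two post-compromise patterns just described: copying mail to an external address, and silently deleting messages whose subject contains warning words. The rule dictionaries are a simplified constructed representation, not any real mail provider's API, and the organization domain and keyword list are assumptions.

```python
ORG_DOMAIN = "example.com"  # assumed: the organization's own mail domain
WARNING_WORDS = {"hack", "hacked", "phish", "phishing", "alert", "suspicious"}

def is_external(address):
    """True when the address is outside the organization's domain."""
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN

def audit_rule(rule):
    """Return reasons a single rule looks like attacker persistence (empty if none)."""
    reasons = []
    for addr in rule.get("forward_to", []) + rule.get("bcc_to", []):
        if is_external(addr):
            reasons.append(f"copies mail to external address {addr}")
    words = {w.lower() for w in rule.get("subject_contains", [])}
    hits = sorted(words & WARNING_WORDS)
    if rule.get("delete") and hits:
        reasons.append(f"deletes messages whose subject contains {hits}")
    if rule.get("delete") and not rule.get("subject_contains") and not rule.get("from_contains"):
        reasons.append("deletes all incoming mail unconditionally")
    return reasons

def audit_mailbox(rules):
    """Map rule name -> reasons, keeping only rules with at least one finding."""
    report = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            report[rule["name"]] = reasons
    return report

# Constructed sample rules: one benign, one BCC exfil rule, one warning-suppression rule.
SAMPLE_RULES = [
    {"name": "Newsletters", "from_contains": ["news@"], "move_to": "Reading"},
    {"name": ".", "bcc_to": ["archive-sync@mail.example.org"]},
    {"name": "Cleanup", "subject_contains": ["Hack", "PHISHING", "alert"], "delete": True},
]
```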
Threat Actors Are Clever, but Organizations Can Stay One Step Ahead
As long as companies use email, threat actors will launch phishing attacks.
To lower your organization’s risk, start by including security awareness training as part of your new employee onboarding. Because attackers are constantly developing new tactics, you should also require ongoing training to ensure the workforce knows what new threats to be aware of.
And while educating employees will help reduce the risk of them engaging with a malicious email, it’s even better to minimize the number of phishing emails they receive in the first place.
Any time an employee has to assess whether a malicious email is genuine or not is an opportunity for them to make a mistake and for a threat actor to capitalize. Security awareness training in tandem with a modern email security solution that proactively stops phishing emails before they can be delivered is the one-two punch organizations need to protect themselves.
Don’t Let Your Employees Take the Bait
Organizations often dismiss phishing attacks as a threat because they don’t consider them to be as serious as some other attack types. But the reality is that, along with being the most common, credential phishing also has the potential to open the door to more damaging attacks.
Phishing emails are often the first step to compromising employee email accounts, from which far more damaging attacks can be sent. The key to preventing financial loss, data loss, and reputational damage is blocking credential phishing attacks before employees ever see them.
To learn more about the impact of credential phishing attacks and how to protect your organization, watch the on-demand webinar.