More people fell victim to phishing than any other form of internet crime in 2020, and this trend only seems to be continuing into this year and beyond.
But phishing is not only prevalent - it is evolving.
Attackers have moved away from the misspellings, poor URL obfuscation, and obviously malicious attachments of old. The keys to resisting phishing now are establishing safe behaviors and understanding a message's context.
As a Senior Offensive Security Consultant at Echelon risk + Cyber, I have experience running modern phishing campaigns with a high rate of success. Below are phishing mitigation strategies based on the techniques used in these real campaigns:
1. Beware of Links
Inspect links and teach users to be skeptical.
Use technological means to inspect incoming links in their email inboxes. Links should be inspected for legitimacy of the domain, domain reputation, malware at the domain, recency of the domain, etc.
Train users to identify common techniques that modern threat actors use to trick users into clicking links. Examples include:
Your users receive an email stating that their bank account has been breached, and they need to log in to verify their identity. Train your users to go to sites separately and handle “breaches” or other time-sensitive events (if they are real) from there instead of using links in “urgent” emails.
apple and appIe look the same, but the second one uses a capital “i” instead of a lowercase “L.” An attacker could disguise malicious links using this technique, defeating a visual URL check. It is important to reiterate to users that links cannot necessarily be trusted and that it is always safer to navigate to a site directly rather than using a link included in an email.
Often, modern attackers do not link directly to their malicious sites, and instead use a mail delivery service to mask their links – making it more difficult to verify validity without visiting the potentially malicious site yourself. Again, it is important to train users to go directly to sites themselves rather than following links.
2. Be Skeptical of Urgency
Train your users to always be skeptical of time-sensitive, urgent emails, especially if they include links and/or attachments.
Attackers will prey on your internal sense of urgency to make you act quickly and forget your training. Remember this the next time you feel like you are rushed into an important decision via email. Typically, a company will tell you to log in manually to handle urgent requests and will not include links in the notification email.
3. Beating Multi-Factor Authentication (MFA)
Ensure that your users do not accept unexpected MFA requests.
An attacker may compromise a user’s credentials but will still need their approval to log in due to MFA. However, this is often easily bypassed by users’ tendency to tap “accept” on all MFA requests. We recommend that organizations implement a token-based MFA implementation where the user must type in the second factor from their phone or other hardware device. This technique has worked for us on countless engagements, essentially rendering the MFA implementation useless and allowing us to log in with a single factor of authentication.
As techniques advance, so must the awareness of the end user. In identifying and mitigating modern attacks, where a phishing email will be visually indistinguishable from a legitimate one, context and safe practices are key.