Phishing continues to be one of the most prevalent and enduring cyber security threats.
In this blog post, we explain why phishing remains such a threat and set out 10 steps you can take to better defend your organisation against it.
What is phishing?
Phishing is a form of social engineering that imitates communications from trustworthy people or organisations. By appearing authentic, phishing emails are designed to lure the recipient into clicking a malicious hyperlink or opening an attachment containing malware. Phishing yields significant rewards for threat actors because campaigns can be run at scale and phishing kits are widely available on the internet, so even people with relatively limited technical skills can run them.
Phishing uses emails and other electronic communications to trick users into divulging confidential information, such as account passwords and credit card details, or into performing harmful actions, such as granting access to a system or network. Phishing attacks may also be conducted by voice (vishing) and by mobile text message (smishing).
Spear phishing is a highly targeted variant aimed at compromising a particular person, often a system administrator or someone with high authority. When the target is a senior figure such as a C-level executive, the attack is commonly called whaling.
Phishing: still netting big results for fraudsters
As one of the most enduring types of cyber threat, phishing shows no signs of abating. The highest rate of mobile phone phishing on record was observed in 2022, with half of mobile phone owners worldwide exposed to a phishing attack every quarter. The Kroll Q4 2022 Threat Landscape report noted a significant increase in all types of phishing across 2022, driven in part by the COVID-19 pandemic and other social trends. The Office for National Statistics recently highlighted a 57% rise in "consumer and retail fraud" from pre-pandemic levels, driven by a nine-fold rise in "advance fee fraud", where victims make upfront payments for goods or services that never materialise.
A further driver of phishing's continued impact is the emergence of AI chatbots. There are clear indications that chatbots can enable phishing, and they may well push volumes even higher in the near future. Using a chatbot to polish the language of an email removes the telltale typos and awkward grammar that have traditionally made phishing easier to spot.
Preventing phishing attacks
While there is no silver bullet to completely eliminate the threat of phishing, there are a number of key steps organisations can take to reduce the risks. These include:
1. Using spam filters and phishing filters
A key first step in defending your business against phishing is to ensure that your mail gateway and endpoints are protected by high-quality spam and phishing filters, and that filter and signature updates are applied as soon as they are available. Filters cut the volume of phishing that reaches users; they do not stop everything, which is why the remaining steps still matter.
2. Undertaking regular security assessments
An ongoing programme of cyber security assessments, such as penetration testing, helps ensure that vulnerabilities are continuously uncovered and mitigated. This can include social engineering assessments or red team operations that measure your employees' awareness of phishing and business email compromise (BEC) scams and how they actually respond to a simulated campaign.
3. Employing proactive endpoint monitoring
Deploying endpoint detection and response (EDR) and next-generation antivirus (NGAV) on all hosts helps detect the follow-on activity of a successful phish, such as a malicious attachment executing or stolen credentials being used from an unexpected host, as early as possible.
4. Monitoring IT networks
Continuously monitor IT networks so that breaches are identified and contained before they lead to data loss or financial and reputational damage. Acquiring the tools and expertise needed for around-the-clock security monitoring is a challenge for many organisations.
5. Strengthening network security
Robust network security limits what an attacker can do with a single phished workstation. Ensure that your networks are effectively segregated, so that a compromised endpoint cannot reach servers and data it has no business reaching. Alongside this, use host-based (desktop) firewalls and network firewalls together to reduce the likelihood that a phishing attack leads to the infiltration of your computer or network.
6. Enacting a policy of least privilege
Applying the principle of least privilege limits the impact of a successful phishing attack. Configure staff accounts in advance with the lowest level of user rights required to perform their jobs. To further reduce the damage that malware or stolen login details can do, give administrators separate accounts for admin work and for general day-to-day work, and never use the admin account for email or web browsing, so that a phished day-to-day account does not hand the attacker administrator access.
7. Using two-factor authentication (2FA)
Implement two-factor authentication (2FA) across all accounts in your environment where possible. Prefer one-time codes (or number matching) over a single "Accept" button in a push notification: a push prompt can be approved by a tired or distracted user who did not initiate the login, whereas a code must be read from the user's device and typed into the login they are actually performing. Bear in mind that one-time codes can still be relayed by a real-time phishing proxy, so for high-value accounts phishing-resistant methods such as FIDO2 security keys are stronger still.
8. Providing security training
It is critical that all employees have access to security training and awareness sessions, as these play a crucial role in reducing the likelihood of phishing attacks leading to data breaches. Training helps your workforce recognise the signs of a phishing email: an unfamiliar sender, a display name that does not match the sender's address, a generic or unnatural tone, a large number of typos, links whose visible text does not match where they actually point, and pressure to act urgently. While the rise of chatbots means that many phishing emails are now more convincing, a high proportion still carry tell-tale signs that they come from a suspicious source.
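The indicators a phishing filter scores on (step 1) and the signs that awareness training teaches people to look for (step 8) are largely the same list. The following is an added example, not code from the original post or from any Kroll product: a small Python triage script that parses raw email text with the standard `email` module and flags display-name/sender mismatches, look-alike domains, a Reply-To that diverts replies, link text that disagrees with its href, and urgency language. `TRUSTED_DOMAINS` is a hypothetical allow-list and both sample messages are constructed for the example.

```python
"""Heuristic phishing triage over raw email text.

Added example, not code from the original post or any product it names.
TRUSTED_DOMAINS is a hypothetical allow-list; both messages below are
constructed for the example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com", "bank-example.com"}  # assumed: brands we own or use
URGENCY_WORDS = ("urgent", "immediately", "action required", "suspended", "verify your account")
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"([a-z0-9.-]+\.[a-z]{2,})", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is typical of look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str) -> bool:
    """True if domain is close to, but not equal to, a trusted domain."""
    return any(d != domain and edit_distance(d, domain) <= 2 for d in TRUSTED_DOMAINS)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str):
    """Return (score, reasons); each reason is one indicator a filter or a trained user would notice."""
    msg = message_from_string(raw)
    reasons = []

    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. Display name borrows a trusted brand but the real sender domain is not trusted.
    if from_domain not in TRUSTED_DOMAINS and any(
        d.split(".")[0] in display.lower() for d in TRUSTED_DOMAINS
    ):
        reasons.append(f"display name '{display}' but sender domain '{from_domain}'")

    # 2. Sender domain is a look-alike of a trusted one (e.g. a 1 in place of an l).
    if lookalike(from_domain):
        reasons.append(f"look-alike sender domain '{from_domain}'")

    # 3. Reply-To sends the victim's answer somewhere other than the sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        reasons.append(f"Reply-To goes to '{reply}'")

    # Collect text/html body parts (works for single-part and multipart mail).
    body = ""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            body += payload.decode(part.get_content_charset() or "utf-8", "replace")

    # 4. Link text shows one domain but the href points at another, or at a look-alike.
    for href, text in ANCHOR_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(text)
        if shown and shown.group(1).lower() != href_host:
            reasons.append(f"link text says '{shown.group(1)}' but points to '{href_host}'")
        elif lookalike(href_host):
            reasons.append(f"look-alike link host '{href_host}'")

    # 5. Pressure to act now, in the subject or the body.
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))

    return len(reasons), reasons


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Quarantine threshold: two independent indicators is a reasonable starting point."""
    return score_message(raw)[0] >= threshold


# Constructed sample messages (not real mail).
PHISH = """From: Bank-Example Security <alerts@bank-examp1e.com>
Reply-To: support@mail-collector.invalid
To: employee@example.com
Subject: Action required: your account will be suspended
Content-Type: text/html; charset=utf-8

<p>Please <a href="http://bank-examp1e.com/login">https://bank-example.com/login</a> immediately.</p>
"""

LEGIT = """From: Payroll <payroll@example.com>
To: employee@example.com
Subject: Your March payslip is available
Content-Type: text/plain; charset=utf-8

Hi, your payslip is on the intranet under HR > Payslips.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        score, reasons = score_message(raw)
        print(f"{name}: score={score} suspicious={is_suspicious(raw)}")
        for r in reasons:
            print("  -", r)
```

Run as-is, the constructed phishing message trips all five indicators and the payroll message trips none. A production gateway adds sender authentication results and URL reputation on top of heuristics like these, and still lets some mail through, so the same list is worth putting in front of users in training.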
9. Staying up to date with phishing tactics
Ensure that you regularly update your knowledge of common phishing scams, new phishing trends and the strategies employed by actors. Awareness is a powerful tool in your defense against phishing attacks.
10. Managing your digital footprint
The information you share about your organisation and your employees online can be a valuable source of reconnaissance for actors planning phishing attacks. By sharing too much detail on your website and social media accounts, you can end up empowering attackers to craft more convincing and, therefore, more effective phishing emails. Be vigilant about the depth of information available to the public, check what your partners and suppliers are sharing about your business, and support your staff in managing their own digital footprint.
Follow the rule that personal or financially sensitive information is never entered on a web page reached from an email that asks for it. If you have any concerns, contact the organisation using contact details you obtain independently, for example from a previous statement or by typing its website address in yourself, rather than those given in the email.
How Kroll can help
Kroll Responder, our award-winning MDR service, can help to address many of your organisation’s phishing challenges. Kroll Responder provides the skilled security experts, cutting-edge technology and up-to-the-minute industry intelligence needed to hunt for and shut down attacks across your network and endpoints, 24/7/365. Our offensive security team conducts 100,000+ hours of security assessments every year, and bespoke phishing assessments can be conducted as standalone engagements or embedded into your MDR service.