#HowTo: Defend Against Increasingly Convincing Phishing Attacks

Phishing attacks have been written about since at least the late 1980s, yet their impact on business has never been so big. Crime statistics published by the FBI show that social engineering — which includes phishing — was the top digital crime by victim count in 2020, causing over $54m of losses. But the total harm caused by phishing is likely far larger because about a quarter of ransomware incidents begin with a phishing email. Conceived initially to trick users into disclosing login credentials and other sensitive information, phishing in recent years has been more commonly used to infect computers with malware by tricking people into opening malicious links and documents.

Cyber-criminals specializing in phishing are master email marketers because they are continually experimenting with ways to improve the effectiveness of their campaigns. They measure success using metrics such as their 'landing rate' (how often emails reach users’ inboxes after bypassing security controls) and ‘bite-rate’ (how often users fall for lures). They know people are busy and distracted, so rushed employees sifting through rapidly-filling inboxes are a prime target. With more employees working from home than ever before, the line between work and home equipment is blurred too, and seemingly innocent actions can have serious consequences, such as reading personal emails on a company device. 

Over the next few months, we can expect to see more innovative phishing attacks that are harder to detect and pose a greater risk to businesses. Here are just some of the trends making phishing tougher to defend against that organizations need to be aware of:

Trends Making Phishing Tougher to Defend Against

  1. Email Thread Hijacking
    This technique automates the creation of personalized phishing lures using email data stolen from systems infected with malware. Stolen email body text, subject lines, and address books are used to reply to emails containing malware messages, making them look like authentic replies. The technique is highly effective because the recipient is more likely to trust an email from someone they have previously talked to.
  2. Whaling 
    We are also seeing more people willingly sharing personal information online, which cyber-criminals can weaponize. Whaling is a type of targeted phishing attack typically aimed at senior executives. Cyber-criminals take personal information shared online — for example, on social media — and use it to build convincing lures that can lead to business email compromise fraud. 
  3. Exploiting Business as Usual and Daily Activities
    Our threat telemetry found that nearly half of all email lures were themed as business transactions such as invoices, orders, quotes and payments in the first quarter of 2021. Moreover, cyber-criminals have reacted to the surge in online shopping driven during the pandemic by targeting people with false delivery notifications. Cyber-criminals abuse the brands of well-known couriers and postal services to increase their chances of targets opening malicious attachments.
  4. Poor Remote Worker Cyber Hygiene
    One of the most striking findings from our research into risky pandemic remote working behaviors was that 55% of office workers admitted checking their personal email on work devices. This is concerning because personal email services aren’t protected by a company’s email gateway filters and are potentially unmonitored by security teams, making it easier for phishers to ‘land’ their emails on a company device.

Looking Forward: Zero Trust and Hardware Enforced Protection

With phishing activity doubling in 2020, cyber-criminals refining their technique and with remote working here to stay, it is unlikely we will see a shift away from phishing for the foreseeable future.

Employees are playing a greater role in companies’ defenses against phishing, but it is unreasonable to expect them to be constantly vigilant, even with training. People are distracted, busy and stressed, particularly over the last 18 months. 

To better protect users, a more architecturally robust approach to security is needed that stops putting the burden on employees. This approach should follow the principles of zero trust, isolating risky activity in compartments so that the compromise of one doesn’t lead to the compromise of another.

Hardware-enforced security technologies, such as micro-virtualization, run risky tasks — for example, opening email attachments, clicking on links or downloading files — inside isolated virtual machines, separate from anything else on the system or network. Even if a phishing email tricks a user into opening a malicious link or attachment, the malware is isolated from the rest of the device, meaning it cannot infect the host computer, spread through the network, steal sensitive data or persist. The result is that employees can click confidently without interrupting their workflow. 

Using isolation technologies built from the hardware up neutralizes the impact of phishing, freeing employees to do their jobs without worrying about being tricked by the latest social engineering techniques.

What’s Hot on Infosecurity Magazine?