Check before you click and fight the phish
By Simeon Tassev, MD and QSA at Galix Networking
While phishing scams are nothing new and have not changed drastically since they first appeared, there have been some changes in the techniques used and in the sophistication of the content. From a technology perspective, the tooling used to pull off these social engineering attacks remains the same. The end goal is also unchanged: scammers send fraudulent communications that appear to come from a reputable source in order to steal sensitive data such as card details and login credentials, or to install malware on the victim's machine.
The main evolution of phishing is that attacks have become more targeted and focused. The generic campaigns of the past, built around a lottery win or similar themes and sent to anyone, are now largely blocked by most e-mail security or hygiene systems.
Current attacks are far more focused: they target specific individuals with communications that spoof reputable organisations such as well-known banks or even the South African Revenue Service. These phishing attacks are harder to detect, because they purport to come from a well-known institution rather than an unknown individual.
Business e-mail compromise
There have also been developments in business e-mail compromise (BEC). This is also phishing, but with a twist: scammers typically impersonate a senior person within the organisation, such as the CEO, CFO or COO, who has the authority to sign off on payments or holds some level of privileged access, and use that assumed authority to get staff to act.
At the same time, phishing volumes have increased significantly, as even scammers with little technical skill are realising that it is much easier to run a phishing campaign for financial reward than to commit physical crime, where the associated risk is much higher.
According to a study by business intelligence firm UpCity, which surveyed 600 business owners and IT professionals on their 2022 cyber security plans, priorities and budgets, the most common causes of cyber attacks are malware (22%) and phishing (20%).
What makes phishing attacks particularly easy to execute is the rise of crime as a service, where pre-packaged phishing kits and lists of e-mail addresses can be bought. The scammer only has to launch the campaign and act on whatever responses come back.
Another phishing component that has arisen recently involves compromising a victim's e-mail account by tricking them into changing or re-enrolling their two-factor authentication method. This is a fairly new technique, stemming from the proliferation of two-factor authentication and the realisation that, depending on the implementation, a second factor can be phished or bypassed much like a password.
Once a phishing attack has succeeded, there are steps an organisation should take to limit the harm. Multiple controls make up an organisation's protection mechanism, and the appropriate response depends on how the attack was carried out.
If the attack arrived by e-mail, the e-mail security or hygiene system enforces the policies that protect the user or prevent an undesired action from taking place. Some of these systems detect known malicious e-mails and block them; others simply look for certain keywords and quarantine suspicious messages. These are general-purpose security controls.
More advanced technology
However, some systems can inspect the content of an e-mail and detect suspicious links and attachments within it. These systems are a bit more advanced, but are now fairly common and accessible technology.
Additionally, most cyber security vendors now offer a web reputation service, which kicks in when a link is received via e-mail. The service checks whether the link or its website has already been reported or rated by other users and what reputation score it carries; if the reputation is very poor, the service blocks the link. One caveat: a freshly registered domain has no history yet, so a clean score is not proof that a link is safe.
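As an added illustration of the content inspection and reputation checks described above (example code written for this page, not a product from the author or from Galix), the script below parses a constructed phishing e-mail, flags anchors whose visible text points at one domain while the href points at another, checks each link's domain against an assumed reputation table, flags attachments with executable extensions, and compares the visible From address with the envelope sender. The domains, reputation scores, threshold and both sample messages are all made up for the example.

```python
"""Toy e-mail hygiene check: link, attachment and sender inspection for one message."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed data for the example; a real gateway would pull these from a vendor feed.
KNOWN_GOOD_DOMAINS = {"examplebank.co.za"}
DOMAIN_REPUTATION = {"examplebank.co.za": 95, "examp1ebank-secure.top": 5}  # 0 = bad, 100 = clean
REPUTATION_BLOCK_THRESHOLD = 20   # assumed: below this the link is blocked outright
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".html")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-case hostname of a URL or bare domain text, with a leading 'www.' removed."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_url(text):
    return " " not in text and "." in text and not text.endswith(".")


def analyse(raw_message):
    """Return findings and a verdict ('block', 'quarantine' or 'deliver') for one raw message."""
    msg = message_from_string(raw_message)
    f = {"mismatched_links": [], "low_reputation": [], "risky_attachments": [], "sender_mismatch": False}
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    # A trusted From domain carried by a different envelope sender is a spoofing indicator.
    if from_domain in KNOWN_GOOD_DOMAINS and envelope_domain and envelope_domain != from_domain:
        f["sender_mismatch"] = True
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            if filename.lower().endswith(RISKY_EXTENSIONS):
                f["risky_attachments"].append(filename)
            continue
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            extractor = LinkExtractor()
            extractor.feed(body)
            for href, text in extractor.links:
                target = host_of(href)
                if looks_like_url(text) and host_of(text) != target:   # display text lies about the target
                    f["mismatched_links"].append((text, href))
                if DOMAIN_REPUTATION.get(target, 50) < REPUTATION_BLOCK_THRESHOLD:  # unknown domain scores 50
                    f["low_reputation"].append(href)
    if f["low_reputation"] or f["risky_attachments"]:
        f["verdict"] = "block"
    elif f["mismatched_links"] or f["sender_mismatch"]:
        f["verdict"] = "quarantine"
    else:
        f["verdict"] = "deliver"
    return f


# Constructed sample messages (not real traffic). The first spoofs a bank; the second is benign.
SAMPLE_PHISH = """\
Return-Path: <bounce@mailer-7731.example>
From: Example Bank Alerts <alerts@examplebank.co.za>
To: victim@example.org
Subject: Action required: confirm your one-time-PIN settings
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear customer, please confirm your details at
<a href="https://examp1ebank-secure.top/login">https://www.examplebank.co.za/login</a>
within 24 hours.</p></body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""
SAMPLE_CLEAN = """\
Return-Path: <alerts@examplebank.co.za>
From: Example Bank Alerts <alerts@examplebank.co.za>
To: customer@example.org
Subject: Your monthly statement is ready
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Log in at <a href="https://www.examplebank.co.za/">www.examplebank.co.za</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(name, analyse(raw))
```

The phishing sample trips every check and is blocked; the benign one is delivered. Note that the reputation lookup treats an unknown domain as neutral, which is exactly the gap a newly registered phishing domain exploits, so the link-text mismatch and sender checks matter even when the reputation feed is silent.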
However, in any type of phishing attack, the main component exploited is the human one, and the targeted victim is essentially the weakest link. Hence, the best protection against phishing is education and awareness. Logic and common sense are the biggest deterrent: if a link looks suspicious, or the sender is unknown, just don't click on it, and if a message claiming to come from a bank or other institution asks for action, confirm it through a contact channel you already know rather than one supplied in the message.
That said, organisations must explore all the technologies and controls available to them and ensure their systems are as secure as possible. Those that do not have these controls in place should engage a security specialist to explore the best options for them.