Cisco’s 2021 Cyber Security Threat Trends report found that in 86% of organizations at least one user had tried to connect to a phishing site. A single malicious click and the next stop is ransomware, data theft, regulatory non-compliance, and general IT mayhem. Phishing works: here is why it works and how to prevent it if you are a business or an MSP.
Why Does Phishing Work So Well?
Cybercriminals are masters of the scam. They understand the nuances of human behavior and how to manipulate it to their own ends. Phishing is one of a broader set of social engineering tactics designed to take advantage of natural instincts such as trust and fear, and this behavioral know-how is why it succeeds. Studies show that up to 32% of employees will click on a phishing link; what is also worrying is that 8% of employees are still not aware of what a phishing email is.
Phishing emails are cleverly composed to be part of a wider phishing campaign that may make use of spoof websites to harvest login credentials and other personal data. Using these data, cybercriminals then can take over accounts, escalate privileges, and ultimately infect corporate networks with malware such as ransomware.
Phishing works so well because cybercriminals have honed their skills over many years, using the psychology of behavior to design optimized campaigns.
But cybercriminals also take advantage of other aspects of our digital lives: phishing is often the starting point for more complex cyber-attacks that circumvent tools such as anti-malware software and take advantage of software flaws in common applications. An example of a recent multi-part campaign that began with a phishing email is the multi-redirect phishing attack, which sent the victim through a series of redirects that ended at a Google reCAPTCHA page before finally redirecting to a spoof Office 365 page that stole login credentials.
Spear-phishing, which targets specific individuals, is particularly successful, often involving clever tactics that make it difficult for employees to recognize the attack. A recent Avanti report shows the success rate of spear-phishing: 73% of organizations said that IT staff are targeted by spear-phishing and, worryingly, 47% of those attempts were successful.
The complex nature of phishing, and especially spear-phishing, means that a multi-layered approach offers the best chance of prevention.
Three Elements of Successful Phishing Prevention
This multi-layered approach to phishing prevention uses three core elements that together close the doors to phishing attacks. Businesses can apply them, and managed service providers can deliver them to their clients to harden their company against phishing.
Security Awareness Training
Cybercriminals use the human element to enter a company network, taking advantage of ill-prepared employees and non-employees alike. Effective security awareness training is designed to educate everyone in an organization. By including everyone in the training, a company can work towards a security culture that makes security everyone's responsibility. But not all security awareness training programs are created equal. The campaigns must be designed with certain elements in mind:
Base the awareness training on human behavior: make sure the campaign modules are based on the security behavior of each individual employee.
Make the training fun: use security awareness training modules that are designed to be fun, interactive, and that are short and enjoyable.
Use phishing simulations: automated phishing simulations can be delivered through cloud-based platforms, to educate employees about phishing. The phishing campaigns should be adjustable to reflect the current threat landscape and offer easy-to-use templates.
Real-time interventions: if mistakes are made during training, the training module should react, in real-time, to show the trainee the mistake made and how to correct the behavior.
Audit and metrics: a feedback system should be included in the security awareness training program that delivers easy-to-understand insights to help optimize the training.
MSPs and businesses alike can benefit from security awareness training that offers centralized cloud-based platforms to deliver phishing simulations and training modules.
Anti-phishing Tools
Security awareness training should be augmented with anti-phishing tools that provide email protection and spam prevention. Anti-phishing tools protect email and prevent threats by checking incoming emails against a cloud-based email filter. These filters use a layered approach to email protection, ranging from simple word-based filters through to smart Bayesian filters that use dynamic rules to identify email spam. Some advanced anti-phishing tools also offer heuristic filters. Together, these filters protect a business against a wide range of cyber-attacks, including spam, malware, ransomware, spear-phishing, Business Email Compromise/Vendor Email Compromise (BEC/VEC), social engineering, spoofing, and other email-borne threats.
A cloud email spam filtering solution provides an easy-to-deploy and easy-to-manage platform for both a business and an MSP.
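To make the "word-based filter in front of a Bayesian filter" layering concrete, here is an added Python example; it is not code from the article or from any filtering product it describes. A short phrase blocklist is checked first, and only mail that passes it is scored by a small naive Bayes classifier with Laplace smoothing. The eight training messages, the blocked phrases and the 0.9 decision threshold are all constructed for the example; a production filter would train on thousands of labelled messages and tune the threshold against its own false-positive budget.

```python
import math
import re
from collections import Counter

# Constructed training corpus for the example (not real mail): (label, text).
TRAINING = [
    ("phish", "Urgent: your account has been suspended. Verify your password now at the link below"),
    ("phish", "Your mailbox is full. Click here to verify your login and avoid suspension"),
    ("phish", "Invoice overdue: confirm payment details immediately or your account will be locked"),
    ("phish", "Security alert: unusual sign-in detected. Reset your password using this link"),
    ("ham", "Hi team, the sprint review is moved to Thursday at 3pm, see you there"),
    ("ham", "Attached are the meeting notes from yesterday, let me know if I missed anything"),
    ("ham", "Can you review the pull request for the logging change before the release"),
    ("ham", "Lunch is on me Friday to celebrate the quarter, reply with your order"),
]

# Layer 1: simple word-based rules. Any of these constructed phrases blocks the mail outright.
BLOCK_PHRASES = ("verify your password", "confirm payment details")


def tokenize(text):
    """Lower-case and split into alphabetic tokens (digits and punctuation are dropped)."""
    return re.findall(r"[a-z']+", text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing over two classes."""

    def __init__(self, corpus, alpha=1.0):
        self.alpha = alpha
        self.doc_counts = Counter()
        self.word_counts = {"phish": Counter(), "ham": Counter()}
        self.vocab = set()
        for label, text in corpus:
            self.doc_counts[label] += 1
            for word in tokenize(text):
                self.word_counts[label][word] += 1
                self.vocab.add(word)
        self.total_docs = sum(self.doc_counts.values())

    def log_score(self, label, tokens):
        """log P(label) + sum of log P(token | label); smoothing keeps unseen words from zeroing the score."""
        prior = math.log(self.doc_counts[label] / self.total_docs)
        counts = self.word_counts[label]
        denom = sum(counts.values()) + self.alpha * len(self.vocab)
        return prior + sum(math.log((counts[tok] + self.alpha) / denom) for tok in tokens)

    def phish_probability(self, text):
        """Normalise the two log-scores into P(phish | text)."""
        tokens = tokenize(text)
        diff = self.log_score("ham", tokens) - self.log_score("phish", tokens)
        # Clamp so exp() cannot overflow on very long messages.
        diff = max(-700.0, min(700.0, diff))
        return 1.0 / (1.0 + math.exp(diff))


MODEL = NaiveBayes(TRAINING)


def classify(text, threshold=0.9):
    """Return (verdict, reason): the rule layer decides first, then the Bayesian layer."""
    lowered = text.lower()
    for phrase in BLOCK_PHRASES:
        if phrase in lowered:
            return "block", "rule:" + phrase
    p = MODEL.phish_probability(text)
    verdict = "block" if p >= threshold else "allow"
    return verdict, "bayes:%.3f" % p


if __name__ == "__main__":
    for sample in (
        "Please verify your password at the portal today",
        "Unusual sign-in detected on your account, reset your password now",
        "Can you send me the notes from the sprint review before Thursday",
    ):
        print(classify(sample), "<-", sample)
```

The reason string is returned alongside the verdict on purpose: when a filter blocks legitimate mail, the operator needs to know whether a static phrase or the statistical layer fired, because the fix is different (edit the rule versus retrain or adjust the threshold).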
Web Security
Many phishing campaigns use associated spoof websites. These spoof websites are very well-designed and use tricks such as digital certificates to make the website URL begin with HTTPS, tricking users into thinking it is ‘secure’ and therefore legitimate. A certificate only means the connection to the site is encrypted; it says nothing about who operates the site.
These spoof websites are widespread: in 2020, Google registered over 2 million phishing websites. If an employee clicks on a malicious link or navigates to one of these spoof websites, the next step is credential theft and/or stolen personal data; these data can then be used to propagate a cyber-attack that ends in ransomware, other malware, stolen data, and so on.
Web content filtering and DNS filtering solutions provide a layer of web security to prevent an employee from navigating to a malicious website. By stopping the employee from reaching the spoof website, the phishing cycle is broken. DNS filters do this by maintaining a ‘blocklist’ of known malicious domains. If an employee tries to navigate to a blocked domain, the DNS filter refuses to resolve it and the action is stopped.
Web content security is another layer of protection against phishing that can be delivered using cloud-based platforms. This makes it easy for an MSP to deploy, cost-effective, and centrally manageable.
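The following Python script is an added example of the blocklist logic a DNS filter applies to each query; it is not code from the article or from any DNS filtering product. It normalises the queried name, walks up its parent domains so that any host under a blocked domain is also blocked, honours an explicit allowlist override, and answers blocked names with a sinkhole address instead of the real one. The blocklist entries (reserved .example names), the allowlist, the sinkhole address and the stand-in upstream resolver table are all constructed for the example.

```python
# Constructed blocklist feed (reserved .example / .example.net names, not real threat data).
BLOCKLIST_TEXT = """
# one domain per line; blank lines and comments are ignored
evil-login.example
Phish-Payments.example.
bad.example.net
"""

# A sub-domain of a blocked zone that the administrator has explicitly permitted (constructed).
ALLOWLIST = {"portal.bad.example.net"}

# Answer returned for blocked names; filters commonly use an unroutable or sinkhole address.
SINKHOLE = "0.0.0.0"

# Stand-in for the upstream resolver (constructed; RFC 1918 / RFC 5737 addresses).
UPSTREAM = {
    "intranet.example": "10.0.0.5",
    "www.example.org": "192.0.2.10",
}


def normalize(name):
    """Canonical form for every comparison: lower-case, trimmed, no trailing dot."""
    return name.strip().lower().rstrip(".")


def load_blocklist(text):
    """Parse a newline-separated feed into a set of normalised domains."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            domains.add(normalize(line))
    return domains


def parent_chain(name):
    """'a.b.c' -> ['a.b.c', 'b.c', 'c'], so a match on any ancestor blocks the host."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(qname, blocklist, allowlist=ALLOWLIST):
    """Return ('block', matched_domain) or ('allow', None) for one DNS query name."""
    name = normalize(qname)
    if name in allowlist:
        return "allow", None
    for candidate in parent_chain(name):
        if candidate in blocklist:
            return "block", candidate
    return "allow", None


def resolve(qname, blocklist, upstream=UPSTREAM):
    """Filtering resolver: sinkhole blocked names, otherwise consult the upstream table."""
    name = normalize(qname)
    verdict, matched = decide(name, blocklist)
    if verdict == "block":
        return {"name": name, "action": "block", "matched": matched, "answer": SINKHOLE}
    return {"name": name, "action": "allow", "matched": None, "answer": upstream.get(name)}


BLOCKLIST = load_blocklist(BLOCKLIST_TEXT)

if __name__ == "__main__":
    for q in ("LOGIN.evil-login.example.", "www.bad.example.net",
              "portal.bad.example.net", "intranet.example"):
        r = resolve(q, BLOCKLIST)
        print("%-28s %-5s matched=%-20s answer=%s" % (r["name"], r["action"], r["matched"], r["answer"]))
```

Two details matter for a real deployment. Matching on parent domains is what stops a campaign from sidestepping the list with a fresh hostname under an already-blocked domain, and recording which blocklist entry matched gives the MSP the audit trail it needs when a user reports a blocked site.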
Using Human Users Alongside Technology to Stop Phishing
A report by the APWG said that “after doubling in 2020, the amount of phishing has remained at a steady but high level”. Phishing works and is unlikely to be replaced by another technique while it remains this successful. By applying these three layers (security awareness training, augmented with anti-phishing tools and web security), phishing can be stopped.