Phishing is one of the most common attack methods of choice for attackers seeking to do damage to organizations, and some employees won’t realize they have been targeted until it is too late. Business Email Compromise (BEC) alone accounted for more than $12 billion in reported losses between 2013 and 2018, according to the FBI’s Internet Crime Complaint Center (IC3).
According to Verizon’s 2018 Data Breach Investigations Report (DBIR), phishing is the third most common action involved in data breaches, and phishing and pretexting together account for 93% of the breaches in which a social action was used. It’s something that’s been seen in almost every organization: Wombat’s 2018 State of the Phish report found that 76% of organizations said they experienced phishing attacks in 2017.
We often see organizations compromised by directly targeted phishing campaigns. By this we don’t mean the general ‘spam’-style campaigns you see on a daily basis, such as emails that ‘appear’ to be from major brands and organizations. We mean attackers who target your organization specifically: for example, an email that appears to be ‘from’ a named person or team within the business, sent to another employee, trying to provoke a specific action such as paying a fraudulent invoice, installing malware or revealing sensitive information such as user credentials. In our experience these targeted attacks are by far the most successful at compromising companies.
If an attacker wants to perform this kind of attack, they first gather as much information about the target as they can from public sources: company and employee social media accounts, blogs and the corporate website. They then register a domain that closely resembles yours, either the same name under a different suffix (such as .co.uk, .com or .fr) or a small variation of the name itself. For example, if your main domain is CompanyA.com, they might register Company-A.com. The attacker then crafts an email claiming to be from one of the key people they identified, targeting an unsuspecting employee.
The targeted email might say something like “we’re launching a new remote access portal, please could you log in here and let us know if it works?” The aim is to trick that employee into handing over their credentials. The portal the email links to might, for example, be an exact clone of your main remote access portal; the only difference would be the domain shown in the address bar. It may well be served over HTTPS with a valid certificate for the lookalike domain, so the browser padlock is no indication either. The average user would not easily spot this, and it is probably not something your current training program teaches them to look for. These attacks are surprisingly successful and often allow the attacker to access the organization’s network, extract sensitive data or distribute malicious payloads. An organization can have the most advanced protections in place, but with legitimate credentials an attacker can sail straight through those defences. These directly targeted attacks also often go unnoticed. A targeted spear-phishing email was also the entry point for the 2011 RSA breach.
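The lookalike-domain trick described above can be caught at the mail gateway or in your logs by comparing each sender’s domain against your own. The script below is an added example and is not code from the original article or from SureCloud: the organization domain, the homoglyph table and the sample senders are assumptions chosen for illustration. It generates the variants an attacker is likely to register (hyphen insertion, a different suffix, single-character swaps such as 0 for o or rn for m) and falls back to an edit-distance check for anything the generator misses.

```python
"""Added example (not code from the original article): flag sender domains
that imitate an organisation's own domain. The legitimate domain, the
homoglyph table and the sample senders are assumptions for illustration."""

LEGIT_DOMAIN = "companya.com"            # assumed organisation domain

# Common single substitutions seen in lookalike registrations (subset).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4",
              "m": "rn", "rn": "m", "w": "vv", "vv": "w"}


def split_domain(domain):
    """'companya.co.uk' -> ('companya', 'co.uk'): the part before the first
    dot is the name the attacker imitates, the rest is the suffix."""
    name, _, suffix = domain.lower().partition(".")
    return name, suffix


def lookalike_variants(name):
    """Names an attacker is likely to register for `name`: a hyphen inserted
    anywhere, one adjacent transposition, one dropped or doubled character,
    or one homoglyph swap."""
    variants = set()
    for i in range(1, len(name)):
        variants.add(name[:i] + "-" + name[i:])                       # company-a
        variants.add(name[:i - 1] + name[i] + name[i - 1] + name[i + 1:])  # compayna
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])                          # compnya
        variants.add(name[:i] + name[i] + name[i:])                    # compaanya
    for src, dst in HOMOGLYPHS.items():
        start = name.find(src)
        while start != -1:
            variants.add(name[:start] + dst + name[start + len(src):])  # c0mpanya
            start = name.find(src, start + 1)
    variants.discard(name)
    return variants


def levenshtein(a, b):
    """Edit distance, used to catch variants the generator above misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, legit=LEGIT_DOMAIN):
    """Return 'internal', 'lookalike' or 'external' for an email address."""
    domain = address.rpartition("@")[2].strip().lower()
    if domain == legit:
        return "internal"
    name, _ = split_domain(domain)
    legit_name, _ = split_domain(legit)
    if name == legit_name:                    # same name, different suffix
        return "lookalike"
    if name.replace("-", "") == legit_name:   # Company-A vs CompanyA
        return "lookalike"
    if name in lookalike_variants(legit_name):
        return "lookalike"
    if levenshtein(name, legit_name) <= 2:    # tune for short domain names
        return "lookalike"
    return "external"


def triage(senders):
    """Map each sender address to its verdict."""
    return {s: classify_sender(s) for s in senders}


if __name__ == "__main__":
    # Constructed sample senders, not captured traffic.
    for addr, verdict in triage([
        "ceo@companya.com", "ceo@company-a.com", "ceo@companya.co.uk",
        "ceo@c0mpanya.com", "ceo@cornpanya.com", "news@examplevendor.com",
    ]).items():
        print(f"{verdict:10} {addr}")
```

The edit-distance threshold of 2 is generous for short names and will produce false positives on eight-character domains like the assumed one; tune it per organization. Tools such as dnstwist generate a much larger permutation set (including IDN homoglyphs) and can also check which variants are actually registered, which is worth running against your own domain before an attacker does.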
The good news is that there are immediate, cost-free steps your organization can take to help people distinguish between a genuine and a spoofed email. One thing that’s simple, free and underused is to tag emails that arrive from external sources (i.e., from outside your organization). You likely already tag outbound emails with a disclaimer or confidentiality notice, so it makes sense to also tag inbound emails to make it obvious to the recipient that the message did not come from an internal source. For example, add a prefix such as EXTERNAL to the subject line, or a highlighted message at the top of the body, making it very clear to the recipient where the email originated.
If the email was genuine and from a legitimate internal source, it wouldn’t carry a tag. The same email sent by an attacker from an external address, such as the Company-A.com example above, would be clearly tagged, so the target would know straight away that the email had not come from the internal sender it claimed to be from. Make sure the tag is applied by the mail system on the basis of where the message arrived from (the internet-facing connector), not on the basis of the From address, since an attacker can put whatever they like in that header. You can make the tag even more visible by placing it as a highlighted banner at the top of the inbound email (rather than only in the subject line) and changing it every month, perhaps by adjusting the colour, so that it keeps catching the eye.
This simple step raises a warning flag and can prevent an organization from being compromised. The vast majority of email systems support inbound and outbound tagging; it’s quick to set up, usually cost-free, and one of the most effective ways to protect your organization from business email compromise. Bear in mind what it does not cover: an email sent from a genuinely internal mailbox that an attacker has already compromised will arrive untagged, so tagging complements, rather than replaces, strong authentication on your mail and remote access services.
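What an inbound tagging rule actually has to do is shown below as an added example; it is not code from the original article or from SureCloud, and the domain names, banner wording, colour rotation and sample messages are assumptions for illustration. The decision is keyed on whether the message arrived over the internet-facing path, so a spoofed internal From address is still tagged; any tag already present is stripped before the single tag is added, so replies and attacker-supplied tags do not stack; and the banner carries the month and a rotating colour, following the article’s suggestion of changing it regularly.

```python
"""Added example (not code from the original article): an inbound mail
filter that prefixes the subject with an EXTERNAL tag and prepends a warning
banner to every text part. All names, wording and samples are assumptions."""
import datetime
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

INTERNAL_DOMAINS = {"companya.com"}        # assumed organisation domains
TAG = "[EXTERNAL]"
TAG_RE = re.compile(r"^\s*(\[EXTERNAL\]\s*)+", re.I)
# Rotate the banner colour by month so a banner copied from an old message
# looks stale; colours are arbitrary choices for the example.
BANNER_COLOURS = ["#ffd966", "#9fc5e8", "#b6d7a8", "#ea9999"]
SAMPLE_DATE = datetime.date(2018, 10, 1)   # fixed date for the samples below


def banner_text(today):
    return (f"CAUTION [{today:%b %Y}]: this email originated from outside "
            "CompanyA. Do not follow links or open attachments unless you "
            "recognise the sender and were expecting the message.")


def banner_html(today):
    colour = BANNER_COLOURS[today.month % len(BANNER_COLOURS)]
    return (f'<div style="background:{colour};padding:8px;border:1px solid #000">'
            f"{banner_text(today)}</div>")


def is_external(msg, received_from_internet):
    """The MTA knows which listener/connector a message arrived on; key the
    decision on that. The From: header is attacker-controlled, so a spoofed
    internal address arriving from the internet is still tagged."""
    if received_from_internet:
        return True
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def tag_subject(subject):
    """Strip any tag already present (replies, or one supplied by the sender)
    so exactly one tag sits at the front of the subject."""
    return f"{TAG} {TAG_RE.sub('', str(subject))}".rstrip()


def tag_external(raw, received_from_internet, today=None):
    """Parse a raw RFC 5322 message and, if it is external, tag it in place."""
    today = today or datetime.date.today()
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_external(msg, received_from_internet):
        return msg
    subject = tag_subject(msg.get("Subject", ""))
    if "Subject" in msg:
        msg.replace_header("Subject", subject)
    else:
        msg["Subject"] = subject
    for part in msg.walk():                  # leaf parts only; multiparts skipped
        ctype = part.get_content_type()
        if ctype == "text/plain":
            part.set_content(banner_text(today) + "\n\n" + part.get_content())
        elif ctype == "text/html":
            html = part.get_content()
            tagged, n = re.subn(r"<body[^>]*>", lambda m: m.group(0) + banner_html(today),
                                html, count=1, flags=re.I)
            if n == 0:                       # no <body> tag: put it first
                tagged = banner_html(today) + html
            part.set_content(tagged, subtype="html")
    return msg


def build_sample(from_hdr, subject, body, html=None):
    """Constructed test message (not captured traffic), serialised to bytes."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "finance@companya.com"
    m["Subject"] = subject
    m.set_content(body)
    if html:
        m.add_alternative(html, subtype="html")
    return m.as_bytes()


if __name__ == "__main__":
    # Spoofed internal From: address, delivered over the internet connector.
    spoof = build_sample('"Chief Executive" <ceo@companya.com>',
                         "Urgent invoice", "Please pay the attached today.")
    print(tag_external(spoof, received_from_internet=True, today=SAMPLE_DATE))
```

In production the `received_from_internet` flag comes from the MTA (the receive connector in Exchange, or the listener/`smtpd` instance in Postfix), not from any header in the message. Prepending to the HTML part after the `<body>` tag is deliberate: a banner placed only in the plain-text part is never seen by clients that render HTML.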
Additional measures companies can take include educating employees to recognize suspicious-looking and unexpected emails. They should be encouraged to avoid clicking links in emails and instead to visit sites directly (by typing the address or using an existing bookmark) wherever possible. Beyond this, make sure you have assessed your organization’s exposure to social engineering, for example by running phishing simulations as part of your vulnerability management activities.
Speak to your current Penetration Testing provider and ensure that you are including the human element in the scope they are delivering to you. This is one of the key elements often provided to SureCloud’s clients as part of our innovative Pentest-as-a-Service© model.
Find out more about our Cybersecurity services to keep your organization secure here.
SureCloud’s webinar, ‘Cybersecurity Attacks that will Actually Lead to a Compromise’ is available on-demand through BrightTALK here.