Phishing

What Is Phishing?

Phishing is the process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters.

Emails claiming to be from popular social web sites, banks, auction sites, or IT administrators are commonly used to lure the unsuspecting public. It’s a form of criminally fraudulent social engineering.


Short History of Phishing

Here is a brief history of how the practice of phishing has evolved from the 1980s until now:


1980s

A phishing technique was described in detail in a paper and presentation delivered to the 1987 International HP Users Group, Interex.

1990s

The first known mention of the term ‘phishing’ was in 1996 in the hacking tool AOHell by a well-known hacker and spammer.

Early Days

This is about the time phishing as we know it started, although the technique wasn't well-known to the average user until almost 10 years later. Phishing scams use spoofed emails, fake websites, etc. as a hook to get people to voluntarily hand over sensitive information. It makes sense that the term “phishing” is commonly used to describe these ploys. Hackers in the early days called themselves ‘phreaks’, referring to the exploration, experimenting and study of telecommunication systems. Phreaks and hackers have always been closely related, and the ‘ph’ spelling linked phishing attacks with these underground communities.

AOL Origins

In 1995, America Online (AOL) was the top internet service provider with millions of visitors logging in every day. Because it was so popular, it was targeted by phreaks and hackers with bad intentions. Since the beginning, hackers and those who traded pirated software used AOL and worked together, forming the warez community. It was this community that eventually made the first moves to conduct phishing attacks.

First Attempts

Phishing attempts started with hackers stealing user passwords and creating random credit card numbers. While lucky hits were few and far between, they made enough money to cause a lot of damage and to keep doing what they were doing. They would open bogus AOL accounts with the random credit card numbers and use those accounts to spam users. AOHell, a Windows application released in 1995, made this process more automated. AOL put security measures in place to prevent this practice, shutting down AOHell later in the year.

Phishers then moved on to create a different type of phishing attack, using techniques we still see today. They started sending messages to users, claiming to be AOL employees, using AOL’s instant messenger and email systems. A lot of people willingly ‘verified their accounts’ or handed over their billing information to the bad guys. This was an unprecedented attack, so people didn’t know what to watch out for and believed the requests were legitimate.

The problem got even worse when phishers set up AIM accounts to send their phishing messages; the accounts didn’t fall under AOL’s Terms of Service. Eventually, AOL added warnings on all email and instant messenger clients stating "no one working at AOL will ask for your password or billing information". Policy enforcement then forced copyright-infringing material off AOL’s servers, and AOL deactivated all phishing accounts and shut down the warez community.

2000s

In a lot of ways, phishing hasn’t changed much since early AOL attacks. In 2001, however, phishers began exploiting online payment systems. The first attack was on E-Gold in June 2001, and later in the year a "post-9/11 id check" was carried out soon after the September 11 attacks on the World Trade Center.

Beginnings of Email Phishing

In 2003, phishers registered dozens of domains that were very similar to eBay and PayPal, and could pass as their legitimate counterparts if you weren't paying close enough attention. Email worm programs sent phishing emails to PayPal customers (containing the fake website links), asking them to update their credit card numbers and other personally identifiable information. Also, the first known phishing attack against a bank was reported by The Banker in September 2003.

By early 2004, phishers were seeing major success for their exploits. It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US $929 million. United States businesses were losing about US $2 billion per year to phishing.

Phishers Go Pro

Phishing was officially recognized in 2004 as a fully organized part of the black market. Specialized software emerged on a global scale that could handle phishing payments, which in turn outsourced a huge risk. The software was then implemented into phishing campaigns by organized crime gangs.

Almost half of phishing thefts in 2006 were committed by groups operating through the Russian Business Network based in St. Petersburg. Customers disputed with their banks to recover phishing losses. The UK banking body APACS had the viewpoint that "customers must also take sensible precautions ... so that they are not vulnerable to the criminal." Similarly, when an initial flurry of phishing attacks hit the Irish Republic's banking sector in September 2006, the Bank of Ireland refused to cover customer losses at first, although losses to the tune of €113,000 were eventually made good.

Phishers continued to target customers of banks and online payment services, given early success. Emails claiming to be from the Internal Revenue Service have been used to capture sensitive data from U.S. taxpayers, which is still a popular ruse today. While the earliest examples were sent en masse with attackers hoping to get a few lucky strikes, it is reasonable to assume that phishers today can determine which banks their targets use and adjust their campaigns accordingly.

Social networking sites became a prime target of phishing, since the personal details freely shared on those sites can be used in identity theft. In late 2006 a computer worm unleashed on MySpace altered links to direct users to fake websites made to steal login credentials. Experiments have shown a success rate of more than 70% for phishing attacks on social networks.

A report from Gartner in 2007 claimed 3.6 million users lost $3.2 billion in a one year span. However, Microsoft claimed that number was exaggerated, dropping the annual phishing loss in the US to $60 million.

Attackers who broke into TD Ameritrade's database took 6.3 million email addresses, but to do more damage they also needed account usernames and passwords. With the stolen email list they launched a follow-up spear phishing campaign.

The file sharing service RapidShare was targeted in 2008 by malicious actors who discovered they could open a premium account, thereby removing speed caps on downloads, auto-removal of uploads, waits on downloads, and cool down times between uploads. In a nutshell it made phishing campaigns much easier to execute.

Bitcoin and other cryptocurrencies were launched in late 2008, allowing transactions involving malicious software to be secure and anonymous.

In January 2009, a single phishing attack earned cybercriminals US $1.9 million in unauthorized wire transfers through Experi-Metal's online banking accounts.

At the end of 2009, the Anti-Phishing Working Group reported that they received over 115K reported phishing emails from consumers in the 3rd quarter alone, with the US and China hosting more than 25% of the phishing sites each.

2010s

In March 2011, Internal RSA staff were successfully phished, leading to the master keys for all RSA security tokens being stolen, which were used to break into US defense suppliers.

A Chinese phishing campaign targeted the Gmail accounts of senior officials of the United States and South Korean governments and militaries, as well as Chinese political activists. The Chinese government denied accusations that they were involved in the cyber-attacks, but there is evidence that the People’s Liberation Army has assisted in the coding of cyber-attack software.

In August 2013, advertising platform Outbrain became a victim of spear phishing when the Syrian Electronic Army placed redirects into the websites of The Washington Post, Time, and CNN.

In November 2013, Target suffered a data breach in which 110 million credit card records were stolen from customers, via a phished subcontractor account. Target’s CEO and IT security staff members were subsequently fired.

Between September and December of 2013, Cryptolocker ransomware infected 250,000 personal computers with two different phishing emails. The first had a Zip archive attachment that claimed to be a customer complaint and targeted businesses, the second contained a malicious link with a message regarding a problem clearing a check and targeted the general public. Cryptolocker scrambles and locks files on the computer and requests the owner make a payment in exchange for the key to unlock and decrypt the files. According to Dell SecureWorks, 0.4% or more of those infected paid criminals the ransom.

In January 2014, the Seculert Research Lab identified a new targeted attack that used Xtreme RAT (Remote Access Toolkit). Spear phishing emails targeted Israeli organizations to deploy the advanced malware. 15 machines were compromised - including those belonging to the Civil Administration of Judea and Samaria.

In August 2014, iCloud leaked almost 500 private celebrity photos, many containing nudity. It was discovered during the investigation that Ryan Collins accomplished this phishing attack by sending emails to the victims that looked like legitimate Apple and Google warnings, alerting the victims that their accounts may have been compromised and asking for their account details. The victims would enter their password, and Collins gained access to their accounts, downloading emails and iCloud backups.

In September 2014, Home Depot suffered a massive breach, with the personal and credit card data of 100+million shoppers posted for sale on hacking websites.

In November 2014, ICANN employees became victims of spear phishing attacks, and its DNS zone administration system was compromised, allowing the attackers to get zone files and personal data about users in the system, such as their real names, contact information, and salted hashes of their passwords. Using these stolen credentials, the hackers tunneled into ICANN's network and compromised the Centralized Zone Data System (CZDS), their Whois portal and more.

Former U.S. Nuclear Regulatory Commission employee Charles H. Eccleston pleaded guilty to one count of attempted unauthorized access and intentional damage to a protected computer. His failed spear phishing cyber attack on January 15, 2015 was an attempt to infect the computers of 80 Department of Energy employees in hopes of receiving information he could then sell.

Members of Bellingcat, a group of journalists researching the shoot down of Malaysia Airlines Flight 17 over Ukraine, were targeted by several spear phishing emails. The messages were phony Gmail security notices containing Bit.ly and TinyCC shortened URLs. According to ThreatConnect, some of the phishing emails had originated from servers that Fancy Bear had used in other attacks previously. Bellingcat is best known for accusing Russia of being culpable for the shoot down of MH17, and is frequently ridiculed in the Russian media.

In August 2015, another sophisticated hacking group attributed to the Russian Federation, nicknamed Cozy Bear, was linked to a spear phishing attack against the Pentagon email system, shutting down the unclassified email system used by the Joint Chiefs of Staff office.

In August 2015, Fancy Bear used a zero-day exploit of Java, spoofing the Electronic Frontier Foundation, and launched attacks against the White House and NATO. The hackers used a spear phishing attack, directing emails to the fraudulent URL electronicfrontierfoundation.org.

Fancy Bear launched a spear phishing campaign against email addresses associated with the Democratic National Committee in the first quarter of 2016. The hackers were quiet on April 15, which in Russia happens to be a holiday honoring their military's electronic warfare services. Cozy Bear also had activity in the DNC's servers around the same time. The two groups seemed to be unaware of each other, as each separately stole the same passwords, essentially duplicating their efforts. Cozy Bear appears to be a separate agency more interested in traditional long-term espionage.

Fancy Bear is suspected to be behind a spear phishing attack on members of the Bundestag and other German political entities in August 2016. Authorities worried that sensitive information could be used by hackers to influence the public ahead of elections.

In August 2016, the World Anti-Doping Agency reported a phishing attack against their users, claiming to be official WADA communications requesting their login details. The registration and hosting information for the two domains provided by WADA pointed to Fancy Bear.

Within hours of the 2016 U.S. election results, Russian hackers sent emails containing corrupt zip files from spoofed Harvard University email addresses. Russians used phishing techniques to publish fake news stories targeted at American voters.

In 2017, 76% of organizations experienced phishing attacks. Nearly half of information security professionals surveyed said that the rate of attacks had increased since 2016.

A massive phishing scam tricked Google and Facebook accounting departments into wiring money – a total of over $100 million – to overseas bank accounts under the control of a hacker. He has since been arrested by the US Department of Justice.

In August 2017, Amazon customers experienced the Amazon Prime Day phishing attack, in which hackers sent out seemingly legitimate deals. When Amazon’s customers tried to purchase the ‘deals’, the transaction would not be completed, prompting the retailer’s customers to input data that could be compromised and stolen.


Techniques

There are a number of different techniques used to obtain personal information from users. As technology becomes more advanced, the cybercriminals' techniques being used are also more advanced.

To prevent Internet phishing, users should have knowledge of how the bad guys do this and they should also be aware of anti-phishing techniques to protect themselves from becoming victims.

Spear Phishing

Think of spear phishing as professional phishing. Classic phishing campaigns send mass emails to as many people as possible, but spear phishing is much more targeted. The hacker has a certain individual, group of individuals or organization they want to compromise, and they are after more valuable info than credit card data. They do research on the target in order to make the attack more personalized and increase their chances of success.

Session Hijacking

In session hijacking, the phisher exploits the web session control mechanism to steal information from the user. In a simple session hijacking procedure known as session sniffing, the phisher can use a sniffer to intercept relevant information so that he or she can access the Web server illegally.

Email/Spam

Using the most common phishing technique, the same email is sent to millions of users with a request to fill in personal details. These details will be used by the phishers for their illegal activities. Most of the messages have an urgent note which requires the user to enter credentials to update account information, change details, or verify accounts. Sometimes, they may be asked to fill out a form to access a new service through a link which is provided in the email.

Content Injection

Content injection is the technique where the phisher changes a part of the content on the page of a reliable website. This is done to mislead the user to go to a page outside the legitimate website where the user is then asked to enter personal information.

Web Based Delivery

Web based delivery is one of the most sophisticated phishing techniques. Also known as “man-in-the-middle,” the hacker is located in between the original website and the phishing system. The phisher traces details during a transaction between the legitimate website and the user. As the user continues to pass information, it is gathered by the phishers, without the user knowing about it.

Phishing through Search Engines

Some phishing scams involve search engines where the user is directed to product sites which may offer low cost products or services. When the user tries to buy the product by entering the credit card details, it’s collected by the phishing site. There are many fake bank websites offering credit cards or loans to users at a low rate but they are actually phishing sites.

Link Manipulation

Link manipulation is the technique in which the phisher sends a link to a fake website. When the user clicks on the deceptive link, it opens up the phisher’s website instead of the website mentioned in the link. Hovering the mouse over the link to view the actual address stops users from falling for link manipulation.
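The hover check described above can be automated on the mail-gateway side. The following is an added example, not code from the original page: it parses an HTML email body with the standard library and flags anchors whose visible text is a URL pointing at a different host than the real href, and hosts that embed a known brand name (the eBay/PayPal lookalike domains mentioned in the history section) without being that brand's domain. The brand list, the homoglyph map and the sample email are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand allowlist (constructed for this example; extend for your own environment).
KNOWN_BRANDS = ["ebay.com", "paypal.com"]

# Digits commonly substituted for letters in lookalike domains (e.g. paypa1.com).
HOMOGLYPHS = str.maketrans("0135", "oles")

# Constructed sample: a fake "unusual log in activity" notice with three links.
SAMPLE_EMAIL_HTML = """
<p>We detected unusual log in activity on your account.</p>
<p>Please verify at <a href="http://paypa1.com.example.net/verify">https://www.paypal.com/account</a></p>
<p>Help centre: <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
<p><a href="http://secure-ebay-login.example.org/">Click here</a> to review your eBay listing.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lowercase hostname of a URL or bare domain, with a leading 'www.' removed."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    host = (urlparse(value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _registrable(host):
    """Crude 'name.tld' extraction: last two labels (assumes no multi-part TLDs)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def _looks_like_url(text):
    """True if the anchor's visible text reads as a URL or domain name."""
    return bool(re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", text, re.I))


def find_link_manipulation(html):
    """Return findings (kind, detail, href) for links that misrepresent their target.

    Check 1: visible text is a URL whose registrable domain differs from the href's.
    Check 2: the href host contains a brand name (after homoglyph normalisation)
             but its registrable domain is not that brand's domain.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        if not href_host:
            continue
        if _looks_like_url(text):
            text_host = _host(text)
            if text_host and _registrable(text_host) != _registrable(href_host):
                findings.append(("text_href_mismatch", text, href))
        normalised = href_host.translate(HOMOGLYPHS)
        for brand in KNOWN_BRANDS:
            name = brand.split(".")[0]
            if name in normalised and _registrable(href_host) != brand:
                findings.append(("lookalike_host", brand, href))
    return findings


if __name__ == "__main__":
    for kind, detail, href in find_link_manipulation(SAMPLE_EMAIL_HTML):
        print(f"{kind}: {detail} -> {href}")
```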

Vishing (Voice Phishing)

In phone phishing, the phisher makes phone calls to the user and asks the user to dial a number. The purpose is to get personal information of the bank account through the phone. Phone phishing is mostly done with a fake caller ID.

Keyloggers

Keyloggers refer to the malware used to identify inputs from the keyboard. The information is sent to the hackers who will decipher passwords and other types of information. To prevent keyloggers from accessing personal information, secure websites provide options to use mouse clicks to make entries through a virtual keyboard.

Smishing (SMS Phishing)

Phishing conducted via Short Message Service (SMS), a telephone-based text messaging service. A smishing text, for example, attempts to entice a victim into revealing personal information via a link that leads to a phishing website.

Trojan

A Trojan horse is a type of malware designed to mislead the user with an action that looks legitimate, but actually allows unauthorized access to the user account to collect credentials through the local machine. The acquired information is then transmitted to cybercriminals.

Malware

Phishing scams involving malware require it to be run on the user’s computer. The malware is usually attached to the email sent to the user by the phishers. Once you click on the link, the malware will start functioning. Sometimes, the malware may also be attached to downloadable files.

Malvertising

Malvertising is malicious advertising that contains active scripts designed to download malware or force unwanted content onto your computer. Exploits in Adobe PDF and Flash are the most common methods used in malvertisements.

Ransomware

Ransomware denies access to a device or files until a ransom has been paid. Ransomware for PCs is malware that gets installed on a user’s workstation using a social engineering attack where the user gets tricked into clicking on a link, opening an attachment, or clicking on malvertising.

Website Forgery

Forged websites are built by hackers made to look exactly like legitimate websites. The goal of website forgery is to get users to enter information that could be used to defraud or launch further attacks against the victim.

Domain Spoofing

One example is CEO fraud and similar attacks. The victim gets an email that looks like it's coming from the boss or a colleague, with the attacker asking for things like W-2 information or funds transfers. We have a free domain spoof test to see if your organization is vulnerable to this technique. 

Evil Twin Wi-Fi

Hackers use devices like a pineapple - a tool used by hackers containing two radios to set up their own wi-fi network. They will use a popular name like AT&T Wi-Fi, which is pretty common in a lot of public places. If you're not paying attention and access the network controlled by hackers, they can intercept any info you may enter in your session like banking data. 

Social Engineering

Users can be manipulated into clicking questionable content for many different technical and social reasons. For example, a malicious attachment might at first glance look like an invoice related to your job. Hackers count on victims not thinking twice before infecting the network. 


Top-Clicked Phishing Emails

Curious about what users are actually clicking on?  Every quarter we release which subjects users click on the most!

Our customers run millions of phishing tests per year and we get numbers on which templates are clicked most. The infographic below shows the latest data, broken down into 3 categories. The first two sections rank email subjects related to social media and general emails. 'In The Wild' attacks are the most common email subjects we receive from our customers when employees click the Phish Alert Button on real phishing emails and send the email to us for analysis.

Q2 2018 Top-Clicked Phishing Email Subjects

[Infographic: KnowBe4 Q2 2018 Top-Clicked Social Phishing Email Subjects]


Phishing Examples

Classic Phishing Email

Over the past few years online service providers have been stepping up their security game by messaging customers when they detect unusual or worrisome activity on their users' accounts. Not surprisingly, the bad guys are using this to their advantage. Many of the fake notices are designed poorly, with bad grammar and the like, but others look legitimate enough for someone to click if they weren't paying close attention:

Consider this fake PayPal security notice warning potential marks of "unusual log in activity" on their accounts. Hovering over the links would be enough to stop you from ending up on a credential-stealing website. The first example is a fake Microsoft notice, almost identical in appearance to an actual notice from Microsoft concerning "Unusual sign-in activity". The second example email points users to a phony 1-800 number instead of kicking users to a credentials phish.

[Screenshots: PayPal Phishing Security Notice; Malicious Windows Warning Email]


Infected Attachments

Malicious .HTML attachments aren't seen as often as .JS or .DOC file attachments, but they are desirable for a couple of reasons. First, there is a low chance of antivirus detection since .HTML files are not commonly associated with email-borne attacks. Second, .HTML attachments are commonly used by banks and other financial institutions so people are used to seeing them in their inboxes. Here are a few examples of credential phishes we've seen using this attack vector.

[Screenshots: Google Credentials Phish; Fake Adobe Login]

Malicious macros in phishing emails have become an increasingly common way of delivering ransomware in the past year. These documents too often get past antivirus programs with no problem. The phishing emails contain a sense of urgency for the recipient and as you can see in the below screenshot, the documents step users through the process. If users fail to enable the macros, the attack is unsuccessful.

[Screenshot: Macro Warning]

Social Media Exploits

Several Facebook users received messages in their Messenger accounts from other users already familiar to them. The message consisted of a single .SVG (Scalable Vector Graphics) image file which, notably, bypassed Facebook's file extension filter. Users who clicked the file to open it were redirected to a spoofed YouTube page that prompted users to install two Chrome extensions allegedly needed to view the (non-existent) video on the page.

[Screenshots: Malicious Facebook SVG Message; Spoofed YouTube Site]

For most users, the two Chrome extensions were used to allow the malware a limited degree of self-propagation by exploiting the "browser's access to your Facebook account in order to secretly message all your Facebook friends with the same SVG image file."

On some users' PCs the embedded JavaScript also downloaded and launched Nemucod [PDF], a trojan downloader with a long history of pulling down a wide variety of malicious payloads on compromised PCs. Users unlucky enough to encounter this version of the malicious script saw their PCs being taken hostage by Locky ransomware.
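Both the .HTML attachments in the "Infected Attachments" section and the script-bearing .SVG image above share one property a gateway can check: a file that claims to be a document or image but carries active content. The following is an added example, not code from the original page or from KnowBe4: it parses a raw RFC 822 message with Python's standard email library, walks its attachments, and reports those with a risky extension or with script, event-handler, form or frame markup inside an HTML/SVG body. The sample message and its attachments are constructed for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the page's examples single out as phishing carriers, plus common script hosts.
RISKY_EXTENSIONS = {".html", ".htm", ".svg", ".js", ".docm", ".xlsm"}

# Markup that has no business inside an "image" or a bank "statement":
# scripts, inline event handlers, javascript: URIs, frames, forms and plugin objects.
ACTIVE_CONTENT = re.compile(
    r"<script\b|\bon[a-z]+\s*=|javascript:|<iframe\b|<form\b|<object\b|<embed\b",
    re.IGNORECASE,
)


def build_sample_message():
    """Construct a message (not a real capture) with three attachments:
    an SVG that redirects via <script>, a benign PNG, and an HTML credential form."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = "Check out this video"
    msg.set_content("Open the attached image to watch.")
    svg = (b'<svg xmlns="http://www.w3.org/2000/svg"><script>'
           b'window.location="http://video.example.net/ext.html"</script></svg>')
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename="video.svg")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
                       maintype="image", subtype="png", filename="photo.png")
    html = ("<html><body><form action='http://login.example.net/'>"
            "<input name='password'></form></body></html>")
    msg.add_attachment(html, subtype="html", filename="statement.html")
    return msg


def _extension(filename):
    """Lowercase extension including the dot, or '' when there is none."""
    return "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def scan_attachments(raw_message):
    """Return [(filename, [reasons])] for attachments worth quarantining.

    Takes the raw message bytes, as a gateway or mailbox hook would receive them.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        reasons = []
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky extension {ext}")
        if ext in {".html", ".htm", ".svg"}:
            body = (part.get_payload(decode=True) or b"").decode("utf-8", errors="replace")
            hit = ACTIVE_CONTENT.search(body)
            if hit:
                reasons.append(f"active content: {hit.group(0).strip()}")
        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in scan_attachments(build_sample_message().as_bytes()):
        print(f"{name}: {'; '.join(reasons)}")
```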


LinkedIn has been the focus of online scams and phishing attacks for a number of years now, primarily because of the wealth of data it offers on employees at corporations. Malicious actors mine that data to identify potential marks for business email compromise attacks, including wire transfer and W-2 social engineering scams, as well as a number of other creative ruses. Here are some examples we've seen through KnowBe4's Phish Alert Button:

In one case a user reported receiving a standard Wells Fargo credentials phish through LinkedIn's InMail:

LinkedIn InMail Phish

Note that this particular InMail appears to have originated from a fake Wells Fargo account. The supplied link leads to a fairly typical credentials phish (hosted on a malicious domain since taken down):

Wells Fargo LinkedIn Phishing Scam
It looks like the bad guys set up a fake Wells Fargo profile in an attempt to appear more authentic.

Another similar phish was delivered to an email account outside of LinkedIn:

LinkedIn Email Phish Screenshot

This email was also delivered through LinkedIn, as were the URLs used for the several links included in the footer of this email ("Reply," "Not interested," "View Wells's LinkedIn profile"):

Wells Fargo LinkedIn Phishing Email Screenshot
Those URLs were obviously auto-generated by LinkedIn itself when the malicious actors used LinkedIn's messaging features to generate this phish, which hit the external email account of the mark (as opposed to his InMail box, as was the case in the first phish discussed above).

CEO Fraud Scams

Here's an example of a KnowBe4 customer being a target for CEO fraud. The employee initially responded, then remembered her training and instead reported the email using the Phish Alert Button, alerting her IT department to the fraud attempt.

When the employee failed to proceed with the wire transfer, she got another email from the bad guys, who probably thought it was payday:

CEO Fraud Phishing


Mobile Phishing

Mobile phishing attacks have increased by 85% every year since 2011, according to a recent report by Lookout. Attacks on mobile devices are nothing new, however they are gaining momentum as a corporate attack vector. Attackers now take advantage of SMS, as well as some of today’s most popular and highly used social media apps and messaging platforms, such as WhatsApp, Facebook Messenger, and Instagram, as a means of phishing. Security professionals who overlook these new routes of attack put their organizations at risk.

Here are just a few phishing related risks posed by mobile device use:

  • Apps - lack built-in security. Free apps usually ask for a lot of access they shouldn’t need.
  • WiFi - your device typically picks up the strongest signal, which may be a rogue WiFi that seems legitimate but is actually an attacker just waiting to monitor, intercept or even alter communications from your device.
  • Bluetooth - can be used to spread viruses, and hackers can use it to hack into phones to access and exploit your organization’s data.
  • Human error - thieves sell lost and stolen devices to buyers who are more interested in the data than in the device itself.
  • Smishing - aka phishing conducted via SMS. Similar to phishing emails, a smishing text attempts to entice a victim into revealing personal information by asking the recipient to take action on any number of seemingly mundane activities, e.g., the user’s bank claiming it has detected unusual activity or a congratulatory notice saying the person has won a prize from their favorite store.

At a minimum, use this checklist to help mitigate the threat:

  • Always use strong passwords
  • Encrypt or lock sensitive data
  • Don’t bypass built-in security, use authentication options like fingerprint or facial recognition
  • Enable remote tracking
  • Enable your device to erase remotely
  • Never leave your device in a public place or anywhere it can be easily stolen
  • Only use apps available in your device’s app store - NEVER download them from a browser
  • Watch out for new apps from unknown developers or with limited/bad reviews
  • Keep your apps updated; this will ensure they have the latest security fixes. If they’re no longer supported by the app store, just delete them!
  • Think before you click any links in text messages or emails on your mobile device
  • Never jailbreak your iOS or root your Android - that leads to unrestricted access, making it way too easy for hackers
  • Always turn off WiFi when you aren’t using it or don’t need it
  • Don’t allow your device to auto-join unfamiliar WiFi networks
  • Don’t send sensitive information over WiFi unless you’re absolutely certain it’s a secure network
  • If you’re able to, disable automatic Bluetooth pairing and always turn off Bluetooth when it isn’t needed
  • NEVER save your login information when you’re using a web browser

How to Prevent Attacks

These are what we have found to be best practices in the prevention of phishing attacks. Note that there is no single 'silver bullet' that will protect you; you must take a layered approach to stay secure:

While it may seem trite to offer a recommendation simply to understand the risks that your organization faces, we cannot overstate the importance of doing just that. Decision makers must understand that they face threats not only from phishing attacks, but also a growing variety of threats across all of their communication and collaboration systems, the personal devices that their users employ, and even users themselves. Cybercrime is an industry with significant technical expertise, extensive funding, and a rich target environment.

Many organizations have not yet developed and published detailed and thorough policies for the various types of email, Web, collaboration, social media and other tools that their IT departments have deployed or that they allow to be used as part of “shadow IT”.

As a result, we recommend that an early step for any organization should be the development of detailed and thorough policies that are focused on all of the tools that are or probably will be used in the foreseeable future.

These policies should focus on legal, regulatory and other obligations to encrypt emails and other content if they contain sensitive or confidential data; monitor all communication for malware that is sent to blogs, social media, and other venues; and control the use of personal devices that access corporate systems.

Establishing robust policies will not provide security protection per se, but it can be useful in limiting the number of tools that employees use when accessing corporate resources. In turn, these limitations can be helpful in reducing the number of ingress points for ransomware, other forms of malware, phishing attempts, and other content that could pose a security risk.

Application, OS and system vulnerabilities can allow cybercriminals to successfully infiltrate corporate defenses. Every application and system should be inspected for vulnerabilities and brought up-to-date using the latest patches from vendors.

A useful method for recovering from a ransomware attack, as well as from other types of malware infections, is to restore from a known, good backup taken as close as possible to the point before the infection occurred.

Using a recent backup, an endpoint can be reimaged and its data restored to a known, good state with as little data loss as possible. While this strategy will likely result in some level of data loss because there will normally be a gap between the most recent backup and the time of reimaging, recent backups will minimize data loss if no other remedy can be found.

There are good solutions available that can be deployed on-premises or in the cloud that can detect phishing attempts and a variety of other threats. Every organization should implement solutions that are appropriate to its security infrastructure requirements, but with specific emphasis on the ability to detect, isolate and remediate phishing threats.

While the overall spam problem has been on the decline for the past several years, spam is still an effective method to distribute malware, including ransomware.

Next, implement a variety of best practices to address whatever security gaps may exist in the organization. For example:

  • Employees should employ passwords that correspond to the sensitivity and risk associated with the corporate data assets they are accessing. Where passwords are changed on an enforced schedule under the direction of IT, be aware that current guidance (NIST SP 800-63B) recommends against routine periodic rotation, which tends to produce weaker, predictable passwords; changing a password promptly when there is evidence it has been exposed matters more than changing it on a calendar.
  • Implement a program of robust security awareness training that will help users to make better judgments about the content they receive through email, what they view or click on in social media, how they access the Web, and so forth. The goal of security awareness training is to help users to be more careful about what they view, what they open and the links on which they click. While security awareness training by itself will not completely solve an organization’s security-related problems, it will bolster the ability of users – the last line of defense in any security infrastructure – to be more aware of security issues and less likely to respond to phishing attempts. It is essential to invest sufficiently in employee training so that the “human firewall” can provide an adequate last line of defense against increasingly sophisticated phishing and other social engineering attacks.
  • Establish communication “backchannels” for key staff members that might be called upon to deal with corporate finances or sensitive information. For example, if a traveling CEO sends a request to her CFO to transfer funds to a supplier, the CFO should have an independent means of verifying the authenticity of the request, such as texting or calling to the CEO’s smartphone.
  • Regularly send simulated phishing emails to employees to reinforce their security awareness training and to make sure they stay on their toes with security top of mind.
  • Employees should be reminded continually about the dangers of oversharing content on social media. Employees’ friends might be interested in the latest breakfast, vacation or restaurant visit that gets posted on social media – but this information could give cybercriminals the information they need to craft a spear phishing email.
  • Ensure that every employee maintains robust anti-malware defenses on their personally managed platforms if there is any chance that these employee-owned devices will access corporate resources.
  • Employees should be reminded and required to keep software and operating systems up-to-date to minimize the potential for a known exploit to infect a system with malware.

 

Every organization should use historical and real-time threat intelligence to minimize the potential for infection. Real-time threat intelligence can provide a strong defense to protect against access to domains that have a poor reputation and, therefore, are likely to be used by cybercriminals for spearphishing, ransomware and other forms of attack. Threat intelligence can also be used proactively by security analysts and others to investigate recent attacks and discover previously unknown threat sources. Moreover, historical threat intelligence – such as a record of Whois data that includes information on who has owned domains in the past – can be useful in conducting cybercrime investigations.

Using both real-time and historical domain and IP-based threat intelligence is an important adjunct for any security infrastructure because it offers protection in several ways:

  • Organizations can remain compliant with the variety of regulatory obligations they face to protect employee data, customer data and other information they own or manage.
  • Good threat intelligence helps to monitor both intentional and inadvertent use of corporate brands so that these brands can be protected.
  • Threat intelligence provides forensics researchers with deep insight into how attacks began, how cybercriminals carried out their attacks, and ways in which future attacks can be detected early on and thwarted before they can do damage.

 


Here are some additional tips to share with your users that can keep them safe at the office (and at home). As your last line of defense, they need to stay on their toes with security top of mind:

New phishing scams are being developed all the time. The less you stay on top of them, the easier they are to fall for. Keep your eyes peeled for news about new phishing scams. By finding out about them as early as possible, you will be at much lower risk of getting snared by one.

It’s fine to click on links when you’re on trusted sites. Clicking on links that appear in unexpected emails and instant messages, however, is never a good idea. Hover over links that you are unsure of before clicking on them and look at the actual destination the client shows: does it lead where the link text says it leads?

A phishing email may claim to be from a legitimate company, and when you click the link the website it opens may look exactly like the real one while actually being a phishing site. It's better to go directly to a site by typing its address or using a bookmark than to click on a questionable link.
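The "hover and compare" check above can be automated for the HTML body of a message. The following is an added example, not code from the original page or from KnowBe4: it parses the anchors in an HTML email, and wherever the visible link text looks like a URL or domain, compares the host the text names with the host the href actually resolves to. The sample message is constructed for the example and all domains in it are assumptions. It also handles the `user@host` trick, where a lookalike domain is placed in the userinfo part of the URL so that a casual reading of the href shows the expected brand name.

```python
"""Flag HTML e-mail links whose visible text points somewhere other than their href."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body in the style of a credential-phishing lure (not a real capture).
SAMPLE_HTML = """
<p>Your account has been locked. Please verify at
<a href="http://secure-login.example.net/verify">https://www.bank.example.com/login</a>
or <a href="https://www.bank.example.com@evil.example.org/">www.bank.example.com</a>.
Help: <a href="https://help.bank.example.com/">help.bank.example.com</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname_of(text):
    """Return the host a URL or bare domain really points to, or None.

    urlparse().hostname discards any userinfo, so
    'https://www.bank.example.com@evil.example.org/' yields 'evil.example.org'.
    """
    candidate = text if "://" in text else "http://" + text
    try:
        return (urlparse(candidate).hostname or "").lower() or None
    except ValueError:
        return None


def looks_like_domain(text):
    """True if the anchor text reads like a URL or hostname rather than prose."""
    host = hostname_of(text)
    return host is not None and "." in host and " " not in text


def find_mismatched_links(html):
    """Return (href, text, href_host, text_host) for every link whose visible
    text names a host different from the one the href actually goes to."""
    parser = _LinkCollector()
    parser.feed(html)
    mismatches = []
    for href, text in parser.links:
        if not looks_like_domain(text):
            continue  # "Click here" style text carries no host to compare
        real_host = hostname_of(href)
        shown_host = hostname_of(text)
        if real_host != shown_host:
            mismatches.append((href, text, real_host, shown_host))
    return mismatches


if __name__ == "__main__":
    for href, text, real, shown in find_mismatched_links(SAMPLE_HTML):
        print(f"shown as {shown!r} but goes to {real!r}: {href}")
```

Running the block on the constructed sample reports the first two links and stays silent on the third, where text and destination agree. A link whose text is ordinary prose cannot be checked this way; for those, the hover check still applies, and the safest path remains navigating to the site directly.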

Most popular Internet browsers can be customized with anti-phishing toolbars. Such toolbars run quick checks on the sites that you are visiting and compare them to lists of known phishing sites. If you stumble upon a malicious site, the toolbar will alert you about it. This is just one more layer of protection against phishing scams, and it is completely free.

It’s natural to be a little wary about supplying sensitive financial information online. Before submitting any information, make sure the site’s URL begins with “https” and that there is a closed lock icon near the address bar, and check the site’s security certificate as well. Treat this as a necessary check, not a sufficient one: “https” and the lock only mean the connection to that server is encrypted, and phishing sites routinely obtain valid certificates for their own lookalike domains. What matters is that the domain in the address bar is the one you expect for that company.

If you get a message stating that a website may contain malicious files, do not open the website. Never download files from suspicious emails or websites. Even search engines may show links that lead to a phishing page offering low-cost products; if a user makes a purchase at such a site, the credit card details end up with cybercriminals.

If you don’t visit an online account for a while, someone could be having a field day with it. Even if you don’t technically need to, check in with each of your online accounts on a regular basis. Get into the habit of changing your passwords regularly too.

To prevent bank phishing and credit card phishing scams, you should personally check your statements regularly. Get monthly statements for your financial accounts and check each and every entry carefully to ensure no fraudulent transactions have been made without your knowledge.

Security patches are released for popular browsers all the time. They are released in response to the security loopholes that phishers and other hackers inevitably discover and exploit. If you typically ignore messages about updating your browsers, stop. The minute an update is available, download and install it.

High-quality firewalls act as buffers between you, your computer and outside intruders. You should use two different kinds: a desktop firewall and a network firewall. The first option is a type of software, and the second option is a type of hardware. When used together, they drastically reduce the odds of hackers and phishers infiltrating your computer or your network.

Pop-up windows often masquerade as legitimate components of a website. All too often, though, they are phishing attempts. Many popular browsers allow you to block pop-ups; you can allow them on a case-by-case basis. If one manages to slip through the cracks, don’t click on the “cancel” button; such buttons often lead to phishing sites. Instead, click the small “x” in the upper corner of the window.

As a general rule, you should never share personal or financially sensitive information in response to an unsolicited request over the Internet. This rule spans all the way back to the days of America Online, when users had to be warned constantly because of the success of early phishing scams.

When in doubt, go visit the main website of the company in question, get their number and give them a call. Most phishing emails will direct you to pages where entries for financial or personal information are required.

Confidential entries should never be made through the links provided in emails. Never send sensitive information to anyone by email. Make it a habit to check the address of the website: a site that handles sensitive data should always use “https”, but “https” alone does not prove the site is legitimate, so check the domain name itself.

There are plenty of reasons to use antivirus software. Special signatures that are included with antivirus software guard against known technology workarounds and loopholes. Just be sure to keep your software up to date. New definitions are added all the time because new scams are also being dreamed up all the time.

Anti-spyware and firewall settings should be used to help prevent phishing attacks, and users should update these programs regularly. A firewall blocks unsolicited inbound connections and, when configured to do so, outbound connections to known-bad destinations. Antivirus software scans files that arrive on your computer from the Internet and helps to prevent damage to your system, but it only recognizes threats it has signatures or heuristics for, so it does not replace the judgment described in the tips above.

What Industries Are Most At Risk Of Phishing Attacks?

A new KnowBe4 study of phishing statistics for top industries, shows small insurance companies have the highest percentage of Phish-prone employees in the small to mid–size organization category. Not-for-profit organizations take the lead in large organizations.

Baseline Phish-Prone Percentage by Industry

 

The study, drawn from a data set of more than six million users across nearly 11,000 organizations, benchmarks real-world phishing results. Results show a radical drop of careless clicking to just 13 percent 90 days after initial training and simulated phishing and a steeper drop to two percent after 12 months of combined phishing and computer based training (CBT).

Researchers anonymously tracked users by company size and industry at three points:

1. A baseline phishing security test
2. Results after 90 days of combined CBT and simulated phishing
3. The results after one year of combined CBT and phishing, which are encouraging:

Average Phish-Prone Percentage After 12 Months
 
 

Download the full 2018 Phishing Industry Benchmarking Report 

The 2018 Phishing By Industry Benchmarking Report compiles results from a new study by KnowBe4 and reveals at-risk users that are susceptible to phishing or social engineering attacks. Taking it a step further, the research reveals radical drops in careless clicking after 90 days and 12 months of security awareness training.

Download Report


Watch the Phishing Industry Benchmarking Webinar

One of your important and ongoing IT security initiatives is getting the Phish-prone percentage of your users as low as possible. But how are you doing compared to the "similar-size peers" in your industry?  Join Stu Sjouwerman and Perry Carpenter as they discuss brand-new research based on what your users are clicking and find out how you are doing compared to your peers.

Watch the Webinar

How To Phish Your Users

Phishing and training your users as your last line of defense is one of the best ways to protect yourself from attacks. Here are the 4 basic steps to follow: 

  1. Baseline Testing to assess the Phish-prone percentage of your users before training them. You want to know the level of attack they will and won't fall for as well as have data to measure future success.
  2. Train Your Users with on-demand, interactive, and engaging training so they really get the message.
  3. Phish Your Users at least once a month to reinforce the training and continue the learning process.
  4. See The Results for both training and phishing, getting as close to 0% Phish-prone as you possibly can

An additional 5 points to consider:

  1. Awareness in and of itself is only one piece of defense-in-depth, but crucial
  2. You can't and shouldn't do this alone
  3. You can't and shouldn't train on everything
  4. People only care about things that they feel are relevant to them
  5. The ongoing process is to help employees make smarter security decisions

...and what we've found to be the 5 best practices to embrace:

  1. Have explicit goals before starting
  2. Get the executive team involved
  3. Decide what behaviors you want to shape - choose 2 or 3 and work on those for 12-18 months
  4. Treat your program like a marketing effort
  5. Phish frequently, once a month minimum

Phishing your users is actually FUN! You can accomplish all of the above with our security awareness training program. If you need help getting started, whether you're a customer or not, you can build your own customized Automated Security Awareness Program by answering 15-25 questions about your organization.


How To Report Phishing

With over 100 billion spam emails being sent daily, it's only a matter of time before you get hit. There are several ways you can and should report these:

  1. KnowBe4’s Phish Alert button gives your users a safe way to forward email threats to your internal security team for analysis and deletes the email from the user's inbox to prevent future exposure, all with a single click!
  2. The United States Computer Emergency Readiness Team website provides information on where to send a copy of the email or the URL of the website so that they may be examined by experts. 
  3. The Anti-Phishing Working Group (APWG) website features a text box in which to copy and paste the entire suspicious email you have received, including the header as well as the body of the message. 
  4. If you come across a website you believe is spoofed, or just looks like a phishing page attempting to steal user information, you can report the URL and submit comments to Google here.
  5. The Federal Trade Commission has an entire section of their website where complaints on phishing, identity theft and other scams can be filed. 
  6. The FBI's Internet Crime Complaint Center (IC3) accepts complaints on their website. Make sure you have all the information needed before filing a complaint: they will ask for information about the victim, whether there was a financial transaction, and of course any info you may have about the sender.

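Several of the reporting channels above (the internal security team, APWG) want the complete message including its headers, because the headers are where an analyst can see that a message is not what it claims to be. The following is an added example, not code from the original page or from KnowBe4, of the first-pass triage a security team might run on a reported .eml file: it compares the From domain against Reply-To and the envelope sender, reads the receiving server's Authentication-Results (SPF, DKIM, DMARC), and pulls out the earliest Received hop. The sample message, its domains and addresses are constructed for the example and are assumptions.

```python
"""Quick header triage for a suspicious e-mail reported to the security team."""
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (not a real capture): the display name and From
# domain imitate a bank, but replies and the envelope sender go elsewhere.
SAMPLE_EML = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.corp.example.com (mx.corp.example.com [192.0.2.10]) by inbox.corp.example.com; Mon, 1 Jan 2018 09:00:00 +0000
Received: from mailer.example.net (unknown [198.51.100.7]) by mx.corp.example.com; Mon, 1 Jan 2018 08:59:58 +0000
Authentication-Results: mx.corp.example.com; spf=fail smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=bank.example.com
From: "Bank Support" <alerts@bank.example.com>
Reply-To: support-desk@mailer.example.net
To: employee@corp.example.com
Subject: Urgent: verify your account
Content-Type: text/plain; charset="utf-8"

Please verify your account within 24 hours.
"""


def _domain(addr_header):
    """Domain part of an address header such as '"Name" <user@host>', lowercased."""
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower() or None


def _auth_results(msg):
    """Parse 'authserv-id; spf=fail ...; dkim=none; dmarc=fail ...' into {method: result}."""
    results = {}
    header = msg.get("Authentication-Results", "")
    for part in header.split(";")[1:]:  # the first element is the authserv-id
        method, _, rest = part.strip().partition("=")
        if method:
            results[method.lower()] = rest.split()[0].lower() if rest else ""
    return results


def triage(raw):
    """Return the findings an analyst would want to see first for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = _domain(msg.get("From"))
    reply_dom = _domain(msg.get("Reply-To"))
    bounce_dom = _domain(msg.get("Return-Path"))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")
    if bounce_dom and bounce_dom != from_dom:
        findings.append(f"envelope sender domain {bounce_dom} differs from From domain {from_dom}")

    # Only the receiving server's own Authentication-Results header is trustworthy;
    # a sender can insert a forged one, so production code should check the authserv-id.
    auth = _auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) not in ("pass", None):
            findings.append(f"{method} result is {auth[method]}")

    # Received headers are prepended by each hop, so the last one is the earliest
    # (closest to the sender) and the only one the sender could not have appended later.
    hops = msg.get_all("Received", [])
    if hops:
        origin = hops[-1].split(" by ")[0].strip()
        findings.append(f"{len(hops)} Received hops; origin hop: {origin}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_EML):
        print("-", line)
```

On the constructed sample the script reports the Reply-To and envelope-sender mismatches, the SPF and DMARC failures, the missing DKIM signature, and the originating hop. None of these alone proves a message is phishing (mailing-list and marketing platforms legitimately send on behalf of other domains), but together they give the analyst the points to examine before acting on the report.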
Free Tools

Phishing Security Test

Did you know that 91% of successful data breaches started with a spear phishing attack?

Learn More

Phish Alert Button

Do your users know what to do when they receive a suspicious email or attachment?

Learn More

Second Chance

Wish your users could "roll back time" when they click a bad link?

Learn More



Webinars

On-Demand Webinar: Phishing Attack Landscape and Industry Benchmarking

One of your most important and ongoing IT security initiatives is getting the Phish-prone percentage of your users as low as possible. But how are you doing compared to the "similar-size peers" in your industry? What types of phishing emails are users really clicking on? Watch this 30 minute webinar to find out!

Watch Now!
On-Demand Webinar: Phishing and Social Engineering Trends in 2018: Is the Worst Yet to Come?

Watch this insider’s perspective of cybersecurity trends to expect in 2018 from our founder Stu Sjouwerman. The list of six predictions are founded on KnowBe4’s deep insight into threats that organizations experience today and should expect tomorrow.

Watch Now!

On-Demand Webinar: How To Phish Like the Bad Guys

Successful hackers understand that the user is the weakest link in the security chain. Email phishing campaigns have proven to be the path of least resistance to get unsuspecting individuals to download and install their malicious software. Learn the techniques that social engineers find successful and how to implement them into your simulated phishing attacks to inoculate your end users.

Watch Now!



Whitepapers

The Phishing Breakthrough Point Whitepaper

Security awareness training and simulated phishing tests can be effective tools to reduce unintentional insider threats. However, if robust metrics are not put in place, they can create social engineering blind spots. Find out more about the breakthrough point in an organization's phishing awareness level.

Get The Whitepaper

Best Practices for Dealing With Phishing and Ransomware Whitepaper

Phishing and ransomware are serious problems that can steal data or disable access to your organization’s network. This new Osterman Research whitepaper gives you a variety of best practices to minimize your potential for becoming a victim of phishing and ransomware.

Get The Whitepaper
