It should come as no surprise that the sophistication and frequency of email phishing attacks are continuing to escalate, providing attackers with a jumping-off point for ransomware attacks, data breaches, and other malicious activity.
While it can sometimes be difficult for companies to justify budget for measures to guard against these attacks, recent trends are making it harder to ignore their potentially devastating impacts.
- Ransomware attacks that rely on email phishing techniques to deploy malicious software are on the rise and smaller and smaller organizations are being targeted.
- Employees are increasingly working from home in environments that often lack enterprise-level network hardening, and are therefore more vulnerable to attack.
- State actors are increasingly targeting organizations that handle energy infrastructure, trade secrets, and national security information.
In this blog post, we’ll highlight some of the latest types of email phishing attacks and cover what we feel are the top ten ways you can harden your organization against these attacks.
The Latest Email Phishing Techniques
Cyber criminals are constantly evolving their strategies and tactics to circumvent their victims’ defenses. Here are some of the latest email phishing techniques we’ve observed in working with our clients.
- Attackers obtain an email, sent by an employee of the target organization, that reveals either the organization’s “External” banner or, worse, an “Internal”/“Safe Sender” banner.
- They create an HTML/CSS payload which either hides the legitimate “External” banner that will be applied by the target organization, or replaces it with the observed “Internal” banner. This payload is embedded in a phishing email sent to one or more employees of the target organization.
- When the employee(s) read the email, the “Internal” banner (or lack of an “External” banner) makes them more inclined to believe it is from an internal source and follow the included instructions (e.g., click a seemingly legitimate link that is actually malicious).
- Attackers send phishing emails with seemingly “harmless” files attached, including:
- PDF files with links to webpages that push malicious downloads.
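The banner-tampering technique above leaves traces in the message HTML that a mail-flow rule or SOC triage script can look for. The following is an added example, not code from the original post or from Tevora; it assumes a hypothetical gateway that prepends an external banner with the CSS class `external-banner` and an internal banner worded “Internal sender”/“Safe Sender”, and flags inbound HTML that references the gateway’s own banner selector (with or without a hiding rule) or that carries internal-banner wording.

```python
import re
from html import unescape

# Constructed assumptions: the mail gateway prepends its external-sender
# banner with this CSS class, and the internal banner carries one of these
# phrases. Substitute your own gateway's markup.
EXTERNAL_BANNER_SELECTOR = "external-banner"
INTERNAL_BANNER_PHRASES = ("internal sender", "safe sender")

# CSS that makes an element invisible without removing it from the DOM.
HIDING_RULE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0"
    r"|(?:max-)?height\s*:\s*0|opacity\s*:\s*0(?![.\d])",
    re.I,
)
STYLE_BLOCK = re.compile(r"<style[^>]*>(.*?)</style>", re.I | re.S)


def find_banner_tampering(html: str) -> list[str]:
    """Heuristic checks for an inbound message that tries to hide the gateway's
    external banner or to imitate the internal one. Returns the reasons found;
    an empty list means nothing suspicious. An external sender has no
    legitimate reason to reference the gateway's banner selector at all."""
    findings = []
    for block in STYLE_BLOCK.findall(html):
        if EXTERNAL_BANNER_SELECTOR in block:
            if HIDING_RULE.search(block):
                findings.append("stylesheet hides the external banner")
            else:
                findings.append("stylesheet references the external banner")
    # Strip tags and collapse whitespace so wording split across elements
    # is still matched.
    text = " ".join(unescape(re.sub(r"<[^>]+>", " ", html)).lower().split())
    if any(phrase in text for phrase in INTERNAL_BANNER_PHRASES):
        findings.append("body contains internal-banner wording")
    return findings


if __name__ == "__main__":
    # Constructed sample: a benign message and one that references the banner.
    print(find_banner_tampering("<p>Agenda for Monday is attached.</p>"))
    print(find_banner_tampering(
        "<style>.external-banner{display:none}</style><p>Please review.</p>"))
```

These checks only help while the banner is injected HTML; the lasting fix is the native client-side banner recommended in item 7 below.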
Finish Signing Up
- Attackers send a phishing email that appears to be from a legitimate partner of the victim’s organization.
- The email prompts the victim to finish signing up for a legitimate service that is offered by the partner. The victim’s email or user ID are pre-populated in the signup screen, which instructs the victim to provide a password to “finish setting up” their account.
- Because the email appears to be from a known partner and because the email or user ID are already filled in, users tend to drop their guard and enter one of their current passwords (often the Active Directory password that they associate with their email or user ID).
Top 10 Ways to Harden Your Organization Against Email Phishing Attacks
Tevora has helped some of the world’s leading organizations defend against and respond to email phishing attacks. Based on our experience working with these clients, we’ve developed a list of the top ten things you can do to defend your organization against these dangerous attacks.
1. Conduct security awareness training. Conducting effective security awareness training is one of the best things you can do to guard against email phishing attacks.
Some security awareness training programs use run-of-the-mill, templated phishing emails—not the type of thing you see with today’s advanced persistent threats. Be sure your training includes simulated email phishing attacks that replicate the latest techniques used by sophisticated attackers, including the techniques described above. Tevora can help ensure you’ve included these types of simulated attacks in your training.
Another common problem is that security awareness training can be boring! This causes attendees to tune out and not absorb the material. One way to make your training more compelling is to gamify it by integrating elements such as fun contests, quizzes and rewards. To learn more about this, check out our Is Your Security Awareness Training a Snoozer? Gamefy it! blog post.
2. Use password managers. Have your staff use password managers such as 1Password, KeePass, or LastPass. In our view, these tools are a much more effective way to ensure proper password hygiene than asking staff to remember and use long, complex, unique passwords. If using one of these dedicated tools is not feasible, we suggest using something like Okta that has built-in password management capabilities.
If for any reason your organization is not able to use password managers, the most important message you need to stress with your team is to not reuse passwords. With the proliferation of open-source databases that share breached passwords, the risk of reusing passwords has grown exponentially.
3. Update software frequently. Make sure to update all of your application and infrastructure software as frequently as possible. Most software updates, even if they are described as containing new or updated features, will contain the latest security updates as well.
Don’t forget that applying updates to mobile devices (Android and Apple) can be just as important, especially in a Bring Your Own Device (BYOD) environment.
4. Share trusted domains. While it is a good practice to instruct employees to avoid untrusted domains, it can be difficult to always know which domains should be trusted. We recommend developing a list of domains that your staff can trust, including those that are owned and controlled by your organization. Make sure the list is easily accessible by all of your team members.
5. Have an open door policy for your SOC/IR team. Strive to make your staff feel welcome talking to SOC/IR team members about any security issues. Make it clear to your staff that you will never ask for their password over the phone or email. Get the message out in person rather than relying on written communications, which can often be overlooked. This can go a long way toward shutting down phishing/social engineering attacks.
6. Use multi-factor authentication (MFA). While it can be inconvenient, using MFA can save you, even when someone is reusing a compromised password. Or, in some cases, you can get rid of passwords altogether by using Magic links/passwordless as an alternative.
7. Eliminate internal sender banners. If you are using both external and internal sender banners, get rid of the internal sender banners, which can be spoofed. Switch from prepended/appended HTML banners, which live inside the message body and can be hidden by the attacker’s own CSS, to native external banners rendered by the mail client if possible.
8. Test. Test. Test. Conduct extensive ongoing testing to ensure your organization is fully prepared to defend against phishing attacks.
Test the effectiveness of your security awareness training by conducting periodic simulated phishing attacks using the latest phishing techniques. Enforce password resets for staff that fail these tests.
Engage skilled penetration testers to find vulnerabilities in your phishing defenses. Test your SOC/IR team’s response time to reported phishing emails and payload executions.
9. Audit Passwords. Conduct periodic audits to compare your team’s passwords against databases of breached passwords. Whenever matches are found, ensure those passwords are changed immediately.
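Items 2 and 9 both come down to checking whether a password already appears in a breach corpus. The following is an added example, not code from the original post or from Tevora; it assumes the audit uses a k-anonymity range lookup (as offered by the Pwned Passwords API, where only the first five hex characters of the SHA-1 hash are sent and the service returns every matching suffix with its breach count), runs offline against a constructed range response with made-up counts, and also reports accounts that share a hash, i.e. passwords reused inside the organization.

```python
import hashlib
import urllib.request

# Constructed k-anonymity range response for prefix 5BAA6: each line is the
# remaining 35 hex chars of a SHA-1 hash plus a breach count. Counts are made up.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; blank or malformed lines are skipped."""
    counts = {}
    for line in body.splitlines():
        if ":" in line:
            suffix, count = line.strip().split(":", 1)
            counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Stand-in for the range lookup so the example runs without network."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Query the Pwned Passwords range endpoint; only the 5-char prefix leaves
    the organisation, so the full hash is never disclosed to the service."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count_for_hash(sha1: str, fetch_range=offline_fetch) -> int:
    prefix, suffix = sha1[:5].upper(), sha1[5:].upper()
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def audit(account_hashes: dict[str, str], fetch_range=offline_fetch) -> dict:
    """Per-account breach counts plus groups of accounts sharing one hash."""
    breached = {acct: breach_count_for_hash(h, fetch_range)
                for acct, h in account_hashes.items()}
    by_hash = {}
    for acct, h in account_hashes.items():
        by_hash.setdefault(h.upper(), []).append(acct)
    reused = [accts for accts in by_hash.values() if len(accts) > 1]
    return {"breached": breached, "reused": reused}
```

Pass `live_fetch` instead of `offline_fetch` to audit against the real corpus; the script only ever needs the SHA-1 hashes, not the plaintext passwords.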
10. Reward your vigilant employees. Incentivize your employees to report suspicious emails, phone calls and activity. Document the reporting process specific to your organization and reward employees that report real and simulated attacks with gift cards (or the reward of your choice)…
For a deeper dive on email phishing, check out our webinar on The State of Email Phishing: 2021.
We Can Help
If you have questions about email phishing or would like help hardening your organization against these potentially devastating attacks, just give us a call at (833) 292-1609 or email us at firstname.lastname@example.org.
About the Author
Kevin Dick is the Manager of Threat Services at Tevora.