SpearTip recently partnered up with Women in Cybersecurity (WiCyS) to present a webinar discussing the importance of phishing training within companies, primarily how awareness is the best defense against this most common threat tactic.
The presentation begins with a discussion of social engineering in the modern IT environment. Social engineering is described a broad range of malicious activities accomplished through human interactions. It uses psychological manipulation to trick users into making security mistakes or giving away sensitive information. Social engineering can be performed through various ways, including analog methods, such as conversations conducted in person or over the telephone, and digital methods, like e-mail or instant messaging. Phishing is a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation, in which the perpetrator masquerades as a legitimate business or reputable person. One of the common forms of phishing, including e-mail phishing with 3.4 billion emails delivered every day and accounts for more than 90% of data breaches.
Other common forms of phishing campaigns include spear phishing, whaling, smishing, vishing, and angler phishing. Threat actors use the human factor as part of their phishing campaign. Threat actors deploy psychology against end users’ brains, creating trust through personalization, and eliciting an emotional response to gain access to valuable data. Once threat actors have access to users’ information or systems, they can exploit them or their businesses. Threat actors’ end goal is always money and end users are the easiest targets. Within the presentation, the importance of how anti-phishing toolsets provide proactive and reactive protection against incoming emails and URLs to prevent end users from opening malicious content is discussed in detail. Anti-phishing toolsets scan emails and URLs, quarantine malicious communication without blocking legitimate emails, and block malicious URLs and file attachments. The toolset has e-mail traffic allow lists that prevent spoofing and help identify threat actors’ attack patterns.
However, almost 19% (or 646 million) of phishing emails bypass some security applications. The lapse in filtering occurs because businesses value the speed of communication and phishing emails don’t always contain malicious URLs, attachments, or links software. Additionally, threat actors are constantly changing their strategies and producing new plays and anti-phishing tools are generally reactive, rather than proactive. Sarah talks about phishing training as mitigation and the 5 things to look for in the tone of communication.
Urgency – Threat Actors want something right now: the longer you think, the more you may question the senders’ legitimacy
Plausibility – Modern phishing attempts are based on real-life, often mundane scenarios
Familiarity – Claiming to be from an authority figure, Using personal details
Confidentiality – An action required needs to be done by users alone; getting others involved risks the scam failing
Quality – Contains obvious and egregious spelling or grammatical errors
With phishing and social engineering attacks accounting for the overwhelming majority of how threat actors initiate successful cyberattacks, it’s imperative for businesses and individuals to be thoroughly aware of how phishing scams are designed. These tips will help users enhance cyber awareness and security posture.
Assume Malice and Exercise Caution with Attachments – While attachments are enticing, often containing interesting information, they also hide malicious applications: treat them similarly to links.
Don’t Automatically Trust a Sender’s Display Name: Verify – Threat actors often conduct research before launching a phishing campaign, using trusted “personas” to appear more convincing to recipients.
Scan Links WITHOUT Clicking – Before clicking any suspicious link, hover your mouse over the text to determine where it will actually direct you.
Check for Spelling and Grammar Errors – Most senders, especially businesses with well-established reputations, are careful with spelling and grammar whereas threat actors are not.
Do Not Match a Sender’s Sense of Urgency – Any message requiring users to “act now” or fill out some form “immediately” is trying to take advantage of users.
Assess the Sender’s Motive: Why Do They Want Personal Information? – Large companies with which people do business as well as employees will not ask for sensitive, personal information through text or email.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.