Phishing

Introduction to Anti-Phishing

Throughout the course of your day, think about all the clicking you do with your mouse.

You click again and again while opening a never-ending stream of emails.

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Demo Now

You click to open links in those emails.

You click on links within those links.

The list goes on and on.

We do it so often, it would be impossible to guess just how many times we do it every single day.

Imagine, though, if just one of these clicks was enough to bring your entire company down or drain your bank account.

Every year, countless people will experience this.

As the victim of a phishing attack, just one click is all it takes to cause unprecedented damage to an organization or bank account.

What Is Phishing?

You’re probably well aware what phishing scams are and how they work. After all, let’s look at some phishing statistics:

85% of organizations said they had been victimized by phishing scams in 2015. That was a 13% increase over 2014.
60% of these organizations also reported that the rate of these phishing attacks had increased overall.
Again, that’s an increase – by 22% - over the prior year.
30% of phishing scams get opened.
$1.6 million is the average amount a company ends up losing from a spear phishing attack.
20% of organizations say spear phishing is their #1 threat.
84% of companies have fallen victim to a spear phishing attack that penetrated their security.
15% of companies reported a drop in their stock price due to a spear phishing attack.
1/3 of companies have been successfully attacked through a CEO fraud email.
9% of organizations say they believe their executives could fall victim to a phishing scam like CEO fraud.
Another 29.6% said “maybe” if the targeted scam was convincing enough.

Obviously, this is a pervasive, costly threat.

For those who don’t know, phishing is a ploy to acquire sensitive information (e.g. passwords, social security numbers, etc.) from an unsuspecting victim. Real fishing involves some kind of bait. Usually, it’s live and something the fish will recognize as an authentic source of food.

With phishing, the perpetrator uses a different type of bait. They trick their victim to take the bait by acting as though they’re in a position of authority or influence, or by pretending to be a familiar person.

For example, someone may contact an employee saying they’re from HR and need them to click on a link to fill out a required form. When the victim clicks on the link, the scam artist can begin phase two of their attack where the real damage is actually done.

Spear phishing, which we touched on above, seriously ramps up the use of social engineering. The scam artist needs the following three ingredients for their plan to work:

The identity of a person of authority within an organization
Knowledge of the company’s practices to further cement their fake identity in the mind of their victim
A valid reason for requesting sensitive information

This obviously takes a lot more research, but the payoff is also much greater (see the stats above).

Nonetheless, when you consider the alternative for a criminal – learning how to code to create a program that can acquire the data they want, provided it doesn’t set off the company’s high-tech security – phishing is a no-brainer. It’s nearly impossible to get caught and it takes very little skill to pull off. Nonetheless, the result can be extremely profitable.

So what can you do?

What Is Anti-Phishing?

Broadly speaking, anti-phishing refers to a wide array of practices meant to defend against this nefarious scam.

Usually, though, the term refers to software and automated practices that make it easy to keep phishing scams far from your employees.

To be clear, training your employees is important. We’ll actually recommend some methods for ensuring they’re ready for an attack in a minute.

However, there’s no sense in making their job harder by letting phishing scams through.

Earlier, when describing phishing scams, we used emails as an example of a tactic these criminals would use. Emails are by far the favorite tool of these scam artists, too.

That being said, websites are also used. They might be used in tandem with emails, as well. The same concept is leveraged. The visitor to the site is led to believe that the website is legitimate, so when they’re asked for personally identifying information or other sensitive forms of data, they naturally hand it over without a second thought.

Anti-phishing software helps to identify these sites and either blocks them altogether or alerts the user that they’re on a suspicious site and should exercise caution.

What's the Difference Between Client- & Service-Based Anti-Phishing Software?

Before we delve into this topic, let’s cover some basic definitions of each.

Client-based anti-phishing software provides the desired service through a physical product; you’re not going through the cloud. It would technically be accessible even if your whole network was down, though there wouldn’t be much of a threat from phishing at that point.

Examples of client-based anti-phishing software would include:

Webroot Internet Security Antivirus
Kaspersky Anti-Virus
IC Spyware & Anti-Phishing Suite 4.0

With service-based anti-phishing software, you’re getting your protection through access to a server. This requires your network to be up and running, but the benefits are many.

Some examples of service-based anti-phishing software include:

Total AV
Windows Defender
Avast Antivrus

The entire software industry is moving toward service-based solutions – especially where security is concerned – because it allows you to download updates at any time.

For the most part, you’ll want to use a service-based anti-phishing program. Phishing continues to evolve and probably always will. The criminals who favor this type of scam will always be working on a brand new version with an even better chance of succeeding.

This means that anti-phishing defenses must be equally vigilant in updating and coming up with increasingly better forms of protection.

Anti-Phishing Best Practices for Businesses and Consumers

As we mentioned earlier, there is no way to overestimate the importance of training your people so they’re aware of what phishing scams entail and, thus, are better able to defend against them.

While software has its place, no form of defense is worth much if someone can be tricked into lowering it.

Think about a house. It can have a giant wall, cameras and a steel door with an impossible-to-pick lock. However, if the kids inside don’t know not to let strangers in or if one of the adults is gullible enough to trust someone claiming to be the police, all of those defenses will amount to nothing more than a lot of money down the drain.

With that in mind, let’s look at best practices you can pass on to your people to ensure they become a part of your defense against these attacks. These tactics can easily be applied to the needs of private individuals, too.

1) Make sure they understand the threat.

This is a central building block necessary for the rest of your efforts to work. The vast majority of your people will have heard of phishing attacks before, but that’s completely different than knowing how to identify them.

Constant reminders of what phishing attacks look like should be part of your defense strategy. Phishing attacks work when people let their guards down because they’ve become complacent.

2) “Why am I getting this email?”

Teach your people to always ask this question and you’ll take a big step toward never suffering from a phishing attack.

One very popular method of phishing entails mimicking the look of emails that come from trusted companies like LinkedIn or PayPal. These emails use the same logos and similar formats.

Of course, their justifications never add up. For example, none of these companies would request a user’s password through email. They also wouldn’t provide a user with a new password and tell them to reset theirs.

Again, phishing works when people fall asleep at the wheel and simply do as they’re told. Constantly asking “why?” will keep your staff from doing this.

3) Confirm the identity of the sender when they’re requesting sensitive information

It’s not uncommon for a company to need sensitive data to be shared among employees.

What is rare is for these companies to instruct this to happen through email. Aside from the security issues involved, this is just a very cumbersome method.

This is why the vast majority of organizations have secure processes in place for this. Approved users need credentials to access certain folders where this data is held, for example.

The point is that, if one of your employees does receive an email from a coworker or superior asking for sensitive data, they should call the person to confirm their identity.

Phishing is often used to gain someone’s email password. Once they have it, the scam artist proceeds to use this email address to message others in search of the data they really want.

Even savvy employees can fall for this because, after double-checking the email that’s sending the message, they see that it’s legitimate. A simple phone call can keep the transfer of sensitive data from happening and stop the phishing plot before it does even more damage.

4) Always Check the URL

Make sure your people don’t take URLs for granted. At first glance, a URL may look legitimate, when, in fact, it’s really a well-designed ploy to extract information.

One especially clever way of doing this is by supplying a valid URL through an email. The scam artist knows they can write out the URL, but then change the actual destination to whatever they want by using the email’s hyperlinking capabilities.

All you have to do is hover your cursor over the URL to see where it’s really leading you, but too many people don’t do this because they take for granted that what they first see is the site they’ll be taken to.

5) Keep Calm

Social engineering 101 is that people will be much quicker to follow your instructions if they’re given with a sense of extreme urgency. Scam artists will phish people by pretending they’re from the IT department telling a user that they must click this link to change their password ASAP because the company has been compromised.

It just takes an extra second to confirm if this is true or not.

To further keep these attacks from working, establish rules for how your company will handle emergency situations and ensure that everyone understands what to look for when the real thing happens.

6) Encourage False Alarms

As you can see, some of the best ways to protect against phishing attacks are to contact others to verify the legitimacy of a message.

This should always be encouraged. You can’t risk someone being worried about feeling embarrassed if they raise a false alarm. It’s not like you’re telling them to email the entire company, after all. Usually, it just takes a single email or phone call.

7) Have a Protocol for Reporting Phishing Attempts

Of course, if they do discover a phishing message (or, at least, think they do), you should give them someone to report the incident to. If it’s a valid example, the rest of your company should be notified so everyone is on high alert.

It’s not a bad idea to keep an eye on the problem as a whole, especially where your industry is concerned, so you can regularly send out examples to your employees of attempts to be on the lookout for.

Can Anti-Phishing Training Protect My Organization?

Make no mistake about it: your company will be targeted for phishing. There’s a good chance it’s already happened.

While we mentioned the typical costs incurred by those who fall victim to these scams, it’s also worth pointing out that the actual number of incidents reported every year – and thus the costs involved – is probably much higher.

After all, it would be easy for a phishing attack to succeed without the victim ever knowing. A scam artist may secure the email address they need to then go on and attack a third party.

In any case, no amount of software is going to be effective if your people drop the ball when confronted by a phishing attack. These types of users – those who don’t know what to look for – are exactly what these scam artists are hoping to come across when they design these plots.