Phishing has become a common word today, and although many people know what it means, they still fall prey to phishing attacks. Phishing is a type of social engineering, where hackers try to trick you with fraudulent communication to secure your personal information. These communications are usually relevant to your context and as such, victims are often easily fooled. For example, you may receive emails or calls about income tax during the time of tax filing, or about an order, you made during a shopping festival online, or if your organization is being targeted, then an email from your CEO could also be a phishing mail. Cybercriminals pose as figures of authority, to steal your data, financial information such as credit card details, or personal information.
Large and small enterprises may invest in cybersecurity teams, systems and solutions, but can still fall victim to phishing attacks. This is largely due to the fact that all cyberattacks, in particular phishing attacks, rely heavily on human error. However, large organizations can put in place the appropriate infrastructure and intensive training programmes for their employees to avoid phishing attacks. Alternatively, the lack of resources and training in SMEs makes India, one of the largest startup ecosystems in the world, a hotbed for phishing attacks. Companies should work in tandem with experts to understand the best practices to implement to protect themselves against phishing attacks.
Types of Phishing Attacks
Phishing attacks are designed to dupe their targets (can vary from organisations, SMEs, and even average citizens) into revealing sensitive information or downloading malicious software such as ransomware through a fraudulent message.
The following are the most likely ways in which an attacker will attempt to phish you:
- Email phishing – It is the most common phishing attack, where the attacker impersonates a legitimate organisation by meshing letters in the username in a way that may seem unsuspecting to the untrained eye. If not looked at carefully, the victim could end up voluntarily sending sensitive information to an attacker.
- Spear phishing – A spear phishing attack has a very specific target. Prior to the attack, the attacker will gather contextual details such as the name, post, job role, contacts and mannerisms of the individual. The calculated nature of this attack makes it the most sophisticated form of phishing. The attacker then conducts the attack at the specific time and day when the victim is expecting such an email. Spear phishing often targets individuals that handle bank transfers on behalf of an organisation.
- Vishing attacks – These attacks are done by deceiving the victim into giving unauthorized access to financial information (such as credit cards or bank accounts), and other potentially valuable data over a voice call, often by posing as tech support.
- Smishing attacks – By sending an SMS to the victim’s mobile, the attacker most commonly uses it to send a URL that downloads malware onto the device.
- Catfishing – This attack relies on deceiving the victim, and gaining their trust under a fake identity. The attacker then leverages this trust and baits them into sending money, or confidential information that could compromise them.
- Whaling attacks – Whaling attacks target politicians, celebrities, and senior-level business executives by impersonating them. By mimicking these important individuals, the attacker fools the victim into performing an activity on their behalf, such as wiring funds. This is another sophisticated form of phishing that needs to be exact in terms of the way they communicate, their signatures, and the attachments they share.
These are some of the most prevalent ways in which an attacker may target an organisation through phishing. HTTPS phishing, clone phishing, angler phishing, and pharming are some of the other phishing attacks an attacker might use to target sensitive information that could risk the reputation of a brand.
Protect Your Organisation from Phishing Attacks
For an employee that has to deal with numerous emails, calls, and messages over social networking platforms on a daily, it is very easy to overlook the finer details that could indicate a phishing attack before responding to the sender.
A report released by the FBI’s Internet Crime Complaint Centre (IC3) ranked India as 4th in terms of cybercrime victims, with phishing being the most common. Large organisations usually have DLP solutions, threat detection, and firewalls, integrated into their email service providers that are thoroughly monitored for phishing attacks. However, the same cannot be said for SMEs. Although the pandemic-induced digital shift proved to be profitable for most SMEs, they were rushed to go live with solutions and did so with minimal understanding of cybersecurity. Their lack of awareness and measures to prevent cyberattacks make them the ideal target for phishing attacks. Over the past year, 76% of SMEs were targeted through phishing attacks. The limited resources of an SME make it difficult to onboard a CISO or implement security solutions in their systems that can prevent phishing attacks.
While working in hybrid or remote environments, it is essential that companies integrate systems that can afford some degree of protection against phishing attacks.
- Certain levels of administrator controls such as a Group Security Policy that covers settings across devices including:
- Restricting access to the control panel and PC settings.
- Prevent storing of LAN Manager Hash.
- Disable access to Command Prompt.
- Disable forced system restarts.
- Disable Removable Media, DVDs, and CD drives.
- Restrict software installations.
- Disable guest user account.
- Set Minimum Password Length to Higher Limits.
- Set Maximum Password Age to Lower Limits.
- Disable Anonymous SID Enumeration.
- Implement password protection rules. Weak passwords are the main cause of data breaches. Implement the rule to use passphrases in passwords (both password complexity and password expiration policies are dead). Ask all the employees to use unique passwords for different accounts and software.
- Implement Multi-Factor-Authentication for VPN, applications that hold sensitive data (GitHub, Bitbucket, Jira), and any other team management or interaction software (Skype, teams). The incoming traffic from the employee devices to the VPN should be directed to a firewall with pre-configured rules before allowing them to the requested destinations. In the meantime, make sure your organisation’s assets (web portals, APIs, servers) that are being accessed by your employees are protected against the latest threats.
- Maintaining up-to-date versions of software, operating systems, and applications is a must. The VPN software should be up-to-date and should be securely configured. Endpoint protection software installed across the devices should receive updates from the AV server (either via VPN or regular internet). Also ensure that you maintain a system, and software inventory with baseline versions installed.
- Provide phishing awareness training for your employees and periodically conduct simulated phishing campaigns. Make them aware of the advanced phishing campaigns getting delivered via phone calls, SMS and social media posts. Leadership teams need to allocate budgets for all employees including new interns, to undergo regular training to raise their understanding and awareness of such attacks.
Protect Yourself from Phishing Attacks
Here are some general practices that you can follow to prevent phishing attacks from disrupting your life and impacting your organization:
- Improve your awareness: Training your employees and making them aware of phishing attacks is vital, but not the be-all and end-all. Staying up-to-date on new developments in the cybercrime space will give you a better idea of what to look out for.
- Look for inconsistencies: Keeping an eye out for spelling errors in the username, grammar mistakes, and inconsistencies in the voice or the tone in which the sender would usually communicate are surefire ways to identify a phishing scam. Employees need to be cognizant when reviewing information to ensure they are coming from trusted sources.
- Don’t blindly click on links and attachments: By hovering over a URL, you can view the link to the site it will redirect you to, whether or not it has HTTPS on it, and also verify the ownership and certificate associated with that particular website. Attachments are also vulnerable to downloading Trojan viruses and ransomware, that can compromise your system.
- Install and update firewalls and anti-viruses: Endpoint protection and anti-virus solutions can usually pick up on these attacks promptly and categorize them as spam unless they aren’t updated. Patches and updates are crucial to keep filling the gaps in these evolving cybercrime methods.
Entersoft’s Anti-phishing solution
Entersoft’s strategic partnership with Segasec provides a holistic solution to phishing attacks for your organisation. Segasec’s proactive digital risk management adds to Entersoft’s application protection, by using Machine Learning and Artificial Intelligence to detect domain manipulation and content duplication at the earliest. It is capable of securing endpoints and taking down any detected threats with lightning speed by diluting the information, and making it unusable for the attacker. The 24/7 monitoring can also immediately report a breach and collect unarguable forensic evidence in the event that it may arise. The added layer of security can detect internal and external phishing attacks, mitigating them ahead of time, before users are even exposed to them.