Protect Yourself and Your Company from Email Phishing
Online threats are always evolving. It seems like every day there’s a new kind of cyber-attack to watch out for. Email phishing may not be a new kind of attack, but it’s evolving too. It can leverage the news, the weater, popular trends, upcoming holidays, and hundreds of other topics to trick you. And some of our more reliable ways to identify email phishing may no longer be useful.
See Preventing Email Attacks with Kiri Addison for a complete transcript of the Easy Prey podcast episode.
Kiri Addison is the Detection and Efficacy Product Manager at Mimecast, a cybersecurity company focused on email security. She works closely with researchers and engineers to build and develop products that keep up with the ever-changing threat landscape. Their goal is to make sure their customers are protected from malicious emails. Though she was always interested in tech, Kiri didn’t start her career with cybersecurity in mind. When she finished her studies, she wanted to get out of the academic world. She found a job working for the UK government as a tax fraud and risk analyst. From there, it was a natural progression to security.
Trends in Email Phishing
Criminals are always finding new technologies and techniques to exploit. From SQL injection attacks to job scams, fake business opportunities to Evil Twin attacks, scammers and fraudsters leverage social engineering and most people’s lack of awareness about scams and threats to defraud us for billions of dollars each year. But sometimes, the classic approach is still best. Despite not being a new or flashy method, email phishing is still the most common type of threat out there.
Email … is still the number one attack vector and ever increasing.Kiri Addison
Even though it’s not a new method, email phishing is always on the lookout for new techniques to exploit. It’s especially common to see phishing emails crafted around things going on in the world. Coronavirus-related emails are finally dropping off, thankfully. But Kiri recently saw an Easter-themed Amazon scam email. They will jump on any new idea.
How quickly the criminals integrate news into their email phishing varies, but it can be quick. Some events, like Easter or the Christmas shopping season, have a big lead-up and scammers can predict them. Others, like international news events or natural disasters, happen unexpectedly. In those cases, scammers want to jump on them as soon as possible before they become irrelevant. Kiri wouldn’t be surprised if some scammers have an “intelligence division” whose job is to keep up with the news and integrate these current events into email phishing attacks.
Using Artificial Intelligence in Email Phishing
Many people are worried about the use of artificial intelligence (AI) tools like ChatGPT in email phishing. There has been a lot of talk about how these tools will revolutionize phishing. After all, if an AI writes a phishing email, the common signs like poor grammar and spelling mistakes won’t be present.
Kiri thinks that in the future, we may have to change the advice we give people. Instead of looking for spelling mistakes, it might be more helpful to look for grammar that’s too perfect to have been written by a human. But for now, she can’t say she’s seen a lot of AI-generated email phishing. It’s hard to tell for sure what the impact will be, but we’re still in the early stages. The potential impact may be real. Or it may just be hype. Right now, the tech is still new, and we don’t know for sure.
Automated Email Phishing Attacks
Another trend Kiri has been seeing lately is automation of the first stage of email phishing attacks. The first stage of the attack is the initial, “Hi, can you help me out with this?” email. It used to be sent manually. Organized phishing groups had teams that just wrote and sent those initial emails. It took a lot of time and manpower, and it slowed them down.
But more recently, that first stage has been automated. Criminals can send out thousands of email phishing attacks and then wait for people to respond. They start by purchasing compromised login credentials, which are easy to find on the dark web. With access to thousands of accounts, they can send out just a few emails from each. That makes it more likely that spam filters will not recognize or block these email phishing attacks.
Abusing File-Sharing Sites
Even the basic tools and techniques behind email phishing can change. Lately, Kiri has seen a lot of scammers abusing file-sharing sites to host malicious content. Instead of sending you a malicious link directly, the email has a link to a SharePoint site. If your company uses SharePoint, your access to SharePoint won’t be restricted. But on that SharePoint site, there could be a malicious file or a link to a different site designed to steal your credentials. Or it could link to another genuine file-sharing site with a malicious file or link.
By doing this, scammers are putting their actual attacks further and further from the email phishing message. That makes it harder for filters and other protections to detect what’s going on. Some attackers will even research your company’s supply chain to know what kind of link to send you. If your company doesn’t use SharePoint, they know sending you a SharePoint link won’t work. So they find out your company uses Dropbox and send you a Dropbox link instead.
Email Phishing Protection
Overall, the technology to protect people from email phishing is improving. We have good coverage against basic attacks. But the threats are constantly changing. Kiri recommends layering defenses for the best email security. Your basic email provider will provide basic protection. But layering another security solution on top of that can help protect you from emerging threats.
In less positive news, 70% of phishing emails are still being opened by end users. That doesn’t necessarily mean 70% of people are interacting with the scammers or giving away their credentials. But it does show that we have a long way to go. It really comes down to awareness training. It’s important to tell people to watch for common signs, like poor spelling. But even people who know those basics don’t necessarily know about the latest threats. And many of us don’t realize that email phishing is being based on current events, so we need to be aware of the news when thinking about threats.
End users who have regular awareness training are five times less likely to click on malicious links.Kiri Addison
Some people also think that their company, internet service provider, or email provider are too good to let any email phishing through. When malicious emails get through those filters, more people click on those malicious links. Awareness training can’t be something that’s done once per year just to check a box. The best results happen when the training is done quarterly, or even more often.
What Businesses Can Do To Protect Their Email
Most of the work Mimecast does is with corporate platforms. There is a difference between the kinds of email phishing attacks that target individuals and the kind that target business emails. There is some overlap, especially when it comes to extortion. But generally, businesses see different kinds of attacks. Businesses also have the unique threat of email phishing pretending to be from them and damaging their brand. So there are unique steps that businesses need to take to protect their customers as well as their staff and operations.
Tech Controls and Security Protocols
Kiri recommends every business have email security scanning set in place for all incoming emails. The scans should not just look at the email itself, but also at any attachments and clickable links. These scans should also be done on outbound emails in case an account was compromised.
There are also security protocols a company can put in place to protect themselves from being impersonated via email spoofing. But it’s a case of both implementing the protocols and implementing them correctly. SPF protocol validates who is allowed to send emails on your behalf, DKIM protocol ensures the message came from who it claims to be from, and DMARC protocol combines both. DMARC protocol works. But it can be tricky to set it up and get it working properly, and it takes times.
Sometimes companies approach security protocols not by looking at how it protects them, but at compliance checklists. They check the box to confirm they have DMARC and think that’s enough. But there are ways to set up DMARC that do absolutely nothing. If it’s set up improperly and then forgotten, it’s not protecting anyone from email phishing.
End User Awareness Training
Another thing Kiri recommends all businesses should do is implement end user awareness training. Make sure users are aware of what impact they can have by clicking a link or opening an attachment. Try to connect it to the impact it could have on their lives or their jobs. No one wants to be the employee who sent $100,000 to a scammer. In Mimecast’s trainings, they tell people to never reuse personal passwords because criminals can use them to get into their work accounts, and never reuse work passwords because criminals can use them to get into their personal accounts. Making it more personal may help get the message through.
Company Security Policies
Not every company security policy is useful. Kiri thinks forcing employees to change passwords on a semi-frequent basis is a terrible idea. When you do that, they’re not going to come up with a unique and strong password every time. They’re just going to add a number to the end of their original password. It’s not effective.
It’s better to encourage employees to never reuse passwords and have them create strong passwords the first time around. A password manager will help with this. Password managers make it easier and more convenient to use strong, unique, random passwords for every account. Implementing a password manager for your employees will go a long way towards increasing password security.
Kiri also recommends two-factor authentication (2FA), also called multi-factor authentication (MFA). With 2FA, even if someone enters a username and password correctly, they still have to enter a code from another source to finish logging in. It’s an extra security step to protect against compromised accounts. There has been an increase in the use of 2FA, which is good. More people are getting the message that it will help keep accounts secure.
How to Identify Email Phishing
As an end user, there are things you can do to identify email phishing. Start with being suspicious, taking your time, and not letting yourself be pressured. The biggest thing email phishing is doing right now is social engineering. The scammers try to pressure you and make it sound urgent. They may impersonate a senior person in your company and request help with an urgent task. Urgency can also be used in marketing, so just because something sounds urgent doesn’t mean it’s a scam. However, it does mean you should investigate before you believe it.
If you think somethings off, just pause. Don’t be pressured. And report it.Kiri Addison
When trying to evaluate an email, ask yourself what the impact is. Is this person asking you to make a wire transfer or send potentially sensitive or personal information? Some companies have a warning on emails that came from outside the organization. This is helpful when someone from the outside is trying to impersonate your boss. But it’s a lot harder when email phishing is sent from an actually compromised account. As an end user, it can be difficult to figure out if an email is an email phishing attack or a genuine request.
Signs of a Compromised Account
If you are trying to identify if an email is legitimate or if someone’s account was compromised, look for abnormal communication patterns. Would this person normally email you? Would they normally ask you to do this? Is it sent at a time this person normally sends emails? On the tech side, the security team can check if the account was sending a normal volume of emails, from a location the person would normally be in, from a device they would normally use.
The best way to find out if something is email phishing or genuine, though, is to contact the sender outside of email. Walk down to their desk, or give them a call, and ask if they legitimately sent it. Even if it was genuine, it’s better to check than potentially expose the company to attack.
Protection for the Evolving Threats of Email Phishing
It’s hard to say if AI tools like ChatGPT are being used in email phishing or not. But regardless, Mimecast has been thinking about how to detect it. AI text generation detectors have questionable accuracy at the best of time. And even when they do detect it properly, changing a word or adding a spelling mistake can convince the detector it was human-made. It will be interesting to see how that technology improves. In the meantime, Mimecast has been creating their own phishing emails with ChatGPT and GPT-3 and added them to the training set for their own machine learning models.
In the end, most protection for the evolving threats of email phishing is going to come down to awareness training. Even if AI generates the best content, it still has to be sent, and the actual delivery of the email can tell us a lot. And not every email phishing attack will be effective. It doesn’t matter how well-written the Wells Fargo email is if you never use Wells Fargo. To be safe, Kiri doesn’t click links in emails even if she doesn’t think it’s malicious. She goes directly to the site. There’s a lot of news coverage, but email is still a major vector. It comes down to psychology and manipulation. But even as email phishing is improving, our methods of protecting ourselves are improving, too. It’s not the end of the world.
- Easy Prey Podcast
- General Topics
- Home Computing
- IP Addresses
- Networking Basics: Learn How Networks Work
- Online Privacy
- Online Safety
Most of us want to be polite and help others where we can. But scammers can take…[Read More]
It’s a nightmare scenario: You’re away from home and have an accident or a medical emergency. We…[Read More]
You’ve probably heard the phrase “buyer beware.” It refers to situations where it’s the buyer’s responsibility to…[Read More]
AirTags, a tracking technology designed by Apple, are one of those things that feel like futuristic tech….[Read More]
Would you want all the transactions in your bank account to be publicly available to anyone who…[Read More]
Scammers have learned to use systems like shipping, rental cars, and rental homes against us. And they’re…[Read More]