What is Phishing?
One of your teammates at work gets an email from a senior member of staff. It’s an emergency—and they need something done right now. The employee, flustered by a direct approach from someone far up in the organization, and clearly in a hurry, jumps to comply and do as ordered. If they’re lucky, that’s the point at which they realize—or are told—that they might be victims of a common scam: Phishing.
Let’s start with a definition. Phishing is a fairly well-known term, but not always well-understood. Phishing is social engineering by email or other electronic communications that pretends to be communication from a legitimate source. It’s built to get unsuspecting users to do something like downloading a malicious file, visiting a hazardous web page, or providing access or information they shouldn’t. It’s a form of Business Email Compromise (BEC) but the behaviors of both threat actors and victims in phishing scams are similar to other forms of communication scams. A phishing mail (or voice call, video call or instant message) can masquerade as being from a trusted workmate or senior manager, a regulator, customer, bank, or government department. It often relies on urgency to get people to act quickly, without checking the legitimacy of the message.
How fast? Verizon’s annual Data Breach Investigations Report gives a median time for a user falling for a phishing email of just 60 seconds.
Here are a few of examples of phishing you might a small or midsize business (SMB) might encounter:
- Someone in your accounts department gets an email that looks like it comes from the CEO, saying they need to transfer funds to pay for an acquisition that has to happen that afternoon. The bank details are connected to an account owned by the fraudster.
- An email impersonating the IRS tells an employee they need to fill in a form or grant access for an audit, or they will be arrested for tax fraud and prosecuted along with their employer. The link goes to a malicious web page that contains a hostile payload; alternatively, the attachment included in the email is not a document to be completed but a malicious file.
Phishing (and a couple of variants we’ll talk about later) is a popular attack technique for two reasons: it requires little in the way of specialist tools or skills, and secondly: it works really, really well.
At the height of the COVID pandemic in 2020, the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Center (NCSC) took the unusual step of issuing a joint advisory on phishing. The physical and psychological effects of the pandemic acted like a pressure cooker, creating near-perfect conditions for social engineering.
Types of Phishing Attacks
In order to learn how to prevent phishing attacks, it’s important to understand some of the most common tactics used by bad actors. Increasingly, attackers use a combination of the methods or attack paths described below:
- Email phishing: a low-effort, high-impact way of compromising organizations at scale. In some circumstances, it can be highly targeted and specific in nature.
- Spear phishing: a very specific, well-researched attack on an individual or organization that uses detailed information on the company or individual to elicit the desired response.
- Whaling: an attack targeting a senior executive or executives in your business.
- Clone phishing: the creation and use of an email address or using a domain that closely resembles a legitimate organization or individual in order to fool recipients.
- Vishing and smishing: the use of voice calls or text messages in a similar tactic to phishing emails.
How to Spot Phishing Scams
Phishing often relies on particularly human traits: wanting to help others, do work efficiently, and please people in positions of authority with brisk action. It also preys upon the individuals’ sympathy for those in trouble or need, and the need—unconscious or not—to skip over details when overwhelmed with requests, information, or inputs. Fear of something bad happening if immediate action is not taken is a significant lever, too.
In practical terms, this often results in phishing attempts that seek to use these weaknesses and apply enough pressure that the victim misses key signs that something is amiss. These signs include but aren’t limited to spoofed communications (everything from fake email addresses and stolen corporate logos to elaborate deepfakes and voice cloning), the use of inside information to convey belonging to an organization, and the need to get something done for an urgent deadline.
How to Prevent Phishing
The Federal Trade Commission issued helpful guidance to small businesses in the form of an infographic which sets out three key steps for users before they click on a link or hand over sensitive information:
- Double check who is behind the message by looking up the company, organization or individual and confirm the message is actually legitimate.
- Talk to someone such as a colleague or workmate who can often add perspective.
- Make a call using a number you know to be correct and speak to someone at the organization involved to confirm the communication and message are legitimate.
There are two main methods of minimizing the impact of phishing attacks: training and awareness, and technical measures.
Training and Awareness
It would be dangerous to think that phishing affects only indecisive office employees—anyone can fall for this trick. Regular training on how to identify phishing scams, suspicious email types, and why urgent requests for information, payment, or other actions should be taken with a grain of salt are all worthwhile. Knowing what constitutes a potentially risky click or attachment is key here, as is sense checking risky decisions with a workmate.
Classroom learning is one thing, but many organizations also use simulated phishing exercises, hiring specialists to send fake phishing emails to employees to check how alert they are to scams. It’s vitally important that this sort of testing is conducted from the perspective of education and understanding of risk; those who fall victim, in many circumstances, will be more alert in future and more receptive to education.
How to Avoid Phishing and Minimize Its Impact
Tools, filters, and practices that reduce risk and phishing protection are just as valuable; these can range from free tools to the enforcement of solid operational and cybersecurity practices.
Robust email filters can intercept suspicious or “known bad” messages before they reach employees, and something as simple as a banner warning users that the email they’ve opened is from outside their organization and to be vigilant can reduce the flow of phishing mails to a trickle.
Coupled with this is the verification of links and attachments. Email sandboxing, a process by which links and attachments are opened automatically in a sterile environment by the email system, can be used to detect malicious payloads or bad links.
Enforcing multi-factor authentication (MFA) for accessing sensitive information, as well as other methodologies such as the principle of least privilege, can prevent people breaking the rules in an effort to be helpful.
Effective antivirus (AV) and anti-malware tools can also block the download or installation of malicious software, and alert you to its presence.
Another best practice: strong password policies, including the use of unique and complex passwords as well as regular password updates coupled with MFA, improve attack resistance.
Finally, it’s absolutely vital that employees report suspicious activity. For this to become the norm, it’s essential to foster an environment where people can own up to mistakes without judgment. If not, then it’s more likely that people will not mention or actively cover up errors made in good faith. To achieve this, establish and publicize clear protocols for reporting suspicious emails or activities to the security team or IT department.
What to Do if Your Organization iI Hit by Phishing
It goes without saying that with phishing, as with many other aspects of good cybersecurity, an ounce of prevention is worth a pound of cure.
Your organization should have an incident response plan that is as comprehensive as you can manage to achieve; even a simple plan is better than nothing, and adding to and updating it as time goes by will help you in future.
Make—and Update—a Response Plan
A good response plan will include phishing as a topic, and detail the specific steps your business will need to take to address a phishing attack— whether it’s successful or one that your employees detect and defeat.
Detect and Analyze Attacks
A second step to the response plan should also be detection and analysis: if the attack is part of a coordinated campaign or even just a mass attempt that will hit more than one employee, it’s important to analyze the attack to understand the potential scope and impact. An untargeted email spammed to thousands of people is dangerous—but it should be handled quite differently to a spear phishing attack that uses inside knowledge to undermine your organization’s defenses.
Remember: if employees feel they can report attempts without fear of judgment, your detection capability will be improved.
Contain and Eradicate
Phishing attacks can often carry malicious payloads in the form of ransomware or other malware, and the principles of containing and eradicating these are much the same process. Isolate infected systems to prevent further contagion and damage, and then move to eradicate the attackers’ presence.
Recover and Follow up
Follow your incident plan to restore your systems to normal operation—look to remove malicious content from the affected systems, and then check, verify, and re-check systematically before going live. Once the incident is closed, review it, with a view to learning what worked and what didn’t, and how it could be used to improve future responses.
If you’d like to learn more about how to prevent phishing scams, read this detailed guide to incident response planning for enterprises that’s just as useful for smaller organizations.
Conclusion
As a subset of social engineering, phishing is a particularly cruel tactic for scamming your employees. Fear of being penalized for accidentally clicking on a link—a clear symptom of a blame culture in the workplace—can and does create negative outcomes and lead employees to be less willing to take the initiative, less likely to click on even benign attachments or links, and more likely to report false positives.
It’s vital, in preparation, training, testing, and detection and response to phishing attacks, to treat victims with sympathy and empathy, and avoid an overzealous blame culture. While repeated failures are probably reason for action, anyone can—and likely will—fall for phishing attacks under the right (or rather, wrong) circumstances.
While the technical and technological aspects of phishing and associated attacks are fascinating (and with the advent of generative AI, potentially due for significant evolution), it is the human element that remains critical to defending your small or midsize business from attack. Train and equip your employees correctly, and it will be a threat that can be identified and contained long before it’s a problem.
Protect Your Business Today
SMBs around the globe have turned to SentinelOne Singularity™ Control to proactively resolve modern threats at machine speed. Request a free 30-day trial to see how SentinelOne can help you protect your business against every kind of threat, including ransomware and malware.