Phishing Remains a Stubborn Security Problem: How to Lick it for Good

Security

Savvy IT pros rarely fall for phishing scams. But even the most experienced are sometimes tempted by the sophistication of these exploits. While you might not be pretty for these tricks your end users might, and that leaves your network exposed.

Like other exploits, phishing attacks are getting more dangerous all the time. The key, or course, is to build an e-mail message that appears to be from a trusted source such as a bank. Once a victim is convinced of its authenticity and clicks the link, they are sent to a clone of the real website, and asked for personal information, credit card numbers and other bits of data one should never give up.

Even more troubling for IT, phishing attacks often seek user names and passwords. Once the bad guys have these, your network could be in big trouble.

Phishing is prevalent because it works, is generally driven by financial gain, and uses both email and social media. Here is what the Verizon 2017 Data Breach Investigation Report had to say. “There were a little over 1,600 incidents and more than 800 breaches featuring social actions in this year’s corpus (all external actor driven). Phishing was again the top variety, found in over 90% of both incidents and breaches. Once successfully phished, a number of things can happen: software installation, influencing disclosure of sensitive data, repurposing of assets and so on. In last year’s report, we discussed how the majority of remote breaches began with the same chain of events; phishing to gain a foothold via malware, then leveraging stolen credentials to pivot off of the foothold. It also holds true this year—95% of phishing attacks that led to a breach were followed by some form of software installation,” the report explained.

So what can you do about phishing?

Can your spam

The hook for a phishing scam is a well-crafted email, which by definition is spam. That means getting a lid on the spam in your shop with a filter. Since spam may still get through, also make sure your antimalware solution can detect and take care of these messages.

Make sure end users can spot the fake stuff

Phishing works through trickery, so train your end users not to fall for it. Here are a few items to cover in a training session or handbook:

  • How to spot a bogus e-mail.
  • That they should only click links they know with 100% certainty are authentic.
  • If they question the authenticity, but aren’t truly sure, they should go directly to the website, say of their bank, and see if there really is an issue.
  • Uses should never give their credentials to a site they got to through e-mail.

Here what a phishing scam looks like

While it can be hard to tell a legit message from a fake, there are usually telltale signs. Here is an example from the Microsoft Security Center.

In some less sophisticated phishing messages there are misspelled words and bad grammar. And the address of the sender tries to look legit, but if you look closely is clearly not from the place it should be from.

The links within the mail are also sketchy, but hopefully the end user has spotted the scam before they try to check out the link address.

Microsoft Used as a Foil

Hackers try to use trusted companies as a phishing lure. I got a message purportedly from the Microsoft Outlook team. The message was well designed, and looked real at first blush. See if you can spot the signs of a fraud.

Dear Outlook.com User,

As part of our effort to improve your experience across our consumer services, we’re updating the Microsoft Services Agreement and the Microsoft Privacy Statement. We want to take this opportunity to notify you about these updates for your safety.

If you do not update your Microsoft account within 24 hours your account will be deactivated and deleted from our server and you will no longer have access to many of the outlook.com features for improved Conversations, contacts and attachments.

Take a minute to update your account for a faster, safer and full-featured Microsoft Outlook experience and to avoid your account being De-Activated.

Thank you for using Microsoft services.

Microsoft Admin:

Microsoft respects your privacy. To learn more, please read our Privacy Statement.

Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

Making things trickier, the link to Microsoft’s Privacy Statement was authentic.

Two Final bits of Advice

Here are two things your end users should take to heart:

They must never even open e-mail from organizations they’ve haven’t done business with or given their address to.

If a user clicks a malicious link and sees anything suspicious, have them shut down their machine and contact IT to stop any further spread.

Stay Protected

Phishing is malware, so antimalware is a needed defense. Fortunately, Kaseya VSA offers multiple types of protection such as patch management, anti-virus and antimalware. Find out more about this end point management solution here.

Posted by Doug Barney
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.
Disaster Recovery

Grow your Business with DraaS

Nobody likes downtime – it interrupts the flow of business, shakes the confidence of customers, and can cost businesses meaningfulRead More

Finding New Revenue Streams and Protection with Security-as-a-Service

Despite all the news about breaches and countless attacks that have hit most all IT shops, too many remain complacent.Read More

Third-Party Software at Center of Growing Vulnerability Risk

The traditional thinking in IT is that by patching Microsoft OS, the IT shop has effectively protected the environment fromRead More

Five Key Takeaways from Webroot’s 2018 Cybersecurity Threat Report

SPECIAL TO KASEYA BY WEBROOT Each year, a team of Webroot analysts and threat researchers take a look back atRead More

Archives

Categories