Phishing, as we’ve discussed before, is one of the most common attacks used against businesses and their users. It’s a form of social engineering that uses e-mail, SMS/text messaging, or whaling (phishing that specifically targets high-profile users) to obtain personal information.
These messages often masquerade as legitimate companies, not-for-profits, or other organizations in an attempt to solicit information from a user. In times of global or national events we often see upticks in these types of attacks; the devastating Hurricane Ian is one such example. Attackers use these events to pose as charities, insurance companies, or other organizations that exist to help people in need. By exploiting that need and the distraction created by the emotional state such an event puts people in, these attacks can be cleverly hidden.
So, how can we protect ourselves?
Training and Awareness
As any engineer knows, you can’t fix what you can’t measure. Baselining how readily your users click on simulated phishing e-mails gives you a foundation for estimating the probability that they will click a compromising one. It’s something we believe in at R.A.D. Security and something we also put ourselves through monthly.
Testing gives us metrics to examine how our business is performing and shows the areas where we need to improve recognition of these attacks. Once we have our baseline, we can begin training users to identify these messages and guide them toward reporting such instances to management or their security vendor.
As an example, my student account received a rather obvious but nonetheless suspicious e-mail:
With this e-mail, we can see that the sender is not from the college’s domain but from a random Gmail account. Thankfully, for this one, the spam filter caught it and added a banner message showing that it originated outside the domain it was impersonating. Had I responded with my cell number, they could then have begun sending SMS/text messages to prompt for more information, or even called me.
They’re not all this easy, but these attackers will try as many times as possible to get any bit of information, and this is why it’s important to be aware of them. Training for just a few minutes once a month can build strong awareness for spotting these e-mails. The banner message, the sending e-mail’s actual domain, and the often poor grammar and hurried tone of the message all help in identifying a possible phishing e-mail.
Having the users be part of your security defense is the single most important thing you can do to bring security to the forefront of your business. Security is not just a means to an end, it’s part of the culture of the flow of information in a business. Everyone plays a part.
While user awareness is the single most important item in security, having accounts prepared for attack is also crucial. Multi-factor authentication (MFA/2FA) helps stop attackers from accessing information remotely when a phishing attempt has harvested a user’s credentials. It usually requires another device, or another method, to authenticate the user in addition to the user’s password.
We can keep striving for 100% secure accounts, but that’s just not realistic. People do make mistakes, even when they are careful, and MFA can help alleviate some of those mistakes. At R.A.D. Security, we do not have a single system in use that doesn’t have MFA applied, and if a system cannot provide MFA we simply do not use it and find an alternative. For most businesses, e-mail is the lifeblood of client interaction and we want to keep it flowing and as interruption-free as possible. MFA takes just a few moments to set up and can save hours of work later recovering information that attackers damaged or stole.
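To show concretely why a harvested password alone is not enough once MFA is in place, here is an added example (not code from the original post or from R.A.D. Security) of the time-based one-time password scheme most authenticator apps use, RFC 4226 HOTP and RFC 6238 TOTP, implemented with only the Python standard library. The demo user record, its salt and the shared secret `12345678901234567890` (the RFC 6238 test-vector key) are constructed for illustration; a real system stores the TOTP secret encrypted and rate-limits attempts.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP whose counter is the number of 30-second steps since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time=None, step=30, window=1):
    """Accept the code for the current step or `window` steps either side (clock skew).

    Comparison is constant-time so a wrong digit is not revealed by timing.
    """
    if at_time is None:
        at_time = time.time()
    counter = int(at_time) // step
    for offset in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + offset), submitted):
            return True
    return False


# Constructed demo user record. The password is hashed with PBKDF2; the TOTP
# secret is the shared key provisioned to the user's authenticator device.
DEMO_SALT = b"constructed-salt"
DEMO_USER = {
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", DEMO_SALT, 100_000),
    "totp_secret": b"12345678901234567890",
}


def authenticate(user, password, code, at_time=None):
    """Both factors are checked every time; a phished password without a valid code fails."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 100_000)
    password_ok = hmac.compare_digest(candidate, user["password_hash"])
    code_ok = verify_totp(user["totp_secret"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    secret = DEMO_USER["totp_secret"]
    print("code at T=59:", totp(secret, 59))
    print("password + code:", authenticate(DEMO_USER, "correct horse", totp(secret, 59), 59))
    print("password only:  ", authenticate(DEMO_USER, "correct horse", "000000", 59))
```

The `window` argument is the usual trade-off: one step either side tolerates a phone whose clock drifts by up to 30 seconds, while a wider window gives an attacker who already has the password more codes to guess against, which is why the check is paired with attempt limits in practice.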
What’s the solution, then?
The real solution is awareness, training, and protections on our information for the event that we fail. Some of the largest IT and technology vendors have failed (Kaseya, Samsung, Acer) to protect their assets in areas where training, together with proactive restrictions such as required MFA, could have helped prevent the damage. There’s a much longer list of companies that have fallen to simple phishing attacks. Our goal at R.A.D. Security is to make sure you’re never on this list. Let’s work together to be better.