Since its advent in 1971, email quickly became a staple of communication and collaboration in both business and personal settings. In fact, there are over 4.04 billion email users worldwide in 2020 so far! That is about 56% of the world’s population using email, and it’s easy to see why it has become so popular.
Its success lies in its intuitive and straightforward nature. That is, it generally does not take a lot of instruction to get those new to email started. Email messaging has a logical flow, and things look and behave as you think they would. Or do they?
I am not writing today to speak of how great email is, nor will I make that claim; there are many other collaboration tools out there to choose from. The fact is that no matter what you think of email, it will likely continue to be a centerpiece of business communication for the foreseeable future. With the COVID-19 pandemic driving populations all over the world to work from home, you can imagine that the use of and reliance on email to communicate information between colleagues will only increase at an even faster rate.
Unfortunately, the hasty switch to working from home is not without its drawbacks. Many workers are now using email on “untrusted” devices and networks and sending an increased amount of sensitive data through it. Remote workers may have turned to email as a way to communicate confidential data instead of the more secure methods usually employed when in the office, such as a local file share or company intranet. Thus, what was once a secure enough email solution may no longer be.
Being so popular is not always a good thing. Email is also one of the most popular attack vectors used by hackers and cybercriminals looking to gain access to internal company data and resources or to swindle a company and its employees out of money. There are many different types of attacks employed to achieve this and nearly as many methods to prevent them. This post will focus on a specific kind of attack called phishing. Phishing is a common and effective attack method often carried out via email, especially as a result of the COVID-19 crisis. This article aims to briefly explain what phishing is and what it looks like before providing you with several measures you can start taking right away to protect your business from these attacks.
What is Phishing?
There are many sub-types of phishing attacks, but they all rely on a practice called social engineering. The practice of social engineering is used to deceive and manipulate a person into doing things that advance the attackers’ interests. Of course, “phishing” is a play on the word “fishing” as the analogy works well to describe this type of attack. For example, an attacker may create an email that is disguised to look like an email from a different person or service. The email usually contains an action item for the recipient, such as a link to reset a password or an attached file to approve. In our analogy, this email is the fisherman’s lure.
Any decent fisherman is going to use a lure that is effective for the particular fish they are after and the location to be fished. Likewise, phishing attacks are often crafted based on educated guesses, using information the attacker already knows about their target.
Really successful hackers are social engineering experts. They leverage human instinct and find information related to their target to create an attack (in our case, a clever email) that is believable enough for you and me to fall for. Did I mention that they are really good at it? According to Verizon’s 2019 Data Breach Investigations Report (DBIR), 32% of confirmed data breaches involved phishing, and similarly, 37.9% of untrained users fail phishing tests.
Phishing in Action
The COVID health crisis is a perfect scenario with which to craft a phishing attack. The amount of information and misinformation being published online about COVID-19 is enormous and changes every day. Many people, isolated from their support networks and stressed out, turn to the internet, eager to learn more and find help. The phisherman sees these precarious conditions and is quick to respond. By March of 2020, Coronavirus domain registrations had skyrocketed. Researchers at Check Point observed over 51,000 new Coronavirus-themed domain names registered between January and March of 2020.
Why register domains? It all lies in the cunning nature of the phishing attack. The attacker uses these domains to host websites designed to steal your information. Email is simply a vehicle used to get their website in front of you.
It’s actually a simple practice. An attacker may register a domain called CoronaVirusReliefFund.com. On that domain, they may put a replica of some other website, such as the IRS’s Economic Impact Payment Status Tool. The attacker may then create an email that appears to be from the IRS, claiming that immediate attention is required to receive your payment before it expires, along with a link to the attacker’s fake website, CoronaVirusReliefFund.com, where you can provide your missing information and ensure you get your payment. The goal here is to instill a sense of urgency. They want you to feel rushed so you’ll overlook any suspicious elements of the scam.
The things they want you to overlook are small details. For example, the sender’s email address is not from CoronaVirusReliefFund.com, let alone the IRS, or the fact that you have never actually given the IRS this particular email address. Overlooking the details, the concerned recipient is presented with a direct link that assures a quick and easy resolution. Unfortunately, that direct link has no resolution in store for them. Instead, it sends the victim to the attacker’s fake website, where they are asked to provide information the attacker can use, such as passwords, social security numbers, bank account information, etc.
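As an added illustration (not code from the original post), here is a small Python triage check that looks for the inconsistencies just described, namely a sender domain and link domains that do not belong to the organisation the mail claims to be from, plus urgency cues. The sample message, its address and its domains are constructed placeholders, not real indicators.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the IRS lure in the text; every name and domain is a placeholder.
SAMPLE = """\
From: "IRS Payment Center" <notice@irs-payment-alerts.example>
To: employee@smallbiz.example
Subject: Immediate action required: your Economic Impact Payment expires

Your payment is on hold. Confirm your details within 24 hours at
http://CoronaVirusReliefFund.example/status or the payment will be cancelled.
"""

URGENCY_CUES = ("immediate", "urgent", "expires", "within 24 hours", "on hold")


def same_org(domain, expected):
    """True if domain is expected or a subdomain of it (e.g. www.irs.gov)."""
    return domain == expected or domain.endswith("." + expected)


def link_domains(text):
    """Lowercase hostnames of every http(s) URL found in the text."""
    hosts = (urlparse(u).hostname for u in re.findall(r"https?://[^\s<>\"']+", text))
    return sorted({h.lower() for h in hosts if h})


def triage(raw, expected_domain):
    """Return a list of warnings; expected_domain is the domain of the organisation
    the mail claims to come from (for an IRS notice, 'irs.gov'). Empty means no red flags."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()  # plain-text, single-part sample, so this is a str
    warnings = []
    if not same_org(sender_domain, expected_domain):
        warnings.append(f"sender domain '{sender_domain}' is not '{expected_domain}'")
    for host in link_domains(body):
        if not same_org(host, expected_domain):
            warnings.append(f"link points to '{host}', not '{expected_domain}'")
        if not same_org(host, sender_domain):
            warnings.append(f"link domain '{host}' differs from sender domain")
    text = (msg.get("Subject", "") + " " + body).lower()
    for cue in URGENCY_CUES:
        if cue in text:
            warnings.append(f"urgency cue: '{cue}'")
    return warnings
```

Running `triage(SAMPLE, "irs.gov")` flags the mismatched sender, the off-domain link and four urgency cues; a mail that really comes from and links to the expected domain with calm wording returns an empty list.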
Google blocks over 18 million of these kinds of COVID-19 related phishing emails every day, and measurement of phishing attacks over two weeks in April 2020 found that 94% of all COVID-19 related attacks were phishing attacks.
Why is email phishing so successful?
You may be asking yourself, “If Google blocks them all, can I just use Google and not worry about it?” Remember that email-based phishing attacks are successful because they often rely solely on exploiting human behavior rather than attacks on the actual systems we use. Other traditional attacks like breaching a company firewall, finding an exploit in software, or using viruses are all bound to specific sets of circumstances. They generally require more skill and are more challenging to carry out successfully. Anti-virus software and security infrastructures are pretty good at detecting these circumstances and simply blocking them or patching them out of existence.
The kind of emails that Google blocks are the phishing emails that contain attachments containing malicious code that anti-virus software can detect or emails that have already been identified as malicious through user reports or past domain behavior.
A.I. algorithms have vastly improved our ability to detect phishing emails. Still, it remains challenging to detect and block malicious phishing email that contains only text-based instructions for the email recipient. The majority of these types of phishing emails go by undetected, leaving the human recipient as the last line of defense against phishing attacks.
Safeguarding Your Company Against Phishing Attacks
Remember that 37.9% of untrained users fail phishing tests. It is possible to bring this number down substantially by providing even basic training to your email users. The good news is that you don’t need to be a security whiz to provide training. A great deal of protection can come merely from informing everyone about the existence of the threat.
While attackers are carefully adapting and crafting phishing attacks, many of them are easily spotted once you simply know that these types of attacks exist. The goal of informing your email users is that they will not erroneously assume email is a perfectly safe space. Phishing emails often contain subtle errors or differences from the thing they are impersonating. The goal is to have detecting these errors or differences be second nature for email users.
Humans are incredibly adept at detecting patterns, and most business users receive around 120 emails a day. Thus, it is likely that the people working for your company already have a pretty good idea of what a legitimate email looks like and what a spam or malicious email looks like. They just might not know it yet. Getting people to consciously think about it is half the battle, and I bet you’ll find an increase in your phishing email detection rate simply by raising awareness.
You should also work with your I.T. provider or staff to develop a more in-depth and regular training plan that includes information on the latest threats and methods. You may wish to include regular phishing tests to keep tabs on your training efforts and to keep your email users sharp.
Ensure that you have a company policy that specifies what email should and should not be used for. Include language that addresses some of the common types of phishing schemes you see. Examples include:
- Personal favors from high-level employees such as the purchase of gift cards etc.
- Invoice payment requests.
- Emails asking you to change your password.
- Emails asking you to open an attachment or follow a link to open a document.
Notice that these are all examples that may be legitimate use cases for email. Remember, looking legitimate is how phishing attacks work. The key is to be able to differentiate a legitimate request from an illegitimate one trying to fool you by spotting the inconsistencies. You can help do this by defining limits and procedures for these items in your company’s policies and procedures. Policies can also safeguard situations where an attacker would have otherwise succeeded in fooling someone.
For example, here at Law 4 Small Business, we say that email should never be used as a platform to respond to or facilitate monetary favors, and communication of this class, regardless of platform, should always be treated as suspect.
Consider a common real-world example: suppose a new employee receives an email appearing to be from their boss asking them to buy a $100 Best Buy gift card. The email goes on to ask that they text their boss the gift card code, as the boss forgot their wallet at the office and needs to pick up a few flash drives before returning for an important meeting.
The new employee, unaware of the company culture and looking to please, may sense the urgency of the situation and quickly see it as an opportunity to “show up” for their boss and get the problem taken care of. Unfortunately, in the employee’s haste, they did not notice that the phone number provided was actually a number an attacker was using and not their boss’s. The employee ends up purchasing the gift cards and sending the code to the attacker, who then immediately uses or transfers the card balance.
What is the proper course of action for the employee here? They should heed the policy and ignore the email. If they want to be proactive, they could verify the request using an alternate form of communication and/or ask for help. A quick phone call could prevent a headache.
Following this, it is vital that people do not feel afraid to bring suspect items to someone’s attention, nor should they be shamed if they do fall victim. While you may be annoyed by people verifying the authenticity of communication often, it is a small cost compared to the crisis that may arise if they do not check. Use these communications as valuable insight into areas where the company may need more training or vectors where your I.T. staff can tighten security.
If a phishing attack asks for a credit card number over email and your employees know that it is against company policy to send such information via email, they will hopefully take a second look at that email before acting on it.
Reduce the Amount of Available Information
There is a well-accepted theory that nothing is unhackable. I like to say, “it’s not if you get hacked, but when you get hacked.” Hackers are not a stupid bunch, and we are always playing catch up to them. They invent new ways to exploit us, and we respond to it in turn.
One report found that 65% of U.S. based organizations were victims of successful phishing attacks. It would be naïve and a grave disservice to your company to operate under the assumption that you won’t or cannot fall victim to a cyber-attack of any kind.
When an attacker gains access to your email, what will they find? Will they find a treasure trove of passwords, social security numbers, and other personally identifiable information or a clean mailbox with nothing inherently useful?
The easiest and safest method of preventing a data breach is to not have the data at all. Go through and permanently delete old, unneeded emails often. Of course, this is not always possible based on your specific business needs, but in any case, having proper data loss prevention along with email archival and deletion policies can mean the difference between a disaster and a minor, single-user breach.
Challenge yourself to sit down with your business leaders and consider what sensitive data you really need to collect, store, and transmit. Talk to your employees and find out how they are using email. Are large amounts of sensitive data being transmitted through your employees’ email? Remember, no one is in trouble; focus on working with them to find ways to reduce the need.
Use Multi-factor Authentication (MFA)
This one may require a call to the person or organization that manages your email platform, but the security benefit is well worth the effort. Most of us use a username and password to log in to web services we use every day. This is single-factor authentication, where the single factor is your password. Simply put, MFA just means that more factors of authentication are required to successfully log in to a service. This often comes in the form of a text message or phone call to your phone.
With MFA in general, even if someone falls victim to a phishing scam and unknowingly provides their password to an attacker, that attacker will still be unable to log in because they will not be able to complete the additional factors of authentication. MFA is also an effective defense against password cracking attempts, passwords compromised as a result of improper password handling, and security breaches suffered by third-party companies where your password may be stored.
MFA may come as a minor nuisance to some, but it is one of the most durable safety nets you can have at such a small cost.
Remember that email security is a big subject. There are many different ways attackers use phishing along with other possible attack vectors that make up your total attack surface. Also, keep in mind that email can be a safe platform to transmit sensitive data as long as all necessary precautions are taken.
This article is not an exhaustive guide on email security; phishing is just one piece of it. Luckily, it is an area where you can make substantial gains in preparedness and prevention right away by creating awareness, enhancing policy, and leveraging tools like MFA. As with any platform, proper risk management, planning, and preparedness with the help of a professional is the only way to ensure that your company is not operating with unnecessarily high risk.