Click Happens: How to Recognize and Prevent a Phishing Attack
Successful ransomware attacks cost businesses millions of dollars each year. The cybercriminals behind these attacks use a variety of vectors to find vulnerabilities to exploit. According to the recent ESG report, The Long Road Ahead to Ransomware Preparedness, while application and system software vulnerabilities remain the leading attack vectors, other avenues such as misconfigurations, user error, and phishing emails still rank high among the IT and cybersecurity professionals surveyed.
Nate discusses some of these attack vectors in his recent article, Think Before You Click: How to Protect Yourself from Ransomware. If you haven’t heard of Nate, he’s our resident (fictional) IT guy that raps and sings the praises of Wasabi hot cloud storage. His latest video serves more as a public service announcement to help educate people on the dangers of phishing as a trojan horse for a ransomware attack. It’s funny and informative, and you can check it out below. In that educational spirit, I wrote this post to help people recognize the signs of a potential phishing attack so that they can avoid becoming a victim. If you find it helpful, please share it with your employees as you see fit.
What is a phishing attack?
Phishing is when someone tries to trick you into giving up sensitive information, such as your username or password, or to click on a bogus link or attachment in a fake email or website. Criminals also use phishing to trick you into giving up money by asking for payment for services that don’t exist or sending them money for goods and services that never arrive. But the most dangerous and damaging phishing attacks, by far, are those designed to infect your network with malware in order to stage a ransomware attack. (Malware, short for “malicious software,” is software or code specifically designed to disrupt, damage, or gain unauthorized access to a computer system.)
Phishing continues to be a popular method for bad actors to install malware into your network for the simple fact that it is so effective. A phishing expedition often comes in the form of an email that appears to come from a credible source. The message is almost always designed to entice you to click on a link or open an attachment to view additional information or take some other action. It may even appear as if it came from someone you know or trust. Phishing preys on the trusting nature of human beings and the increasing pace and busyness of modern life. It’s easy to be tricked into clicking on a nefarious link when you are in a hurry. And it’s not just email you have to worry about. Phishing attacks also come via text message (smishing) and voice calls (vishing). These techniques can be used in combination with each other or on their own to fool users into installing malware onto their devices without knowing it.
Here are some of the most common types of phishing attacks
Spear phishing is a highly effective form of social engineering where the attacker uses personal information about the target that they found through social media, hacking of other accounts, or internet searches. Some criminals will even go as far as developing ornate scripted phone calls designed to learn information and emotional triggers that they will use to create a highly personalized email to scam you.
URL Obfuscation Attack
A URL obfuscation attack is a spam email that contains a malicious link or attachment. This spam email attempts to trick people into installing malware onto their network by taking advantage of innocent-looking message titles and seemingly trustworthy attachments. Combined with spear phishing, they become powerful targeted malware phishing attacks sent to a specific person inside your organization. Because they contain information already gleaned from the victim, these emails often look entirely legitimate but contain an attachment with a malicious file or a link to a website where the victim may download malware disguised as a non-malicious file.
While many people are now wary of opening attachments in unsolicited emails, cybercriminals will often set up phishing sites that mimic the look and feel of a legitimate website and send your users emails directing them to the site. Since users aren’t inherently suspicious of links within emails, they are more likely to simply click them, not thinking twice about where it leads. The links usually appear as if you are visiting a trusted brand or service but it in fact takes you to a malicious website designed to infect the target’s computer with malware.
Another method widely used by hackers is called credential harvesting and can be so convincing that it fools even experienced users. Credential harvesting is when bad actors steal your login credentials or other sensitive information via email phishing or other means, then use it to access your accounts and systems. Hackers can also use this same method to target businesses by sending emails posing as corporate executives or vendors who request confidential information such as passwords or bank details (see CEO Fraud below). The most common way credential harvesting attacks happen is through phishing emails with links or attachments containing malware; however, they can also occur via phone calls or text messages if the hacker has enough information about you to impersonate someone else (such as an employee at the company).
Once the bad actors have obtained your credentials, they can use them to log into your accounts and access sensitive data like financial information or customer records. This could lead to identity theft or fraud. If those credentials are for sensitive systems access or root logins, you can just about guarantee a ransom note to follow.
A whaling attack (also called CEO Fraud) looks like it was sent from a high-level executive at your own company but is really coming from an attacker outside of your organization that is trying to trick you into sending them money or sensitive data. These emails often ask for money or a wire transfer or even information about your employees that can be used as part of a broader social engineering tactic.
Now that you are aware of the ways in which the bad guys try to trick us, here’s what each and every one of us can do about it.
How to avoid a phishing attack
- Never click on any links in an unsolicited email from someone you don’t know
If you didn’t initiate the action, there’s a good chance the message isn’t important enough to risk a phishing attack. If it seems legitimate and you are truly interested in learning more, a few quick Google searches on the sender’s email address, URL, and company information before you reply is well worth the effort.
- Ignore emails or SMS messages that contain spelling or grammatical errors
Brand name businesses have communications experts and legal teams that review all major messages and communications. If you spot errors or something doesn’t look quite right, it’s safer to ignore the message than to respond.
- Look for mismatched or incorrect URLs
Links in phishing emails often look legit at first glance. Do not click! Instead, hover your mouse over the link and inspect the URL (the actual hyperlinked address). If the address is different from the one displayed, there’s a good chance it’s a fake. Report the email to your IT department.
- Watch out for phony domain names
The criminals want you to believe that their messages are coming from a legitimate company, perhaps one that you already do business with. They’re counting on your employees not fully understanding how DNS structure for domain names work. While a legitimate domain name, such as Wasabi.com can have any number of backslashes after it (example: Wasabi.com/ransomware), child domains will appear at the beginning of the URL (example: info.wasabi.com). Bad actors often create fake child domains using legitimate company names, but the structure will give them away if you’re paying attention. A fake child page may look like this: Wasabi.com.[something that looks legit].com.
- Don’t be intimated by threats or a false sense of urgency
Bad actors are trying to coerce you into taking some form of action, whether that’s clicking a link, paying a fee, or revealing sensitive information. The social engineering tricks of the trade to get you to “act now” can range from grand promises of winning a contest to threats of legal action for unpaid taxes or an invoice for a service you may or may not use. Any sense of urgency that the message is trying hard to convey is a good signal to stop and think before you click.
- Do not share personal information via email, EVER
Reputable businesses don’t ask for credit card numbers, passwords, or other login credentials via email. Institutions such as your bank will never ask you for your account number (they already know it)! No matter how official an email message looks, you should always be suspicious if the sender is asking for any sort of personal information.
Make sure you have a complete ransomware protection and mitigation strategy
The cybercriminals behind these attacks are getting smarter by the day. They have learned that stealing sensitive data alone isn’t always enough to motivate organizations to pay a ransom. According to the same ESG ransomware report I mentioned earlier, 53% of organizations that were successfully attacked reported not just the theft of sensitive information but the targeting of infrastructure configuration data–information necessary to infiltrate deeper and wider across the network to encrypt data and lock up systems to force their victims to pay up fast. The report also shows that bad actors are increasingly targeting backup copies and cloud storage in order to prevent their ransomware victims from easily restoring their data.
That’s why it’s critical that your organization focus not only on employee training and prevention but ransomware mitigation and recovery strategies. Remember, just like Smokey the Bear used to say “Only YOU can prevent phishing attacks!”
Here are some additional resources to help ensure you are following industry best practices for a complete ransomware protection, mitigation, and recovery strategy.
Blog – There’s a Gaping Hole in Your Ransomware Protection Plan
Blog – 5 Backup Best Practices to Combat Ransomware
Webinar – The Long Road Ahead to Ransomware Preparedness
Webinar – Before Ransomware Strikes – Avoid these 5 Common Mistakes