Businesses: phishers aren’t just coming for you. They’re coming for your employees and your customers, too.
Phishing attacks are on the rise this year, thanks in part to massive Emotet and TrickBot campaigns, which make use of phishing emails to deliver their payloads. If you don’t already have one in place, then it’s time to implement an anti-phishing plan.
Where phishes are concerned, it doesn’t matter if the technique being used is revolutionary or old hat. Somebody, somewhere is going to fall for it. It’s up to you and your employees to ensure that your business is secure, and that your customers are performing safe email practices, too.
If your customers are logging into fake portals, eventually they’re going to tie up your support channels asking for help, refunds, reorders, and more. If your employees are being stung, they open the door to data theft, network infiltration, ransom demands, spying, and a massive dent in your company’s reputation to boot.
All of these are poor directions to head in. So let’s first take a look at some of the targets of phishing campaigns. Then, we’ll talk about what your employees and customers can do to identify a phish.
Targets for phishers
The 2018 Phishing Trends & Intelligence Report (PDF) from PhishLabs stated that Email/Online Services were the top targeted industry in the second half of 2017 by a margin of 26.1 percent, with a high concentration of phishing URLs mimicking Microsoft Office 365 login pages.
Office 365 is enormously popular for businesses, with Microsoft revealing in 2016 that is has:
- 60 million active commercial customers
- 50,000 small business customers added every month
- 340 million downloads of its mobile app
As our 2019 State of Malware report shows, there’s no real sector of industry left alone by malware attackers. Trojans (which include Emotet and TrickBot) lured in targets in manufacturing, education, and retail in 2018 with phishing emails. And ransomware, which is also a popular payload of phishing attacks, crippled organizations in government, as well as education, manufacturing, retail.
Outside of those verticals, however, phishers know that every business is sitting on something juicy: personally identifiable information (PII). Just about any organization in any vertical is sitting on databases of customer names, emails, and their payment details.
That’s a huge number of potential targets at which to aim.
What should we do?
While it’s nearly impossible to predict every threat model, or what an attacker may want with your company’s data, you can better thwart phishing attacks by putting in place a clear anti-phishing plan. There’s never been a better time to start beefing up your cybersecurity policy for employees, as well as update your website with solid anti-phishing tips for your customers.
If you’re short of a few ideas on how to help your employees and customers identify phishing attempts, we have a handy introductory list below.
Anti-phishing tips for your employees
- Attachments aren’t always a guarantee of malware. Often, phishers will send perfectly clean files as an additional confidence trick. “Please fill this in and send it back,” they’ll say. Having said that, many phish campaigns will happily try to backdoor a network with a rogue file alongside a phish attempt. When in doubt, do not open the file. Instead, try to contact someone you know from the organization listed in the email to confirm.
- Mobile devices are particularly at risk from lengthy scam URLs, as the visible portion may be tailored to appear legitimate, but the rest of it—which would give the game away—is hidden offscreen. Employees checking email on their phones or browsing the Internet should always review the whole URL before clicking. If it looks suspicious, or uses numbers or peculiar letters in place of what you’d expect to be there, it’s best to leave immediately.
- Dubious apps are also a potential problem, so it’s best to review apps you plan to install on your work mobile device or desktop with a hawk eye. Are the logos the same? Does the user experience match what you’d expect?
- Promoted content on social media can lead to phishing, and it’s worth advising all employees and customers to be wary of this—especially as ads tend to be targeted to your interests (thanks, trackers). While you may not want to prohibit use of social media at work entirely (especially as it’s part of the job for many folks in marketing), recommending that users not engage on social media from work devices, or limiting their engagements to work-specific tasks, could help thwart phishing attempts.
- Bit of a niche one, but you may wish to advise employees not to waste spammer’s/phisher’s time with any of these tactics during work hours. Using personal accounts is all fun and games, but replying with anything work-related could go terribly wrong. The bad guys know your work mail exists for one thing, and they’ll either spam it hard, send you more junk, or go after your business even more than they were already.
Anti-phishing tips for your customers
- Look at some anti-phish pages from the biggest brands. You’ll notice that they all mention the most obvious forms of attack. If you’re eBay, you’re going to see customers sent fake auction missives, or “problem with your auction” attacks. If you’re Steam, it’ll be “problems with your marketplace item” or free game keys. A bank? it’ll be bogus re-authentication mails. For Apple, it’ll be issues with pending refunds for items they don’t remember purchasing. This is how you should lead the charge.
- Point out that the presence of a padlock isn’t a guarantee the site they’re on is real. Certificates for websites are easily obtained for free these days, and scammers are taking full advantage of it. It may have been useful to tell people “Avoid sites with no padlock because it isn’t real” years ago, but the game has changed and so must our messaging.
- Warn them about bad spelling, errors in formatting, and email addresses in the “From” field which look suspicious. Also mention that many phishers spoof mails in the “From” field so this isn’t a guarantee of safety either. Perhaps the formatting and design are different from what you usually receive from an organization. Maybe the logo looks pixelated or the buttons are different colors. The possibilities are endless.
- Desperation is a surefire sign that something may be wrong. It’s panic buying, but not as we know it. Emails claiming a tight time limit to login and perform an action, alongside the threat of losing X or Y forever, is a good sign of bad things afoot.
- Warn them off emails asking for additional personal information (and if your organization sends such emails, try to wean yourself off this practice, too). Links to sites asking for logins is bad practice. Train your customers and employees out of this habit. If they won’t click links asking for information, the battle is halfway won.
- The URL shown on the email and the URL that displays when you hover over the link are different from one another. An oldie, but goodie.
My business uses Office365, what else can I do?
Microsoft has a handy list of security suggestions for you to deploy on your network. Suggestions include:
- A secure score rating for your network
- Multi-factor authentication plans
- Secure lockbox requests for customers
Google has come up with a short, fun, and difficult anti-phishing test. It’s a fantastic way to experience some common phishing techniques safely. There aren’t many ways to experience real phishing examples in a safe environment, so it’s well worth having a go. You’ll likely find that there’s a few tactics in there you haven’t seen before, and it’s always a good idea to test your employees on some left-field phishing techniques. However you choose to go about putting together an anti-phishing plan for your organization, we wish you many years of safe emailing ahead.