Anyone with an email address has likely received suspicious messages in their inbox from time to time. These messages usually come from unfamiliar senders and try to get the recipient to perform some kind of action, like clicking a link or providing sensitive information. The message might even contain scare tactics intended to convince the recipient that failing to act could have adverse consequences.
Sending such messages is known as phishing, which is one of the most common techniques cyber attackers use to target both individuals and organizations.
In this “Back to Basics” post, we will talk about the types of information attackers use to design a convincing phish and the ways some technical controls can be bypassed. We will also discuss how organizations can use a multifaceted approach to strengthen their systems and employees against potential phishing attacks.
How are Phishing Attacks Performed?
Gather emails
One of the first steps necessary to performing a phishing attack is gathering targets. This is often made easy by taking advantage of networking sites such as LinkedIn. An attacker can obtain a list of first and last names of users connected to any company on LinkedIn, or they could take things a step further and create a fake employee profile in order to make connections with these users and gather more details about them. The information gathering process can be made even easier by tools such as hunter.io, which can search the entire internet for emails associated with a given domain.
Ultimately, the attacker needs just one email address to be able to convert any number of names into the organization’s email schema (for example, [firstinitial][lastname]@[company].com), resulting in a list of targets ready to use in their attack.
Craft phish
Creating the phishing pretext, or the content contained within the message itself, also involves information gathering. The attacker may explore the target organization’s corporate website, social media presence, and news articles to learn more about the company and its employees and look for opportunities to tailor a phishing message to something relevant to the organization.
For example, knowing the type of email platform, VPN, or conference call software in use can give the attacker options for crafting a realistic phish relating to one of these services. Another common phishing pretext makes use of open enrollment for employee health benefits, so if an attacker can discover when an organization’s open enrollment period takes place, they could use this to deliver the message at an appropriate time.
When crafting these messages, experienced attackers are careful not to develop overly complicated pretexts, as this can raise suspicion. The most convincing phishes reflect a level of communication that is normal for email, require an easy action (such as clicking a link to take a survey), and convey some sense of urgency. The goal is to get the employee to act without thinking carefully; the more information an attacker has about the inner workings of a company, the better opportunity they have to achieve this goal.
Bypass controls
Before sending a phish, attackers may take steps to help increase the apparent legitimacy of the message and bypass controls an organization may have in place. For example, if an attacker can spoof an actual domain used by the organization, the message’s sender will appear to be an actual internal email address, which is less likely to raise suspicion than if the attacker uses a misspelled domain or a different domain entirely.
In addition, while many email filtering products can identify and block suspicious messages by their signatures, an attacker with enough time and expertise could create a highly customized phish with a unique signature that could get through these systems and reach user inboxes. If these protections are not in place, the attacker has even better odds of succeeding.
How Can Organizations Protect Against Phishing Attacks?
Building an effective system of defense against phishing attacks requires a combined approach utilizing both technical controls and employee awareness.
Technical controls and protections
Mail records
One of the most fundamental forms of defending against phishing attacks comes in the form of three important mail records: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). These records are published as TXT records in the Domain Name System (DNS) settings for the domain.
An SPF record indicates which hosts can send email on a domain’s behalf. If a properly configured SPF record is not in place, an attacker could spoof an actual domain belonging to the organization, which makes the email appear to be coming from a legitimate source. When an SPF record is in place, attackers typically must send phishing emails from slightly misspelled domains (such as .corn in place of .com) or alternative domains (such as .net). This increases the likelihood these messages will be caught by spam filters or identified as suspicious by users.
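Once SPF stops direct spoofing, the sender domains that remain are the misspelled and alternate-TLD look-alikes described above. The following added example, which is not part of the original post, shows the kind of check a mail gateway or SOC script can run over the From header to flag such domains. The organization domains, the confusable-character table, and the sample headers are constructed for illustration.

```python
# Added example (not from the original post): flag sender domains that imitate
# an organisation's own domains. The organisation domains, the confusable
# table and the From headers used below are constructed for illustration.
import re

# Constructed: domains the organisation really sends mail from.
ORG_DOMAINS = {"example.com", "example-corp.com"}

# Character groups that render alike in many fonts (a small constructed subset).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def sender_domain(from_header):
    """Extract the domain from a From header such as 'Alice <alice@example.com>'."""
    match = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", from_header)
    return match.group(1).lower() if match else ""


def normalize(domain):
    """Fold look-alike sequences so 'examp1e.corn' compares equal to 'example.com'."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,
                               current[j - 1] + 1,
                               previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def base_name(domain):
    """'example.net' -> 'example', so an alternate top-level domain can be compared."""
    return domain.rsplit(".", 1)[0]


def classify(from_header):
    """Return 'internal', 'lookalike' or 'external' for the header's sender domain."""
    domain = sender_domain(from_header)
    if domain in ORG_DOMAINS:
        return "internal"
    folded = normalize(domain)
    for org in ORG_DOMAINS:
        # Same name after folding confusables, same name under another TLD,
        # or within two typos of a real domain: treat as a look-alike.
        if (folded == org
                or base_name(folded) == base_name(org)
                or edit_distance(domain, org) <= 2):
            return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, as they might appear in a mail log.
    for header in ("Alice <alice@example.com>",
                   "IT Helpdesk <helpdesk@example.corn>",
                   "HR <benefits@examp1e.com>",
                   "Payroll <payroll@example.net>",
                   "Newsletter <news@vendor-news.org>"):
        print(f"{classify(header):10} {header}")
```

The three tests deliberately overlap: confusable folding catches `example.corn`, the base-name comparison catches `example.net`, and the edit-distance threshold catches single-character omissions or swaps. A production version would allowlist known partner domains to limit false positives and would treat the check as a signal to banner or quarantine the message, not as proof of fraud on its own.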
Like the SPF record, DKIM helps verify the authenticity of a message. It does so by enabling the owner of a domain to “sign” legitimate outgoing emails with a private key and publish the matching public key in the DKIM DNS record. The receiving mail server checks the signature on an incoming message against that public key to confirm it was produced with the domain’s key. If the signature does not verify, the server knows that the message is not authentic or was altered in transit.
Having the SPF record properly configured often isn’t enough on its own, however. The DMARC record provides an additional layer of protection by dictating how messages that fail the SPF and DKIM checks should be handled. If DMARC is set to the strongest level of protection, “Reject”, messages that fail the DMARC check (neither SPF nor DKIM passes for the sending domain) are blocked outright.
For the most robust protection, organizations should set all three of these records. Contacting your DNS provider is a good place to start.
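The following added example, which is not part of the original post, turns the three-record guidance above into a check that can be run during a review. It parses SPF, DKIM and DMARC TXT records and reports missing or weak settings, showing a weak configuration beside its hardened form. The domain name, the DKIM selector and the record values are constructed for illustration; a real audit would first fetch the TXT records from DNS and feed them in the same shape.

```python
# Added example (not from the original post): audit a domain's SPF, DKIM and
# DMARC TXT records and report missing or weak settings. The domain, the DKIM
# selector and all record values below are constructed for illustration.
import re

# Constructed resolver answers: DNS name -> list of TXT strings.
WEAK_TXT = {
    "example.com": ["v=spf1 include:_spf.mailhost.example mx ~all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEYBASE64"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
}

# The same domain after hardening: SPF hard fail and a DMARC reject policy.
HARDENED_TXT = {
    "example.com": ["v=spf1 include:_spf.mailhost.example mx -all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTEDPUBLICKEYBASE64"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
}

# SPF terms that each consume one of the 10 DNS lookups RFC 7208 allows.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def first_txt(txt_records, name, prefix):
    """First TXT string at `name` that starts with `prefix` (case-insensitive), or None."""
    for value in txt_records.get(name, []):
        if value.lower().startswith(prefix):
            return value
    return None


def parse_tags(record):
    """Turn 'v=DMARC1; p=none; rua=...' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_term_name(term):
    """'include:_spf.x' -> 'include', '~all' -> 'all', 'redirect=x' -> 'redirect'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def audit_spf(txt_records, domain):
    spf = first_txt(txt_records, domain, "v=spf1")
    if spf is None:
        return [("high", "no SPF record: any host can claim to send as this domain")]
    findings = []
    terms = spf.split()[1:]
    all_term = next((t for t in terms if spf_term_name(t) == "all"), None)
    # A bare 'all' means '+all'; '+all' and '?all' leave unlisted senders unrestricted.
    if all_term is None or all_term in ("all", "+all", "?all"):
        findings.append(("high", f"SPF '{all_term or '(missing all)'}' does not restrict unlisted senders"))
    elif all_term == "~all":
        findings.append(("low", "SPF ends in ~all (softfail); -all is the stricter choice"))
    # Only this record's own terms are counted; included records are not followed here.
    lookups = sum(1 for t in terms if spf_term_name(t) in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(("high", f"SPF needs {lookups} DNS lookups; more than 10 yields permerror"))
    return findings


def audit_dkim(txt_records, domain, selectors):
    findings = []
    for selector in selectors:
        values = txt_records.get(f"{selector}._domainkey.{domain}", [])
        if not values:
            findings.append(("medium", f"no DKIM record published for selector '{selector}'"))
        elif not parse_tags(values[0]).get("p"):
            # An empty p= tag means the key was revoked; signatures made with it fail.
            findings.append(("high", f"DKIM selector '{selector}' has an empty public key"))
    return findings


def audit_dmarc(txt_records, domain):
    rec = first_txt(txt_records, f"_dmarc.{domain}", "v=dmarc1")
    if rec is None:
        return [("high", "no DMARC record: receivers get no policy for mail failing SPF/DKIM")]
    findings = []
    tags = parse_tags(rec)
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append(("high", "DMARC p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("medium", "DMARC p=quarantine; p=reject blocks failing mail outright"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("medium", f"DMARC pct={pct} applies the policy to only part of the mail"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address: no aggregate reports to watch for abuse"))
    return findings


def audit(txt_records, domain, selectors):
    """Return (severity, message) findings for one domain; an empty list means nothing to fix."""
    return (audit_spf(txt_records, domain)
            + audit_dkim(txt_records, domain, selectors)
            + audit_dmarc(txt_records, domain))


if __name__ == "__main__":
    for label, records in (("weak", WEAK_TXT), ("hardened", HARDENED_TXT)):
        print(label, audit(records, "example.com", ["selector1"]))
```

Run against the weak set, the audit reports the softfail `~all` and the monitor-only `p=none`; the hardened set produces no findings. The DKIM selector name must be known in advance (it appears in the `s=` tag of a signed message’s DKIM-Signature header), and the SPF lookup count here covers only the top-level record, so a full check would also resolve each `include:` target.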
Third-party software
In addition to securely configured mail records, many organizations also make use of third-party email protection software. These products offer malware protection, spam filtering, and advanced email monitoring and can help catch even more sophisticated phish attempts.
Employee awareness
As discussed above, many of the security controls organizations use to help prevent phishing messages from reaching inboxes can be circumvented with enough time, resources, and effort. Once the phish lands in user inboxes, it becomes a matter of employee awareness. Training users to recognize and properly handle phishing attacks is a key element of a strong defense against social engineering attacks. RSM recommends an approach that combines classroom-style training and ongoing campaigns to build and maintain a strong sense of security awareness among an organization’s employees.
Training sessions, which should occur upon hire and at least annually for the duration of an employee’s tenure, should focus on how to identify various types of phishing techniques and the organization’s policy for reporting these attacks. Employees can be given quizzes after completion of each training session to measure understanding and identify areas where additional training is needed.
Awareness campaigns can serve as a refresher between training sessions. These campaigns can involve distributing monthly or quarterly newsletters, displaying informational posters at the office, and conducting simulated phishing exercises to measure employees’ ability to apply training in a possible real-world scenario. Combining ongoing awareness elements with focused training and technical protections will help organizations limit the threat of phishing attacks.
This article was authored by Blaire Kibler, with special thanks to Jake Dugan and Jack Potter for technical expertise.