A common form of social engineering in which a threat actor poses as someone familiar to you, such as a friend, family member, colleague, or even a reputable vendor, is known as phishing. The goal for the threat actor is to lure you into giving up sensitive information, most often a login, a password, or both, which can ultimately lead to data theft, identity fraud, or a malware infection. It can even lead to the dreaded ransomware, which commandeers your device and holds it for, yes, you guessed it, a ransom that you would be expected to pay in order to get your device access and data back.
Phishing is not new. It emerged in the 1990s and remains as effective as ever at wreaking havoc on home and small business users worldwide. The National Cyber Security Alliance says that 10% of all small to midsize businesses went out of business after experiencing a data breach, so why leave your future to chance, especially since the cost of rectifying a cyber breach all too often exceeds the cost of preventing it.
Phishing gets its name from the idea of a threat actor reeling you in, as in fishing, and if they are lucky you end up being their catch of the day. It starts with tempting you with compelling content, which is the lure (or is it the allure?). This could be a mysterious email attachment, or a message that makes you believe you will lose out on something if you don't take swift action. Phishing attempts arrive in many ways, most often as an email, but they can also be sent via SMS or traditional phone texting, which is commonly referred to as smishing. Here are several ways to block the bait, so to speak, before you even get the chance to open a malicious link or attachment that you may have thought was legitimate. Consider taking a multifaceted approach to defending against phishing, particularly when it comes to protecting your digital assets and improving your overall cyber hygiene.
SECURE EMAIL GATEWAY SERVICES
A first line of defense against phishing should start with your email provider: find out what they are doing, or what they can do, to prevent such nasty emails from ever reaching your inbox. Many Internet service providers, such as Spectrum and Verizon, either offer or are starting to offer more robust cybersecurity services for the home and small business, in this case secure email gateways (SEGs), which are often powered by very complex machine learning and/or artificial intelligence in order to keep up with the enormous volume of email traffic and filtering on their networks. An SEG acts as a proxy, sitting in-line on an email's delivery path from the Internet to the personal or company email server. Spectrum, for example, now provides its Security Shield service and claims it is able "to detect and block malicious websites, phishing scams, and internet originated attacks against devices in the home."
There is an abundance of SEG services that will scan and filter your email before it arrives in your inbox, many for just a few dollars a month; Microsoft is just one of many you may be familiar with. Having said that, SEGs are not foolproof by any means, are certainly not guaranteed to completely safeguard you, and will not always leave you free from phishing attacks. According to Cofense, 90% of phishing attacks reported came from an environment that used an SEG. Cofense attributes this large percentage to the ever-evolving sophistication of phishing techniques.
If you recall, earlier we mentioned the idea of a multifaceted approach. That is because a single layer of protection, particularly when it comes to phishing, is never enough. Let's look at another very effective method of phishing protection, one that takes place at the endpoint, meaning your desktop or laptop computer, and comes in the form of application allowlisting. Application allowlisting, or whitelisting as it was known in the past, is nothing new. Quite simply, it tracks known-good applications and executables and allows only those to run within your environment. In other words, if you accidentally click a malicious link that carries a nefarious payload, that payload will not be allowed to execute on your device because it is not in your list of approved applications and executables. This technique aligns with the National Institute of Standards and Technology (NIST) Zero Trust Architecture, is highly endorsed by the Cybersecurity and Infrastructure Security Agency (CISA), and is increasingly becoming the standard by which most public and private sector organizations intend to operate.
The alternative approach is often referred to as blacklisting, a common technique used by many major antivirus and malware protection companies today. With this technique an unknown program is initially allowed to run while built-in heuristics and behavioral analysis work their magic. That process may take only seconds, or in the worst case a few minutes, but this is unfortunately enough time for a ransomware payload to begin partially encrypting your hard drive and unleash its destruction. At that point the damage is already done, whereas with allowlisting, time is on your side: the unknown application is blocked instantly, and any additional inspection of the executable in question is conducted behind the scenes while your device remains protected. A schematic comparing blacklist vs. allowlist is shown below.
The most effective protection against phishing attacks is human intelligence, which by all accounts also happens to be the weakest link in any organization when it comes to cybersecurity. According to the 2021 Verizon Data Breach Investigations Report, 85% of data breaches were attributed to the human element. Being able to recognize common phishing indicators such as suspicious sender addresses, spoofed hyperlinks, spelling and grammar errors, and unexpected or curious file attachments goes a long way toward protecting your environment. Even with the best technological defenses in place and highly trained staff, it only takes one person to accidentally click a bad link or open an unexpected attachment to unleash chaos on your network. Would you recognize a phishing attack if it were presented to you?
Here are some telltale signs that an email is probably not legitimate:
The subject line is blank.
The sender's name doesn't match their email address.
The email asks you for personally identifying information, such as a username and password.
The message conveys an exaggerated sense of urgency to get you to act.
Poor spelling and grammar are used in the body text.
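As an added example that is not part of the original article, the following Python turns that checklist into a heuristic scan over a raw email message. The word lists, the brand-to-domain map and the two sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed word lists for this example; a real filter would use far richer ones.
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|act now|final notice)\b", re.I)
CREDENTIAL_REQUEST = re.compile(r"\b(password|username|verify your (account|identity))\b", re.I)
COMMON_MISSPELLINGS = {"acount", "recieve", "verfy", "securty"}
# Hypothetical brand -> domain map: a sender name claiming a brand should come from that brand's domain.
BRAND_DOMAINS = {"examplebank": "examplebank.com"}

def _plain_text_body(msg) -> str:
    """Join the text/plain parts so the checks also work for multipart mail."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def phishing_indicators(raw_message: str) -> list[str]:
    """Return the checklist signs that a raw RFC 5322 message exhibits."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    body = _plain_text_body(msg)
    flags = []
    if not (msg.get("Subject") or "").strip():
        flags.append("blank subject line")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in display_name.lower().replace(" ", "") and domain != legit and not domain.endswith("." + legit):
            flags.append(f"sender name claims {brand} but address is @{domain}")
    if CREDENTIAL_REQUEST.search(body):
        flags.append("asks for credentials or identifying information")
    if URGENCY.search(body):
        flags.append("pressures the reader to act urgently")
    misspelled = sorted(COMMON_MISSPELLINGS & set(re.findall(r"[a-z]+", body.lower())))
    if misspelled:
        flags.append("misspellings in body: " + ", ".join(misspelled))
    return flags

def is_probably_phishing(raw_message: str, threshold: int = 2) -> bool:
    """Any one sign can occur in honest mail; several at once make the message suspect."""
    return len(phishing_indicators(raw_message)) >= threshold

# Constructed sample messages, not real mail.
SAMPLE_PHISH = ('From: "ExampleBank Security" <alerts@examp1ebank-login.net>\nSubject:\n\n'
                "Your acount has been suspended. Verify your identity immediately and reply with your username and password.\n")
SAMPLE_LEGIT = ('From: "Jane Doe" <jane.doe@examplebank.com>\nSubject: Quarterly statement available\n\n'
                "Hi, your quarterly statement is now available in the online portal. No action is required.\n")
```

Calling `phishing_indicators(SAMPLE_PHISH)` returns all five signs, while the legitimate statement notice returns an empty list.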
Phishing-related attacks can be reported to the Anti-Phishing Working Group at www.antiphishing.org.
If you haven't already done so, consider implementing a formal cybersecurity training and awareness program that routinely trains and tests you as well as your users. For hundreds of dollars a year (not thousands), you can quickly and easily implement an online training program. An effective training program significantly raises awareness of phishing and improves your organization's cyber hygiene while achieving a more desirable response from your employees. Many training programs include phishing simulation built right into the training tool to test your users' knowledge randomly and routinely, as often as needed over the course of a year. This is a critical element in creating an effective cybersecurity culture within your organization. Ultimately, you want your users to be able to identify threats as they occur in real time and take the appropriate actions to mitigate them. This behavior makes any cyber professional smile, and it should do the same for any small business owner attempting to improve overall cyber hygiene.
Phishing attacks remain one of the top cyber threats today, consistently hitting millions of unsuspecting users worldwide and increasing year over year. Be sure that you have adequate tools and strategies to mitigate your risk, using a multifaceted approach to soften the impact on you or your small to midsize business of the attacks that are likely lurking just around the corner on the Internet.
For more detailed information on how to enhance or improve your cybersecurity posture contact Runtime Fitness today.
"If you connect it, we protect it."