Phishing is the starting point of most cyberattacks. When sending malicious messages or creating a clone site, attackers use psychological techniques and social engineering tools, so protecting against such campaigns is not an easy task for information security professionals.
To protect against phishing attacks, you can use different tools built into browsers and mail servers, as well as “overlay” tools from third-party vendors. Let us see how effective such solutions are compared to user training and whether you need to buy an additional solution to combat phishing.
What is phishing
Let us define the basic concepts - what is called phishing and how this type of attack differs from other cyber threats.
Initially, the term phishing had a very narrow meaning and referred to emails that lured the victim to a fake site. Later, however, its meaning was significantly expanded, and now any malicious email is called a phishing email.
Modern means of protection do not allow an attacker to easily connect to any valuable resource within the corporate network, so phishers attempt to provoke certain user actions that will become the starting point of a cyberattack.
Any fraudulent scheme that involves direct communication between an attacker and an employee of an organization or a home user can be called phishing. Both modern electronic channels, such as email and instant messengers, and older ones, such as a phone call, can be used for this.
We should not forget about phishing that employs physical media. An example of such an attack is the flash drive that was used to halt the Iranian nuclear program in 2010.
Phishing begins much earlier than the victim encounters it directly. Therefore, depending on budgets and human resources, companies can either use a service for monitoring indicators of a possible attack or independently analyze the external environment in search of potential threats.
Preventive protection against phishing includes:
- Detecting malicious sites that can be used in an attack on a specific organization.
- Monitoring social networks to identify posts that disclose information about employees, and other similar measures.
Today, most companies rarely search for phishing threats proactively, as this is a complex process that requires significant resources. It turns out that it is ineffective for companies to engage in such activities on their own. There are specialized solutions that do it quickly and cheaply.
How does a phishing attack start, and what means of communication are most often used by cybercriminals to deliver malicious links?
According to statistics, more than 96% of phishing attacks start with email. At the same time, this channel is the easiest one to identify. Other vectors of attack are much more difficult to track.
The lion's share of phishing attacks is carried out via email simply because all organizations use email. Corporate email is not always protected, and attackers have an unlimited number of attempts to find the email addresses they need and bypass anti-spam protection.
In the event of mass attacks, email is indeed the main delivery channel for malicious content. However, in the event of a targeted attack, other methods of interacting with company employees are often used, such as phone, social media, and messengers. At the same time, targeted phishing attacks are not very common due to the complexity of their preparation.
Bulk phishing campaigns also use some kind of targeting, such as checking the region a device belongs to before starting an attack. Often, the methods of mass and targeted phishing attacks are the same. Again, even those attacks that target a large number of smaller victims use some sort of profiling to increase the conversion rate.
As for the damage that a phishing attack can cause, it ranges from thousands of dollars in the case of individuals to millions if the attackers are targeting an organization.
Despite the prevalence of email as the main phishing channel, experts see the growth of attacks where instant messengers, blogs, official and fake social media accounts, and other options for interacting with targeted users are used.
Phishing protection methods
Mail servers and mail clients, as well as browsers, have built-in protection against phishing. Are these tools enough to defend against an attack? Are third-party solutions really necessary?
Built-in security tools for email services and browsers provide a basic level of protection that attackers can bypass because they have the ability to test the appropriate mechanisms before attacking. Those who use these basic security tools see this in their everyday life.
Specialized solutions implement more sophisticated algorithms, but these too can be studied by cybercriminals. However, doing so significantly increases the cost of an attack: attackers have to purchase the corresponding solutions and spend a lot of time testing and studying how each of them functions. Not all attackers will take such a step. This creates an additional barrier, so the money spent becomes an effective security investment.
A modern email security solution should have the following properties:
- Be updated regularly.
- Use machine learning techniques to recognize different types of attacks.
- Be able to understand well the structure and text of the message, recognize the text in the picture, and identify other suspicious signals and phishing indicators.
- Have a mechanism for assessing the reputation of the sender and of the domains referenced in the message.
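As an added illustration of the message-analysis properties in the list above (example code written for this article, not any vendor's product), the Python script below parses a constructed sample email and reports the kind of structural indicators an email security solution looks for: a Reply-To domain that differs from the From domain, anchors whose visible text names a different host than their href, links to bare IP addresses, and clusters of urgency wording. The sample message, the `.test` and `.invalid` domains, the `URGENCY_WORDS` list and the function names `phishing_indicators` and `_LinkCollector` are all constructed for the example and are not taken from the article.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample message (not a real capture). It carries a Reply-To domain
# that differs from From, a link whose visible text names one domain while its
# href points to another, a link to a bare IP address, and urgency wording.
SAMPLE_EMAIL = """\
From: "Example Bank" <alerts@examplebank.test>
Reply-To: support@examplebank-secure.invalid
To: user@corp.test
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended. Please verify immediately.</p>
<p><a href="http://examplebank-secure.invalid/login">https://examplebank.test/login</a></p>
<p><a href="http://203.0.113.10/update">Update your details</a></p>
</body></html>
"""

# Hypothetical wording list; a production filter would use a trained model.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "within 24 hours")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _addr_domain(header_value: str) -> str:
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _looks_like_url(text: str) -> bool:
    """True if the anchor's visible text reads like a URL or hostname."""
    return bool(re.match(r"^(https?://)?[\w.-]+\.[a-z]{2,}", text, re.I))


def phishing_indicators(raw_message: str) -> List[str]:
    """Return human-readable phishing indicators found in an RFC 5322 message."""
    msg = message_from_string(raw_message)
    indicators: List[str] = []

    # Header signal: replies routed to a domain other than the sender's.
    from_dom = _addr_domain(msg.get("From", ""))
    reply_dom = _addr_domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        indicators.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")

    # Gather every HTML part (a single-part message is its own only part).
    html_chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True) or b""
            html_chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    html = "\n".join(html_chunks)

    # Link signals: raw IP targets and display-text/href host mismatches.
    collector = _LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        target = _host(href)
        if _is_ip(target):
            indicators.append(f"link to raw IP address {target}")
        if _looks_like_url(text):
            shown = _host(text if "://" in text else "http://" + text)
            if shown and shown != target:
                indicators.append(f"link text shows {shown} but href goes to {target}")

    # Content signal: several urgency cues across subject and body text.
    plain = re.sub(r"<[^>]+>", " ", html)
    haystack = f"{msg.get('Subject', '')} {plain}".lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if len(hits) >= 2:
        indicators.append("urgency language: " + ", ".join(hits))

    return indicators


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("-", line)
```

The script uses only the standard library. In a real deployment these structural indicators would feed a scoring step alongside sender reputation and a learned classifier; on their own they are useful for triage and for explaining to a user why a message was held.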
Machine learning is used in anti-phishing systems to compare website pages and identify suspicious domain names. These actions cannot be effectively automated using signatures or statistical methods. However, ML and AI do a good job at this.
In addition, using machine learning, it is possible to analyze the actions a user tries to perform after receiving a message and thus prevent the spread of malware and the development of an attack. It is wise to use a vendor-supplied database as the basis for machine learning since the organization's own data may not be enough, as it quickly becomes obsolete. At the same time, an information security specialist can supplement it, as well as manually adjust artificial intelligence solutions to fine-tune the rules.
Protection against web phishing
What strategy should be applied to following a link in a message? Should you block or restrict all transitions to external resources by default or, conversely, allow them? What tools are available to identify phishing sites? How should you deal with fly-by-night sites?
The strategy of total bans can be quite effective, but it has a detrimental effect on the company's business processes, and it is very difficult to apply it fully in practice. One trade-off is to allow users to access only sites of specific categories.
Many companies have a practice of granting employees access based on a limited list of trusted resources. However, the main targets of phishing attacks (marketing and sales staff, finance staff, company executives) usually have some privileges and need to work with a broader list of resources.
To combat clone sites, you can use the following strategy:
- Use brand protection services, which check all newly registered domains for similarity to the domain of a particular organization, as well as automatically check the content of such sites.
- Use tools that analyze the actions a site performs when opened in a browser, to counter resources that show different content to a user and to search-engine bots depending on certain parameters of the session.
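The domain-similarity checks mentioned in the machine learning paragraph above and in the brand-protection point of this list can be demonstrated without a vendor product. The Python below is an added example written for this article, not code from any brand-protection service, and it uses string-distance heuristics rather than a trained model: it decodes punycode labels, folds common homoglyph substitutions onto plain letters, and compares the registrable label of each candidate against a protected brand name. `PROTECTED_DOMAIN`, `CANDIDATES`, the confusables tables and the function names `classify_domain` and `scan` are assumptions constructed for the example, and the registrable-label logic deliberately skips the Public Suffix List.

```python
from typing import Dict, Iterable, Optional

# Hypothetical protected brand domain; an organisation would use its own.
PROTECTED_DOMAIN = "examplebank.test"

# Constructed candidate list standing in for a day's newly registered domains.
CANDIDATES = [
    "examplebank-secure.invalid",  # brand name embedded in a longer label
    "examp1ebank.test",            # digit 1 for letter l
    "exarnplebank.test",           # "rn" imitating "m"
    "examplebаnk.test",            # Cyrillic а (U+0430) in place of Latin a
    "exampleban.test",             # one character dropped
    "weather-report.test",         # unrelated
    "examplebank.test",            # the real domain itself
]

# Small constructed confusables table; the Unicode confusables data is far larger.
_MULTI_CHAR = {"rn": "m", "vv": "w"}
_SINGLE_CHAR = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a",  # Cyrillic а
    "\u0435": "e",  # Cyrillic е
    "\u043e": "o",  # Cyrillic о
    "\u0440": "p",  # Cyrillic р
    "\u0441": "c",  # Cyrillic с
})


def _decode_label(label: str) -> str:
    """Turn a punycode (xn--) label back into Unicode so confusables are visible."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def _registrable_label(domain: str) -> str:
    """Second-to-last label of the name. Assumes a one-label public suffix;
    real deployments should consult the Public Suffix List instead."""
    labels = domain.lower().rstrip(".").split(".")
    return _decode_label(labels[-2] if len(labels) >= 2 else labels[0])


def _normalize(label: str) -> str:
    """Fold common visual substitutions onto plain ASCII letters."""
    for seq, repl in _MULTI_CHAR.items():
        label = label.replace(seq, repl)
    return label.translate(_SINGLE_CHAR)


def _levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(candidate: str, protected: str = PROTECTED_DOMAIN,
                    max_distance: int = 2) -> Optional[str]:
    """Return 'homoglyph', 'brand-embedded', 'typosquat', or None if not similar."""
    raw_brand = _registrable_label(protected)
    brand = _normalize(raw_brand)
    raw = _registrable_label(candidate)
    norm = _normalize(raw)
    if norm == brand:
        # Identical after folding: either our own domain or a visual imitation.
        return None if raw == raw_brand else "homoglyph"
    if brand in norm:
        return "brand-embedded"
    if _levenshtein(norm, brand) <= max_distance:
        return "typosquat"
    return None


def scan(candidates: Iterable[str], protected: str = PROTECTED_DOMAIN) -> Dict[str, str]:
    """Map each flagged candidate to its verdict; unflagged domains are omitted."""
    result: Dict[str, str] = {}
    for c in candidates:
        verdict = classify_domain(c, protected)
        if verdict:
            result[c] = verdict
    return result


if __name__ == "__main__":
    for domain, verdict in scan(CANDIDATES).items():
        print(f"{verdict:15} {domain}")
```

Flagged domains are a queue for review and content comparison, not an automatic takedown list: a short brand name will also match legitimate registrations within two edits, which is exactly the false-positive pressure the thresholds have to balance.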
Do you need external data sources to fight phishing?
Finally, let us briefly touch on the practice of using third-party data streams (feeds) to enrich anti-phishing systems. While information from aggregators can be useful, it is not highly effective for phishing protection because it becomes outdated very quickly. It should also be borne in mind that adding a large number of attack indicators can increase the number of false positives. You can use feeds, but you will have to manage a large number of them, which is resource-intensive.
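One way to act on the two cautions above (feeds go stale, and piling up indicators raises false positives) is to age indicators out and require corroboration before they reach a blocklist. The Python below is an added example for this article, not any aggregator's API; `FeedEntry`, `SAMPLE_FEEDS`, the fixed `NOW` clock and the thresholds in `consolidate` are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FeedEntry:
    indicator: str        # phishing domain or URL as the feed reports it
    source: str           # feed name
    first_seen: datetime  # when the feed first published it
    confidence: int       # feed-reported confidence, 0-100


# Fixed clock so the example is reproducible.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed feed records, not real indicators.
SAMPLE_FEEDS: List[FeedEntry] = [
    FeedEntry("phish-a.invalid", "feedA", NOW - timedelta(days=1), 60),
    FeedEntry("phish-a.invalid", "feedB", NOW - timedelta(days=1), 55),
    FeedEntry("phish-b.invalid", "feedA", NOW - timedelta(days=2), 95),
    FeedEntry("stale.invalid", "feedA", NOW - timedelta(days=30), 90),
    FeedEntry("stale.invalid", "feedB", NOW - timedelta(days=28), 90),
    FeedEntry("lonely.invalid", "feedC", NOW - timedelta(days=1), 40),
]


def consolidate(entries: Iterable[FeedEntry], now: datetime,
                max_age: timedelta = timedelta(days=7),
                min_confidence: int = 80,
                min_sources: int = 2) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Merge feed records into (blocklist, rejected), each mapping indicator -> reason.

    An indicator is blocked only if it is still fresh and either several feeds
    agree on it or one feed reports it with high confidence. Everything else is
    kept as a rejected record so the decision can be audited.
    """
    grouped: Dict[str, List[FeedEntry]] = {}
    for e in entries:
        grouped.setdefault(e.indicator, []).append(e)

    blocklist: Dict[str, str] = {}
    rejected: Dict[str, str] = {}
    for indicator, group in grouped.items():
        fresh = [e for e in group if now - e.first_seen <= max_age]
        if not fresh:
            rejected[indicator] = "stale"
            continue
        sources = {e.source for e in fresh}
        best = max(e.confidence for e in fresh)
        if len(sources) >= min_sources:
            blocklist[indicator] = f"corroborated by {len(sources)} feeds"
        elif best >= min_confidence:
            blocklist[indicator] = f"single feed at confidence {best}"
        else:
            rejected[indicator] = "single low-confidence source"
    return blocklist, rejected


if __name__ == "__main__":
    blocked, dropped = consolidate(SAMPLE_FEEDS, NOW)
    for ind, why in blocked.items():
        print(f"BLOCK  {ind:18} {why}")
    for ind, why in dropped.items():
        print(f"SKIP   {ind:18} {why}")
```

The thresholds are the tuning knobs the text alludes to: a shorter `max_age` tracks fly-by-night infrastructure more closely at the cost of dropping still-live indicators, and a higher `min_sources` trades coverage for fewer false positives.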
Phishing protection should not be limited to tools built into your browser or email client. These tools provide only a basic level of protection and are often powerless against targeted threats. At the same time, third-party solutions also do not guarantee complete blocking of all malicious messages. Corporate users should pay attention to external resources that can use their brand as bait, as well as fake sites aimed at company employees.
In any case, the fight against phishing requires an integrated approach, which includes a combination of technical tools (both built-in and third-party), as well as organizational measures - staff training, policies, actions to protect the brand on the Internet.