When trying to keep technology security training up to date, it would be nice to say that one of the best defenses for anyone working with a computer is simply to never answer any email at all. Unfortunately, just as we tell children as they grow up, the world is not that simple. Today’s phishing methodology is far more advanced than it was just five years ago. At the same time, attackers are still using very old and simple attacks with notable success. This variety of attack modes keeps knocking companies and agencies off their feet. It is no surprise that people tend to be the weakest link in the technology defenses of organizations of just about any size today.
Damage Avoided is Cheaper Than Damage Control
Fortunately, a good amount of phishing can still be prevented with:
- Constant awareness of what might be a threat
- Regular and frequent education of personnel
- Testing and compliance of internal practices
- General involvement of everyone in the organization in basic security principles
- Solid network protection against easy-to-identify attack methods, such as that provided by PS LIGHTWAVE Support
Understanding How Phishing Has Changed
The typical phishing approach a decade ago was almost comical. It generally involved an email disguised as a bank notice saying an account was compromised and the institution needed the recipient’s information to fix the problem. Believe it or not, people who used that bank handed their personal information over, and accounts were compromised. However, with extensive training in every company and agency, the effectiveness of this style died down. It still catches the occasional unwary user, but for the most part this attack method now gets blocked regularly. Spam filters also wised up to these fake emails.
However, phishers got smart and kept tailoring their methods. Email continues to be the main phishing channel (although phone and regular mail work too), but the content of the messages changed dramatically. While the widespread fishnet attack (hence the name “phishing”) still happens, far more intrusive phishing has become very targeted, going after key individuals in organizations. Many attackers still ask for the recipient’s information, but the message has become personalized. “Whale phishing” has become prevalent, with many critical program and system managers being hammered by odd emails expecting them to provide details. Worse, the emails look as if they came from within the same organization. Compromising such an individual tends to expose far larger account areas, because their provisioned rights are greater than those of an average user.
An even sneakier approach that is developing fast is the abuse of common services that many organizations rely on. This is an evolution of the bank account error email, but instead the phishing attempt impersonates everyday support services such as shipping couriers, office supply vendors, food ordering and similar. Bottom line: the fake communication looks extremely normal and commonplace, so it gets clicked on and the user is compromised, even when people have been trained on phishing in general. Human behavior favors familiarity, and phishers know it. As Penn Jillette of the magician duo Penn & Teller noted at the RSA Conference in San Francisco in February 2020, they regularly use tricks that are easily 100 years old, yet Penn & Teller still consistently fool people because audiences focus on the technology and not on the simple, mundane things that seem normal. Knowing how a trick is done doesn’t automatically create a defense.
Can Phishing Be Stopped? Yes.
So, to the heart of the matter: how do people deal with modern phishing today and prevent it? First, practice caution regularly. If you don’t recognize or trust a new email, or are surprised by an unexpected attachment or link, don’t click on it or use it. If it’s internal, someone will likely ping again or follow up through another channel if the issue is important.
Second, the IT platforms in use should apply email, POP and SMTP filtering tools as much as possible. These tools block a good share of broad-based phishing emails, eliminating problems before they ever reach users.
Third, if you get an odd email from an internal sender about something critically needed, do the most archaic thing possible in the modern age: pick up the phone and call the office or the person to find out what the issue is, instead of responding by email. 99.9% of whale phishing attacks are stopped by verbally confirming whether the message is real.
Finally, have a mitigation protocol in place to shut off an account as quickly as possible once it is compromised. Many key users realize within less than 24 hours that their account has been hacked, but rights provisioning in many organizations can take up to 2 weeks to disable an account. This should never happen. Speed is the most critical factor in how effective damage control is.
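The filtering step above can be made concrete with a small check for the whale-phishing pattern the article describes: a message whose display name borrows an internal identity while the real sender address sits on a lookalike external domain and replies are redirected elsewhere. This is an added example, not PS LIGHTWAVE code; the organization domain, the internal name directory and the sample message are all constructed for illustration.

```python
import email
from email.utils import parseaddr

# Assumed values (constructed for this example): the organization's real mail
# domain and a small directory of names that appear in its address book.
ORG_DOMAIN = "example.com"
INTERNAL_NAMES = {"pat director", "sam treasurer"}

# Constructed sample: the display name matches an internal executive, the
# sender domain is a one-character lookalike, and Reply-To points elsewhere.
SAMPLE_MESSAGE = """\
From: Pat Director <pat.director@examp1e.com>
Reply-To: accounts@mail-courier-invoices.net
To: manager@example.com
Subject: Urgent: wire details needed today

Please send the updated account details before 3pm.
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot single-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flags_for(raw: str) -> list[str]:
    """Return the reasons a message looks like an impersonated internal sender."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []
    if from_domain != ORG_DOMAIN:
        # Display name borrows an internal identity while the address is external.
        if any(name in display.lower() for name in INTERNAL_NAMES):
            reasons.append("internal-name-external-sender")
        # Sender domain is within one edit of the real domain (e.g. examp1e.com).
        if edit_distance(from_domain, ORG_DOMAIN) == 1:
            reasons.append("lookalike-domain")
    # Replies are silently redirected to a domain other than the sender's.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != from_domain:
        reasons.append("reply-to-domain-mismatch")
    return reasons

if __name__ == "__main__":
    print(flags_for(SAMPLE_MESSAGE))
```

A message that trips any of these flags is a good candidate for quarantine or, at minimum, the out-of-band phone confirmation recommended in the third step.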
Getting Help for the Next Step
If you need more guidance on this, we recommend looking into the same training that we provide to our staff.
PS LIGHTWAVE provides high-speed, fiber Internet for public and private commercial entities in the Greater Houston and surrounding areas.
Through our high-quality infrastructure, innovative technology and expert, locally based support, we deliver not only the best in connectivity and reliability but in scalability and redundancy. We invite you to learn more about our services, our history and our dedicated team.