Phishing is one of the oldest tricks in a digital attacker’s books. But since its inception, the tactics and techniques used by attackers to conduct phishing have evolved. Security teams now need to evolve their anti-phishing strategies to effectively address a new era of threats. From spearphishing to smishing and now vishing, relying on old definitions and procedures leaves security teams ill-equipped to protect customers and employees. In this blog, we’ll review the top four assumptions security professionals often make when it comes to phishing and how to rework those assumptions to be fully prepared to tackle phishing attacks.
Assumption 1: Phishing is limited to email, so anti-phishing protection should be limited to email
Most people have seen their fair share of phishing emails offering free gifts, jobs and money – if you just ‘click here.’ Security and IT teams have spent years on employee and consumer training to help individuals identify these types of emails. And for good reason. According to Verizon’s Data Breach Investigations Report, 94% of malware was distributed through email.
While anti-phishing email protection is critical, security teams often make the false assumption that securing email is a comprehensive way of addressing phishing in its entirety. In actuality, phishing occurs wherever digital interactions happen – on the web and on social media. In order to distribute a phishing link through email, the actor must first stand up the malicious domain used to conduct the attack. In order to get the most bang for their buck, attackers look for any and all means of distributing this link. Email is often an easy source due to the relative low cost and sophistication of set up. Email address blocked? No problem, just set up a new one and continue on.
Social media offers a similar scenario for attackers. Since the majority of social networks are free to use, there is lucrative opportunity. The inherent trust built on social platforms may make it more likely for users to click on a phishing link or engage with an attacker under the assumption of familiarity. Traditional security policies and tools lack the visibility and remediation necessary to address phishing that occurs outside of email. The traditional means of blocking and spam filters do not apply. Security teams must evaluate all platforms on which phishing occurs in order to develop a policy to effectively address it, unique to each platform. On Facebook, for instance, turning on post approvals is one simple step to stop the spread of phishing links on your public pages, allowing internal teams to review each community post for malicious activity prior to publishing.
Assumption 2: Spam filters, blocking and deleting are an effective anti-phishing strategy
The traditional approach to handling phishing, particularly via email, has been what we often call: playing whack-a-mole. A combination of blocking and deleting emails addresses the individual threat but does little to disrupt the attack at large. Without addressing the source of the attack at the domain level or conducting further investigation into the actor or threat campaign, phishing attacks will continue at the same speed and scale we all know too well.
When it comes to anti-phishing policies, think bigger. In addition to blocking individual email addresses and deleting malicious posts, work with domain registrars to have the malicious domains associated with those email addresses, or the phishing links themselves, taken down. This ensures that not only is the individual threat itself addressed, but prevents future targeted attacks, making it more difficult for attackers in the long run.
Assumption 3: Phishing requires sophisticated attackers
Yes, this is another blog post talking about hackers in hoodies… but only to say that the typical stereotype of sophisticated hackers that stand up phishing sites in seconds is not always the case. While full scale phishing campaigns often require coordinated efforts across platforms, new techniques have made phishing more accessible to even the least sophisticated of hackers.
Phishing kits provide fully packaged SaaS like solutions for less experienced hackers to stand up phishing domains and campaigns in no time. The rise in popularity of these kits, particularly kits targeting high-profile brands, suggests that this new method of phishing is gaining significant traction.
Assumption 4: Phishing is something we can address on our own
The scale and complexity of modern phishing attacks make them difficult for security teams to handle on their own. In the same way that attackers rely on a community for hacking services, security professionals can leverage anti-phishing communities to collectively address phishing and other cybercrime. The Anti-Phishing Working Group (APWG), Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) and other communities offer the opportunity for collaboration and a unified response to global phishing threats.
Partnering with an anti-phishing protection solution that covers all platforms where phishing occurs will also help you coordinate a comprehensive response. Learn more about ZeroFox’s anti-phishing protection software here.