Why Phishing Still Works (and What to Do About It)
Last fall, Howard University made headlines as the victim of a ransomware attack that forced the cancellation of online and in-person classes, among other operational issues. And the Washington, DC, institution is not the only university to be impacted by cybercriminals. With their vast repositories of sensitive and personal data from students, faculty and staff, colleges and universities are a prime target for attack.
One of the most common attack vectors for ransomware is phishing. This tactic has been around for decades — the term "phishing" dates all the way back to 1995 — and has been used by a wide range of adversaries, from script kiddies to the most sophisticated nation-state actors. The biggest threat phishing presents to cybersecurity professionals is not the tactic itself (described below) but the damage it can cause, especially when dealing with the higher education community. One of the most effective ways to protect against this threat is to teach people how to spot a phishing attempt and why they must report it to the right people. In the following article, I describe the phishing threat and outline best practices for tackling this persistent problem.
What Is Phishing?
Let's start with an explanation of this important piece of adversarial tradecraft. Phishing is a social engineering technique that uses e-mail to entice or trick unsuspecting people into clicking on web links or attachments that appear to be legitimate but are instead designed to compromise the recipient's machine or trick the recipient into revealing credentials or other sensitive information. Adversaries, whether an individual criminal or a nation-state, craft such messages to appear legitimate. A phishing e-mail can appear to be from your bank, employer or boss, or use techniques to coerce information out of you by pretending, for example, to be a government agency.
Whether an adversary is an individual criminal or a nation-state determines the motivation behind the phishing attempt. Motivations are many and varied; for example, in a phishing e-mail an adversary may attempt to:
- Steal account credentials to siphon funds from you or your university;
- Steal your school account credentials to access your personal files; or
- Deploy malicious software that will allow them to gain entry to your school or home computer or access the university network to steal personal records or intellectual property.
No matter the motivation, phishing presents adversaries with a low-risk attack method that offers a high potential for financial gain. And that's why the phishing threat keeps us CISOs on our toes — adversaries use the tactic over and over because it works. People are often busy and distracted, prone to clicking on links without thinking when they quickly check their e-mail between classes, meetings or other activities. The data bears this out: Organizations on average have a click rate of 10%, which represents a high chance of users clicking on an illegitimate link and giving up information or providing their account credentials to a phisher.
A typical phishing attack entails the mass sending of e-mails in hopes of getting anyone to click on malicious links. The intent could be to deploy ransomware, to steal existing account credentials, to acquire enough information to open a new fraudulent account, or simply to compromise an endpoint. Because everyone has an e-mail address, and because the tactic offers so many options for the adversary, phishing is a numbers game played in a target-rich environment in which only a relative few need to be tricked in order for the adversary to profit.
A less typical attack is the spear-phishing attack, a more specialized tactic in which the adversary specifically targets senior leaders or other sensitive roles within an organization. To craft a spear-phishing e-mail, the adversary typically collects information about their targets that's readily available on university websites or social media such as LinkedIn, Facebook and Twitter. The adversary uses such information to tailor highly personalized e-mails that entice the user to click on a link, aiming to pilfer sensitive information from their machine or network, or to use the information to target other employees through e-mail compromise.
How Do You Detect/Prevent Phishing?
Phishing is challenging to fight with technology alone. While many solutions can help prevent such attacks, most are reactive rather than proactive, meaning that some phishing e-mails — upward of 20% with some solutions — will get through. And in some cases, such as when a university's e-mail account is compromised and used to send phishing e-mails, anti-phishing technology won't stop an e-mail that's sent from a legitimate source.
Stopping phishing, then, relies on more than just technology — it requires vigilance by everyone. People must be trained to recognize and constantly be on alert for the signs of a phishing attempt, and to report such attempts to the proper administration contact or security staff.
Here are five signs of a phishing attempt to encourage users to watch for and report:
- An unexpected e-mail that prompts you to take action such as changing a password, sending funds, buying gift cards or logging into a website.
- An e-mail whose body appears to be legitimate, but was sent from a known free e-mail site or an unfamiliar web domain (e.g., an e-mail that appears to be from your local electricity provider but was actually sent from a Gmail account).
- An e-mail with misspelled words, bad grammar or poor formatting.
- An e-mail that appears to contain suspicious file attachments.
- An e-mail containing web links that appear legitimate but are revealed to be from fake or unknown web domains when the cursor is hovered over them.
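Three of the signs above can be checked mechanically before a message reaches a busy reader: an unexpected prompt to act, a sender domain that is free-mail or off-domain, and visible link text that disagrees with the real destination. The Python below is an added example written for this article, not code from the author or from CrowdStrike; the free-mail domain list, the action-word list and the sample message are constructed assumptions, and the regex-based anchor extraction is a deliberate simplification.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}  # assumed list
ACTION_WORDS = ("password", "gift card", "wire transfer", "log in", "verify your")
# Simplified anchor extraction for the demo; a real mail parser would walk the DOM.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def _site(value):
    """Last two host labels of a URL or bare domain: 'portal.example.edu' -> 'example.edu'."""
    host = urlparse(value if "://" in value else "http://" + value).hostname or ""
    return ".".join(host.lower().split(".")[-2:])

def looks_like_url(text):
    """True when visible link text itself reads as a URL or domain (has a dot, no spaces)."""
    text = text.strip()
    return "." in text and not any(c.isspace() for c in text)

def phishing_signs(raw_message, expected_domain):
    """Return the signs triggered, in order: 'sender domain', 'link mismatch', 'action prompt'."""
    msg = message_from_string(raw_message)
    signs = []
    # Sign 2: legitimate-looking body, but the sender is free-mail or off-domain.
    sender_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    if sender_domain in FREE_MAIL or sender_domain != expected_domain:
        signs.append("sender domain")
    body = msg.get_payload()
    # Sign 5: the visible link text names one site while the href points elsewhere.
    if any(looks_like_url(t) and _site(t) != _site(h) for h, t in ANCHOR.findall(body)):
        signs.append("link mismatch")
    # Sign 1: an unexpected prompt to act (change a password, send funds, log in ...).
    if any(w in body.lower() for w in ACTION_WORDS):
        signs.append("action prompt")
    return signs

# Constructed sample: the display name claims the help desk, the sender is a free-mail
# account, and the visible link text does not match where the href really points.
SAMPLE = """From: Campus IT Help Desk <helpdesk.uni@gmail.com>
Subject: Action required: password expires today
Content-Type: text/html

<p>Your password expires today. Log in at
<a href="http://example-edu-login.net/reset">https://portal.example.edu/reset</a></p>
"""
```

The sender check looks only at the From header, which a mail gateway should already have validated with SPF/DKIM/DMARC; the check is a reader-side heuristic, not a replacement for that.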
Phishing Remediation
So, what happens if your college or university experiences a successful phishing attack? It's important to have an incident response plan and tooling in place so that you can move quickly into an investigation and conduct compromise assessments, threat hunting and monitoring. For a more proactive stance on incident response, consider the following best practices.
Preparation. A plan must be in place to both prevent and respond to incidents. Ideally organizations should have a dedicated incident response team or identify a virtual team leveraging existing resources, while ensuring playbooks for phishing, data-breach and other types of incidents exist and are updated regularly.
Detection and Analysis. It's important to have the right preventive tools in place to mitigate the many threats organizations face. The security team needs the ability to ingest system, application and other relevant logs into a central logging tool so they can be correlated, analyzed and used to identify suspect activity and respond to it. Ensure the proper tools are in place to detect and investigate incidents, as well as to collect and preserve evidence.
Containment, Eradication and Recovery. Containment will help halt the effects of an incident before it can cause further damage. Once an incident is contained, the remediation effort can start, including bolstering your cybersecurity posture based on initial analysis, while deeper root cause analysis can be used to prevent similar incidents from occurring again in the longer term.
Post-incident Activity. Every incident provides an opportunity to learn and improve, so once a threat has been contained, it is important to produce a post-incident report. Document the important points from the incident response: what happened and how, how effective your incident response plan was, and what could have been done better or more efficiently. Defining what precursors to watch for going forward is another key step in consistently honing your response to phishing or other breaches.
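As an illustration of the log correlation described under Detection and Analysis, the Python below (an added example, not the author's or CrowdStrike's code) joins a mail-gateway export with a web-proxy export to scope one user-reported phishing message: who received it, who browsed to the phishing host after delivery, and which gateway message IDs to purge from mailboxes during containment. Both logs, their column names and the sample rows are constructed assumptions.

```python
import csv
from io import StringIO
from urllib.parse import urlparse

# Constructed sample logs (not from any real system): what a mail gateway records
# about delivered messages and what a web proxy records about outbound requests.
MAIL_LOG = """time,sender,recipient,message_id
2024-03-04T08:01:10Z,helpdesk.uni@gmail.com,alice@example.edu,m-1001
2024-03-04T08:01:11Z,helpdesk.uni@gmail.com,bob@example.edu,m-1002
2024-03-04T08:01:12Z,helpdesk.uni@gmail.com,carol@example.edu,m-1003
2024-03-04T09:15:00Z,registrar@example.edu,alice@example.edu,m-1004
"""
PROXY_LOG = """time,user,url,status
2024-03-04T08:05:42Z,alice@example.edu,http://example-edu-login.net/reset,200
2024-03-04T08:30:00Z,dave@example.edu,https://portal.example.edu/reset,200
2024-03-04T10:02:17Z,carol@example.edu,http://example-edu-login.net/reset,200
"""

def _rows(text):
    """Parse a CSV log export into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))

def scope_phish(mail_log, proxy_log, reported_sender, reported_url):
    """Correlate mail delivery with proxy clicks for one reported phishing message.

    Returns (recipients, clicked, message_ids): everyone who received mail from the
    reported sender, the subset who then browsed to the phishing host after delivery,
    and the gateway message IDs to purge from mailboxes during containment.
    """
    phish_host = urlparse(reported_url).hostname
    delivered, message_ids = {}, set()
    for r in _rows(mail_log):
        if r["sender"] == reported_sender:
            delivered[r["recipient"]] = r["time"]
            message_ids.add(r["message_id"])
    clicked = set()
    for r in _rows(proxy_log):
        user = r["user"]
        # ISO-8601 UTC timestamps in one fixed format compare correctly as strings.
        if (user in delivered and urlparse(r["url"]).hostname == phish_host
                and r["time"] >= delivered[user]):
            clicked.add(user)
    return sorted(delivered), sorted(clicked), sorted(message_ids)
```

Recipients who clicked are candidates for a credential reset and endpoint check; every recipient, clicked or not, still needs the message removed so the link cannot be opened later.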
Phishing — and social engineering in general — unfortunately works. Almost everyone has an e-mail address, and people's trusting nature and willingness to help others often make them susceptible to manipulative phishing attacks. Protecting yourself and your institution from these cyberattacks is a team sport that requires vigilant people to keep an eye out for suspicious clues and report them to the appropriate staff.
About the Author
Jerry Dixon is chief information security officer for CrowdStrike.