4 Effective Methods to Protect Against Phishing Attacks

Phishing continues to plague us in 2020 as the number one attack vector of choice for threat actors. Phishing attacks have grown more sophisticated and harder to spot. Read on to see what you can do to protect your organization from this escalating threat.


What Is Phishing?

Phishing is an attempt to trick users into doing something the attacker wants. It arrives as fraudulent emails and fake websites that lure the user into clicking a malicious link or entering information. The goal is to load malware onto the user's computer, extract personal information, or steal the user's login credentials.

Did you know? Phishing attacks were first made popular in 1994 when a seventeen-year-old hacker known as “Da Chronic” created the first-ever phishing kit, called “AOHell.” AOHell allowed attackers to pose as AOL staff members and send instant messages to potential victims. The fraudulent messages often included imperatives such as “verify your account” or “confirm billing information.”

  • According to the National Institute of Standards and Technology (NIST), identity and credential theft from phishing and spear-phishing attacks was the number one cybersecurity threat in 2019.
  • The Verizon 2019 Data Breach Investigations Report (DBIR) finds that phishing and the use of stolen credentials were the number one threat actions leading to breaches of sensitive data in 2019. It also notes that “research points to users being significantly more susceptible to social attacks they receive on mobile devices.”
  • The Experian Data Breach Industry Forecast 2020 predicts that the top data breach trend for 2020 will be text-message phishing (“smishing”) used for identity theft against members of online communities.

How to Spot a Phishing Attack

Repeated security training and real-world experience have made most of us pretty good at spotting potential phishing emails. We know to look for things like:

  • Misspelled email domain names
  • Poorly written emails
  • Suspicious links
  • Messages that create a sense of urgency

How Phishing Attacks Are Evolving

Naturally, as we get quicker at spotting a phish, attackers look for more cunning ways to fool us. In 2020 the core tenets of phishing remain the same; what is changing is the presentation. Spoofing the sender address removes the misspelled email domain as a tell. Well-crafted email templates sold on the dark web replace grammatically challenged messages. Obfuscated and spoofed URLs get past spam filters and appear as genuine links.

If a sense of urgency already exists in the potential victim, the attacker need only opportunistically match the situation with the right message.
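The tells listed above (look-alike sender domains, suspicious links, manufactured urgency) and the evolutions just described (spoofed addresses, obfuscated URLs, mismatched Reply-To) can be turned into mechanical checks. The following Python script is an added example written for this article, not code from the original page or from HID Global; the trusted domain `example.com`, the urgency phrase list, the crude "last two labels" registrable-domain rule and the two sample messages are all assumptions constructed for the demonstration.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organization's own sending domain
URGENCY_PHRASES = ("verify your account", "confirm billing", "immediately",
                   "within 24 hours", "suspended", "action required")
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)

class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def edit_distance(a, b):
    """Levenshtein distance: one edit away from a trusted domain is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    # Crude registrable domain (last two labels): fine for the example, not for production.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_lookalike(domain):
    """Punycode/non-ASCII (homoglyph) labels, or a one-character edit of a trusted domain."""
    if any(l.startswith("xn--") for l in domain.split(".")) or any(ord(c) > 127 for c in domain):
        return True
    return any(domain != t and edit_distance(domain, t) <= 1 for t in TRUSTED_DOMAINS)

def phish_indicators(raw_message):
    """Return (code, detail) findings for one RFC 5322 message; [] means no tell fired."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    from_dom = msg["From"].addresses[0].addr_spec.rsplit("@", 1)[-1].lower() if msg["From"] else ""
    if is_lookalike(from_dom):
        findings.append(("lookalike-sender", from_dom))
    if msg["Reply-To"]:  # replies silently routed to a domain the sender does not own
        reply_dom = msg["Reply-To"].addresses[0].addr_spec.rsplit("@", 1)[-1].lower()
        if registrable(reply_dom) != registrable(from_dom):
            findings.append(("reply-to-mismatch", reply_dom))
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    parser = LinkExtractor()
    parser.feed(content)
    for href, text in parser.links:
        url = urlparse(href)
        host = (url.hostname or "").lower()
        # http://example.com@evil.test/ : the trusted name is only userinfo, the real host is evil.test
        if "@" in url.netloc and any(t in url.netloc.split("@")[0] for t in TRUSTED_DOMAINS):
            findings.append(("userinfo-obfuscation", href))
        for named in DOMAIN_RE.findall(text):  # anchor text names one site, href goes to another
            if registrable(named) != registrable(host):
                findings.append(("link-text-mismatch", f"{named} -> {host}"))
    haystack = (str(msg["Subject"] or "") + " " + content).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if len(hits) >= 2:
        findings.append(("urgency", ", ".join(hits)))
    return findings

# Constructed sample messages (not real phishes) used to exercise the checks.
SUSPICIOUS = """\
From: "IT Support" <helpdesk@examp1e.com>
Reply-To: recovery@mail-verify.test
Subject: Action required: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Your mailbox will be suspended. Please
<a href="http://example.com@login-portal.test/auth">sign in at example.com</a> immediately.</p></body></html>
"""
BENIGN = """\
From: IT Support <helpdesk@example.com>
Subject: Monthly newsletter
Content-Type: text/html; charset="utf-8"

<html><body><p>Read it at <a href="https://www.example.com/news">www.example.com</a>.</p></body></html>
"""
```

Running `phish_indicators(SUSPICIOUS)` fires all five checks: the sender domain `examp1e.com` is one edit from the trusted domain, the Reply-To goes to a third domain, the link hides the real host behind `example.com@`, the anchor text names a different site than the href, and the subject and body stack several urgency phrases. The benign newsletter produces no findings. In a real filter these heuristics are scoring inputs, not a verdict by themselves: a spoofed From address with a perfectly spelled domain passes the first check, which is why sender authentication (SPF, DKIM, DMARC) is needed alongside content heuristics.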

COVID-19 Themed Phishing Templates Available Online

Not surprisingly, malicious actors are exploiting the urgency surrounding the COVID-19 crisis. According to Google, in April 2020 Gmail was receiving more than 240 million coronavirus-themed spam messages every day.

Building a phishing campaign using the government’s response to the coronavirus as bait became a little easier with the release of COVID-19-themed credential phishing website templates. Templates make it simple for criminals to quickly create high-quality, malicious Web domains that mimic key agencies and organizations involved in fighting COVID-19. In most cases, the look-alike website is a trap for credential mining, identity theft, financial fraud, and enterprise system intrusion. (Dark Reading)

According to Proofpoint, there has been a surge in the creation of COVID-19-themed templates that mimic brands including the World Health Organization (WHO), the Internal Revenue Service (IRS), the Centers for Disease Control and Prevention (CDC), and government agencies from the United Kingdom, Canada, and France.

How Can You Defend Against Phishing?

Phishing is fundamentally a digital con game, and phishers are tech-savvy con artists. The attacker’s goal is to download malware onto a user’s computer, trick the user into divulging personal information, or steal the user’s login credentials. Here are four common methods used to protect against phishing:

  1. Security awareness training—Security awareness training is the front line of defense: it teaches users to recognize the fraudulent tricks used to deceive them and how to respond (report, do not click).
  2. Malware protection—Keeping security patches and malware protection software up to date helps keep servers and endpoint devices from being taken over by malware delivered through a phishing link or attachment.
  3. Email filters—Keeping spam filters and sender-authentication checks up to date helps keep the latest phishing scams out of users’ inboxes in the first place.
  4. Implementing multi-factor authentication (MFA)—Stolen login credentials present an enormous risk since they are typically used as the first step in a larger data breach or cyber-attack. Deploying two-factor or multi-factor authentication means a phished password alone is no longer enough to log in. Not every second factor is equally phishing-resistant, however: a one-time code or push approval can be relayed by a phishing site that proxies the real login page in real time, whereas smart-card and FIDO2/WebAuthn authenticators bind the credential to the genuine site’s origin and cannot be replayed from a look-alike.
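One concrete filter rule behind item 3, which also answers the spoofed-sender problem raised earlier: reject mail that claims your own domain in the visible From header unless SPF or DKIM passed for an aligned domain, which is the DMARC alignment check. The Python below is an added example written for this article, not code from the original page or from HID Global. It assumes the receiving MX has already added an RFC 8601 Authentication-Results header, protects the hypothetical domain `example.com`, uses a simplified "last two labels" organizational-domain rule instead of the public suffix list, and runs over two constructed messages.

```python
import re
from email import message_from_string
from email.policy import default

PROTECTED_DOMAIN = "example.com"  # assumption: the domain whose name this filter protects
RESULT_RE = re.compile(r"\b(spf|dkim)=(\w+)")
PROP_RE = re.compile(r"\b(smtp\.mailfrom|header\.d)=([\w.@-]+)")

def organizational(domain):
    # Relaxed alignment compares organizational domains; last two labels is a simplification
    # (a production implementation consults the public suffix list).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Turn an RFC 8601 Authentication-Results value into (method, result, domain) triples.
    The first clause is the authserv-id; each later clause reports one method."""
    triples = []
    for clause in value.split(";")[1:]:
        m = RESULT_RE.search(clause)
        if not m:
            continue
        method, result = m.groups()
        props = dict(PROP_RE.findall(clause))
        domain = props.get("smtp.mailfrom", "") if method == "spf" else props.get("header.d", "")
        triples.append((method, result.lower(), domain.rsplit("@", 1)[-1].lower()))
    return triples

def dmarc_verdict(raw_message):
    """'pass' only if SPF or DKIM passed for a domain aligned with the visible From: domain."""
    msg = message_from_string(raw_message, policy=default)
    if not msg["From"] or not msg["From"].addresses:
        return ("fail", "missing or unparsable From header")
    from_dom = msg["From"].addresses[0].addr_spec.rsplit("@", 1)[-1].lower()
    if organizational(from_dom) != organizational(PROTECTED_DOMAIN):
        return ("not-ours", from_dom)  # not claiming our name; look-alike checks apply instead
    for header in msg.get_all("Authentication-Results", []):
        for method, result, dom in parse_auth_results(str(header)):
            if result == "pass" and organizational(dom) == organizational(from_dom):
                return ("pass", f"{method} aligned on {dom}")
    return ("fail", f"no aligned spf/dkim pass for {from_dom}")

# Constructed messages as the MX sees them after it has added Authentication-Results.
SPOOFED = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk-sender.test; dkim=none
From: "CEO" <ceo@example.com>
Subject: Urgent wire transfer

Please handle this today.
"""
LEGITIMATE = """\
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=bounce.news.example.com;
 dkim=pass header.d=example.com
From: IT Support <helpdesk@example.com>
Subject: Planned maintenance

The portal will be offline Saturday.
"""
```

The spoofed message passes SPF, but for the attacker's own bounce domain, so it is not aligned and fails; the legitimate message fails SPF (a forwarding hop, say) yet carries an aligned DKIM signature and passes. This is exactly why a filter should key on alignment rather than on a bare `spf=pass`.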

If you are looking to implement advanced multi-factor authentication, the good news is that there are plenty of solutions available. The challenge is knowing what is best for your organization and which vendor to partner with. Ideally, a vendor should provide complete coverage for all your corporate assets and offer a wide choice of human-friendly authentication options such as smart cards, biometrics, behavioral analytics, and converged access control.

The solution should also be easy to connect into your existing IT environment and ready to evolve with your cloud migration strategy.

Learn more about what to look for in a multi-factor authentication solution in our Advanced Authentication Buyer’s Guide.


Jeff Carpenter is Director of Cloud Authentication at HID Global. In his 15+ years in cybersecurity, Jeff has held positions with several top tier cybersecurity and technology companies including Crossmatch and RSA, a Dell Technologies company. He holds both Certified Information Systems Security Professional (CISSP) and Certified Cloud Security Professional (CCSP) designations.