Why Phishing Campaigns Succeed – And How to Fight Back
Here’s an encouraging stat: Nearly all (99%) of email-based threats like phishing are totally harmless in and of themselves. In order to become dangerous, they require some type of user interaction, whether that’s clicking on a link, opening an attachment, etc. Yet, email remains a highly popular and lucrative attack vector. In fact, phishing ranks as the leading cause of data breaches according to Verizon’s 2019 Data Breach Investigations Report. What do these two things tell us? Cyber criminals have gotten very good at getting users to interact with compromised messages.
There’s a clear, finely-tuned psychological element behind that success rate. Criminals have learned how to manipulate people into behaving in a certain way. Researchers from the University of Florida and Google picked apart this phenomenon in order to learn what makes these attacks so effective. One reason is that phishing targets the part of the brain dedicated to making quick decisions. Researchers noted how people agonize over important decisions while others are made automatically, without thinking. For most, clicking on links in emails falls into that second camp. They don’t take the time to stop and think “Is this something I should be doing?” It’s a reflex.
Phishing attacks may also play off a target’s emotions. Those same researchers found people with higher levels of stress tended to be more skeptical and were better at sniffing out scams. Attackers also know this and often program against it. Some phishing campaigns are structured to put victims in a good mood, thus lowering their stress level (and their guard!). That, in turn, makes them more likely to click on a link or attachment.
Another way attackers look to slip past a person’s defenses is by impersonating a source the victim trusts. In some cases this might be a boss or another authority figure. That trusted source could also be a company. Security firm Vade Secure regularly publishes a list of the companies most often impersonated during phishing attacks. The latest leaders in the clubhouse? Microsoft, PayPal, Facebook, Netflix and Bank of America. Microsoft, with its highly-valuable Office 365 credentials, has held the top spot on this list for five quarters running. Actually, this exact collection of companies made up the top five last quarter as well, only in a different order.
Masquerading convincingly as Microsoft isn’t just a psychological endeavor. It also requires some heavy lifting on the technology side. Criminals have taken to swiping code from legitimate Microsoft websites and using it to make the line between their attack and the real thing almost imperceptible to even the most eagle-eyed, battle-hardened user.
5 telltale signs of phishing emails
While the picture painted above is pretty bleak, things are most certainly not hopeless. There’s plenty that organizations – and end users – can do to protect themselves. The best thing is to slow down. Sure, that’s easier said than done. Before a user interacts with an email – remember, 99% of the time, interaction is key – have them mentally run through a checklist of common phishing warning signs. This can slow them down just enough to get ahead of attackers.
- Excessive or suspicious typos. At first glance, typos can be easy to miss. Also, they may not even be an indicator of a threat, just that the person on the other end of the email was in a hurry. Still, too many misspellings, and misspellings in certain places, are major red flags. That “@micorsoft” domain name in the sender’s email address might not jump out at first, but it’s a near-certain indicator of a threat. Other typos, like continually misspelling a company or contact’s name, are worth noting.
- Uncommon groupings. Users tend to see the same names popping up in messages they’re CC’d on. It could be other people in their department, people they’re working on a project with, etc. They should be suspicious if they’re suddenly CC’d on a message with a group of names they don’t usually see. If the collection of names appears random or if it has a rudimentary pattern (like all of the last names start with the same letter), users may want to look at it more closely – or even better, send it to the security team for further analysis.
- Misleading hyperlinks. When it comes to phishing attacks, the truth is often in the hyperlinks. Encourage users to hover their cursor over a hyperlink prior to clicking on it. They should look for telltale signs of foul play like web addresses that don’t match the supposed sender. Typos again come into play. Attackers will often purposefully misspell something to make a fraudulent site look legit. For example: rnicrosft.com instead of microsoft.com.
- Unrequested follow-ups. Something can’t be dangerous if it’s just following up on an earlier message, right? Attackers love to exploit that line of thinking by creating bogus subject lines that make threats appear to be nothing more than harmless responses to a user’s original message. If a user doesn’t recall sending that initial email, and there’s no sign of it in his or her sent mail folder, there’s a good chance that message should be regarded as a threat.
- Unusual behavior. There’s a rhythm to the average workday and no one knows that better than the user who lives it each week. He or she knows when to expect given messages and requests. That’s not to say surprises don’t happen. However, if a billing request comes through in the middle of the night, one that usually arrives safely during business hours, users may want to think twice before interacting with it in any way.
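Two of the checklist items above, typo-ridden sender domains like “@micorsoft” or “rnicrosft.com” and hyperlinks whose visible text doesn’t match where they actually point, can be partly automated so the security team gets a first pass before a user ever has to rely on gut feeling. The Python script below is an added example, not code from the original post or from Arraya; the brand list, the confusable-glyph table, the edit-distance threshold and the sample message are all constructed assumptions for illustration.

```python
"""Added example (not code from the original post or from Arraya): a small
triage script for two checklist items above, lookalike sender domains such as
"@micorsoft" or "rnicrosft.com", and hyperlinks whose visible text names one
site while the href points to another. The brand list, confusable-glyph table,
edit-distance threshold and sample message are constructed for illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand list; a defender would maintain this from their own data.
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com", "facebook.com", "netflix.com", "bankofamerica.com"}
# Glyph pairs that look alike in many fonts; collapsing them makes "rnicrosoft" equal "microsoft".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def normalize(label):
    label = label.lower()
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap of
    two adjacent characters each cost 1, so "micorsoft" vs "microsoft" is 1."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_domain(domain):
    """Return the trusted domain this one imitates, or None if it is trusted (or a subdomain) or resembles no brand."""
    domain = domain.lower().strip()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    labels = domain.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]  # the label before the TLD
    for trusted in sorted(TRUSTED_DOMAINS):
        # Threshold of 2 edits after glyph normalisation is an assumption.
        if edit_distance(normalize(sld), normalize(trusted.split(".")[0])) <= 2:
            return trusted
    return None

class _AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def host_of(url):
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def mismatched_links(html):
    """The 'hover before you click' check: (shown_host, actual_host) pairs where
    the link text names a domain but the href goes somewhere else."""
    parser = _AnchorCollector()
    parser.feed(html)
    out = []
    for href, text in parser.links:
        m = DOMAIN_RE.search(text)
        if m and host_of(m.group(1)) != host_of(href):
            out.append((host_of(m.group(1)), host_of(href)))
    return out

def triage(sender, html):
    """Run both checks over one message and return human-readable findings."""
    findings = []
    sender_domain = sender.rsplit("@", 1)[-1].strip(" >").lower()
    brand = lookalike_domain(sender_domain)
    if brand:
        findings.append(f"sender domain {sender_domain} resembles {brand}")
    for shown, actual in mismatched_links(html):
        findings.append(f"link text shows {shown} but points to {actual}")
        brand = lookalike_domain(actual)
        if brand:
            findings.append(f"link target {actual} resembles {brand}")
    return findings

# Constructed sample in the style of an Office 365 credential lure.
SAMPLE_SENDER = "Microsoft Account Team <security@micorsoft.com>"
SAMPLE_HTML = ('<p>Unusual sign-in detected. Review it at '
               '<a href="http://rnicrosft.com/login">https://login.microsoft.com</a>.</p>')

if __name__ == "__main__":
    for finding in triage(SAMPLE_SENDER, SAMPLE_HTML):
        print("FLAG:", finding)
```

Run stand-alone, the sample produces three findings: the sender domain resembles microsoft.com, the link text shows login.microsoft.com while the href goes to rnicrosft.com, and that target in turn resembles microsoft.com. The glyph table is deliberately small and the two-edit threshold is a guess; in practice both would be tuned against the organization’s own mail, and a real subdomain of a trusted brand (login.microsoft.com) is left alone so the check doesn’t flag legitimate traffic.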
Next steps: Give your organization the tools it needs to fight phishing attempts
Really, the best defense users have against phishing attempts is their gut. If something feels wrong, then there’s no harm in calling in the experts to check it out. The key is giving them the knowledge to recognize threats and empowering them to slow down and assess a situation before reacting. Arraya’s Cyber Security team can help facilitate the training users need to be ready for the worst today’s cyber criminals have to offer. Visit https://www.arrayasolutions.com/contact-us/ to open up a dialogue with our team today!
Have some thoughts you’d like to share about this post? We want to hear from you! Leave us a comment on this or any of our blog posts through social media. Arraya can be found on LinkedIn, Twitter, and Facebook. While you’re there, follow us to stay updated on our industry insights and unique IT events.