Every so often, a computer “virus,” malware, or data breach makes headlines, populating our Google searches, social media feeds, and email inboxes when a company we use is affected. It’s unnerving, to say the least, but you’re pretty sure that you follow all the rules, meaning it won’t happen to you. Right?
One of the more popular buzzwords, phishing, has been tossed around enough that you could fill an aquarium if you had a real fish for every time you heard the word. On the surface, the concept seems simple enough and if you’ve done some investigating, the ruse doesn’t seem all that clever. Besides, you have security software that is supposed to prevent these kinds of things.
The sad truth is that just as our technology evolves and becomes more sophisticated, so do the methods employed by ne’er-do-wells of the world. One day, you respond to a seemingly valid communication and the next day, money or products have disappeared. So how does this happen?
The Evolution of Phishing: An Incredibly Brief Timeline
Over the years, phishing has advanced in much the same way as physical fishing, only over a shorter period: humans went from spearing fish in shallow waters to running commercial fishing enterprises. In the same sense, phishing, which is rooted in simple deceptive tactics, has become more widespread and more complex.
Early phishing attacks were simple. Bad guys would create emails with a domain that “looked close” to that of a legitimate business. For example, let’s assume that at some point there was someone at Microsoft named Steve who worked in the support division. He would have an email address that probably looks like email@example.com. Knowing the naming convention for a Microsoft email address, attackers would simply buy similar-looking domains and haphazardly send out emails with fake content and links from addresses like firstname.lastname@example.org, which looked close enough to fool a lot of people.
Eventually, these illegitimate domains would be blacklisted, purchased by the affected company, or both, which prevented emails from these domains from reaching victims. Though this kind of attack still occurs, built-in spam filters catch these attacks. As a result, phishing schemes have become much more insidious.
The Hyperlink and How it’s Exploited
A hyperlink in a message from a legitimate company should send you to a valid resource. The most common example is when you have forgotten the password you use to log in to an account. You’ll get an email that looks something like this:
This particular email includes a button that links to the user’s Vudu account with a token that validates the user’s session to their account via a verified email, allowing them to change their password. You’ll also see a full link (which is partially blocked for security reasons) to be copied and pasted into a browser.
So why copy the link when it looks like a perfectly valid email?
Let’s look at a simple example to demonstrate why many companies opt to include a full link for such processes. First, click each of the links below before you continue reading.
If you actually clicked on both links, you’re aware that the first link takes you to a YouTube video with dancing hamsters. The second link goes to a StackExchange page discussing how an XSS attack could be initiated through an anchor tag, the HTML element that allows you to create links.
Most email applications capably recognize when a link is highly suspicious, but the problem is that modern email phishing exploits have been refined to circumvent detection. Further, these kinds of attacks don’t stop at just emails – links end up in SMS messages, other kinds of Internet-based messaging apps, social media, and more.
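An anchor's visible text and its `href` are independent, which is why a link can display one address and open another. The Python sketch below is an added example, not part of the original article or of any Inky product: it flags anchors whose text names a different host than the target, and anchors with a non-web scheme. The sample HTML, hosts and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body; hosts and token are placeholders.
SAMPLE_HTML = """
<a href="https://videos.example.net/watch?v=1">https://www.example.com/account</a>
<a href="https://www.example.com/reset?token=PLACEHOLDER">www.example.com/reset</a>
<a href="javascript:void(0)">Reset your password</a>
"""

class AnchorCollector(HTMLParser):
    """Collect (visible_text, href) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):
    """Hostname if value looks like a URL or bare host, else None."""
    if not value or any(ch.isspace() for ch in value):
        return None
    try:
        host = urlsplit(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None
    return host.lower().removeprefix("www.") if host and "." in host else None

def suspicious_links(html):
    """Flag non-web schemes and anchors whose text names a different host."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        if urlsplit(href).scheme.lower() not in ("http", "https", "mailto", ""):
            findings.append((text, href, "non-web scheme"))
        elif (shown := host_of(text)) and (target := host_of(href)) and shown != target:
            findings.append((text, href, "text and target hosts differ"))
    return findings
```

Anchors whose text is plain wording, such as a button label, are not compared, so this check complements rather than replaces inspection of the target itself.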
Perhaps you’ve received a text at some point that looks something like this:
The interesting part about this message is that Zelle is a valid payment service, but the message looks a lot like spam or some scheme from a digital thief, especially when you’re not a registered user. The point is, we use SMS to communicate with each other as well as with businesses, which means that an email address, a phone number, or a social account is each a possible attack vector.
Phishing in Modern Business
When we look at an email or webpage without manually inspecting the code, the correct aesthetics trigger a trusting cognitive response much like when we see a loved one or a familiar object. When something fits a model stored in our minds, our brains simply put a stamp of approval on the preliminary visual data we’ve gathered, preventing further processing.
This component of psychological evaluation processes laid the groundwork for brand forgery or spoofing, where a criminal creates the illusion that an email comes from a verified sender by implementing the proper layout, colors, logos, and more. Though being proactive can thwart some attempts, the simple fact remains that we don’t extensively think about the familiar.
Preventing Phishing in Business
For a consumer, an attacker who achieves access to an account enjoys gains at the victim’s expense by either manipulating financial transactions or scraping data, which can lead to everything from marginal financial loss to identity theft.
On the business side, there’s a responsibility to protect the business itself but most importantly, employees and customers. As such, it’s critical to implement intelligent software to thoroughly inspect all incoming and outgoing emails, even intracompany emails. After all, we’re all only human. Here are a few examples of why:
By altering the From, Sender, or Reply-To headers of an email, an attacker can make a message arrive in an inbox with false sender information, just as if someone were to purposely write the wrong return-to-sender address on physical mail. Unknowingly, the recipient could simply respond to a request for information or follow a link to a fake site and provide information to an unauthorized source.
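A simple rule-based check on the three headers named above, shown as an added example that is not from the original article or from Inky's product: it reports Sender and Reply-To domains that differ from the From domain. The sample message, its addresses and the function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message; all addresses are placeholders.
SAMPLE = """\
From: "Steve Example" <steve@corp.example>
Sender: mailer@bulk.example
Reply-To: steve@corp-support.example
To: user@customer.example
Subject: Action required

Please confirm your details.
"""

def header_domains(msg, name):
    """Lower-cased domains of every address found in one header."""
    pairs = getaddresses(msg.get_all(name, []))
    return {addr.rpartition("@")[2].lower() for _, addr in pairs if "@" in addr}

def sender_mismatches(raw):
    """Return (header, domains) for Sender and Reply-To domains that are
    not the From domain. A mismatch is a signal to score or review, not
    proof: mailing services legitimately set a different Sender."""
    msg = message_from_string(raw)
    from_domains = header_domains(msg, "From")
    findings = []
    if not from_domains:
        findings.append(("From", []))  # missing or unparseable author
    for name in ("Sender", "Reply-To"):
        extra = header_domains(msg, name) - from_domains
        if extra:
            findings.append((name, sorted(extra)))
    return findings
```

A forger can also set all three headers consistently, so an empty result says only that the headers agree with each other.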
By employing machine learning to develop algorithms on behavior patterns of individual senders and other subtleties, it is possible to spot a deviation and either call attention to suspicious behavior or outright block a fraudulent communication.
Analyze outgoing emails
Is every account secured on a company server such that there’s no possible way someone other than the intended user has access? As much as you’d like to think everyone devotedly follows the employee handbook, this usually isn’t the case.
Not only do executive assistants and trusted colleagues often learn the credentials of other individuals, but malware can also affect these accounts. Someone who accesses work email from a personal phone or computer increases the odds of an attack, as malware could learn a user’s credentials, allowing a bot or human to take over the account and send emails from inside a system. This is why it’s important to go over outgoing emails with a fine-tooth comb before a communication reaches a customer or vendor.
Parse incoming emails
Naturally, you don’t want to receive communications from phishers, as the result may be anything from an employee account being compromised with slight consequence to an entire file server’s worth of information falling into the wrong hands.
Customers may send links to resources, like their Dropbox, containing files to demonstrate how your company is helping their business improve or, possibly, data documenting an ongoing support issue. Vendors may send links to products they’re trying to sell. Any of these communications could potentially be spoofed, contain a redirect to a malicious site, or carry an embedded XSS attack that evades common filters to exploit a resource or information on a device.
Securing Your Company
At Inky, we’ve developed an intuitive system built with adaptive algorithms to learn, detect, and thwart attacks from fake communications. Check out our product and feel free to try our demo for free to see how our Inky Phish Fence secure email gateway can prevent catastrophe at your business.
Andrew B. Goldberg, Ph.D. Chief Scientist at Inky Phishing Protection