Phishing Unmasked: Empowering Your Team
Jara Rowe: Welcome to Securing October with Trava. This is part two of our two-part series on different cybersecurity topics in celebration of Cybersecurity Awareness Month, which is in October, and today is the last day, but cybersecurity is important all the time. I am Jara Rowe. I'm the content marketing specialist at Trava, and I am here just to lead the team behind the scenes mostly in the webinar today. We are going to tackle phishing. Just a couple of other housekeeping things: there are a couple of resources across the bottom for people to be able to download and click, so you can learn more about phishing at a later time. And we will be sending out the recording by the end of the week. Third, there is a Q and A function, so if you want to ask any questions throughout, please go ahead and use that functionality, and we have time at the end of the webinar to answer. There has been a slight change in our plans for the day. We will not be having a Trava demo, but if you do have any questions, please feel free to ask those. I will go ahead and end the poll. It looks like we all pretty much know someone that's been a victim of a phishing attack, so hopefully you get some knowledge today to where that doesn't affect you or a loved one anymore. We will go ahead and get started. For our agenda, we will do some intros for the team. They will go and break down phishing, and then we will have a quick Q and A at the end. I will go ahead and pass it over to Christina and Marie.
Christina Annechino: Awesome. Hi, my name is Christina Annechino. I'm the Cybersecurity Analyst here at Trava. I've been working on compliance, I also have done vulnerability management as well as writing vulnerability reports within our BCRAs, our baseline cyber risk assessments. Yeah, a little bit about me.
Marie Joseph: Yeah, and I'm Marie Joseph. I'm a Security Solutions Engineer here at Trava, been here a little over two years. I mainly help our customers through any compliance engagements that they're looking for, so helping them get their certifications and getting them through audits every year. That's what I do. I'll pass it back to you, Christina.
Christina Annechino: Awesome. All right, well let's jump right in. Topic of conversation: phishing. What is it? It's a type of social engineering attack, but before I go more in depth with the phishing definition, let's talk about what social engineering is. Social engineering is the type of attack geared towards manipulating human behavior that will lead a victim to either divulge confidential information, download software, click into a maliciously controlled webpage, transfer funds, or make any other different mistakes that will compromise either personal or company security. An attacker will try to invoke emotions such as fear, sympathy, or urgency to cultivate a real situation that must be addressed by the victim right now. The goal is really to distract the individual that they're targeting and play on the initial human instinct that will trigger the mistake. Defining what phishing is: it is the attempt to steal a user's information by sending fraudulent communication. This can be in the form of emails, SMS texts or even phone calls, posing as a legitimate known contact asking for some kind of action from the email recipient. I want to provide some statistics to you. Phishing attacks are becoming increasingly sophisticated and pose a significant threat to organizations and individuals alike. Reported by CISA, it's estimated that about 90% of cyber attacks originate from some form of phishing. Also, based on email security data from Cloudflare from the timeframe May '22 to May '23 (Cloudflare is a content delivery network and cloud security platform), they processed approximately 13 billion emails, which included blocking 250 million malicious messages from reaching user inboxes, so a very large number. Also, from data collected during CISA assessments run for federal and critical infrastructure partners, eight out of 10 organizations had at least one employee successfully exploited by a phishing attempt during these security assessments.
Really what we're trying to convey is that phishing is quite prevalent today. All right, so I'm going to get into some specific types of phishing attacks. Each of these is kind of a variation of phishing, and we'll focus on different types of targets and different techniques used by attackers to achieve the same goal, which, as mentioned before, is stealing data. Let's start with spear phishing. Basically it's targeting a specific individual or group, so careful research has been conducted to really build a complete profile of the trusted sender. Next we have whaling. This is going to be highly targeted, really aiming at a C-suite executive, and then the focus here is to get victims to perform a secondary action such as initiating wire transfers, which would be common with execs. Next we have vishing, or voice phishing. Basically this is defrauding over the phone. A common approach would be for an attacker to pretend to be an internet service employee, really to extract credit card or banking information from their target. Next we have smishing, so this is SMS-based phishing. This has become more popular with BYOD and remote work arrangements. Basically what this means is more people are using mobile devices at work, creating a larger target area for attackers for phishing attacks. Then finally we have tailgating here. This is a physical attack, meaning someone is going to be sneaking into a building they are not authorized to enter. For instance, an example here would be an intruder posing as a mail delivery person or vendor. Again, they're going to try to tap into that initial human interaction of opening the door for someone, a common human action, to get into the building, and that would be a form of tailgating. Then finally, we have clone phishing. This occurs when a legitimate email or website is replicated. The reason why this is successful is because legitimate details are included and the signs of phishing attempts can be really subtle.
This would include adding logos, layout, and content to the copied email or website. These are just a few. There are definitely way more different types of phishing attacks, but I just want to make sure we're touching on some different terminology and making sure that we know all about phishing. All right, so let's get into phishing versus spoofing. In reviewing what phishing is, it's also beneficial to review what spoofing is as well. Since they are somewhat similar attacks, understanding how each of these threats differs can ensure you protect against both phishing and spoofing effectively. I'm just going to briefly describe what an attacker will focus on during these attacks. For phishing, the attacker is going to be sending various types of targeted messages in order to acquire sensitive data and possibly leading a user to a fake website. Then for spoofing, the attacker has already disguised themselves with the identity of a legitimate source with the intention of installing malware, conducting further attacks and so on. Really with spoofing, it's that the profile of a legitimate source has already been created, and that would be the difference. For context, a phishing attempt can actually begin with a spoofing attack. An example of spoofing would be email spoofing. An email address would have been created accurately resembling a trusted sender, where the from field is going to be written to mimic the name and email of the known contact. This is what can precede a phishing attack. Other spoofing attacks include DNS and IP spoofing as well. Great, so moving forward. Let's talk about some common tactics and objectives. CISA phishing campaign assessments have identified some of the most successful subject lines for phishing attacks. This is going to include financial security alerts and updates. Basically the impersonation of a tax professional stating you need to confirm right away your social security number, ATM, debit card PIN.
If you look on Bank of America's website, they've actually stated there that they will never request these details through this line of communication, so it's really important we're aware of that. The next subject line would be organization-wide announcements and updates. For instance, this can include maybe, "Payroll has been delayed," providing an employee with an additional clarification, clicking on a link to visit that site for that additional information. Next, we have user-specific alerts. This can range from security awareness training updates to immediate password resets, as well as a Zoom meeting link where your meeting time has changed and, "I need to make sure that you click on that to get access," so definitely they're trying to target that urgency. That's the main point here. I want to also talk about some of the different objectives that the attacker's going to be focusing on during a phishing attack. As we previously mentioned, stealing credentials is definitely a big one; distributing malware, so replacing a safe link within a replicated email; data theft is going to be something very prevalent as well, including financial gain and identity theft too; as well as disruption. This can include disrupting an operation or service manipulated by victims. All right, next, so we want to make sure we know what to look out for. I'm going to go through some of the different phishing cues that have been used, and then Marie's going to definitely get into these a bit further, so I just want to give a high-level explanation. A generic greeting, so if you get an email with a title or a greeting of "Dear user," as opposed to your actual name, since the attacker may not know that, that can be something to look out for. Suspicious email addresses, so an unfamiliar email address, maybe the domain has a character or two different from what you're currently used to. Urgent or threatening language, so this is going to be used to create pressure to take that immediate action.
Unusual URLs and hyperlinks, so the phishing email may contain URLs and hyperlinks that appear legit, but upon closer inspection, if you hover over it, you can see where the redirect is going to end up, and it potentially might be a malicious website. Then requests for personal info, so phishing emails are going to be requesting information such as credit card details, social security numbers, even your phone number; any personally identifiable information is going to be requested in a phishing attack. Then finally, misspelled words. Something to note: if you're looking through an email and you're seeing a lot of misspellings and grammatical errors, that could be an indicator of a lack of professionalism and a potential scam, so also something to look out for. With that, I'm going to pass it on to Marie, who's going to discuss more explicitly verifying legitimacy and how we do that.
Marie Joseph: Yeah, so jumping into it all a little further, we'll list out some ways to verify legitimacy when it comes to emails, since it tends to be one of the most common phishing attacks for businesses, but feel free to look for some of these signs through other forms of communication too, like on your phone calls or through text messages. Christina touched on a few already, but like she said, I'm going to jump into them a little further. Checking for grammatical and punctuation errors: threat actors often have grammatical errors within their emails themselves. Often they're doing them and writing them pretty quickly to get more out in a consistent manner so that they can get more data from more people, so watch for any inconsistencies that might seem suspicious. Then evaluating the content and the call to action. You're most likely getting an email from someone you do business with, or it might seem that way, so make sure that the content or any other requests actually seem like a logical request. If it seems like an odd ask or the person does not seem to be themselves, then it's most likely a scam and it's really not that person. With threat actors, they often try to create a sense of urgency, and they really know how to trigger those certain human emotions to get you to act on it in a quick manner and hopefully try to make you not think in a logical way, so be sure to take the steps to verify if it all feels logical and legitimate. Then the next one is verifying the link before you click on it, which Christina did touch on a little bit too, but on your desktop it's a lot easier to do. You'll be able to hover over a link and kind of see the preview in one of the bottom corners of your browser. From there you can really see: is that a legitimate website or not? Often it won't look like a real website if it's someone trying to scam you. Then beware of shortened links.
Like I mentioned in the last bullet, be sure to use that hovering-over technique and make sure the website is even spelled correctly. A lot of the time it'll have some sort of grammatical error even in the link, so just be extra cautious. It is recommended you type out the link yourself if you can too. I always recommend that. I try not to click on the links within emails. If I know the way to directly get to it through whatever the software is, through that login, I try to go through the link my own way. Then lastly, it's basically just to talk to your coworkers. Bring up suspicious emails to your coworkers and see if they're getting them too. That's kind of one of the best ways of seeing what other people are seeing and seeing if other people are getting the same type of phish-y emails that you are. Business phishing attacks occasionally will go to multiple people in your company; you're not usually the only one being targeted, they're trying to get in at multiple different points, and that is often how you can tell if your security team is testing your phishing knowledge too, because in some cases it might be some sort of phishing campaign that your security team is trying to test you on. But that's just a few for verifying email legitimacy; there are lots of other ways, but these are some of the more typical ones. Then moving on to some best practices for phishing prevention. We'll talk about some of those. There are a lot of different technical controls that you can put into place at your business and also in your personal life, so just always take all of these things and put them into your personal life where you can too. It doesn't just have to be in a business setting. The first one I want to talk about is email filtering and anti-phishing software. Filters work well to catch spam and any sort of phish-y, scammy type of emails you're getting in your main inbox.
These are especially nice from a business standpoint, as they often will mark emails as coming from an external user. That helps you be able to tell that you should probably take extra caution when it's coming from someone that's external. Make sure it's actually one of your clients, one of your vendors, one of your partners or someone you're expecting an email from, because there's a good chance if it's someone you're not familiar with, it could be a phishing attack. But in other cases, like Christina was talking about earlier, spoofing is really big too, where they do claim to be your boss or someone higher up at your company or someone that you might have worked with in the past, claiming to be them just to try to get that information. Those filters can help prevent that in some ways, but just be careful and take extra caution. Then there's also multifactor authentication, or MFA, which is how you often hear it shortened. MFA should be used wherever you can, so turn that on wherever possible. If credentials were to be compromised through a phishing email, this MFA would give that extra safeguard to your account, where a threat actor would need that one extra code to be able to access it even if you already clicked on the link or accidentally gave some of the credentials away because it was a suspicious email and you didn't realize. Having MFA turned on could possibly prevent the attack from going any further. We talked about it earlier too, a couple weeks ago in our last webinar; it was MFA related, so if you're curious to learn more about it, I would recommend going back and watching that recording. There are plenty of things you can do internally to help train yourself and your employees to spot phishing attacks, so we just listed a few of those here. We recommend establishing a phishing awareness program, and this includes a few of the following, which are interactive simulations and exercises.
I think I talked briefly about them already, but for example, this would be sending out phishing campaigns that lead employees to more mandatory training if they fail. This helps train your people and hopefully always have them thinking about security first when interacting with any sort of line of communication. The next is identifying red flags and suspicious elements, so making sure that you let your employees know the tips and tricks of spotting something phish-y. It doesn't need to be something you keep a secret from people. If there are certain tactics they should look for, just let them know. This can also come from the interactive training in your regularly scheduled security awareness trainings that you most likely are doing at your company already, typically on a monthly or annual basis. Then there's reporting procedures and escalation pathways. I personally think this one is really important. You should make it super easy for your employees to be able to report suspicious activity and messages. If it's not an easy process, then people aren't going to do it. I recommend making it a process that anyone with any background, any job title can understand and do, so that they're constantly reporting things that might not seem logical or accurate, so just making that part really easy is super important. Then keeping employees updated on current threats. It's good to continually update your staff on the ever-changing social engineering attacks. They are changing every day, different tactics, because occasionally we'll be putting controls in place or we'll have new ways to limit that risk, so threat actors are constantly changing their mind to figure out how they can manipulate people a little more to get that data from you. Then next we want to talk about why it's essential to start and get ahead of the attacks. I talked about some of them briefly, but like I have been doing, I'm going a little bit more in depth with each.
First is data protection, so it's important to safeguard sensitive information and to prevent unauthorized access and data breaches. Then second, this one is about financial security. Honestly, this is probably one that I've been seeing come up a lot more recently, and a lot of people have probably heard it in different audits and stuff too, which is fraud. A lot of people are getting asked about that on their risk assessments, through their different security audits, but this is important when it comes to protecting against financial losses resulting from fraudulent activities and scams. Then third, which I think is a little bit more important than fraud, is your reputation management, so maintaining a trustworthy image and protecting your organization's reputation is very important. That reputation is something that is really hard to improve once any damage has occurred to it, so being proactive on this is very, very important because, like I said, you can't replace what you have. If you lose trust in someone or some company, it is really hard to gain that back. It's almost irreversible. Then another one is compliance and legal consequences, so getting ahead of these attacks can help you avoid costly legal consequences and regulatory non-compliance. Security and privacy incidents can occur from these breaches and can lead to expensive legal issues, and in some cases, these issues can cause businesses to completely go out of business, and it's really hard for them to bounce back from. Following different compliance and legal requirements beforehand can be a great way to proactively get ahead of the game. Then lastly, I want to talk about business continuity. It's very important to ensure uninterrupted operations by preventing downtime caused by security breaches.
This can go back to some of the legal requirements I was just talking about that you have with clients, because if there's downtime, in some cases, depending on what your revenue is, it can cost thousands if not millions of dollars per minute depending on how long your website's down, so just making sure that everything can run smoothly if something were to happen in one area of your business. Now we really want to give a recap of what we learned today and some quick takeaways. If you were to learn anything, it'd probably be these main points, or you probably already know them, so just reiterating them, but the first one that we learned today was really what phishing means. It's a social engineering attack that is used to get access to your accounts and personal information, and in some cases, money. Then there are also different types of phishing, and there's also the difference between spoofing and phishing, which I know Christina talked about earlier too, and it's very important to know the differences there. But we also learned about spear phishing, vishing, whaling, smishing, tailgating, and clone phishing, and there are so many others with funny names, but they're not a funny thing if they're happening to you. They're pretty interesting to learn about, so I recommend taking a deep dive into them if you haven't already, but taking that deep dive can help you also learn more of the telling signs of how to catch that within your own organization and in your personal life too. I think it's really important, again, to bring it into your business world and into your personal world, because they're coming from every angle. Then we also acknowledged the signs. Some of the things we talked about to kind of catch these types of attacks were to check links before clicking and to look for grammatical errors or those odd requests; they're always asking for something that always seems a little off.
It never seems like it's part of your normal day conversation with someone, it just comes out of nowhere, which means you should check on that, which also brings us to the last one I wanted to talk about, which was a sense of urgency. Attackers are always going to try to play into your emotion, because that's how people tend to respond quicker and in a faster manner. Always think about that logical ask and take time to respond. I always live by the fact that you can always tell when it's super urgent, and even if it is, just give it a few minutes and think about it, and then you can tell. Then also just ask around with other employees, "Is this legitimate?" Then we also talked about best practices, so training your employees is super important. You can also be training your friends and families. I think it's so important to bring it outside of work, and noticing those signs is huge, so continually stay up with best practices, stay up with the trainings, all those current events. Another thing to bring up again is that easy reporting process. Anyone from any background, any title within your organization should be able to report it very easily, and that way it'll get people talking more too. Then also, once again, just staying up with those current threats. I think one of the big ones recently was those attacks on the casinos in Vegas, and I think that brought a lot of awareness to a lot of different people of how easy social engineering is; just a phone call was how some of those attacks happened, so just being aware of what you're doing and what information you're giving out is super important. Then lastly, I just want to leave off with something I've been hearing more people in the security field reiterating, and it's that people are known to be your weakest link when it comes to security, but they can also be your strongest link. It's becoming easier to prove to people why it's important as more and more businesses get hacked.
Bouncing back from attacks is not fun or easy in most cases, so it's important to get ahead of it all, like we were mentioning earlier today, and that all starts with your people. Your people are the most important factor. That's it about phishing, so I don't know if we want to open up for questions, if Jara wants to come back in. Oh, no, you're muted, Jara.
Jara Rowe: Geez, Louise, man.
Marie Joseph: Happens.
Jara Rowe: Well, thank you two. If anyone has any questions, please feel free to use those in a Q and A. I definitely learned a lot. I do have a question personally. Christina, you were talking about phishing and spoofing and they just seem very, very similar still. Can you just dive into that a little more about how we can tell the differences between the two?
Christina Annechino: Yeah, so definitely. With the spoofing attack, really the main difference that I want to highlight and just reiterate is, A, the legitimate source that's going to be sending the phishing attacks is already created, made to look legitimate. With spoofing, that profile that you're looking at is already going to be finalized based on additional spoofing that an attacker has conducted to create that profile. Really it's just having that something look very, very legitimate based on previous work that the attacker has done. I just want to make sure that we're protecting against spoofing and phishing, so know the difference and make sure that we're aware.
Marie Joseph: Agreed, and also to touch on that, a lot of people get those names from LinkedIn. LinkedIn's one of the biggest ways for people to figure out who's your CEO, who's your boss. It's super easy for people to figure out your organization's tree, so always look at what email it actually is coming from too. They can use your boss's name all the time, but it's not actually coming from the actual email address of your boss.
Jara Rowe: Yeah, wow.
Christina Annechino: I would actually like to add, sorry, one more thing.
Jara Rowe: Oh no, go for it. I love it.
Christina Annechino: Just to add on what Marie said, so an email that you got from your boss, maybe the syntax is first name, last name, and your company domain. Potential spoofing email could be first name, company domain. That could be something that the attacker would lean towards. Being aware of these emails and just making sure that you're double checking everything is really important as well.
Jara Rowe: Mm-hmm. Wow, Marie, you mentioned LinkedIn and the Vegas stuff, and from what I read, they got on LinkedIn and found someone important's name and then were able to figure out and pretend to be them. It totally makes sense. Scary, very. We have another question here. They asked, "How can I best educate my employees to be cautious of these types of attacks?"
Marie Joseph: That's a great question. I think that it really shows in current events. I heard a lot more people that I know personally talking about those Vegas ones because they were just so interested and were just thinking, "Oh, these things really do happen." In a lot of cases, people don't think they're important until they actually happen to them, which does really suck when it had to happen to you and you lost something or got some accounts compromised, and that's what took you to figure out, "Oh, this is important to do." I think just reiterating things that have really happened, and I don't like saying it, but putting that fear tactic in them is pretty important, because that's the only way they'll take it seriously, and in a lot of cases, people knowing their job might be on the line is also important. A lot of businesses put in a three-strike rule where if you do our phishing campaigns and click on them three times within X amount of time, it's probably going to end up on your review, your annual review that happens every year, so just having that. It doesn't look really good, and other employers aren't going to find that looking really good either, because they don't want you to be a risk to them. But not sure if you have anything else to add, Christina, for that.
Christina Annechino: No, I was actually, yeah, just one more thing: conducting security awareness trainings can be something really great. InfoSec has a lot of great security awareness trainings, especially leaning towards phishing, so definitely look into those and any other resources in terms of trainings, yeah.
Jara Rowe: Great. There's another question. "Are there specific roles that attackers attack more often than not?"
Marie Joseph: Oh, definitely. One in particular: anyone that does your finances is really one of the main targets. People want money, that's really one of the main ones. Otherwise, it's the data. You'll typically see, I believe, anyone in finance, sometimes HR, because HR also has a lot of that data where they could take that data and then connect it to more things, and then your security is easier to hack into the business. Also anyone higher up, like your CEO, that is probably one of the biggest targets. But Christina, do you want to dive in on any?
Christina Annechino: Yeah, I was just going to mention, yeah, so anyone in a higher-up position is definitely a main target. For whaling, just specifically on that attack, it's quite prevalent.
Marie Joseph: Yeah, and they like to target anyone that probably will have more admin access to any of your accounts, because once you get into that, you can just branch down to the entire business, which is not fun.
Jara Rowe: Yeah. All right. Well, if there are no more questions, we will give you all some time back into your day.