Issue No. 116April 2022

Goin’ Phishing

As many of our readers are already aware, phishing attacks represent an ever-present danger in today’s business environment. They carry not just the risk of a compromised email account, but potential financial and reputational consequences that any business owner would be loathe to ignore. Below, we outline some tips on what to watch for to prevent falling victim to a phishing attempt, and some strategies on how to best educate your team and protect your business.

In recent years phishing attempts have grown increasingly sophisticated. Attackers use multiple techniques to mask the true origins of the malicious emails they send, specifically target individuals within organizations with access to capital, and employ advanced behavioral and social engineering techniques to ensure the greatest chance of successfully compromising corporate assets. By breaking down and examining these techniques, we can arm individuals inside organizations with the knowledge they need to spot phishing attempts before they lead to compromise. First, let’s examine how an attacker masks their email address.

The protocols that govern email date back to the early days of the internet. As such, they have become increasingly vulnerable to individuals that would like to exploit flaws for malicious intent. One of the ways this is done is by changing the display name, or envelope address. This allows an inbound email to impersonate a legitimate one, and largely takes advantage of the way that different email programs like Microsoft Outlook display emails. For instance, an email might originate from [email protected], but the display name might show up as Your Company CEO. Masking the envelope address requires a bit more sophistication, but actually obfuscates the email address itself. So although [email protected] sent the message, the email purports to be from [email protected]. It might also come from an address that doesn’t exist at your organization, but has the correct domain associated (the stuff after the @ in an email address is the domain.) Either one of these attacks can be mitigated by most third party email filtering services, but should an email make it through it is important that end-users are aware of these techniques so that they can guard against them. One means of doing so is validating the actual email address of the sender, something that you should be able to do with just a few clicks in a piece of software like Outlook. Next, let’s take a look at how a scammer will target specific individuals within an organization.

Most phishing email is entirely automated. A malicious actor sets up an email blast, similar to one done by a marketing department and sends emails out to a number of individuals, likely across a broad swath of organizations. Once someone’s credentials have been compromised, a sophisticated attacker will gain entry, and then bide their time performing reconnaissance before taking any further action. Generally speaking this would mean using access to the mailbox they’ve gained entry into to try to determine the corporate structure. Although the compromise might happen with a lower level employee, the attacker will use the access to their mailbox to determine who in the enterprise has access to whatever they’re looking for, generally money. They might then seek to target the CFO or Controller, use that access to intercept wire or direct deposit transactions, and then disappear before they’re discovered. Users can guard against this type of behavior by validating any unusual requests by a method other than email, like a phone call or face-to-face meeting. Finally, let’s take a look at some other examples of social engineering that a threat actor will use to gain entry into an environment.

Social engineering is at once the simplest and most sophisticated methodology employed by malicious actors. Essentially, they are using knowledge of human behavior to elicit the types of responses they’re looking for. Techniques of this type are also employed by the phishing emails more analog cousin—the con-man. Perhaps the most common technique is playing on an employees sense of urgency. A user might receive an email purporting to be from the organizations CEO, saying that they’re in a high level meeting and need the employee to immediately procure some gift cards for…reasons. What the attacker is counting on is that the importance of the CEO, coupled with the impression of urgency, will get the employee to overlook the overall oddity of the request and simply comply with it. This is similar to an old scam called the Spanish Prisoner, in which someone receives a letter from a ‘relative’ who claims to be imprisoned and requires funds to be released. The greatest defense against social engineering techniques is incredulity on the employees part. Would the CEO really be asking ME for something like this? Would they really need it that quickly? Does this vendor that I have never heard of really need immediate access to sensitive systems with no approval from the ‘powers that be’? By asking themselves these questions, and consciously working against the false sense of urgency, an informed employee is the best line of defense against social engineering scams, whether they be digital or analog.

In summation—an informed employee is a better protected employee. By facilitating training for your team, you empower them to question suspicious emails and constitute another line of defense for your corporate infrastructure. When training of this type is coupled with spam and phishing filtering, access controls, and multi-factor authentication, an organization becomes a much less attractive target to malicious actors. Ensure that your employees recognize a suspected phishing email when it is received, if they’re ever in doubt, send it on to your IT provider. Phishing emails that can potentially compromise a mailbox are a perfect example of, better safe than sorry.

Written by KTS Operations Manager, Tristan Collopy