1/6/2016 11:00 AM

7 Tips For Mitigating Phishing And Business Email Hacks

You can't stop someone from launching a phishing attack, but there are things you can do to mitigate the threat.

Despite being a well-understood problem, phishing continues to be a major threat to individuals and businesses worldwide. For all the concern about sophisticated new malware and advanced persistent threats, phishing offers attackers a low-tech and extremely effective way to breach networks and steal money, credentials, and data. The Anti-Phishing Working Group (APWG) estimated there were at least 123,972 sites worldwide being used to launch phishing attacks targeting banks and other entities in the second half of 2014, the latest period for which numbers are available.

In the first half of 2015, nearly 41 percent of phishing attacks targeted banks and financial services companies, and attacks against businesses in other industries quadrupled between January and August 2015, according to anti-phishing service provider MarkMonitor. Meanwhile, some 7,000 US companies have fallen victim to targeted spear-phishing campaigns or Business Email Compromise (BEC) scams, resulting in over $740 million in losses since late 2013, the FBI said in a warning issued earlier this year.

“Phishing emails are one of the biggest threats for technology users today,” says Zachary Forsyth, director of enterprise product line management, at security vendor Comodo. “[Phishing attacks] are successful because they are leveraging the trust that commonly exists between consumers and recognizable brands and entities.”

Businesses have to worry about two kinds of phishing attacks. One is mass phishing, which takes advantage of a company’s brand name to lure customers to spoofed sites where they are convinced to part with credit card and other information. The other is spear-phishing, where impersonation emails are sent to targeted individuals within organizations to get them to take certain actions, such as sending money to spurious accounts.

Here are seven things that organizations should be doing to mitigate their exposure to both types of phishing threats.

Know if your customers are getting phished

Contrary to popular perception, it’s not only the customers of banks and financial services companies that are being targeted in phishing attacks, says Greg Aaron, CEO of security services firm Illumintel and a senior research fellow at the APWG. Any company that has a web presence, has a large customer base, takes consumer information online, and has online interactions like bill pay or email notification services should assume its customers are targets of phishing scams, he says. "You can't assume phishers just attack banks and financial services companies," Aaron says. "They are looking for new targets."

Consequently, organizations need to make sure no one is abusing their brand via fake emails or spoofed websites. Numerous services are available these days that can help businesses identify such sites on the web.

Have a response plan

Have a plan in place to respond if any such sites are identified, Aaron says. One response should be to get the domain taken down as soon as possible. Companies can either do this themselves by contacting the hosting provider or sign up with a service that can do it on their behalf.

“The faster you can get the site taken down, the less damage to your brand,” he said. This is easier said than done, especially in cases where the site is hosted overseas. Still, the goal should be to disrupt the phishers and drive up their costs as much as possible. Make sure also to communicate with your customers, Aaron adds. Have a communication plan to inform customers of a phishing scam and to let them know what sites to avoid and how to stay safe, he said.

Evaluate your online interaction with customers

Maintaining a communication stream with customers can be very useful, but don’t overdo it, says Tim Erlin, director of IT security and risk strategy at Tripwire. Customers who are habituated to receiving a stream of unsolicited emails from companies they do business with are likelier to click on a spoofed email, he says. There’s a difference between sending a confirmation email to a customer who has purchased something or made a payment and sending a large volume of emails that are not the consequence of a direct action by the user, Erlin says. “It makes consumers nervous about using your service if they can’t trust the emails they receive.”

Make DMARC your friend

If you haven’t done so already, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) checks to stop spoofed emails in their tracks, says Dan Ingevaldson, chief technology officer at Easy Solutions Inc.

DMARC is a standard for verifying the authenticity of an email. It gives email receivers a way to check whether a message really comes from its purported sender. Importantly, it also lets organizations publish policies for what receivers should do with email that purports to come from their domains but actually originates elsewhere. Companies can use DMARC both to screen inbound mail that claims to come from their own domains and to instruct other mail servers to reject messages that fail authentication for those domains.

“DMARC is an emerging IETF standard but it is advanced enough where it is heavily deployed,” Ingevaldson says, noting that all major email providers, including Google, Yahoo, and Microsoft, have already adopted the standard. “Once it is globally deployed it becomes essentially impossible to send a spoofed message to a major email provider. DMARC makes it obsolete to spoof messages.”

One major problem with DMARC is that it interferes with the delivery of forwarded emails, such as those sent via a listserv or other mailing list. But the issue is being resolved, and the payoff in terms of better security makes it worth considering, he adds.
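The check a receiving mail server performs under DMARC, as an added example that is not from the article or any of the vendors quoted in it: parse the domain owner's published record, test whether SPF or DKIM passed for an identifier aligned with the visible From: domain, and otherwise apply the owner's p= policy. The record, the domain example.com and the authentication results are constructed, and relaxed alignment is simplified to a subdomain suffix match rather than a public-suffix-list lookup.

```python
# Added example, not the article's code: how a receiving server applies a sending
# domain's published DMARC policy. Record and authentication results are constructed.
DISPOSITION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}

def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in DISPOSITION:
        raise ValueError("not a valid DMARC record: " + txt)
    tags.setdefault("adkim", "r")   # DKIM alignment defaults to relaxed
    tags.setdefault("aspf", "r")    # SPF alignment defaults to relaxed
    return tags

def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts a subdomain.
    (Simplification: real receivers compare organizational domains via the PSL.)"""
    if mode == "s":
        return auth_domain == from_domain
    return auth_domain == from_domain or auth_domain.endswith("." + from_domain)

def evaluate(policy, from_domain, spf, dkim):
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain).
    The message passes if SPF or DKIM passed *and* that identifier aligns with the
    visible From: domain; otherwise the domain owner's p= policy decides its fate."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "deliver"
    return False, DISPOSITION[policy["p"]]

# Constructed record for the (assumed) domain example.com
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

def demo():
    policy = parse_dmarc(RECORD)
    # Legitimate mail: DKIM-signed with d=example.com, SPF-authenticated by a subdomain
    legit = evaluate(policy, "example.com", ("pass", "mail.example.com"), ("pass", "example.com"))
    # Spoofed From: header; SPF passes only for an unrelated bounce domain, no DKIM
    spoof = evaluate(policy, "example.com", ("pass", "unrelated.example"), ("none", ""))
    return legit, spoof
```

The rua= tag is why the article calls the standard "Reporting": receivers send aggregate reports of these decisions to that address, which is how a domain owner learns its brand is being spoofed.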

Identify and educate potential spear-phishing targets

Spear-phishers, or the purveyors of Business Email Compromise scams, typically target executives within organizations who have the authority to transfer money to other entities or take executive actions on behalf of the company. Most attacks involve very convincing emails to such individuals, supposedly from another executive within the company, with instructions to transfer money to another entity.

“It’s important for organizations to identify who’s likely to be targeted and to instill in them a general sense of paranoia,” Ingevaldson says. It’s important to educate such individuals about the potential for such scams and to let them know that it is okay to verify the authenticity of money transfer requests even if it means delaying the action. “If you look at the text in these messages they always convey a sense of urgency and authority” to scare people into taking immediate action on a phony request, Ingevaldson says.

To mitigate risks of BEC, implement strong authentication

Every company has to assume that it has been profiled or researched by spear-phishers, says Aaron from the APWG. “One of the best things a company can do is require multiple authentication to initiate bank transfers,” he says. If somebody receives an email requesting a bank transfer, the procedure should be to require that the request be verified by phone or in person with the person who supposedly sent it, he said.

Companies should also talk with their banks to ensure they flag any money transfer requests that appear unusual, he adds.

Organizations might also want to consider validating sender domains by how recently they were registered, adds Tripwire’s Erlin. Most phishers use domains that have only just been registered to carry out their schemes. By instituting a policy to automatically reject emails from domains that are less than one week old, for instance, a company can mitigate the risk of receiving mail from phishing sites, he said.

Use the proper email and web filters

This might appear to be an obvious one, but it’s important to configure email and web filters to block phishing attacks, spoofed senders, malicious file types, and known bad URLs and files, says Forsyth from Comodo. Think also about implementing approaches like containerization and malware sandboxes to intercept and scan unknown files and to place a containment wrapper around them before they are delivered to endpoints, he says.

“Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail but not exactly the same,” the FBI advised in its alert on BEC scams this year. “For example, .co instead of .com,” it noted. If possible, it also might be a good idea to register Internet domains that are only slightly different from the original company name, the FBI said.
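Erlin's domain-age rule and the FBI's lookalike-domain rule above can be combined into one inbound-mail check. The following is an added example, not code from the article, the FBI, or Tripwire: it flags sender domains that are newly registered or within a couple of edits of the company's own domain. The company domain example.com, the From: headers, and the registration dates (a stand-in for a WHOIS/RDAP lookup) are all constructed.

```python
# Added example (not the article's code). Registration dates below are constructed.
from datetime import date

COMPANY_DOMAINS = {"example.com"}   # assumed: the organization's legitimate domains
MIN_AGE_DAYS = 7                    # the article's "less than one week old" rule

# Constructed stand-in for a registration-date lookup (real deployments query RDAP/WHOIS)
REGISTERED_ON = {
    "example.com": date(2001, 3, 14),
    "example.co": date(2016, 1, 4),            # the FBI's ".co instead of .com" case
    "exarnple.com": date(2016, 1, 5),          # "rn" mimics "m"
    "partner-bank.example": date(2012, 6, 1),  # an old, unrelated but legitimate domain
}

def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 means a one- or two-character lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain part of a From: header such as 'CFO <cfo@example.co>'."""
    addr = from_header.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()

def check_sender(from_header, today):
    """Return the reasons to hold the message for review; empty means no concern."""
    domain = sender_domain(from_header)
    flags = []
    if domain in COMPANY_DOMAINS:
        return flags
    for real in COMPANY_DOMAINS:
        if edit_distance(domain, real) <= 2:   # threshold: two edits, e.g. .co / rn-for-m
            flags.append("lookalike of " + real)
    registered = REGISTERED_ON.get(domain)
    if registered is None:
        flags.append("registration date unknown")
    elif (today - registered).days < MIN_AGE_DAYS:
        flags.append("registered %d day(s) ago" % (today - registered).days)
    return flags

# Constructed From: headers; "today" defaults to the article's publication date
SAMPLE_FROM = ["Accounts Payable <ap@example.com>", "CFO <cfo@example.co>",
               "CEO <ceo@exarnple.com>", "Alice <alice@partner-bank.example>"]

def scan(today=date(2016, 1, 6)):
    return {sender_domain(h): check_sender(h, today) for h in SAMPLE_FROM}
```

A flagged message is a candidate for quarantine or for the out-of-band phone verification the previous tip describes, not proof of fraud: short legitimate domains can sit within two edits of each other, so tune the threshold against your own mail flow.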

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Mrdesigner (User Rank: Apprentice), 4/30/2017 5:02:53 AM
How to get help
I've been receiving phishing emails, but because I don't do any banking or bills online it's not a big deal that my phone service provider has done nothing when I had call forwarding charges and mobile data usage of 15GB, and then slowly it attacked my business accounts, and any device I use the hotspot on never works. Now it's spreading through the phone's data by stealing app information, and my files have been corrupted, and the list goes on and on. Just because I haven't had my financial accounts breached it's never talked about: the fact that my entire accounts, identity, business online website, and that I can't even delete my Gmail because the data to download, which I need for all the connections to Google web services, has a virus. So I have no way to get my Blogger, AdSense, GA, etc. changed or the data stored; it's not that big of a deal to get help. This attack is going through every device that was under my mobile service connection, and the accounts that it has been the start of I can't use on new laptops or phones because I'm afraid it will get through to those. So I wanted to know what do I do. The email's original view of code is 11 pages long with my device information when it was only a few lines. Yet T-Mobile hasn't run tests or anything for the past 2 years; only now are the FTC, FCC, BBB and DOJ taking me seriously. Only because I'm smart not to do my banking or bills through accounts online and not go paperless, it's not an important topic or issue. If you can tell me where there's any topic on that I would love to read it because I've not found one.
gfish66 (User Rank: Apprentice), 1/7/2016 9:39:17 AM
Not just money transfers
The article focuses on fraudulent requests to transfer money, but intimidating emails like this can also be used on employees without the authority to do such transfers. These could be intimidated into divulging account numbers, customer data, and other information which could be used in identity theft and other types of crimes. All users need to be vigilant about such communication and be certain about who they are communicating with.
Whoopty (User Rank: Ninja), 1/7/2016 7:27:52 AM
URL Preview
I feel like this is the most important thing to encourage people to do to avoid phishing. Not clicking links directly in emails is a great start, but hovering over them and checking that the URLs match up and you know they're safe is one step that can really stop most phishing attacks, I feel.