
7 Tips For Mitigating Phishing And Business Email Hacks

You can't stop someone from launching a phishing attack, but there are things you can do to mitigate the threat.

Despite being a well-understood problem, phishing continues to be a major threat to individuals and businesses worldwide. For all the concern about sophisticated new malware and advanced persistent threats, phishing offers attackers a low-tech and extremely effective way to breach networks and steal money, credentials and data. The Anti-Phishing Working Group (APWG) estimated there were at least 123,972 sites worldwide being used to launch phishing attacks targeting banks and other entities in the second half of 2014, the latest period for which numbers are available.

In the first half of 2015, nearly 41 percent of phishing attacks targeted banks and financial services companies, and attacks against businesses in other industries quadrupled between January and August 2015, according to anti-phishing service provider MarkMonitor. Meanwhile, some 7,000 US companies have fallen victim to targeted spear-phishing campaigns or Business Email Compromise (BEC) scams, resulting in over $740 million in losses since late 2013, the FBI said in a warning issued earlier this year.

“Phishing emails are one of the biggest threats for technology users today,” says Zachary Forsyth, director of enterprise product line management, at security vendor Comodo. “[Phishing attacks] are successful because they are leveraging the trust that commonly exists between consumers and recognizable brands and entities.”

Businesses have to worry about two kinds of phishing attacks. One is mass phishing that abuses a company’s brand name to lure its customers to spoofed sites, where they are tricked into handing over credit card numbers and other information. The other is spear-phishing, in which impersonation emails are sent to targeted individuals within an organization to get them to take specific actions, such as wiring money to accounts the attacker controls.

Here are seven things that organizations should be doing to mitigate their exposure to both types of phishing threats.

Know if your customers are getting phished

Contrary to popular perception, it’s not only the customers of banks and financial services companies that are being targeted in phishing attacks, says Greg Aaron, CEO of security services firm Illumintel and a senior research fellow at the APWG. Any company that has a web presence and a large customer base, takes consumer information online, and has online interactions such as bill pay or email notification services should assume its customers are targets of phishing scams, he says. “You can't assume phishers just attack banks and financial services companies,” Aaron says. “They are looking for new targets.”

Consequently, organizations need to make sure no one is abusing their brand via fake emails or spoofed websites. Numerous services are available these days that can help businesses identify such sites on the web.

Have a response plan

Have a plan in place to respond if any such sites are identified, Aaron says. One response should be to try to get the domain taken down as soon as possible. Companies can either do this themselves by contacting the hosting provider or sign up with a service that does it on their behalf.

“The faster you can get the site taken down, the less damage to your brand,” he says. This is easier said than done, especially when the site is hosted overseas. Still, the goal should be to disrupt the phishers and drive up their costs as much as possible. Make sure also to communicate with your customers, Aaron adds: have a communication plan to inform customers of a phishing scam, to tell them which sites to avoid and how to stay safe.

Evaluate your online interaction with customers

Maintaining a communication stream with customers can be very useful, but don’t overdo it, says Tim Erlin, director of IT security and risk strategy at Tripwire. Customers who are habituated to receiving a stream of unsolicited emails from companies they do business with are likelier to click on a spoofed email, he says. There’s a difference between sending a confirmation email to a customer who has purchased something or made a payment and sending a large volume of emails that are not the consequence of a direct action by the user, Erlin says. “It makes consumers nervous about using your service if they can’t trust the emails they receive.”

Make DMARC your friend

If you haven’t done so already, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) checks to stop spoofed emails in their tracks, says Dan Ingevaldson, chief technology officer at Easy Solutions Inc.

DMARC builds on two older email authentication mechanisms, SPF and DKIM. A receiving server checks whether the domain that passed SPF or DKIM matches (in DMARC terms, “aligns” with) the domain shown in the message’s From: header, which is the address the recipient actually sees. Importantly, DMARC also lets a domain owner publish a DNS policy telling receivers what to do with mail that claims to come from its domain but fails those checks: monitor only, quarantine, or reject. The same record asks receivers to send aggregate reports, so the company learns who is sending mail in its name. Companies can therefore enforce DMARC on inbound mail to stop messages spoofing their own domain, and publish a reject policy so that other providers drop spoofed mail before it reaches customers.

“DMARC is an emerging IETF standard but it is advanced enough where it is heavily deployed,” Ingevaldson says, noting that all major email providers, including Google, Yahoo, and Microsoft, have already adopted the standard. “Once it is globally deployed it becomes essentially impossible to send a spoofed message to a major email provider. DMARC makes it obsolete to spoof messages.”

One well-known problem with DMARC is that it interferes with the delivery of forwarded mail, notably messages relayed through mailing lists: forwarding changes the envelope sender, so SPF no longer aligns with the From: domain, and lists that add a subject tag or footer break the DKIM signature, so a legitimate message can fail DMARC at the final recipient. But the issue is getting resolved and the payoff in terms of better security makes it worth considering, he adds. The usual rollout is to publish a monitoring-only policy (p=none) first and tighten it to quarantine or reject once the aggregate reports show that every legitimate source of the company’s mail is authenticating.
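To make the mechanics concrete, here is an added example (not the article’s or any vendor’s code) of the decision a receiving server makes under DMARC, written in Python. The DMARC records, domains and SPF/DKIM results are constructed for illustration, and the organizational-domain reduction is simplified to the last two labels rather than the Public Suffix List.

```python
"""DMARC evaluation as a receiving server performs it.

DMARC authenticates nothing by itself: it takes the SPF and DKIM results,
tests whether the domain each one validated "aligns" with the domain in the
visible From: header, and if neither aligns applies the policy the domain
owner published in DNS (p=none, quarantine or reject).  The records and
authentication results used here are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; rua=mailto:...") into a
    tag dictionary, filling in the RFC 7489 defaults for alignment mode."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("DMARC record needs p=none|quarantine|reject")
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        raise ValueError("invalid sp= subdomain policy")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")   # relaxed SPF alignment unless aspf=s
    return tags


def organizational_domain(domain: str) -> str:
    """Reduce a domain to its registrable part.  Simplified to 'last two
    labels'; production code uses the Public Suffix List (example.co.uk...)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment.  Strict ('s') needs an exact match; relaxed ('r')
    accepts any domain sharing the From: domain's organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    """What the receiver already knows before DMARC runs."""
    from_domain: str                  # domain in the RFC5322.From header
    spf_pass_domain: Optional[str]    # MAIL FROM domain that passed SPF, or None
    dkim_pass_domain: Optional[str]   # d= of a DKIM signature that verified, or None


def dmarc_disposition(record: str, r: AuthResults) -> str:
    """Return 'pass', or the action the domain owner asked for on failure
    ('none' = deliver but report, 'quarantine', 'reject')."""
    tags = parse_dmarc_record(record)
    spf_ok = aligned(r.from_domain, r.spf_pass_domain, tags["aspf"])
    dkim_ok = aligned(r.from_domain, r.dkim_pass_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    # sp= (if published) overrides p= for mail From: a subdomain of the org domain
    is_subdomain = r.from_domain.lower() != organizational_domain(r.from_domain)
    if is_subdomain and "sp" in tags:
        return tags["sp"]
    return tags["p"]


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    spoof = AuthResults("example.com", "attacker-mail.net", None)
    legit = AuthResults("example.com", "bounce.example.com", None)
    print("spoofed From: example.com ->", dmarc_disposition(record, spoof))
    print("legitimate bounce subdomain ->", dmarc_disposition(record, legit))
```

Feeding it AuthResults("example.com", "forwarder.org", "example.com") returns "pass", because a DKIM signature that survived forwarding still aligns even though SPF now validates the forwarder; a mailing list that rewrote the body leaves neither identifier aligned and the message is rejected, which is exactly the forwarding problem Ingevaldson refers to.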

Identify and educate potential spear-phishing targets

Spear-phishers, including the purveyors of Business Email Compromise scams, typically target executives who have the authority to transfer money to other entities or take executive actions on behalf of the company. Most attacks use a convincing email to such an individual, supposedly from another executive within the company, instructing them to transfer money to an outside entity.

“It’s important for organizations to identify who’s likely to be targeted and to instill in them a general sense of paranoia,” Ingevaldson says. It’s important to educate such individuals about the potential for such scams and to let them know that it is okay to verify the authenticity of money transfer requests even if it means delaying the action. “If you look at the text in these messages they always convey a sense of urgency and authority,” to scare people into taking immediate action on a phony request, Ingevaldson says.

To mitigate risks of BEC, implement strong authentication

Every company has to assume that it has been profiled or researched by spear-phishers, says Aaron from the APWG. “One of the best things a company can do is require multiple authentication to initiate bank transfers,” he says. If somebody receives an email requesting a bank transfer, the procedure should require that the request be verified by phone or in person with the person who supposedly sent it, he says. That verification should use a phone number already on file, not one supplied in the email itself, since an attacker who controls the message also controls its contact details.

Companies should also talk with their banks to ensure they flag any money transfer requests that appear unusual, he adds.

Organizations might also want to consider validating sender domains for how recently the domains were registered, adds Tripwire’s Erlin. Many phishers use domains registered only days before a campaign. By instituting a policy to automatically reject emails from domains that are less than one week old, for instance, a company can mitigate the risk of receiving mail from freshly registered phishing domains, he says. A registration-date lookup (WHOIS or RDAP) can fail, so the rule should treat an unknown age as unknown rather than as new, or legitimate mail will bounce whenever the lookup does.

Use the proper email and web filters

This might appear to be an obvious one, but it’s important to configure email and web filters to block phishing attacks, spoofed senders, malicious file types and known bad URLs and files, says Forsyth from Comodo. Think also about implementing approaches like containerization and malware sandboxes to intercept and scan unknown files, and to place a containment wrapper around them before they are delivered to endpoints, he says.

“Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail but not exactly the same,” the FBI advised in its alert on BEC scams this year. “For example, .co instead of .com,” it noted. If possible, it also might be a good idea to register Internet domains that are only slightly different from the original company name, the FBI said.
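As an added example (not the article’s, the FBI’s, or any vendor’s code) covering both Erlin’s domain-age rule above and the FBI’s advice on look-alike domains, here is a Python sketch of the two checks a mail gateway would run on an inbound sender address. The company domain example.com, the sender addresses, the dates and the in-memory registry of creation dates are all constructed; a real deployment would fetch creation dates from WHOIS or RDAP.

```python
"""Sender-domain checks for a mail gateway: look-alike detection and a
domain-age rule.  The company domain, addresses, dates and the in-memory
'registry' of creation dates are all constructed; in production the creation
date would come from a WHOIS/RDAP lookup of the sender domain."""
import re
from datetime import date, timedelta
from typing import Dict, Optional

# Visually confusable substitutions common in typosquatting (a small subset).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}

# Constructed sample data standing in for WHOIS/RDAP creation dates.
SAMPLE_TODAY = date(2015, 12, 1)
SAMPLE_REGISTRY: Dict[str, date] = {
    "newvendor.net": SAMPLE_TODAY - timedelta(days=3),
    "oldvendor.net": date(2009, 4, 2),
}


def normalize_confusables(name: str) -> str:
    """Map look-alike character sequences to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        name = name.replace(fake, real)
    return name


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits are insert, delete, substitute
    and swap of two adjacent characters (the classic 'exmaple' typo)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_lookalike(sender_domain: str, own_domain: str) -> Optional[str]:
    """Return why sender_domain imitates own_domain, or None if it does not.
    Simplification: the name is everything before the last label, so
    multi-label suffixes such as .co.uk are not special-cased."""
    s = sender_domain.lower().rstrip(".")
    o = own_domain.lower().rstrip(".")
    if s == o or s.endswith("." + o):
        return None  # our own domain or subdomain: spoofing those is DMARC's job
    if "." not in s or "." not in o:
        return None
    s_name, s_tld = s.rsplit(".", 1)
    o_name, o_tld = o.rsplit(".", 1)
    if s_name == o_name:
        return f"same name, .{s_tld} instead of .{o_tld}"
    if normalize_confusables(s_name) == normalize_confusables(o_name):
        return "confusable characters"
    if len(o_name) >= 5 and osa_distance(s_name, o_name) == 1:
        return "one typo away"
    if o_name in re.split(r"[.-]", s_name):
        return "company name embedded in an unrelated domain"
    return None


def too_new(created: Optional[date], today: date, min_age_days: int = 7) -> bool:
    """Domain-age rule.  An unknown creation date is deliberately NOT treated
    as new, so a WHOIS outage does not turn into a mail outage."""
    return created is not None and (today - created).days < min_age_days


def classify_sender(address: str, own_domain: str,
                    registry: Dict[str, date], today: date) -> str:
    """'accept', 'flag: ...' (hold for review) or 'reject: ...'."""
    domain = address.rsplit("@", 1)[-1].lower()
    reason = is_lookalike(domain, own_domain)
    if reason:
        return f"flag: look-alike of {own_domain} ({reason})"
    if too_new(registry.get(domain), today):
        return "reject: sender domain registered less than 7 days ago"
    return "accept"


if __name__ == "__main__":
    for sender in ("cfo@example.co", "cfo@examp1e.com", "cfo@exmaple.com",
                   "cfo@example-com.net", "ap@newvendor.net", "ap@oldvendor.net"):
        verdict = classify_sender(sender, "example.com", SAMPLE_REGISTRY, SAMPLE_TODAY)
        print(f"{sender:22} -> {verdict}")
```

Look-alikes are flagged for review rather than rejected outright, because the fuzzy rules will occasionally catch an unrelated legitimate domain; only the hard evidence of a days-old registration earns a reject.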

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

User Rank: Apprentice
4/30/2017 | 5:02:53 AM
How to get help
I've been receiving phishing emails, but because I don't do any banking or bills online it's not a big deal that my phone service provider has done nothing when I had call forwarding charges and mobile data usage of 15GB, and then slowly it attacked my business accounts, and any device I use the hotspot with never works. Now it's spreading through the phone's data by stealing app information, my files have been corrupted, and the list goes on and on. Just because I haven't had my financials breached, it's never talked about, the fact of my entire accounts, identity, business online website, and that I can't even delete my Gmail because the data to download, which I need for all the connections to Google web services, has a virus. So I have no way to get my Blogger, AdSense, GA, etc. changed or the data stored; it's not that big of a deal to get help. This attack is going through every device that was under my mobile service connection, and the accounts that it started with I can't use on new laptops or phones because I'm afraid it will get through to those. So I wanted to know: what do I do? The email's original view of the code is 11 pages long with my device information, when it was only a few lines. Yet T-Mobile hasn't run tests or anything for the past 2 years; only now are the FTC, FCC, BBB and DOJ taking me seriously. Only because I'm smart enough not to do my banking or bills through accounts online and not go paperless, it's not an important topic or issue. If you can tell me where there's any topic on that, I would love to read it because I've not found one.
User Rank: Apprentice
1/7/2016 | 9:39:17 AM
Not just money transfers
The article focuses on fraudulent requests to transfer money, but intimidating emails like this can also be used on employees without the authority to do such transfers. These could be intimidated into divulging account numbers, customer data, and other information which could be used in identity theft and other types of crimes. All users need to be vigilant about such communication and be certain about who they are communicating with.
User Rank: Ninja
1/7/2016 | 7:27:52 AM
URL Preview
I feel like this is the most important thing to encourage people to do to avoid phishing. Not clicking links directly in emails is a great start, but hovering over them and checking that the URLs match up and you know they're safe is one step that can really stop most phishing attacks, I feel.