Despite being a well-understood problem, phishing continues to be a major threat to individuals and businesses worldwide. For all the concern about sophisticated new malware and advanced persistent threats, phishing offers attackers a low-tech and extremely effective way to breach networks and steal money, credentials and data. The Anti-Phishing Working Group (APWG) estimated there were at least 123,972 sites worldwide being used to launch phishing attacks targeting banks and other entities in the second half of 2014, the latest period for which numbers are available.
In the first half of 2015, nearly 41 percent of phishing attacks targeted banks and financial services companies, and attacks against businesses in other industries quadrupled between January and August 2015, according to anti-phishing service provider MarkMonitor. Meanwhile, some 7,000 US companies have fallen victim to targeted spear-phishing campaigns or Business Email Compromise (BEC) scams, resulting in over $740 million in losses since late 2013, the FBI said in a warning issued earlier this year.
“Phishing emails are one of the biggest threats for technology users today,” says Zachary Forsyth, director of enterprise product line management, at security vendor Comodo. “[Phishing attacks] are successful because they are leveraging the trust that commonly exists between consumers and recognizable brands and entities.”
Businesses have to worry about two kinds of phishing attacks. The first is mass phishing, which takes advantage of a company’s brand name to lure customers to spoofed sites where they are convinced to part with credit card and other information. The second is spear-phishing, where impersonation emails are sent to targeted individuals within organizations to get them to take certain actions, like sending money to spurious accounts.
Here are seven things that organizations should be doing to mitigate their exposure to both types of phishing threats.
Know if your customers are getting phished
Contrary to popular perception, it’s not only the customers of banks and financial services companies that are being targeted in phishing attacks, says Greg Aaron, CEO of security services firm Illumintel and a senior research fellow at the APWG. Any company that has a web presence, has a large customer base, takes consumer information online and has online interactions like bill pay or email notification services should assume its customers are targets of phishing scams, he says. “You can't assume phishers just attack banks and financial services companies,” Aaron says. “They are looking for new targets.”
Consequently, organizations need to make sure no one is abusing their brand via fake emails or spoofed websites. Numerous services are available these days that can help businesses identify such sites on the web.
Have a response plan
Have a plan in place to respond if any such sites are identified, Aaron says. One response should be to try to get the domain taken down as soon as possible. Companies can either do this themselves by contacting the hosting provider or sign up with someone that can do it on their behalf.
“The faster you can get the site taken down, the less damage to your brand,” he says. This is easier said than done, especially in cases where the site is hosted overseas. Still, the goal should be to disrupt the phishers and drive up their costs as much as possible. Make sure also to communicate with your customers, Aaron adds. Have a communication plan to inform customers of a phishing scam and to let them know what sites to avoid and how to stay safe, he says.
Evaluate your online interaction with customers
Maintaining a communication stream with customers can be very useful, but don’t overdo it, says Tim Erlin, director of IT security and risk strategy at Tripwire. Customers who are habituated to receiving a stream of unsolicited emails from companies they do business with are likelier to click on a spoofed email, he says. There’s a difference between sending a confirmation email to a customer who has purchased something or made a payment and sending a large volume of emails that are not the consequence of a direct action by the user, Erlin says. “It makes consumers nervous about using your service if they can’t trust the emails they receive.”
Make DMARC your friend
If you haven’t done so already, implement Domain-based Message Authentication, Reporting and Conformance (DMARC) checks to stop spoofed emails in their tracks, says Dan Ingevaldson, chief technology officer at Easy Solutions Inc.
DMARC is a standard for verifying the authenticity of an email. It gives email receivers a way to check whether a message really comes from its purported sender. Importantly, it also lets organizations set policies for what receivers should do with email that purports to come from their domains but actually originates elsewhere. Companies can use DMARC to keep spoofed email out of their own domains and to instruct other email servers to reject messages that do not properly authenticate against their domains.
“DMARC is an emerging IETF standard but it is advanced enough where it is heavily deployed,” Ingevaldson says, noting that all major email providers, including Google, Yahoo, and Microsoft, have already adopted the standard. “Once it is globally deployed it becomes essentially impossible to send a spoofed message to a major email provider. DMARC makes it obsolete to spoof messages.”
One major problem with DMARC is that it interferes with the delivery of forwarded emails, such as those relayed through a mailing list (listserv), because forwarding can break the SPF or DKIM checks that DMARC relies on. But the issue is getting resolved, and the payoff in terms of better security makes it worth considering, he adds.
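To make the DMARC mechanism described above concrete, here is an added worked example (illustration only, not code from the article or from any of the vendors quoted) of how a receiving mail server evaluates a message: it checks SPF and DKIM, requires the passing identifier to align with the visible From domain, and then applies the p= policy the sender's domain publishes. All domains, DMARC records and authentication results below are constructed; the "forwarded via mailing list" case shows the failure mode the paragraph mentions, where a list server's IP is not in the sender's SPF record and a body modification breaks the DKIM signature.

```python
"""Simplified DMARC evaluation (added illustration; constructed sample data)."""
from dataclasses import dataclass

# Constructed TXT records as a receiver would fetch from _dmarc.<domain>.
# p=reject tells receivers to refuse failing mail; p=none only reports.
DMARC_RECORDS = {
    "example-bank.test": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example-bank.test",
    "example-shop.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-shop.test",
}


def parse_dmarc(record: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict, with DMARC's default alignment modes."""
    tags = {"adkim": "r", "aspf": "r", "p": "none"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    A production receiver consults the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts any domain under the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header the user sees
    spf_pass: bool     # SPF verdict for the envelope MAIL FROM domain
    spf_domain: str    # envelope MAIL FROM domain
    dkim_pass: bool    # DKIM signature verified
    dkim_domain: str   # d= tag of the DKIM signature


def evaluate_dmarc(r: AuthResults) -> tuple:
    """Return (dmarc_result, disposition). DMARC passes when SPF or DKIM passes
    AND that passing identifier aligns with the visible From domain."""
    record = DMARC_RECORDS.get(r.from_domain.lower()) or DMARC_RECORDS.get(org_domain(r.from_domain))
    if record is None:
        return ("none", "deliver")  # sender domain publishes no policy
    policy = parse_dmarc(record)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, policy["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", {"reject": "reject", "quarantine": "quarantine"}.get(policy["p"], "deliver"))


# Constructed scenarios a receiver might see.
SAMPLES = {
    # Sent by the bank's own servers: both identifiers align.
    "legitimate": AuthResults("example-bank.test", True, "example-bank.test", True, "example-bank.test"),
    # Subdomain in From: DKIM d= fails strict alignment, but SPF passes under relaxed alignment.
    "subdomain_relaxed_spf": AuthResults("alerts.example-bank.test", True, "alerts.example-bank.test",
                                         True, "example-bank.test"),
    # Message claiming to be from the bank but authenticated only for an unrelated domain.
    "spoofed_bank": AuthResults("example-bank.test", True, "unrelated-mailer.test", True, "unrelated-mailer.test"),
    # Genuine bank mail relayed by a mailing list: list IP not in the bank's SPF,
    # and the list's footer/subject tag invalidated the DKIM signature.
    "forwarded_via_list": AuthResults("example-bank.test", False, "list.example-forum.test", False, ""),
    # Same spoof against a domain that only monitors (p=none): delivered anyway.
    "spoofed_shop_monitor_only": AuthResults("example-shop.test", True, "unrelated-mailer.test", True, "unrelated-mailer.test"),
}


def run_samples() -> dict:
    """Evaluate every constructed scenario and return name -> (result, disposition)."""
    return {name: evaluate_dmarc(auth) for name, auth in SAMPLES.items()}


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name:28s} -> dmarc={outcome[0]:4s} disposition={outcome[1]}")
```

The "forwarded_via_list" case is why the author notes DMARC interferes with forwarded mail: the bank's message is genuine, but after relaying through a list that rewrites the message neither SPF nor DKIM aligns, so a p=reject policy causes the receiver to discard it. The "spoofed_shop_monitor_only" case shows the other caveat: a domain that publishes only p=none gets reports but no protection.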
Identify and educate potential spear-phishing targets
Spear-phishers, or the purveyors of Business Email Compromise scams, typically target executives within organizations who have the authority to transfer money to other entities or take executive actions on behalf of the company. Most attacks involve sending very convincing emails to such individuals, supposedly from another executive within the company, with instructions to transfer money to another entity.
“It’s important for organizations to identify who’s likely to be targeted and to instill in them a general sense of paranoia,” Ingevaldson says. It’s important to educate such individuals about the potential for such scams and to let them know that it is okay to verify the authenticity of money transfer requests even if it means delaying the action. “If you look at the text in these messages they always convey a sense of urgency and authority,” to scare people into taking immediate action on a phony request, Ingevaldson says.
To mitigate risks of BEC, implement strong authentication
Every company has to assume that they have been profiled or researched by spear-phishers, says Aaron from the APWG. “One of the best things a company can do is require multiple authentication to initiate bank transfers,” he says. If somebody receives an email for a bank transfer, the procedure should be to require that the request be authenticated via phone or in person with the person who supposedly sent the request, he said.
Companies should also talk with their banks to ensure they flag any money transfer requests that appear unusual, he adds.
Organizations might also want to consider validating sender domains by how recently they were registered, adds Tripwire’s Erlin. Most phishers use domains that have only just been registered to carry out their schemes. By instituting a policy to automatically reject emails from domains that are less than one week old, for instance, a company can mitigate the risk of receiving emails from phishing sites, he says.
Use the proper email and web filters
This might appear to be an obvious one, but it’s important to configure email and web filters to block phishing attacks, spoofed senders, malicious file types and known bad URLs and files, says Forsyth from Comodo. Think also about implementing approaches like containerization and malware sandboxes to intercept and scan unknown files and to place a containment wrapper around them before they are delivered to endpoints, he says.
“Create intrusion detection system rules that flag e-mails with extensions that are similar to company e-mail but not exactly the same,” the FBI advised in its alert on BEC scams this year. “For example, .co instead of .com,” it noted. If possible, it also might be a good idea to register Internet domains that are only slightly different from the original company name, the FBI said.
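The two sender-domain checks recommended above, Erlin's "reject domains less than a week old" rule and the FBI's "flag addresses that are almost, but not exactly, the company's domain" rule, can be expressed as one screening function. The following is an added example (not the article's, Tripwire's or the FBI's code): `COMPANY_DOMAIN`, the registration-date table and the fixed `TODAY` value are constructed assumptions standing in for the protected domain and a WHOIS/RDAP lookup, and the lookalike test goes a little beyond the .co/.com example in the text by also catching one-character edits and common confusable substitutions.

```python
"""Sender-domain screening: lookalike detection plus domain-age policy.
Added illustration with constructed data; not from the article."""
from datetime import date

COMPANY_DOMAIN = "examplecorp.com"   # assumed protected domain
MIN_DOMAIN_AGE_DAYS = 7              # threshold quoted in the article
TODAY = date(2015, 10, 2)            # fixed "now" so results are reproducible

# Constructed stand-in for a WHOIS/RDAP registration-date lookup.
REGISTRATION_DATES = {
    "examplecorp.com": date(2005, 3, 14),
    "partner-supplier.net": date(2012, 8, 1),
    "examplecorp.co": date(2015, 9, 28),     # same name, swapped TLD, 4 days old
    "exarnplecorp.com": date(2015, 10, 1),   # 'rn' imitating 'm', 1 day old
    "examplecorps.com": date(2014, 1, 20),   # one character added, old domain
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple:
    """Split 'name.tld' into (name, tld); multi-label suffixes are not modelled."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def lookalike_reason(sender_domain: str, company_domain: str = COMPANY_DOMAIN):
    """Return a short reason if sender_domain resembles the company domain, else None."""
    sender = sender_domain.lower()
    if sender == company_domain:
        return None
    s_name, s_tld = split_domain(sender)
    c_name, c_tld = split_domain(company_domain)
    if s_name == c_name and s_tld != c_tld:
        return f"same name, different TLD (.{s_tld} vs .{c_tld})"
    # Collapse a few visually confusable sequences before comparing (heuristic).
    folded = s_name.replace("rn", "m").replace("1", "l").replace("0", "o")
    if folded == c_name:
        return "confusable characters"
    if levenshtein(s_name, c_name) <= 1:
        return "one edit away from company domain"
    return None


def domain_age_days(domain: str, today: date = TODAY):
    """Days since registration, or None when the date is not known."""
    registered = REGISTRATION_DATES.get(domain.lower())
    return None if registered is None else (today - registered).days


def screen_sender(from_address: str, today: date = TODAY) -> dict:
    """Apply both checks to a From address and return the domain, action and reasons.
    Policy: reject mail from domains younger than MIN_DOMAIN_AGE_DAYS; otherwise
    flag lookalikes and unknown-age domains for review; otherwise deliver."""
    domain = from_address.rsplit("@", 1)[-1].strip().lower()
    flags = []
    reason = lookalike_reason(domain)
    if reason:
        flags.append(f"lookalike: {reason}")
    age = domain_age_days(domain, today)
    if age is None:
        flags.append("registration date unknown")
    elif age < MIN_DOMAIN_AGE_DAYS:
        flags.append(f"domain registered {age} days ago")
    if any(f.startswith("domain registered") for f in flags):
        action = "reject"
    elif flags:
        action = "flag"
    else:
        action = "deliver"
    return {"domain": domain, "action": action, "flags": flags}


if __name__ == "__main__":
    # Constructed From addresses as they might appear in a BEC attempt or normal mail.
    for addr in ["cfo@examplecorp.com", "cfo@examplecorp.co", "CFO@Exarnplecorp.com",
                 "ap@examplecorps.com", "orders@partner-supplier.net", "x@newvendor.test"]:
        print(screen_sender(addr))
```

In a mail gateway the two checks would typically feed different actions, as here: a brand-new domain is rejected outright under the age policy, while a lookalike on an older domain or a domain whose registration date cannot be determined is flagged for a human to review rather than silently dropped, since legitimate partners occasionally own near-miss domains.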