What is phishing? Ask an IT professional and the definition will vary.
The most common understanding of phishing is an email that falsely claims to be from a legitimate organisation, usually combined with a threat or request for information.
Sophos’ latest study, Phishing Insights 2021, surveyed 5,400 IT professionals globally and found fewer than six in ten respondents defining phishing in that way.
About half (46%) of respondents consider emails with a malicious attachment to be phishing, and more than one-third (36%) think thread jacking (when attackers insert themselves into a legitimate email thread as part of an attack) is phishing.
Considering this wide variation among IT professionals in how they understand or define phishing attacks, it’s reasonable to expect a similar or greater variation in interpretation among non-IT and business employees.
The understanding of phishing varies amongst different IT professionals
This lack of a shared definition of ‘phishing’ among IT professionals will cause problems if attacks are mistakenly downplayed and companies become complacent.
“There is confusion about what constitutes phishing in every region. The temptation for organisations is to view phishing attacks as a relatively low-level threat, but that underestimates their power because phishing is often the first step in a complex, multi-stage attack,” says Chester Wisniewski, principal research scientist at Sophos, in an interview with ITNews Asia on the study.
“We’ve seen first-hand how a seemingly innocuous email can ultimately lead to a multi-million-dollar ransomware attack. Cryptojacking, data – and even financial – theft are all potential outcomes after a phishing attack has opened a door for adversaries.”
Why is phishing such a pressing concern?
Wisniewski says that the definition of phishing appears to have blended over time with all other types of messaging attacks.
“Initially it was easy to discern between spam email and phishing email, but as email attacks diversified and the mediums through which we receive bogus lures expanded to include SMS, phone and other messaging systems, most IT practitioners simply throw them all in the phishing bucket.”
The Sophos study reiterates that phishing remains one of the most potent cyber attack techniques primarily because it continues to evolve, and that it is getting worse as adversaries quickly identify new phishing opportunities and develop new tactics and techniques.
This is also borne out in the study, where a majority (70%) of all IT teams globally said the number of phishing emails hitting their employees increased during 2020.
Many adversaries are taking advantage of the opportunities presented by the pandemic and the blurring of home/work boundaries over the past two years.
According to the report, skilled adversary groups are now focussing their targeted attacks on countries with higher GDP. At the same time, phishing is also used in mass market ‘spray and pray’ attacks where the adversaries hope that if they try enough people, eventually someone will fall for the scam.
Almost every country has seen phishing attacks rise
Why is it easy now to fall prey?
Wisniewski says that as many employees are working from home, they have to determine if something is a scam without the help of the collective wisdom of their teams.
“People are less likely to ask a colleague ‘What do you think of this?’ and may end up clicking on more malicious content. The criminals themselves have focused on refining their lures to take advantage of hot topics like mask policies, vaccinations and other pandemic related topics likely to increase the likelihood of an interaction.”
While it is difficult to ascertain how the initial foothold in a ransomware attack was acquired, Wisniewski believes that phishing plays a significant role as an entry point or backdoor for ransomware.
“The three primary first steps to compromise are unpatched external-facing services, remote access tool abuse and email-based attacks. Often they are combined and a phishing attack is used to gather valid credentials which are then used to abuse exposed remote access services.”
How can we stop or mitigate these new phishing threats?
Wisniewski explains that, firstly, employees need to be clear about what constitutes phishing and companies need to know how to act.
Concise communications are essential to eliminate errors in policy definition. Because of the confusion amongst IT teams, he says it is important to specifically define what problem a security policy is meant to address to ensure you are in fact applying the correct control, tool or mitigation.
Wisniewski recommends three approaches to tackling phishing attacks.
- Scanning emails not just for spam but also with sandboxing technologies will dramatically reduce the number of malicious documents that reach users' inboxes.
- User education, especially encouraging staff to report new phishing attacks to the security team, can increase visibility and even allow faster responses to find victims of ongoing operations.
- The deployment of multi-factor authentication will reduce the likelihood that stolen credentials will lead to a compromise.
Sophos also advises that corporate phishing awareness and education programs consider the wide range of perceived phishing definitions and include training for non-technical employees that explain the different facets of phishing and email attacks.
This training needs to be viewed as both a preventative and a reactive tool, emphasises Wisniewski.
“Reducing the amount of malicious links and files being clicked is important and improves security, but reporting of phishing can be equally important to security teams. If five staff members receive a lure and one of them is alert enough to report it, the IT security team can approach the other four and clean up any malicious files, change passwords, etc.
“The reduction of the links clicked and reporting of malicious emails received is a solid approach to measure the progress of your training efforts.”
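The reporting workflow Wisniewski describes (one of five recipients reports the lure, and the security team then finds and cleans up the other four) is the kind of triage that can be scripted against mail-gateway and web-proxy logs. The following Python is an added example written for this article; it is not code from Sophos or ITNews Asia. The log line format, the field names and the domains `corp.example` and `evil.example` are all constructed for illustration, and the parsing regex is an assumption you would adapt to your own gateway and proxy formats.

```python
"""Triage a reported phishing email: find every other user who received the same
lure and split them into those who visited the lure site (reset passwords, check
the host) and those who only need the message pulled from their inbox.

Added example for this article, not code from the Sophos report. Log formats,
field names and domains below are constructed, not from any real product."""
import re
from urllib.parse import urlparse

# Constructed mail-gateway log lines (hypothetical key=value format).
MAIL_LOG = """\
2021-07-12T09:14:02Z from=hr-payroll@evil.example to=alice@corp.example subject="Updated mask policy - action required" url=https://evil.example/login status=delivered
2021-07-12T09:14:03Z from=hr-payroll@evil.example to=bob@corp.example subject="Updated mask policy - action required" url=https://evil.example/login status=delivered
2021-07-12T09:14:05Z from=hr-payroll@evil.example to=carol@corp.example subject="Updated mask policy - action required" url=https://evil.example/login status=delivered
2021-07-12T09:14:06Z from=hr-payroll@evil.example to=dave@corp.example subject="Updated mask policy - action required" url=https://evil.example/login status=delivered
2021-07-12T09:14:07Z from=hr-payroll@evil.example to=erin@corp.example subject="Updated mask policy - action required" url=https://evil.example/login status=quarantined
2021-07-12T09:14:08Z from=hr-payroll@evil.example to=frank@corp.example subject="Updated mask policy - action required" url=https://evil.example/login status=delivered
2021-07-12T09:30:00Z from=newsletter@vendor.example to=alice@corp.example subject="July update" url=https://vendor.example/news status=delivered
"""

# Constructed web-proxy log lines (hypothetical key=value format).
PROXY_LOG = """\
2021-07-12T09:20:11Z user=bob@corp.example url=https://evil.example/login action=allowed
2021-07-12T09:21:40Z user=bob@corp.example url=https://evil.example/submit action=allowed
2021-07-12T09:25:03Z user=dave@corp.example url=https://evil.example/login action=allowed
2021-07-12T09:26:30Z user=frank@corp.example url=https://evil.example/login action=blocked
2021-07-12T09:40:00Z user=alice@corp.example url=https://vendor.example/news action=allowed
"""

# What the reporting user submitted: who the lure claimed to be from and where it pointed.
REPORT = {
    "reporter": "carol@corp.example",
    "from": "hr-payroll@evil.example",
    "url": "https://evil.example/login",
}

# key=value pairs; values may be double-quoted (subjects contain spaces).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def lure_host(url):
    """Hostname of a URL, or '' if it cannot be parsed."""
    return urlparse(url).hostname or ""


def find_recipients(report, mail_log):
    """Users whose copy of the lure was actually delivered.

    A message counts as part of the campaign if it shares the reported sender
    address or the lure URL's host. Matching on the host rather than the full
    URL catches per-recipient tracking paths; quarantined copies are skipped
    because those users never saw the message."""
    host = lure_host(report["url"])
    hits = set()
    for line in mail_log.splitlines():
        rec = parse_kv(line)
        if rec.get("status") != "delivered":
            continue
        if rec.get("from") == report["from"] or lure_host(rec.get("url", "")) == host:
            hits.add(rec["to"])
    return hits


def find_clickers(users, lure_url, proxy_log):
    """Subset of users whose proxy log shows an allowed request to the lure host."""
    host = lure_host(lure_url)
    clicked = set()
    for line in proxy_log.splitlines():
        rec = parse_kv(line)
        if (rec.get("user") in users
                and lure_host(rec.get("url", "")) == host
                and rec.get("action") == "allowed"):
            clicked.add(rec["user"])
    return clicked


def triage(report, mail_log=MAIL_LOG, proxy_log=PROXY_LOG):
    """Everyone except the reporter who got the lure, split by whether they visited it."""
    recipients = find_recipients(report, mail_log) - {report["reporter"]}
    clicked = find_clickers(recipients, report["url"], proxy_log)
    return {
        "contact": sorted(recipients),
        "clicked": sorted(clicked),          # credential reset + host check
        "not_clicked": sorted(recipients - clicked),  # pull the message, warn the user
    }


if __name__ == "__main__":
    for bucket, users in triage(REPORT).items():
        print(f"{bucket}: {', '.join(users) or '-'}")
```

With the constructed logs, one report from carol turns into four other users to contact: bob and dave visited the lure and need a password reset, while alice and frank only need the message removed (frank's click was blocked by the proxy, which is worth a follow-up conversation but not a credential reset). The delivered/quarantined distinction and the host-level URL match are the two details most often missed when this is done by hand.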