Ad Image

Plenty of Phish in the Sea

phishing

phishing

Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Aamir Lakhani of Fortinet looks at some of the different bait being dropped by hackers on phishing expeditions people are still falling for.

Expert Insights badgeAs ransomware incidents continue to climb, we’re seeing that even as things change, there’s a lot that still stays the same. Bad actors are still using the same playbook – and it’s working. A recent survey on ransomware found that phishing remained the top tactic (in 56 percent of cases) that malicious actors used to infiltrate a network and launch a ransomware attack.

If it’s not broke, don’t fix it, right? In a sea of possibilities, if the same tactic continues to work, bad actors will keep using it. And phishing has proven time and time again to be highly effective, especially when it’s based in social engineering. It’s also getting easier than ever. Sophisticated phishing tool kits are sold or given away for free on many hacker forums; they’re available to download on sites such as GitHub, and they’re available or distributed through TOR or BitTorrent.

[box style=”3″]

Looking to touch up your endpoint protection? Check out our free Endpoint Detection & Response Buyer’s Guide!

[/box]

Plenty of Phish in the Sea

Preying on Human Nature

Cyber-attackers make the most of any chance they are given. They feed on human nature as well as weaknesses in security. The overarching risk that can’t be patched or corrected easily is the human factor.

We’ve all seen it: that email that comes in from a co-worker asking you to respond to them for something urgent or an email purporting to be from a magazine you subscribe to asking you to address an issue with your account by clicking on this link. Or maybe it seems to be from a sender from a nonprofit organization that aligns with a cause dear to your heart with a link asking for donations.

Some of the recent examples of social engineering-based phishing attacks we’ve seen include:

  • Tax Day-based lures: No one likes paying taxes, and almost everyone fears the IRS, no matter how above-board they are. So an email purporting to be from the IRS that comes near April 15th is bound to spark some concern. Every year, we see a number of phishing campaigns that target people who may not be as savvy about tax laws and navigating the tax system such as new taxpayers younger than 25, taxpayers over 60, small business owners and Green Card holders.
  • COVID-19: The pandemic was ripe with opportunity for social engineering attacks. For example, we saw enticing titles like “New COVID-21 Variant” and “An Urgent Computer Update” used in spearphishing emails to different security branches of the Ukrainian government. The attackers’ objectives included installing Saint Bot Downloader, which has previously downloaded infostealers and other downloaders, and stealing private files and documents.
  • The lost or forgotten password: This one is tried-and-true and not tied to any specific event, news item, or social occurrence, but we see it all the time because bad actors have determined it has a good chance of being effective. The typical method of delivery with these is an email purporting to be from Amazon, a bank, credit card company, etc., and stating that a person’s password needs to be changed and urging them to click on the link to supposedly re-set that account’s password,

Tackle Social Engineering From a Training Standpoint

In terms of training, it comes down to practicing good cyber hygiene and keeping your staff (all of them) up to date on the latest best practices. Employees can learn how to recognize risks, safeguard their businesses, and protect themselves with the support of broad cybersecurity awareness training. It’s important to convey that these aren’t just practices for their work life; they apply to their personal digital life, too.

Make sure your training program teaches employees to create different usernames and passwords for every app. This is nothing new, but it remains crucial. Consider including a phishing simulation service to help employees learn to spot phishing attempts. Such a service employs real-world simulations to assist enterprises in testing user awareness and attention to phishing dangers as well as to teach and reinforce proper procedures when users come across phishing attempts.

And be sure the training teaches employees these tactics:

  • Check for typos and grammatical errors. Phishing emails frequently have flaws like this that are obvious. Be sure to check the sender’s email address, too, for legitimate domain names.
  • Maintain a healthy skepticism. Always be suspicious of any unusual or unexpected emails or phone calls.
  • When connected to public Wi-Fi, use a VPN. An easy vector for attackers to spread ransomware is through public Wi-Fi. By securing the connection, a VPN prevents outsiders from inserting viruses.
  • Don’t divulge private information. Never share credit card numbers or Social Security numbers over the phone or via email.

Bolstering Defenses From a Technology Standpoint

Use endpoint protection and firewalls to help stop cyber-attacks. Enterprises should deploy next-generation firewalls (NGFW) that can analyze incoming traffic from both directions and look for malware and other risks. With this approach, a firewall can ascertain the origin and destination of a file and offer other crucial details to find out whether it includes ransomware.

It’s essential to provide workers with the appropriate endpoint security. Proactive attack surface reduction, malware infection prevention, real-time threat detection and mitigation, and automated reaction and remediation processes with customizable playbooks are all capabilities of advanced endpoint security. Optimizing zero trust network access (ZTNA) and multi-factor authentication (MFA) is important.
Additionally, when an event is discovered, emergency incident response services can offer a prompt and efficient reaction. Finally, by using readiness evaluations, IR playbook preparation, and IR playbook testing (tabletop exercises), incident readiness subscription services offer tools and insight to assist organizations in better preparing for a cyber incident.

Security in a Sea of Threats

In the world of cybersecurity, some things never change. Phishing remains the top tactic used by bad actors to infiltrate networks and launch ransomware attacks, and social engineering remains a highly effective tactic for infiltration. However, organizations can take steps to protect themselves. Comprehensive cybersecurity awareness training is crucial for all employees, as is having a comprehensive security technology stack. By taking these steps, organizations can reduce the risk of falling victim to phishing and other cyber threats.

Download Link to Endpoint Security Buyer's Guide

Aamir Lakhani
Follow Aamir
Latest posts by Aamir Lakhani (see all)

Share This

Aamir Lakhani

Aamir Lakhani is a cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs. He formulates security strategy with more than fifteen years of cybersecurity experience, with the goal to make a positive impact on the global war on cyber-crime and information security. Lakhani provides thought leadership to the industry and has presented research and strategy worldwide at premier security conferences. As a cybersecurity expert, his work has included meetings with leading political figures and key policy stakeholders who help define the future of cybersecurity.  

Related Posts

Endpoint Security and Network Monitoring News for the Week of July 7
Best Practices
Endpoint Security and Network Monitoring News for the Week of July ...
Endpoint Security and Network Monitoring News for the Week of June 23
Endpoint Security News
Endpoint Security and Network Monitoring News for the Week of June ...
Common Cybersecurity Myths
Best Practices
Debunking 7 Common Cybersecurity Myths

IAM Solution Suggestion Engine

Ad Image

Follow Solutions Review