#BeCyberSmart: Real World Advice on How to 'Fight the Phish'

Posted by Kevin Hutchinson, CISSP on Oct 11, 2021 4:00:00 PM

## Preventing phishing in today's changing environment

For over 20 years, I have been telling people the same thing, “Don’t open emails from people you don’t know.” Fast forward to 2021 and that is still true. Threat actors are impersonating people we know, which has created a shift in our thinking toward email. In fact, malicious emails are up 600% since the start of the COVID-19 pandemic (ABC News) and 81% of U.S. organizations faced SMS/text phishing attacks in 2020 (Proofpoint 2021 Report).

We still shouldn’t open emails from people we don’t know, but that is no longer enough. Now, the thought has to be “question every email.” That may seem like a daunting task, but proper and continuous training will help filter most legitimate emails from phishing attacks relatively quickly.

The security awareness training program developed ten years, or even five years, ago is probably outdated and not designed to keep pace with the advances that threat actors have made in phishing attacks—and the attacks are only going to increase.

Sitting through a one- to two-hour security awareness training session once a year does not adequately prepare employees for dealing with today's threat landscape. Think of it another way: if you were NASA and wanted a successful mission to Mars, would you train the astronauts on mission-critical tasks for one hour a year? Probably not.

Advances in technology have given threat actors the ability to become more sophisticated in their attacks, but, oddly enough, it is the simple phishing attempts that often have the most success. Attackers often deploy a “spray and pray” technique, sending out hundreds of thousands of phishing emails hoping someone will open the attachment in the email or click on the link. Once you do, they have you.

So how do you avoid falling prey to a phish? Train more often, apply the fundamentals of security awareness training and read, don’t scan, your emails. Here are a few signs that an email is suspicious:

  • The sender’s display name does not match the email address shown in <sender’s email>.
  • The email was not expected.
  • There's a heightened sense of urgency to get you to do something.
  • The message composition is unusual. Does the sender normally write this way?
  • They are asking for information they should already have.
  • They are asking for personal information.
  • Do you have to click on a link or open an attachment to complete a task?
  • The domain name is slightly off (e.g. exhlbition instead of exhibition, service instead of services, etc.).
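The checklist above can be turned into a first-pass triage that a mail gateway or help desk could run before a human reads the message. The following is an added example and not code from the original post; the trusted-domain list, the urgency and sensitive-request phrase lists, and the three sample messages are all constructed for illustration. It checks the display name against the real address, measures how far the sender's domain is from a trusted one (the "exhlbition"/"exhibition" and "service"/"services" cases from the list), and looks for urgency language, requests for information the sender should not need, and a link you are pressured to click.

```python
"""Checklist-driven email triage: turns the indicators above into checks (added example)."""
import re

# Constructed for this example: domains the organisation treats as legitimate senders.
TRUSTED_DOMAINS = {"exhibition.example", "services.example"}

# Constructed phrase lists: manufactured urgency and requests for information the
# sender should not need.
URGENCY_PHRASES = ("immediately", "urgent", "within 24 hours",
                   "account will be suspended", "act now")
SENSITIVE_REQUESTS = ("password", "verify your account", "social security", "bank details")

# Matches 'Display Name <user@domain>' (quotes around the name optional).
ANGLE_ADDR = re.compile(r'^\s*"?(?P<name>.*?)"?\s*<(?P<addr>[^<>]+)>\s*$')
LINK = re.compile(r"https?://\S+")


def split_from(header):
    """Return (display name, address) for a From header; bare addresses get an empty name."""
    m = ANGLE_ADDR.match(header)
    if m:
        return m.group("name").strip(), m.group("addr").strip().lower()
    return "", header.strip().lower()


def levenshtein(a, b):
    """Edit distance; one swapped or dropped letter is what 'slightly off' looks like."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """The trusted domain that `domain` nearly matches, or None if it is exact or unrelated."""
    domain = domain.lower()
    if not domain or domain in trusted:
        return None
    best = min(trusted, key=lambda t: levenshtein(domain, t))
    return best if levenshtein(domain, best) <= max_distance else None


def display_name_mismatch(from_header):
    """True when the display name carries an address, or a trusted domain, that the real address lacks."""
    name, addr = split_from(from_header)
    name = name.lower()
    if not name:
        return False
    if "@" in name and name != addr:
        return True
    domain = addr.rsplit("@", 1)[-1]
    return any(t in name for t in TRUSTED_DOMAINS) and domain not in TRUSTED_DOMAINS


def triage(message):
    """Apply the checklist to {'from', 'subject', 'body'} and return the indicators found."""
    flags = []
    _, addr = split_from(message["from"])
    domain = addr.rsplit("@", 1)[-1]
    text = (message.get("subject", "") + " " + message.get("body", "")).lower()

    if display_name_mismatch(message["from"]):
        flags.append("display name does not match the sender address")
    near = lookalike_domain(domain)
    if near:
        flags.append(f"sender domain {domain!r} resembles trusted domain {near!r}")
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    asks = [p for p in SENSITIVE_REQUESTS if p in text]
    if asks:
        flags.append("asks for sensitive information: " + ", ".join(asks))
    # A link on its own is normal; a link you must click under pressure is the indicator.
    if LINK.search(text) and (hits or asks):
        flags.append("task requires clicking a link")
    return flags


# Constructed sample messages: two phishing patterns from the checklist and one legitimate mail.
SAMPLE_MESSAGES = [
    {"from": "Accounts Payable <ap@exhlbition.example>",
     "subject": "URGENT: invoice overdue",
     "body": "Your account will be suspended unless you verify your password at "
             "http://exhlbition.example/login immediately."},
    {"from": "ceo@exhibition.example <ceo.exhibition@freemail.example>",
     "subject": "Quick favour",
     "body": "Are you at your desk? I need you to act now on something."},
    {"from": "Jane Doe <jane.doe@services.example>",
     "subject": "Meeting notes",
     "body": "Attached are the notes from this morning, no action needed."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", triage(msg) or ["no indicators"])
```

Two design points: the From header is split with a simple regex rather than `email.utils.parseaddr`, because a display name that itself contains an address is exactly the case we want to inspect and a standards-compliant parser will reject or reinterpret it; and a link is only flagged when it appears together with urgency or a request for sensitive data, since flagging every link would teach users to ignore the warning. None of these checks replaces reading the email, which is the point of the post: they pick out the messages that deserve a second look.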

Here is an example of a real-world phishing attempt; the recipient’s name and email address have been redacted. Notice anything unusual?

[Image: phishing-sample-1]

Here is the same message with some red flags indicated. Were you able to identify the indicators of a potential phish?

[Image: phishing-sample-1-annotated]

Continuous training that evolves with the threat landscape will keep you alert and your phishing detection skills honed.

“We don't rise to the level of our expectations, we fall to the level of our training.” - Archilochos

Learn more about our Cybersecurity Services, including Awareness Training and Virtual CISO services, at IGIcybersecurity.com.