- The Relentless Growth of Phishing Attacks
- 17 Easy Hacks to Prevent a Phishing Attack
The relentless growth of phishing attacks
According to Andrew Conway, General Manager for Microsoft 365 Security, about 80% to 90% of the data breaches that his team saw were attributed to phishing. Even though Microsoft and others are taking steps to detect these attacks before they hit a user’s inbox, such algorithms can’t catch all of them — and then it’s up to the user to know what to do!
Here is a first-hand account from an IT administrator who bore the brunt of a phishing attack.
So, what exactly is phishing?
What are the different types of phishing attacks?
1. Business domain impersonation
Here is an example of how an employee of Disney fell prey to a phishing scam and sent over $700,000 to someone she believed to be a Disney vendor.
2. Brand impersonation
Here is an example: A lot of unsuspecting individuals received the Netflix Account Disabled! notification email. Upon clicking a button in the email, they were prompted to enter their credit card details. Of course, the email was a scam, and if an unsuspecting victim had entered the credit card information, the attacker would have had instant access to the credit card information.
3. Suspicious link
The 2017 Anti-Phishing Working Group report says that people are often fooled by URL shorteners – which hide the destination domain – or by brand names inserted in the URL. Here is an example of a suspicious link:
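As an added example (not code from the original post), the following Python checks a link for the two tricks just described: a shortener that hides the destination domain, and a brand name placed in the subdomain, path or userinfo of a URL that is actually served by some other domain. The shortener list and brand table are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed for this example: common URL shorteners and the brands an
# attacker might drop into a look-alike URL, each with its real domain.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
BRANDS = {"netflix": "netflix.com", "paypal": "paypal.com", "disney": "disney.com"}


def registered_domain(host: str) -> str:
    """Last two labels of a hostname (IP literals are returned unchanged).
    A production check would consult the Public Suffix List instead."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    return ".".join(host.split(".")[-2:])


def check_link(url: str) -> list:
    """Return the reasons a link looks suspicious; an empty list means none."""
    findings = []
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = parsed.hostname or ""
    reg = registered_domain(host)
    if reg in SHORTENERS:
        findings.append(f"shortener {reg} hides the real destination")
    if "@" in parsed.netloc:
        findings.append("userinfo before '@' can disguise the real host")
    # Look for brand names anywhere in the URL except the registered domain.
    haystack = f"{parsed.netloc}{parsed.path}?{parsed.query}".lower()
    for brand, real_domain in BRANDS.items():
        if brand in haystack and reg != real_domain:
            findings.append(f"mentions {brand} but is served by {reg}")
    return findings


if __name__ == "__main__":
    for link in ("https://www.netflix.com/browse",
                 "http://netflix.com.account-verify.example/login",
                 "https://bit.ly/3abcXYZ"):
        print(link, "->", check_link(link) or ["no findings"])
```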
4. Name impersonation
5. Content injection
Content injection is a type of phishing attack in which the attackers use macro code to create an infected email attachment or piece of visual content. Opening the attachment either leads the victim to a phishing page or downloads malware from a remote server.
6. Man-in-the-middle attack
Here is an example of a phishing attack that came to light in Europe. The attackers used sophisticated techniques to intercept corporate email communications and made payment requests.
7. Search engine attack
17 easy hacks to prevent a phishing attack
1. Use the spam filter for Gmail and Microsoft 365/Outlook
Here is how you can configure the spam filter settings for Gmail:
- Go to “Gmail Admin Console.”
- Choose “G Suite” from the “Apps Tab.”
- Select “Settings for Gmail”→“Advanced Settings”→“Spam Settings.”
G Suite administrators can also access a report on spam detected in their network. By analyzing the spam report, an administrator can gain useful insights such as:
Unsafe browsing behavior: Any unusual spike in the spam graph can be a result of users visiting unauthorized websites.
Irrelevant subscriptions: Personal subscriptions using a business email address can trigger a jump in spam.
Pretexting attacks: A sudden growth in spam could indicate the possibility of attackers attempting to gather personal details of employees before launching a phishing attack.
Spam filtering in Office 365
Office 365 also has a comprehensive set of features to control spam. These features are available at all subscription levels.
2. Use multi-factor authentication
Google Authenticator
Integrate Google Authenticator with your applications. It is an app that generates 2-Step Verification codes on your mobile device. In addition to your password, you will also need a code generated by the Google Authenticator app on your phone to sign in to an account. Refer to this Asaf article to enable Google Authenticator for your applications.
A popular alternative for Google Authenticator is Duo Security.
Security code
Another way to prevent unauthorized access is by enabling the security code settings in your email account. All subscription plans of G Suite and Office 365 – except trial versions – enable users to get a security code on their mobile device to verify their identity. The administrator can also set the mode of communication for receiving the security code – as a text message or a call.
USB device as authenticator/signature device
Critical applications or sensitive data stored in your network can be protected with the help of a USB device. USB authentication requires employees to insert the USB device that holds the signature and enter a security code to access the application. Yubico is one such authentication device.
3. Configure email for secure data flow
DomainKeys Identified Mail (DKIM) is an email authentication mechanism that verifies that emails really were sent by the domain they claim to come from. Emails that pass this check are termed DKIM-passed. Using DKIM, the administrator can whitelist business domains and so prevent phishing emails from external domains that fail authentication.
How to enable/disable email authentication and file sharing settings for Gmail:
For enabling email authentication:
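The check below is an added illustration, not code from the post or from SysCloud: it parses a DKIM-Signature header, derives the DNS name where the signer's public key is published, and tests whether the signing domain (d=) is aligned with the visible From domain, which is the question that matters for impersonation. It does not fetch DNS or verify the signature itself; the sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Constructed sample headers for this example (the bh= and b= values are
# placeholders, not real digests or signatures).
SAMPLE_FROM = "Accounts Payable <ap@example.com>"
SAMPLE_DKIM = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=mailer.example.com; "
               "s=sel2019; h=from:to:subject:date; bh=PLACEHOLDER; b=PLACEHOLDER")
SPOOFED_DKIM = SAMPLE_DKIM.replace("d=mailer.example.com", "d=bulk-sender.example")


def parse_dkim_tags(header: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 tag list)."""
    tags = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # drop folding whitespace
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain approximated as the last two labels; a real
    implementation uses the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def dkim_alignment(from_header: str, dkim_header: str) -> dict:
    """Report where the signer's public key lives in DNS and whether the
    signing domain (d=) matches the visible From domain, in DMARC's two modes.
    A valid signature from an unrelated d= says nothing about the From address."""
    tags = parse_dkim_tags(dkim_header)
    signer, selector = tags.get("d", "").lower(), tags.get("s", "")
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    return {
        "dns_record": f"{selector}._domainkey.{signer}",  # TXT record to fetch
        "strict": from_domain == signer,
        "relaxed": org_domain(from_domain) == org_domain(signer),
    }


if __name__ == "__main__":
    print(dkim_alignment(SAMPLE_FROM, SAMPLE_DKIM))
    print(dkim_alignment(SAMPLE_FROM, SPOOFED_DKIM))
```

A message whose only DKIM-passed signature is unaligned should be treated as unauthenticated for the From domain, however valid the signature is.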
- Go to “Admin console”→“Apps”→“G Suite”→“Gmail Suite”→“Settings for Gmail”→“Authenticate Email”
- Customize the outgoing email settings with DKIM authentication
For enabling secure sharing settings:
- Go to “Admin console”→“Apps”→“G Suite”→“Settings for Drive and Docs”
- Select the suitable option and apply for your domain
How to enable/disable sharing settings for Office 365:
- Go to “Admin”→“Service Settings”→“Sites and Documents Sharing”
- Select one of the following options accordingly:
  1. Turn on external sharing
  2. Turn off external sharing
4. Monitor suspicious external sites
How do you determine if an external site is genuine or fake? The following factors should be assessed before classifying a website as safe/unsafe:
- Search traffic
- Unique visitors
The Alexa rank for a website can provide a pointer to the credibility of the website.
If you were looking at a duplicate version of the Google website, the Alexa stats would be different. It is recommended to use a third-party tool like SysCloud Phishing Security to automate the flagging of suspicious websites that users in your network might have visited.
5. Perform real-time scan
SysCloud Phishing Security is one such real-time scanning application. This application allows the administrator to detect and remove threats from a domain. It covers G Suite as well as Office 365 applications.
How to perform a real-time scan with SysCloud Phishing Security application:
- Go to “Admin console”→“Data Loss Prevention”→“Sharing Insights”
- Select the domain from the domain drop-down menu and click on “SCAN NOW” to see the results
Real-time scan enables you to:
- Look into the collaborators of a particular document
- Detect data leaks
- Receive details about the threats from scan results
6. User and entity behavior analytics (UEBA)
For example, if you are using Office 365 with the Enterprise E5 subscription plan, there is an option called Audit log, where the administrator can define suspicious activities for their domain.
If you are not using Office 365, you can also choose from third-party UEBA tools. Here is a list of UEBA vendors published by Gartner.
7. Implement solutions for malware and spyware
Some of these objectives are to:
- Steal confidential data
- Use the victim’s IT Infrastructure as a host for a mass phishing attack
- Demand a ransom by encrypting the files
In 2017, WannaCry ransomware made big headlines as it caused significant financial loss amounting to billions of dollars across hundreds of countries.
Here is the 2017 Gartner Peer Insights report on the best endpoint solutions chosen by customers.
For a direct comparison of anti-malware security solutions, refer to the comparison table from the PC Magazine.
8. Implement secure document sharing
Internal to the domain: For G Suite, enabling the “Authorised Email gateways – SMTP” option can whitelist all the channels – like gappssmtp – used for internal communication.
To enable this option, go to “Admin Account→Apps→G Suite→Settings for Gmail.” This will prevent emails sent through unauthorized SMTP gateways from reaching employees. For example, in the image below, “syscloud.com” is spoofed through the “smtpservice.net” portal and a phishing link is sent to the employees.
External to the domain: Communication with an unauthorized external domain may put your organizational data at risk. Cyber attackers often use spoofing to steal sensitive data. For example, “email@example.com” and “firstname.lastname@example.org” look similar, but they are two different domains.
Private among few users of the same domain: IT administrators can create multiple internal groups within their domain. This makes communication easier among a group; however, groups can also make it easy for attackers to carry out name-impersonation phishing attacks. A single email can reach a number of potential victims in your organization. For example, “email@example.com” can give the attacker the opportunity to target all key members of the group using a single email.
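As an added example (not part of the original post), this Python classifier flags sender domains that imitate a trusted domain by digit substitution, letter-pair tricks such as "rn" for "m", accented characters, near-miss spellings, or by embedding the trusted name as a label of an attacker-controlled domain. The TRUSTED allowlist is a constructed placeholder.

```python
import unicodedata

# Constructed allowlist: your own domains and those of known business partners.
TRUSTED = ["example.com", "example.org"]
# Digits that are commonly used in place of letters they resemble.
DIGIT_GLYPHS = str.maketrans("013578", "olestb")


def normalize(domain: str) -> str:
    """Fold common look-alike tricks back to the ASCII letters they imitate.
    (Cyrillic/IDN homographs would additionally need a confusables table.)"""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # strip accents
    return d.translate(DIGIT_GLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches near-miss spellings such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, max_distance: int = 2) -> str:
    """Label the sender's domain: trusted, subdomain, lookalike, embeds or external."""
    domain = address.rpartition("@")[2].lower()
    if domain in TRUSTED:
        return "trusted"
    norm = normalize(domain)
    for trusted in TRUSTED:
        if domain.endswith("." + trusted):      # a genuine subdomain
            return f"subdomain of {trusted}"
        if norm == trusted or levenshtein(norm, trusted) <= max_distance:
            return f"lookalike of {trusted}"
        if trusted in norm:                      # e.g. example.com.attacker.example
            return f"embeds {trusted}"
    return "external"


if __name__ == "__main__":
    for addr in ("ap@example.com", "ap@examp1e.com", "ap@exarnple.org",
                 "ap@example.com.attacker.example", "ap@unrelated.example"):
        print(addr, "->", classify_sender(addr))
```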
9. Prevent phishing on your G-Suite domain
Go to “Admin Account” →“Apps”→“G Suite”→“Security.”
2-Step verification: Enabling this option will provide a multi-factor authentication for the users in your domain.
Access permission for only trusted apps: Enabling this option will prevent suspicious apps from accessing your data.
Avoid unsafe attachments: Enabling this option will protect the user from receiving attachments via suspicious emails.
Links and external links: Enabling this option will help the admin to block unsafe links and images.
Spoofing and authentication: Enabling this option will stop name impersonation/spear phishing attacks.
10. Enable Office 365 phishing protection
For Office 365 users, ATP anti-phishing protection – part of Office 365 Advanced Threat Protection – is available for the Office 365 Enterprise E5 subscription plan.
To protect your organization from phishing attacks, you can set up an ATP anti-phishing policy:
- Go to protection.office.com and sign in with your work or school account.
- Choose the “Office 365 Security & Compliance Center” option.
- In the left navigation pane, choose the following: “Threat management”→“Policy”→“ATP anti-phishing.”
- To add a new policy, click on the “Create” option.
- To edit an existing policy, click on the specific policy name and choose the “Edit policy” option.
- Specify the name, description, and settings for your policy.
- Click on “Create this policy” or “Save,” as required.
11. Enable secure browsing with virtual desktop infrastructure
12. Deploy password alert extension for G Suite
13. Use encryption for data transmission
Gmail and Outlook provide out-of-the-box encryption options for administrators. Administrators can set outbound email communication to use either Transport Layer Security (TLS) – standard encryption – or S/MIME – enhanced encryption.
For enabling S/MIME encryption in Outlook:
- Go to the File tab and click on “Options→Trust Center→Trust Center Settings→Email Security.”
- The encryption setting is in the right pane of the window, in the “Email Security” section.
- Click on “Encrypt contents and attachments for an outgoing message.”
- Click on “OK” to finish the process.
For enabling S/MIME encryption in Gmail (G Suite):
- Open the Google Admin console.
- Go to “Apps→G Suite→Gmail→User settings.”
- Under the “Organizations” option, select the domain or organization you want to configure.
- Scroll down to the S/MIME setting and check the “Enable S/MIME encryption for sending and receiving emails” option.
- Optional setting: If you want to let users upload certificates, click on the “Allow users” option.
- Additional controls: If you want to upload and manage root certificates, use the S/MIME trusted certificates controls:
  - Click on "Add to Accept these additional Root Certificates" for specific domains.
  - Click on "Upload Root Certificate."
  - Browse to select the certificate file and open it.
  - From the "Encryption level" option, select the encryption level that needs to be used.
  - Under the "Address list", enter at least one domain that will use the root certificate.
  - Click on "Save."
14. Enable OAuth
Two-legged OAuth (for administrator-managed applications):
Three-legged OAuth (for user-managed applications):
For G Suite:
- Go to “Admin console→Security→Advanced Settings→Authentication.”
- Click on “Manage API client access.”
For Exchange Online:
- Connect to Exchange Online PowerShell.
- Do any one of these steps:
  - Run this command to enable modern authentication in Exchange Online: Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
  - Run this command to disable modern authentication in Exchange Online: Set-OrganizationConfig -OAuth2ClientProfileEnabled $false
- To verify that the change was successful, run this command: Get-OrganizationConfig | Format-Table -Auto Name,OAuth*
15. Communicate the latest attacks
Dropbox Scam: An email that’s designed to look like a Dropbox notification can easily infect the organization network with malware.
DHL parcel scam: Here, users are asked to verify their personal details for parcel delivery.
FedEx scam: This is a package delivery scam. In the below image, clicking on the “here” option will download malware into the system.
- Select a topic or a cluster of relevant keywords for a topic.
- Click on “Create an Alert” option.
- Go to the Google Alert email in your inbox.
- Click on “More”→“Filter messages like these”→“Don’t include chats”→“Continue.”
- From the “What happens when the message arrives” setting, click on the “Forward to:” option to add the respective group of people.
- Click on “Create filter” option.
16. Use third-party tools
How to create a phishing policy?
- Click on the “Compliance” tab→“Policies.”
- Click on “Create Policy” to create a new policy.
- A new policy will be created with the standard name “Phishing policy_MM/DD/YYYY HH:MM:SS”. You can enable the policy for the entire domain, for individuals, or for business units accordingly.
- Define the cloud applications that will be covered by the phishing policy. The administrator can select G Suite, Office 365, or both.
- Select the protection level.
- The administrator can define real-time actions against phishing attacks:
  a. Audit only: This action will retain the infected email in the inbox, but it will report the issue in the admin console.
  b. Add banners and labels to email: This action will add caution banners and quarantine labels to the flagged email.
  c. Move to trash: This action will move the email to the spam folder.
- Exception management is an add-on feature for users. Here, users can raise an exception query if they feel that the received email is safe.
- Click on the “✓ Finish & Active” button to enforce the policy.
17. Use a phishing simulator
- What is phishing?
- What does it look like?
- The dangers of opening emails with enticing subjects
- Perils of emails prompting you to take action immediately
- Brand impersonation and domain impersonation
- SecurityIQ PhishSim
- Simple Phishing Toolkit (sptoolkit)
- Phishing Frenzy
- King Phisher
- SpeedPhish Framework (SPF)
- SpearPhisher BETA
If you have implemented Office 365 and also have the Enterprise E5 subscription plan – the highest subscription level – you can simulate phishing attacks.
1. Spear phishing attack,
2. Brute-force password attack, and
3. Password spray attack.
If you have follow-up questions or want to learn more about SysCloud, please contact us.