The Social Engineer

Human Beings: The most easily exploitable aspect of security

A Phishing Primer

IT Security, Social Engineering

Organizations spend ridiculous amounts of money to protect their networks and data. They are constantly implementing the newest technology to stay a step ahead of malicious attackers. But attackers know this. Why would they spend hours on end trying to circumvent these barriers when all they have to do is deploy a social engineering attack and have a human let them in? This is why the risk associated with social engineering attacks (e.g., phishing, vishing, in-person engagements) is so great, and why it is not going anywhere.

Implementing the newest technology to maintain a security posture that won’t keep you up at night is a constant and expensive battle, and it is an important one; the cost of the technology is 100% worth it. But just as important as having the software and hardware needed to keep your assets safe is the training you provide for your employees.

At Secure Guard Consulting (SGC), as part of our full cybersecurity / information technology audit, we perform social engineering assessments. These assessments include phishing assessments, vishing assessments, and in-person (physical) assessments. In this article we will focus on phishing assessments.

How many emails do you think you get in your inbox on an average day? Ten? Fifty? One hundred? According to the Radicati Group, a technology market research firm out of Palo Alto, California, the average business user alone receives and/or sends nearly 130 emails per day. When factoring in everyone else, the total worldwide count for emails sent and received per day is nearly 250 million. That’s a lot of emails. It also happens to be a lot of opportunities for the bad guys to make you, your family, or your organization suffer. Whether for business, interpersonal communication, or consumer notifications, there are an infinite number of reasons to open an email and peruse its contents, click its links—and one enormous reason not to.

It’s called phishing, and it’s by far the most popular technique used by scammers and social engineers to induce individuals to hand over personal information, including credentials and other pertinent knowledge, or otherwise influence them to make a decision, good or bad. There are various types of phishing, which will be discussed further later in this article. First, however, I wanted to share a couple of real-life examples of phishing attacks that led to some of the largest and most costly breaches in recent history.

In 2013, the retail giant Target Corp. was breached, losing 40 million payment card credentials and 70 million customer records. While this may seem like a small breach by today’s standards, it was a seismic event in the retail and InfoSec spaces, as it was one of the first times that the consumer base was hit on such a large, personal scale.

One might ask, how could something of this magnitude happen to a corporation of Target’s size? Well, it was quite simple. The criminals gained access to Target’s computer network via credentials that were stolen from a third-party vendor. Any guesses as to how the credentials were stolen? Phishing, of course! An employee at the third-party vendor clicked a link within a phishing email that downloaded malware onto the user’s computer, which in turn stole credentials that gave access to Target’s corporate servers. While the total cost of the breach is still being determined, the cost for reissuing credit cards by financial institutions has already reached $200 million—before any fraudulent charges or lawsuits were considered. The bottom line is that this dramatic and expensive breach was probably avoidable, given the right knowledge and tools.

Another well-known breach was the RSA Security breach in 2011. This one came courtesy of a malicious Excel spreadsheet attached to an email that was deliberately sent to low-level RSA users. What’s interesting about this particular case is that RSA’s spam filters caught these emails and sent them to the users’ Junk folders. Unfortunately, one user went out of their way to open the email and its attachment from the Junk folder, giving the attackers access to the internal network and to critical information about RSA’s products.

One can see here why knowing about the dangers of phishing is extremely important. Even though the technological safeguards worked as intended, the human element was taken advantage of. Following the breach, parent company EMC spent $66 million on cleanup costs, including transaction monitoring and replacement of encryption tokens. Understanding the dangers of phishing and social engineering attacks, and the safeguards against them, is paramount to protecting yourself and your business from reputation-smearing breaches and costly cleanups.

More examples of famous phishing campaigns:

  1. Nigerian Prince Email Scam
  2. Operation Phish Phry
  3. The Moscow World Cup Vacation Rental Scam
  4. Facebook Email Scam
  5. Bank of America Scam
  6. FedEx / UPS Delivery Scam

Now that we’ve seen just how devastating phishing attacks can be, let’s take a closer look at phishing. Phishing itself is defined by Merriam-Webster as “a scam by which an Internet user is duped (as by a deceptive e-mail message) into revealing personal or confidential information which the scammer can use illicitly.”

In a general sense, phishing covers a wide array of email scams that all attempt to get you to click a link, download an attachment, or in some other way manipulate you into oversharing critical information. These links or attachments may install malware onto the user’s computer, gathering everything from user credentials to intellectual property. Companies and individuals alike are typically targeted by cybercriminals via emails designed to look like they came from a legitimate bank, government agency, or organization.

A user may get an email that looks to be from their personal bank, stating that if the user doesn’t click the link provided to update their account information immediately, their account will be suspended and access to their money restricted. This, of course, would be enough to make nearly all of us “panic click”, as we take our money very seriously, especially when we think we might lose it! Next, let’s take a quick look at a few more key types of phishing.

There are a few more types of phishing that you will likely see in the wild. Vishing is the telephone equivalent of phishing, whereby instead of emailing, someone may call you up pretending to be with your credit card company, manipulating you into sharing or confirming your credit information under the guise of assisting you with an account issue. Vishing can be particularly dangerous when paired with regular phishing. Sometimes, the bad guys will send a phishing email first, and then call shortly after, claiming to be the person who sent the email, adding extra credibility to the phish. You’re more likely to trust someone after they validate the information that they just sent you, so you must be extra careful with regards to callers and emails, especially when you don’t specifically know them or their business.

Spoofing is a technique used within phishing to make it look like the email is coming from a different person and/or address than it really is. The core email protocols have no built-in mechanism for authenticating the sender, so it is common for spam and phishing emails to forge addresses to confuse the recipient about who exactly is sending the message. It’s easy to see why this is a typical tool of scammers and social engineers: the recipient is much more likely to open an email and click a link if it looks like it’s from a legitimate address.

Spear phishing is a type of phishing attack that has been tailored to a specific recipient. What makes a spear phish unique (and very dangerous) is that the attacker has done their research on you. By scanning your social media pages, search engine results, and anything else with your name on it, social engineers may know more about you than you think. Where you work, who is in your family, your interests and tastes: they know it all. In most cases, the recipient gave this information away willingly online without thinking of the consequences. With this information in hand, a skilled social engineer can send you a personalized spear-phishing email that you are inclined to believe is real, because it includes details so close to you that it seems it must be.

The message will create some sort of instant emotion within you, preying on your inability to think critically in that moment. Say you get an email that appears to come from the National Center for Missing and Exploited Children, containing a report with your child’s picture and details, stating that they are missing and that you need to click the provided link immediately to assist with the investigation. In that moment, you likely click right away, because the email not only appealed to authority but also carried extra credibility for you personally, using real information about your child (probably easily extracted from social media). This is just an illustrative example, of course, but the bad guys won’t hesitate to prey on fear, greed, and anxiety.

Why are these attacks so successful? It has something to do with our biology. The attacks use something called amygdala hijacking to make you act before you think. The amygdala is a set of neurons located deep in the brain’s medial temporal lobe, responsible for processing emotions. That includes the fear circuit in your brain, capable of activating your fight-or-flight response when faced with a perceived threat. When this occurs, the amygdala triggers an immediate and intense unconscious emotional response that shuts down the cortex, making it difficult to think clearly about the situation.

This is perfect if you’re a social engineer. Using fear, greed, and anxiety (among other things) within a phishing email can make the user react emotionally without considering whether the email is legitimate. You can see it in the examples we laid out earlier. If you think you’re about to lose access to your bank account or that your child has gone missing, your fight-or-flight response in the amygdala activates, and in a haze of panic and fear, you probably click the link. But with the proper knowledge and some tips, you can ensure that you and your business avoid becoming part of another breach statistic.

Here is a list of some things to look out for when trying to decipher whether an email is legitimate or not (if the email has these things, there’s a high likelihood that it is not legitimate):

  • Vague greeting/sign off
  • Unknown/suspicious sender
  • Links to unknown/suspicious web addresses
  • Typos and grammar, spelling, or punctuation errors
  • Implausible pretexts
  • Urgent language

Do they use the following to coerce you into immediate action? If so, it might be a phish. If you’re greeted by these emotions when opening an email, take a few seconds to think about whether it’s real and don’t immediately take action:

  • Greed
  • Fear
  • Respect for authority
  • Desire to connect
  • Curiosity
  • Compassion

Finally, here is a checklist you can run through if you think you might be the recipient of a phish:

  • Take your time and think critically: was I expecting this email or this information?
  • Would this individual, organization, or government agency really contact me by email?
  • Is there any personally identifiable information in the email, or is it vague?
  • Hover over the link in the email (but do not click): does the address the link actually points to match the website text shown in the email?
  • Does the URL look real? Are there any spelling errors (e.g., rnicrosoft.com instead of microsoft.com, where the letters “r” and “n” are used to imitate the “m”)? Is there a false domain?
    • There’s certainly more to look for with regards to deciphering URLs, but for now we’ll leave it at the basics. For more information, do a quick Google search; there are several online tools available to help you with this valuable skill.
  • If you’d like to take an extra step, do the email headers look normal and/or match what you’d expect for this individual or business? Was the email sent from the correct country or region?
    • Again, for more information on analyzing email headers, please consider looking up a guide (it’s a little different for each email provider, so I can’t really provide specifics).
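Here is an added example, not code from the article or from SGC, of the two link checks in this checklist (does the link shown match the text, and is the destination a look-alike or false domain) implemented in Python. The trusted-domain list, the confusable-letter table and the sample HTML body are all constructed for the example; a real deployment would load its own list of trusted domains.

```python
"""Link triage for the phishing checklist: does the link shown match the link
text, and does the destination domain imitate a domain you trust?

Added example (not code from the original article). Assumptions are marked.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the domains this reader trusts. Load your own list in practice.
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com"}

# Letter sequences that look like another letter at a glance (rn -> m is the
# article's example). Each pair is (what the attacker types, what you see).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

# Something that looks like a domain name inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def registrable_domain(host: str) -> str:
    """Last two labels of a host (crude, but fine for .com-style domains)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """Fold confusable sequences into the letter they imitate."""
    out = domain.lower()
    for typed, seen in CONFUSABLES:
        out = out.replace(typed, seen)
    return out


def lookalike_of(host: str):
    """Return ('false-domain' | 'lookalike', trusted_domain) if host imitates a
    trusted domain, or None if it is genuine or simply unrelated."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None                        # the real domain or a real subdomain
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:                # e.g. microsoft.com.account-verify.example
            return ("false-domain", trusted)
        if normalise(reg) == trusted:      # e.g. rnicrosoft.com, micr0soft.com
            return ("lookalike", trusted)
    return None


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html: str) -> list:
    """Apply both checklist questions to every link; return readable findings."""
    parser = _LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_IN_TEXT.search(text)
        # 1. The text names one site but the link actually goes to another.
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            findings.append(f"mismatch: text shows {shown.group(1)} but the link goes to {host}")
        # 2. The destination imitates a trusted domain.
        verdict = lookalike_of(host)
        if verdict:
            findings.append(f"{verdict[0]}: {host} imitates {verdict[1]}")
    return findings


# Constructed sample body in the style of the "verify your account" pretext.
SAMPLE_HTML = """
<p>Your account will be suspended unless you verify now:
<a href="https://rnicrosoft.com/verify">www.microsoft.com/verify</a></p>
<p>Or sign in at <a href="https://microsoft.com.account-verify.example/">your Microsoft account</a></p>
<p>Questions? <a href="https://support.microsoft.com/">support.microsoft.com</a></p>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_HTML):
        print(finding)
```

Run on the sample, the first link is reported twice (its text and destination disagree, and the destination is a look-alike), the second is a false domain that merely starts with the brand name, and the genuine support link produces no finding. The two-label `registrable_domain` heuristic is deliberately simple; a production tool would use the public suffix list.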

In closing, recall that the human element is the simplest and most effective way for cybercriminals to get through your defenses. Even when technological safeguards are in place, humans can still be taken advantage of, and they will be. It’s not so much a matter of whether it can happen to me or my business; it’s a matter of when. That’s why it is important for individuals and organizations alike to be aware of the dangers lurking in their inboxes. In today’s information age, one clicked link can bring down an organization or get an identity stolen. If you’re an individual, take note of the tips and information above to avoid getting phished. If you own a business, or would like to see the one you’re a part of stay secure, consider implementing a phishing safety awareness program to share information about the threats that your employees face; more on this is explained below.

One way to become more secure is to run social engineering security assessments like phishing assessments on your staff and train accordingly. Here at SGC, there are different levels of “strength” to our phishing assessments. A weaker attack on our side usually equates to a lower fail rate on the client’s side. A weaker attack would be something along the lines of a generic spoofed email that says you have emails that have been quarantined and you need to click a link to view them.

As mentioned above, email spoofing involves the use of a header that appears to originate from someone (or somewhere) other than the true source. So, for example: I send an email as Sally Mae, and in your inbox it will show that Sally Mae sent you an email, but the email address it came from is not Sally Mae’s legitimate email address; instead, it is from azureessentialsshade.com (for example).

A stronger attack on our side usually equates to a higher fail rate on the client’s side. An example of this would be us sending a spear-phishing email, appearing to come from the Information Security Officer (ISO), to an employee, with the goal of getting the employee to click a link or provide us with credentials of some kind.

As mentioned above, spear phishing is an email targeted to a specific individual within an organization that appears to be from a trusted source. So, taking the example above: I send an email as Sally Mae, and in your inbox it will show that Sally Mae sent you an email, and the email address it came from actually is Sally Mae’s legitimate email address.
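To make the spoofed-versus-spear-phished distinction concrete, and to illustrate the header check from the checklist earlier, here is an added Python example (not code from the article or from SGC). It parses two constructed messages: the spoofed one shows the display name “Sally Mae” over an azureessentialsshade.com address, and the spear-phished one uses a constructed legitimate address, sallymae.example. The `KNOWN_SENDERS` map is an assumption standing in for whatever list of trusted contacts an organization keeps.

```python
"""Header triage for the "do the email headers look normal?" question.

Added example (not the article's own code). It shows why the spoofed
quarantine email is easy to flag and why a spear phish from a genuine
address is not: the only header-level signal in the first case is that the
display name and the sending domain disagree.
"""
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption: the organisation keeps a list of the people it deals with and
# the domain their mail really comes from. sallymae.example is constructed.
KNOWN_SENDERS = {"sally mae": "sallymae.example"}

# Constructed spoofed message: display name "Sally Mae", address elsewhere
# (the azureessentialsshade.com example from the article).
SPOOFED = b"""\
Return-Path: <bounce@azureessentialsshade.com>
From: Sally Mae <sally.mae@azureessentialsshade.com>
To: you@yourcompany.example
Subject: You have quarantined messages

Three messages are waiting in quarantine. Click to review them.
"""

# Constructed spear phish: the address really is the trusted one, so nothing
# in the headers stands out; only "was I expecting this?" can catch it.
SPEAR = b"""\
Return-Path: <sally.mae@sallymae.example>
From: Sally Mae <sally.mae@sallymae.example>
To: you@yourcompany.example
Subject: Re: the access review we discussed

As discussed, please confirm your login details on the form.
"""


def domain_of(address: str) -> str:
    """Domain part of an email address, lower-cased ('' if there is none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def header_findings(raw: bytes) -> list:
    """Return header-level red flags for one raw message (empty = nothing stood out)."""
    msg = BytesParser().parsebytes(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    findings = []

    # 1. A display name we know, arriving from a domain we do not associate with it.
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if expected and from_domain != expected:
        findings.append(
            f"display name '{name}' but address domain is {from_domain}, expected {expected}"
        )

    # 2. Bounce address (Return-Path) on a different domain than the From address.
    _, bounce = parseaddr(msg.get("Return-Path", ""))
    if bounce and domain_of(bounce) != from_domain:
        findings.append(
            f"Return-Path domain {domain_of(bounce)} differs from From domain {from_domain}"
        )
    return findings


if __name__ == "__main__":
    print("spoofed:", header_findings(SPOOFED))
    print("spear:  ", header_findings(SPEAR))
```

The spoofed message yields one finding (known name, wrong domain) while the spear phish yields none, which is exactly why the stronger assessment produces a higher click rate: the headers give the recipient nothing to notice, and the decision falls back on whether the request itself makes sense.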

When we initially perform a phishing assessment for a client, we normally will send a weaker attack, yet it is not out of the norm to see click-rates (individuals who clicked the malicious link) around 40% or higher. As we continue to work with the client, and perform more phishing assessments, we would like to see the click-rates go down, even when we begin to send stronger attacks. The closer to 0% you can get, the better! But what happens when you as an organization continue to have repeat offenders?

This is a question that we are asked quite often. Our clients are concerned, and rightfully so, that the training they are performing isn’t cutting it, and that no matter what they do or say, attention to secure email practices seems to stop as soon as the training has ended.

We have clients that perform quarterly or even monthly phishing assessments and are discouraged because, no matter the attack, some of the same individuals continue to click. They don’t know if it’s due to subpar training or a lack of consequences for an individual who clicked, and they wonder what they need to do. So, what should we do? Tune in to the next article as we dig deeper into this.

Article written by:

Dylan Koenen, Cybersecurity / IT Auditor

Chad Gutschenritter, Senior Cybersecurity / IT Auditor

Information gained from: Phishing Dark Waters: The Offensive and Defensive Side of Malicious E-mails, written by Christopher Hadnagy and Michele Fincher.
