Protecting Against Brand-Impersonating Phishing Messages

Virtually everyone who has ever set up and used an email address is familiar with the concept of phishing emails. These are the emails that claim to be from a trusted source but, upon closer inspection, turn out to be anything but. They’re the email equivalent of scam phone calls: attempting to use deceptive means to get you to give up valuable personal information or, sometimes, money.

Phishing attacks haven’t always been particularly sophisticated. The clue is in the “fishing” name: they’re the digital equivalent of an angler tossing out a baited hook and waiting for something (or, in this case, someone) to bite. Because the digital world makes it easy to send out hundreds or thousands of messages at once, at virtually no cost to the would-be attacker, a person staging a phishing attack can afford for 99.9% of attempts to fail. They’re just waiting on the one person willing to bite, and bank on the fact that this will be worth their while.

But things are changing fast. Here in 2021, phishing attacks are getting more convincing all the time — and that makes them a whole lot more dangerous.

Social Engineering Attacks

Phishing messages frequently pose as trusted companies or organizations, since that is an easier scam to pull off than pretending to be an individual who has to gain your trust from the ground up. Often the emails will contain a link that asks a user to, for instance, “confirm” their username and password by entering them into what looks like a legitimate data entry field.

For this reason, phishing attacks are also known as “social engineering” attacks since they rely on psychological manipulation, rather than hacking, in order to break into accounts or access confidential information.

Once compromised, private information may be either sold on by attackers or used to access the user’s other genuine accounts with the same credentials. In some cases, where phishing attacks have succeeded in gaining a foothold in a network belonging to a company or government organization, they can be used as the basis for a larger attack, potentially helping attackers to spread malware, circumvent security systems, and/or access or exfiltrate confidential data.

Attacks Are Getting More Convincing

As with all cyberattacks, phishing attacks have gotten more sophisticated over the years as users have become more alert to social engineering.

For example, in February 2021, scammers hit around 10,000 mailboxes with highly convincing phishing messages claiming to come from delivery services DHL Express and FedEx. In the case of the DHL messages, users received an email claiming that a package had been sent to them but could not be delivered due to incorrect delivery details. The email featured the victim’s email address as a form of personalization. Attached to the email was an HTML “shipping file,” which showed a preview of a spreadsheet for a shipping document. Over the top of this was a login request box designed to look like it was from Adobe. Entering information into this box resulted in it being forwarded on to the attackers.

Fortunately, details about the scam were published online, hopefully resulting in increased awareness of it, which could filter down to potential targets. Nonetheless, it is more evidence that phishing scams have come a long way from some of the clumsier, early phishing attempts seen a few years ago.

Simply put: As potential targets have become increasingly aware of the threat of phishing attacks, so too have the attackers had to up their game in order to continue being successful.

Use the Right Tools to Defend Yourself

There are several measures that organizations can implement in order to defend against phishing attacks. The first is education. As noted, phishing attacks are getting more convincing all the time. Vigilance is essential. Individuals should be accustomed to searching for details that do not quite add up, such as unusual domain names, spelling errors in messages, or simply companies asking for login information via email in a manner that seems suspicious to the user.
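The cues described above, an unusual sender domain and a document that is really an HTML file, can also be checked mechanically before a message reaches a user. The script below is an added example and is not code from the original article; the allowlist of brand domains, the similarity threshold and the sample message are all constructed for illustration and would be replaced by an organization's own configuration.

```python
"""Added example (not from the original article): flag brand-impersonation cues in a raw email.

It checks the From: domain against a constructed allowlist of legitimate brand
domains, flags lookalike domains, and reports HTML attachments posing as documents.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist (assumption): legitimate domains for brands we expect mail from.
TRUSTED_BRAND_DOMAINS = {
    "dhl.com": "DHL",
    "fedex.com": "FedEx",
    "adobe.com": "Adobe",
}

# Constructed sample message modelled on the cues the article describes.
SAMPLE_EMAIL = """\
From: "DHL Express" <noreply@dhl-express-delivery.example>
To: victim@example.org
Subject: Your package could not be delivered
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

We could not deliver your package. Open the attached shipping file.
--XYZ
Content-Type: text/html; name="shipping_document.html"
Content-Disposition: attachment; filename="shipping_document.html"

<html><body>fake login form here</body></html>
--XYZ--
"""


def sender_domain(msg):
    """Return the lowercased domain of the From: header (empty string if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def lookalike_brand(domain):
    """Return the brand a sender domain appears to imitate, or None.

    Exact trusted domains and their subdomains (mail.dhl.com) return None.
    Two heuristics catch imitations: the brand's label embedded in an untrusted
    domain (dhl-express-delivery.example), or a near-miss spelling (fedx.com)
    measured by difflib similarity. The 0.8 threshold is a constructed choice.
    """
    for trusted in TRUSTED_BRAND_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return None
    for trusted, brand in TRUSTED_BRAND_DOMAINS.items():
        label = trusted.split(".")[0]
        if label in domain:
            return brand
        if difflib.SequenceMatcher(None, trusted, domain).ratio() >= 0.8:
            return brand
    return None


def html_attachments(msg):
    """Return filenames of attached parts whose content type is text/html."""
    names = []
    for part in msg.walk():
        if (part.get_content_disposition() == "attachment"
                and part.get_content_type() == "text/html"):
            names.append(part.get_filename() or "<unnamed>")
    return names


def phishing_indicators(raw):
    """Return human-readable indicators found in a raw RFC 5322 message string."""
    msg = message_from_string(raw)
    findings = []
    display_name, _ = parseaddr(msg.get("From", ""))
    domain = sender_domain(msg)
    brand = lookalike_brand(domain)
    if brand:
        findings.append(f"sender domain {domain!r} imitates {brand}")
    # A display name that names a brand while the domain is not that brand's.
    for trusted, name in TRUSTED_BRAND_DOMAINS.items():
        claims_brand = name.lower() in display_name.lower()
        if claims_brand and domain != trusted and not domain.endswith("." + trusted):
            findings.append(f"display name {display_name!r} claims {name} but domain is {domain!r}")
    for filename in html_attachments(msg):
        findings.append(f"HTML attachment {filename!r} presented as a document")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

The heuristics are deliberately simple: an embedded brand label and an edit-similarity threshold will catch the obvious lookalikes but will also produce false positives on unrelated domains that happen to contain a short label, so in practice the output is a triage signal for a mail gateway or an analyst rather than a blocking decision on its own.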

Two-factor authentication (2FA) is also an effective way of fighting phishing attacks, adding an additional layer of verification when it comes to accessing secure information. This means that, even if a password is stolen by attackers, this on its own would not be enough to successfully compromise a system or user account. Companies should additionally insist that users change their passwords regularly and ensure that they are unable to recycle previous passwords on multiple occasions.

On top of 2FA, companies and organizations may want to consider investing in tools such as Web Application Firewalls (WAFs). These can help safeguard against some of the larger attacks that might result from successful phishing incidents, by blocking malicious requests at the edge of a network.

The threat of phishing attacks is not going away. But by deploying the right tools and approach, you can maximize your chances of not being the victim of one. Doing so is one of the most prudent decisions you can make.