Getting Off the Hook: Understanding and Avoiding Phishing Attacks
It is difficult to go more than a few news cycles without encountering a story related to a catastrophic data breach or ransomware attack. Experts agree that the vast majority of these cyberattacks begin with a simple but deadly weapon: phishing. To anyone who has not fallen victim to a phishing attack, it would be easy to dismiss this threat based on its benign name. However, anyone who has had the misfortune of clicking on these weaponized emails is acutely aware that the catastrophic impact of phishing belies its innocent appellation.
To understand how to avoid the threat posed by phishing, it is important to understand its origin, as well as its rapid evolution that continues to hinder our ability to detect and avoid its devastating effects. Here are a few key points in the phishing timeline:
- In the mid-1990s, individuals impersonating America Online (AOL) employees began sending deceptive emails to trick (i.e., “hook”) unsuspecting users into turning over their personal information and login credentials. As for the spelling of “phish,” hackers of the era often substituted “ph” for “f” (e.g., phreaking, the term used for hacking a phone system).
- The first widespread phishing attack was the “Love Bug” attack that took place in May 2000. Close to fifty million inboxes were inundated with a message entitled “ILOVEYOU.” The instructions in the body of the email said to “Kindly check the attached LOVELETTER coming from me” by clicking on what appeared to be a nonthreatening file attachment. However, when the file was opened, it unleashed a worm that damaged files and quickly replicated itself to the victim’s email contacts.
- The “Nigerian Prince” phishing emails began over a decade ago and involve sending out requests for cash to massive numbers of individuals, ostensibly to help out a prince until he is back on his feet. While the requests have varied over the years, many spam filters are now able to easily identify and eliminate these emails before they reach our inbox. However, ADT Security Services reported that these types of attacks still brought in over $700,000 as recently as 2019.
- Over the last few years, as more of us post our personal information to social media, LinkedIn, and our corporate websites, criminals have learned to gather and refine this information for nefarious purposes. Mass email blasts are now laser focused into emails that appear to originate from a trusted source, replete with authentic-looking images, signature blocks, and header information. Their goal is to get you to respond with sensitive information, open an attachment (to release malware such as ransomware), or click a link that takes you to an infected site or a facsimile of a trusted site (e.g., your bank) to harvest your credentials. This progression from “carpet bombing” to “smart bombing” emails earned these attacks the name “spear phishing.”
While being armed with an understanding of phishing is helpful, the next question is: how do we avoid getting hooked by an attack? Here are some strategies to help keep you and your business off the hook:
- Check the sender’s email address to confirm it is legitimate (e.g., abc@microsoft.com vs abc@micro-soft.com).
- Hover before you click on a link to display the destination and ensure it matches the website you were expecting.
- Avoid opening unfamiliar file attachments or those that you were not expecting, as even Word and PDF documents can be used by cybercriminals to deliver malicious payloads.
- Implement a warning banner that alerts users that an email originated from an external source.
- Ensure that your antivirus is on and that your spam filters are set to automatically delete or quarantine suspicious emails.
- Provide regular training to all employees to create a human firewall against phishing attacks. Training is critically important, but also verify employee awareness with a spear phishing simulation to determine whether anyone remains susceptible to future attacks.
- Ask yourself the following question when receiving an unexpected email asking you to provide sensitive information, click on a link, or open an attachment: did you expect this email from this sender at this time? If you are not absolutely certain, contact the sender by phone to confirm the legitimacy of the email or simply delete it.
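The first two checks above (a look-alike sender domain, and a link whose visible text does not match where it really goes) can also be done by machine on the mail server or in a mail filter. The following is an added example written for this article, not code from the original or from Citrin Cooperman: it screens a constructed sample message against an assumed allow-list of trusted domains. The `TRUSTED_DOMAINS` list, the sample message, and every address and URL in it are made up for the demonstration.

```python
"""Screen an email for two phishing warning signs: a sender domain that
imitates a trusted one (micro-soft.com vs microsoft.com) and an HTML link
whose visible text names a different host than its real href.
Added example; the trusted domains and the sample message are assumptions."""

import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of domains the recipient normally corresponds with.
TRUSTED_DOMAINS = {"microsoft.com", "example-bank.com"}

# Constructed sample message: every address and URL below is invented.
SAMPLE_EMAIL = """\
From: "IT Support" <abc@micro-soft.com>
To: user@example.org
Subject: Password expiry notice
Content-Type: text/html

<html><body>
<p>Your password expires today. Please visit
<a href="http://login.micro-soft.com/reset">https://login.microsoft.com/reset</a>
to keep your account active.</p>
</body></html>
"""


def sender_domain(msg):
    """Return the lowercase domain of the From: header, or '' if absent."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def _squash(domain):
    """Drop hyphens and dots so 'micro-soft.com' and 'microsoft.com' compare equal."""
    return re.sub(r"[-.]", "", domain.lower())


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if `domain`
    is itself trusted (or a subdomain of a trusted domain) or is unrelated."""
    domain = domain.lower()
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return None
    for t in trusted:
        # The trusted name hiding inside the sender's domain, punctuation aside.
        if _squash(t) in _squash(domain):
            return t
    return None


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def mismatched_links(html):
    """The 'hover before you click' check: return (shown_text, real_href) pairs
    where the visible text is a URL whose host differs from the href's host."""
    parser = _LinkCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        if "://" not in text:
            continue  # wording such as "click here" makes no host claim
        shown = (urlparse(text).hostname or "").lower()
        real = (urlparse(href).hostname or "").lower()
        if shown != real:
            bad.append((text, href))
    return bad


def screen(raw):
    """Run both checks over a raw RFC 5322 message; return a list of findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    dom = sender_domain(msg)
    target = lookalike_of(dom)
    if target:
        findings.append(f"sender domain {dom!r} looks like {target!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for text, href in mismatched_links(body.get_content()):
            findings.append(f"link shows {text!r} but goes to {href!r}")
    return findings


if __name__ == "__main__":
    for finding in screen(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

The look-alike test deliberately treats `mail.microsoft.com` as legitimate (a true subdomain) while flagging `micro-soft.com`, and it only compares hosts for links whose visible text itself looks like a URL; a link labelled "click here" is left to the hover check, since the text makes no claim about its destination.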
Armed with the knowledge of how phishing emails work and how to avoid them, you can greatly reduce the chance of you or your business falling prey to these attacks. Whether it’s developing a customized on-demand cybersecurity awareness training or executing a spear phishing simulation campaign, Citrin Cooperman’s team of security experts can help your business remain safe and secure. To learn more, contact Kevin Ricci at (kricci@citrincooperman.com) or Michael Camacho (mcamacho@citrincooperman.com).