Phishing attacks are regularly successful because people are curious and like to click on things. (“Don’t push the red button!”)

Hackers (Criminals) carefully design and tailor their attacks to their victims by collecting personal information about them that is publicly available, and then play to their sense of urgency to get a response. The attackers only need one person within your business to click on the link in the email or open a legitimate looking attachment. Often, the goal of the attack is to capture or harvest account credentials (usernames and passwords), allowing the hacker to move laterally across the company IT environment and ransom the entire organisation.

Traditional ransomware has exploited known vulnerabilities in software, operating systems and network hardware to hack into organisations. The problem for cybercriminals is that today, businesses are wising up to this approach, and a lot of these vulnerabilities have been patched and so are not as easy to exploit.

This has pushed hackers to combine phishing and ransomware into a single, perfect attack path where hackers get a backdoor into business IT networks because people click on links from sources they think they trust.

Protect your users from phishing attacks

Organisations looking to protect themselves against these new strategies used to spread ransomware should first focus on protecting their credentials and access to systems. This requires a two-pronged approach:

  • First, invest in detection and response tools
  • Second, focus on training your users

Even though 2-Factor / Multi-Factor authentication protection technology is touted as the solution to protect accounts, this is really a last resort tool, albeit, an essential one. But, if the attackers get as far as knowing the credentials, they have already got too far. You need to stop the attackers using email to get to your users. This is done at the email gateway.

Email protection technology should focus not only on the detection of malware delivered through links or attachments, but it should also recognise when attacks use social engineering tactics designed to bypass filtering technology and trick users into action. It should look for malicious intent within an email, even when it does not include a malicious payload. Email security that uses machine learning algorithms (AI) can detect social engineering attacks with a higher degree of accuracy, looking for the smallest deviations from usual communication patterns.

Protecting users’ credentials can’t be done without proper protection against account takeover. 2-Factor / Multi-factor authentication (MFA) remains best practice and is something that should be adopted by every business right now. However, it’s not a silver bullet, and it’s not always enough. Hackers find ways to get around MFA either by tricking users into installing malware on their verification devices or giving fake apps access to their accounts. Organisations need to have account takeover protection in place that will quickly identify and alert about malicious activity such as suspicious logins or attacks launched from compromised accounts

As the last line of defence, it’s crucial to train your employees and end-users to recognise and report attacks. Make security awareness training and phishing simulation part of your regular employee training.

Historically, phishing attacks were associated with email only, but today’s cybercriminals will use other channels such as SMS (smishing) and voice (vishing). Use phishing simulation for emails, voicemail, and SMS to train end-users to identify cyberattacks, test the effectiveness of your training, and identify those most vulnerable to attacks.

All of the techniques we have discussed in this article are easily implemented with little or no friction to your day-to-day operations. Talk to PS Tech today about how we have helped other organisations get a handle on email phishing attacks and dramatically reduced the risk around ransomware.

October 14, 2021 — Paul Stanyer