If you feel like your phishing response team has been seeing more attacks than ever before, you’re not alone.
The frequency of phishing and spearphishing attacks appears to be ever-increasing as people conduct more of their work and personal lives online.
This post will cover the state of the art in anti-phishing techniques, with a focus on strategies that SOC teams, anti-phishing teams and fraud teams can use to defend customers against phishing attacks, and staff against spearphishing attacks.
At Cosive, we work with many high-profile fraud targets, such as major banks, that face thousands of attempted phishing attacks every year. These anti-phishing strategies are borne out of these experiences.
Phishing vs. Spearphishing
Customer-facing organisations often need to deal with two main types of phishing attacks: phishing attacks targeting customers and spearphishing attacks targeting staff. We’ll address both of these separately, although some of the anti-phishing strategies listed here are useful in protecting against both types of attacks.
Outline privacy boundaries and things you’ll never ask for
When your organisation is clear about things it will never do (such as asking customers to share their password or pin number over email) it is much easier for users to identify phishing attacks that violate these boundaries. A good place to communicate these service boundaries is during user onboarding and via email newsletters sent to customers.
According to IBM researchers, 70% of credentials are harvested within the first hour of a phishing attack, on average. This means that taking down phishing sites immediately is a critical step in limiting the impact of an attack.
As soon as you discover a phishing site you’ll want to perform a lookup on the domain using a WhoIs service and note down the name servers, registrant and registrar, and abuse contact information. Next, you can repeat the WhoIs lookup on the name servers to obtain their contact information. Contact the hosting service and the domain registry to report the malicious website and (hopefully) get it taken down as quickly as possible.
Sometimes, phishing websites are hosted on legitimate domains that have been compromised. In this case, you’ll need to contact the business to get them to take action to remove the malicious site.
Use canary credentials to ruin the payload for credential harvesting attacks
Similar to canary tokens, canary credentials are realistic fake user credentials that organisations can use to deter phishing attacks and track the activity of credential harvesters.
Anti-phishing software like Phishfeeder can be used to automatically poison phishing websites with canary credentials while you wait for the website to be taken offline. This negatively impacts phishing attackers in three ways:
Give customers clear and easy to follow steps for reporting phishing
A savvy customer receives a phishing email impersonating your business. They want to notify you about the attempted attack. What happens next?
Many customers will google ‘report a scam <your business name>’ to look for information on how to report what they perceive as a scam (they may not be familiar with the term ‘phishing’).
Provide a page on your website with instructions on what to do about a suspected phishing email or SMS. As shown below, National Australia Bank (NAB) goes so far as to provide a dedicated email address and phone number for forwarding phishing lures.
Configure DMARC, SPF and DKIM to prevent spoofing of your domain
Spoofing attacks involve the sender using forged email headers to display a fake sender address (typically one that the user would be expected to recognise, or trust).
With DMARC, SPF and DKIM configured, receiving email servers can determine whether the sender is actually authorised to send email from the domain, check the email’s digital signature to authenticate it, and follow the rules for handling unauthenticated messages specified with DMARC (do nothing, quarantine, or reject).
It’s worth noting however that many phishers register their own domain because people often don’t twig that phishing URLs aren’t owned by the legitimate organisations they’re impersonating (such as a bank). While we definitely recommend configuring DMARC, SPF and DKIM, it can only help protect against certain specific types of phishing attacks involving email spoofing.
Use anti-spam email filters updated with machine-to-machine feeds to protect against spearphishing attacks and block suspicious emails
While almost every organisation uses some kind of email filter, not every organisation keeps these filters up to date with the latest threat intelligence (learn more about threat intelligence here). Doing so can provide a powerful layer of extra protection against phishing attacks.
For example, let’s imagine you are subscribed to a threat intelligence feed which identifies an email address as potentially malicious because of its association with recent phishing attacks. With the right tools and configuration, details about this email address can be automatically pushed out to your email filter without any human intervention, potentially preventing your organisation from being targeted by the same attacker. This is one of the most powerful use cases for Threat Intelligence Platforms (TIPs) like MISP.
Focus on staff education
Organisations are doing a better job than ever before at equipping staff to recognise phishing attacks.
Even so, aiming for 100% detection isn’t realistic. It’s equally important to equip staff to recognise when they’ve fallen victim to an attack, and to feel safe to report this. You can’t mitigate phishing attacks that you don’t know about.
A core part of this step is maintaining a blame-free culture around phishing and having realistic expectations that staff will occasionally fall victim to attacks.
Run phishing simulations
An excellent way to test the effectiveness of your anti-phishing training is to run a phishing simulation. This involves your organisation or a trusted external party launching a fake phishing attack against your users and observing the results. The most valuable use of this data is to identify trends in your organisation’s response to phishing attacks. Running multiple simulations using different techniques and at different times can help you to identify gaps and weak spots in your anti-phishing training.
Phishing attack simulations have proven to be such a useful tool that Microsoft have added phishing attack simulations into some enterprise editions of Microsoft 365.
Expand your staff phishing training to cover more channels than just email
Phishing lures are increasingly being delivered via SMS (a.k.a. “smishing”) and on services like LinkedIn, WhatsApp, Office 365, Google Workspace, Telegram, Slack, Teams, and others (source). In particular, SMS is one of the fastest growing phishing channels.
Many core business processes are moving out of email and into SMS and specialised services, making them a valuable target for phishing attackers. It’s important that your anti-phishing training and education programs also covers SMS and other ancillary services, rather than focusing solely on email.
Have clearly defined and documented business processes that apply to everyone, regardless of seniority
Many spear phishing attacks involve faking extraordinary, urgent requests from senior leadership, such as a rushed request from the CEO to transfer money to a previously unknown bank account.
Having clearly documented business processes makes it much easier for staff to identify when such requests go against protocol.
If your organisation doesn’t have a strong culture around documentation, start with documenting your most sensitive processes first: things like approving payments, initiating bank transactions, sharing documents, providing access to systems, or providing customer or employee data.
Develop and share a simple and clear process for spearphishing victims to notify you
Sometimes victims don’t recognise a phishing attack until after they’ve fallen victim to it. Perhaps only after opening a file did the victim realise it contained malware. Or perhaps only after inputting sensitive data did the victim realise that the website was suspicious.
The worst thing that can happen after a phishing attack is that the victim fails to notify anyone that they’ve been compromised. There are two common reasons why this happens:
As mentioned earlier, establishing a blame-free culture around phishing attacks is key to addressing the first reason. Victims should be able to report phishing attacks confidentially, and without negative repercussions. Rather than punishing the victim, treat these reports as a data-point that you feed into your overall anti-phishing training program.
Having a clear process for reporting phishing attacks is the first step to addressing the second reason why victims might not report a successful attack. Victims should know who to contact and what information to include in their report. Victims should also be assured upfront that the report will be treated in confidence. Finally, phishing reports must be responded to as quickly as possible. Every minute a phishing site is online increases the risk to your organisation.
Mitigate the impact of the attack (as much as possible)
Finally, your reporting process should help you efficiently extract the information you need to mitigate the impact of the attack, such as by isolating and analysing machines potentially compromised with malware, or figuring out which credentials have been stolen.
Implement a patching regimen to keep all your organisation’s devices up to date
Timely patching of software is one of the best ways to combat phishing attacks involving malware. Malware often “phones home” to the attacker to transmit information about the compromised host machine. If malware repeatedly fails to infect your systems because your devices fully are patched and up to date, it’s logical that malware attackers may decide to move on to perceived “softer targets” without an effective patching regimen.
Enable safe browsing filters in web browsers
Another strategy is to enable safe browsing filters in web browsers to block malicious content, since most modern browsers include a built-in safe browsing mode. However, keep in mind that there’s often a lag between a phishing lure being sent out and protection being effective in the browser.
Limit administrator accounts and unnecessary access
Of late, there have been many high profile data breaches involving compromised employee credentials. One high-profile example is the CircleCI data breach which occurred in late 2022, where an attacker used malware to steal an authenticated session cookie. This allowed the threat actor to log in as the compromised employee, a software engineer with access to production systems.
What’s especially notable about this attack is the amount of sensitive data the threat actor was able to access with this employee’s credentials, including customer environment variables, tokens, and keys. Although the data was encrypted, the threat actor was able to use the same stolen credentials to access encryption keys and decrypt the data.
In this case, a single software engineer’s credentials gave the threat actor the “keys to the kingdom”, so to speak.
This attack demonstrates the importance of assuming that employee credentials could be compromised at any time, and therefore limiting their scope to only the products, services and tools essential to the employee’s current scope of work.
Administrator access should be given only to employees who can’t perform their role without them, and only for the systems essential to their role.
Equip employees to verify untrusted attachments
In some roles it is impossible to avoid opening untrusted email attachments from third parties (in particular, any role that interfaces with the public or with third party vendors). You can mitigate some of the risk of malware by having employees run unknown files through a malware analysis tool like VirusTotal to check whether security vendors or sandboxes have flagged the file as suspicious. (However, keep in mind that the confidentiality of files uploaded to VirusTotal can’t be guaranteed.)
Use Multi-factor Authentication (MFA) to limit the impact of compromised credentials
If employee credentials are compromised in a phishing attack, MFA can prevent the attacker from logging in with those credentials. Google researchers determined that the most effective form of MFA are security keys (such as YubiKey), followed by on-app prompts (such as Google Authenticator). Although convenient, SMS authentication is vulnerable to SIM card cloning or hijacking and is therefore the least effective form of MFA.
Leverage anti-virus and anti-malware software to protect employee devices
Malware is a common payload for phishing attackers, delivered either via an email attachment or a phishing website. Protecting employee devices with anti-virus and anti-malware software can help to mitigate the impact of an employee downloading a malicious file.
An effective anti-phishing strategy includes tactics in each of the four layers we’ve covered here: filtering, target response, detection and mitigation, and prevention and deterrence.
We’ll leave you with some helpful questions you can work through as a team tasked with anti-phishing responsibilities. These questions can help you identify the strengths and weaknesses in your organisation’s anti-phishing strategy.
Anti-phishing and anti-spearphishing is one of our main areas of focus at Cosive. Feel free to reach out to us for a no-obligation chat around opportunities to strengthen your organisation’s anti-phishing strategy.