Phishing is one of the most effective ways for hackers to breach a network, steal personal data, or conduct identity theft. One would think that after so many years of phishing and spam emails coming at us and all the ways in which companies are training their staff on how to identify phishing that phishing e-mails would all be well-constructed and somewhat sophisticated, making them harder to catch and defeat. Certainly, in many cases we are seeing increasingly advanced, sophisticated, and mature e-mails coming in. However, it is still just as common to see poorly constructed, easy-to-spot phishing emails.
Just this morning, I received the following email (note, it did not get flagged as spam or junk email and it was placed in my “Focused” email list):
This is one of the worst phishing emails I have seen in a long time; incredibly easy to spot. Here’s why:
- “RE:Password Manager”. Attempt to make it look like a response to an email that I may have sent. But knowing I did not, this is the first red flag.
- @londondrugs.com. Not a website or type of website I have ever visited. No familiarity with it is another red flag.
- Sense of urgency: The sender is trying to get me to act fast by telling me my password is going to expire today. Hoping that I’ll act without thinking due to the fear of not being able to access the application
- Blue, large URL: This is the single most blatant and obvious sign of the phish attempt. The size of the URL, the random/repeating letters in the URL, and the domain not matching the sender domain are all clear-cut signs that this link is not to be trusted.
For most professionals these days, spotting this as a bad e-mail should be immediate. So why did the hacker send it?
Sadly, there are still many people out there who fall for these types of emails despite the obvious phishyness of them. Hackers send these out because they can and they work. If they have a huge target base, are not specifically targeting a particular person or organization, and if they are not particularly concerned about who they compromise — these emails fit the bill. You may say that the Hacker’s mantra is, “if it ain’t broke, don’t fix it”. In fact, according to ISACA’s State of Cybersecurity 2018: Part 2 report, phishing is still the most common attack vector at 44%.
So why does this matter to you?
As stated, these emails still work which means there is a lot of room for improvement to train and build awareness in our organizations and across the population as a whole. Education and training is still the number one thing organizations can do to protect themselves from phishing emails.
Training alone is insufficient, however. You also need to look to technology. It is important that organizations employ an email security or endpoint protection tool that provides phishing security and it may be worth going as far as disabling or sandboxing hyperlinks to prevent inadvertent infection.
Security monitoring and detection is also critical. Should a phishing email be clicked and then attempt to drop malware, often the signatures and analytics used by SOCs and MSSPs will detect these activities and alert on them.
Clearly phishing, even obvious ones like above, is not going away anytime soon. It continues to be wildly effective for those advanced hackers targeting your organization directly as well as for those newbie hackers or cybercriminals tossing out a huge net and just seeing what they get. It’s a numbers game and attackers have the advantage when they focus on the weakest link in security – the human factor. That’s why employing a multi-layered security posture that takes into account people, processes and technology will minimize the risk of a successful phishing attack.