Why Outdated Anti-Phishing Advice Leaves You Exposed – Stories from the Trenches (Part 1)

We already know that phishing is a significant threat to businesses and individuals. Anti-phishing tips, such as “always hover over the link in an email before clicking” or “be wary of emails with poor grammar”, are meant to help us avoid being tricked by phishing emails. These tips have been circulating on the internet for over a decade, but sadly, the advice is failing to protect businesses from the threat of phishing as attacks they have increased by 1,178% in 2017 according to the 2018 Telstra Security Report.

This is Part 1 of a two-part article. In the second part, we will demonstrate, with real-world phishing emails how the general anti-phishing tips fail to protect you from phishing, and what alternative methods there are to protect you and your business from cybercriminals.

In this article, we will review how the latest phishing techniques are more sophisticated than ever before, and why these common anti-phishing tips cannot safeguard you or your business from becoming a victim of phishing and fraud.

What is Phishing?

Phishing is a cyber-attack typically carried out over email. Cybercriminals aim to trick their victims into clicking a link or attachment, giving away their password, or asking them for money by pretending to be a legitimate online service, client, friend or colleague. Victims of phishing may unwittingly open file attachments containing malware, viruses or ransomware, hand over their passwords to fake websites which look genuine or transfer money to fraudsters believing someone trusted they know has asked them to do so.

Source: https://xkcd.com/1694/

The Anti-Phishing Advice That Fails to Protect Us

Technology websitesprofessional associations and government organisations often circulate a handful of anti-phishing tips in an attempt to help the public from the threat of phishing. These tips usually suggest to carefully check incoming email for irregularities such as poor English, strange wording, non-personalised greetings or an unknown email sender. This anti-phishing advice gives the impression that ‘common sense’ will protect you from phishing, but this is far from the truth.

These usual pieces of advice will leave your business exposed to phishing

These common anti-phishing tips fail to protect the public, as phishing has become the number one way businesses are hacked. A recent industry report found that 90% of data breaches start with a single phishing email and that on average 4% of employees will click a phishing email in a single phishing campaign, despite these widely-circulated top-tips. In other words, all the cybercriminals need to do is to keep inundating their targets with phishing emails until one is eventually clicked.

The Cyber Threat Landscape Has Changed, but the Advice Has Not

One of the significant issues with these common anti-phishing tips is that they have not changed since the early 2000s. While the advice remains the same, phishing is now the primary attack tool used by hackers, making it the number one way computer systems are compromised.

Back in 2013, DocuSign suggested looking for warning signs, such as a “false sense of urgency”“generic greetings” and “misspellings and bad grammar”. As for the validity of hyperlinks, you should “hover your mouse over the link to look at the URL”to check its validity. Similarly, in 2009 CNet recommended to “hover your mouse over the link” to verify where the web link would take our web browser. The article also suggested that an indication of malicious intent in an email is that “phishing email[s] [are] also very poorly written”. In 2005, the Journal of Law, Information and Science advised looking for the lack of a salutation, “emails addressed to a generic name such as ‘Dear Customer’ rather than a username” and linguistic issues such as “spelling, grammar, errors in the organisation’s logo” were indicators of a phishing email.

If these top anti-phishing tips were genuinely effective, phishing attacks would not be on the rise year-on-year for the past decade.

For example, the recent numbers from the Google Safe Browsing service show that phishing has been a growing cyber threat since 2006.

Google reports that the number of phishing websites has skyrocketed over the past decade

Other industry reports also confirm the negative phishing trend: Telstra (‘phishing has increased by 1,178% in 2017‘), Kaspersky (‘2018 can expect to see growth in both fraudulent and phishing “cryptocurrency” spam‘), Webroot (‘Phishing remains one of the most used and most successful attack vectors‘), Symantec (‘Targeted attack groups are on the rise […] 71 percent of attacks began with spear phishing‘) – and the list goes on.

Phishing is More Sophisticated than Ever Before

There are several reasons why the sophistication of phishing has grown. One of them is ransomware, which is a profitable money-extortion scheme mainly delivered by emails. Secondly, the pervasiveness of email and the ever-increasing amount of sensitive data held by industries such as legalhealthcarerecruitmenttravel and hospitality, and real estate has made them lucrative targets of cybercriminals.

As a hacked computer in such industries can yield high monetary returns, cybercriminals now have a strong financial incentive to do their homework and target specific industries and professionals with high-quality phishing campaigns.

A recent example of this is hackers targeting solicitors in electronic conveyancing with highly targeted phishing campaigns, which, in one reported incident is said to have yielded almost a million dollars.

This targeted phishing email was intercepted by our anti-phishing service

These targeted campaigns are often called ‘spear phishing’ – which is a variation of phishing – where the cybercriminals rely on specific information that is highly relevant to their target. For example, leaked data from previous data breaches can help criminals fabricate convincing pretexts for impersonating CEOs or other executives in an attempt to trick employees into transferring money to the cybercriminals’ bank account.

What We Have Learned So Far

There are a handful of anti-phishing tips on the internet that frequently resurface at different outlets, such as Technology websitesprofessional associations and government scam alert websites. Although these tips are meant to be useful to its readers, industry data shows us that the advice is not effective. On the contrary, the recommendations may be harmful as they give people a false sense of security that phishing may be avoided with some common sense tips. In the past decade, phishing has become the number one cyber threat to individuals and businesses worldwide, despite these tips. Cybercriminals with strong financial incentives develop sophisticated phishing campaigns, often targeted at specific industries or individuals and yield high success rates.

In the second part of this article, we will showcase a collection of actual phishing emails to demonstrate how these common anti-phishing top-tips are breaking down in real-life situations. We will also review what you can do to protect you and your businesses from the phishing threat. Make sure you sign up for our newsletter to never miss an update again.

About Iron Bastion

Iron Bastion are Australia’s anti-phishing experts. We offer all businesses the same anti-phishing technology used by big businesses, without the big-business pricing.

Our range of services are cloud-based, fully managed and easily integrate with your existing infrastructure. Our team are qualified cybersecurity professionals, and all our staff and operations are based in Australia.

Contact us for a free consultation, or sign up for a 14-day free trial of our services today.

* * *

This article has first appeared on the Iron Bastion blog and was co-written with Nicholas Kavadias.

Gabor

Gabor Szathmari is a cybersecurity expert and digital privacy enthusiast. In his professional life, Gabor helps businesses, including many small and mid-size legal practices, with their cybersecurity challenges at Iron Bastion.