There are always new places to go phishing. For any phisherman, there’s always a new place, always a new horizon.
Originally, a quote about literal fishing from Jack ‘The Golden Bear” Nicklaus, it – with a little spin put on it – opens up a different perspective of perceiving the threat of digital phishing.
It is this perspective that will help us understand why phishing has become such a dreaded phenomenon in cyberspace.
What Is Phishing?
First things first, let’s get the definition out of the way.
Phishing is a technique used by scammers to obtain personal and sensitive information about their victims. Usually, attackers can pull it off by fabricating or disguising themselves as a trustworthy entity – representing a website, a service, or a product in use.
Much to the surprise of many, phishing is a technique that has been around for a long time.
First described back in the 1980s, phishing has stuck around to date. Nearly 90% of organizations experienced targeted phishing attacks in 2019. To this day, it continues to be one of the main attacks utilized by hackers to penetrate organizations’ defenses.
Why Is Phishing Still a Thing?
You know what they say – if it isn’t broken, don’t fix it. This applies to phishing too. The main reason why phishing is still around and flourishing is that it still works.
But why does it work? What enables it to thrive? How do you prevent phishing?
Email Exploitability
To answer that question, we’ll have to take a closer look at email and its history.
The email was first introduced back in 1973, that is even before the internet was a thing. Yet when the internet came about, a conversion took place which introduced changes to the core of how email service works.
That very core is still at the heart of the current email. The problem is, however, that email was never really designed with security in mind.
Simple Mail Transfer Protocol (SMTP) was made with a single purpose – to deliver messages in plain text and over open mail relays.
It got the job done.
But fast forward to 2020, not a lot has changed, there were no significant changes to how emails are sent out online.
In light of the current cybersecurity standards, you can say that email is insecure by design. Cybercriminals know it, and it didn’t take long for email to become the go-to exploitable tool at their disposal.
Email Spoofing
Email spoofing is a process of forging sender email addresses. More precisely, forging the sender's domain name.
What makes email spoofing possible is the absence of SMTP server authentication. This allows scammers to use mail servers to send unauthorized and unsolicited emails, e.i. carry out a spear phishing attack (a type of phishing directed against a particular person) requesting personal information from the recipient.
Messages with forged email addresses may, for example, appear to be from your bank, where criminals urge you to send some sensitive information such as your credit card information or social security number back to them.
Example of Spoofed Email Address
The structure of ordinary email consists of two sections:
- The so-called envelope, that holds MAIL FROM: and RCPT: fields.
MAIL FROM defines the sender of the mail message (reverse-path). It is not normally visible to the end-user as well as there is no requirement for the MAIL FROM address to be the same as the address given in the From field of the email itself.
RCPT TO defines the recipient of the mail message (forward-path). Normally it is not visible to the end-user.
- And data, that comprises message headers From:, Subject:, Date:, To:, Reply-To:, and body text (text of the message).
Here's what the spoofed message might look like:
MAIL FROM: <JoePhisher@spooferdomain.com>
RCPT TO: <Alice@corporate.com>
From: Joe Job <joejob@corporate.com>
To: Alice <Alice@corporate.com>
Date: April 15, 2020, 4:14 PM
Subject: Request for New Wire Transfer Details
Please send me our updated bank details.
What Makes Email Spoofing Possible?
The reason that makes email spoofing a critical security threat is the following.
If there are no requirements for a MAIL FROM address to be the same as the address given in the From field and no email authentication protocol (when everyone can send emails on behalf of your domain), there is always a loophole for attackers to take advantage of.
And when Alice hits “Reply”, all she’ll see in the Reply-To field is the “Joe Job” name.
Reply-To: Joe Job
But when she does this, the sensitive data will go back directly to the spoofer’s email address - JoePhisher@spooferdomain.com.
But, unfortunately, the flawed SMTP is only a part of the phishing problem.
The Human Factor
Another vulnerable cybersecurity aspect that phishing capitalizes on is the human factor.
2019 Cost of Data Breach Report indicates that 49% of data breaches are a result of human error or a system glitch. Sending an email with sensitive data to the wrong recipient, misplacing information, or leaving things out in the open – humans are prone to making privacy-threatening mistakes.
Blame rush or lack of attentiveness, but both the risk of a data breach and its damage can get infinitely greater once someone with a malicious intent starts purposely looking to abuse human decision-making in the state of that clouded perception.
Phishing is still thriving because it excels at applying pressure on the most fragile areas of existing business cybersecurity efforts. SMTP’s lack of authentication and the human factor are only making phishing attacks more effective.
Why Existing Solutions Don’t Prevent Phishing Attacks?
Phishing prevention is a challenge that organizations have been undertaking for the longest time.
Most commonly, attempts to prevent phishing are carried out through ongoing staff education, simulated phishing email campaigns, and other cybersecurity awareness activities. Nevertheless, awareness alone can’t prevent email phishing attacks.
It could prevent end-users from interacting with phishing emails hitting your company, sure, but it wouldn't resolve the issue of spear phishing.
Spam filters
Spam filters are a no-brainer. You need to enable it if your email provider has one (they usually do).
Even if this does not prevent all phishing from reaching your inbox, the enabled spam filter will stop a few heading your way. For example, Gmail blocks 18 million malicious COVID-19 emails daily.
Don’t get your hopes up though, as a targeted spear phishing attack will have no problem bypassing regular filters.
Education
There is no denying that education is a must when it comes to cybersecurity. It should raise staff awareness and provide helpful techniques to spot a phish.
However, education is not a reliable solution to phishing.
Again, it just cannot guarantee security.
Hackers continue to get craftier with their attacks, which are becoming significantly harder to detect, let alone teach to spot.
Anti-Phishing Software
Did you know a website opened within a tab can access the information in all other tabs? And what about the fact that extensions can access the information that pops up in your browser, email included?
Talk about secure email in a browser.
To add insult to injury, the majority of these extensions end up analyzing this information and exchanging it with the server to provide their service.
While anti-phishing software can do a significantly better job at preventing a significant number of phishing emails from reaching you, they simultaneously expose your data to other threats.
How to Prevent Phishing and Spear Phishing Attacks?
To shut down most email phishing attempts from getting through your organization’s inboxes, you must deal with vulnerabilities phishing capitalizes on.
The outdated email delivery protocol and the human factor.
As we have already said, emails travel in plain text over unsecured mail relays.
Hackers take advantage of this to spy on your conversations, catch and edit original emails while in transfer, and effectively use the information, combined with personal data that could be found online, to orchestrate a targeted spear phishing attack.
If we talk about security in general, phishing is only one of many reasons why email needs immediate cybersecurity attention.
The dangers of the human factor are very self-explanatory. It is dealing with it that becomes a real challenge.
Obviously, you will not be substituting human employees with robots, but you still need a solution that could give you control over the flow of the organization’s sensitive data so you could contain the human factor.
How StealthMail Helps Prevent Phishing Attacks
StealthMail is a multi-layered privacy and security solution for business email correspondence.
StealthMail's 14 years of experience in mission-critical telecommunications security helped to create a patented Stealth Technology that later was conveniently adapted to the software solution for secure email communication.
The solution provides complete protection for your email communication from major email threats, and, most importantly, StealthMail mitigates the possibility of phishing.
With StealthMail, your data never travels over the public Internet. It gets stashed in a company-controlled environment and only a unique Stealth Link (that doesn’t contain any data and restricts access to sensitive information to unauthorized users) is delivered to the recipient via regular email.
Your organization finally gets to rise above the human factor. StealthMail enables you to maintain full control over the data even within emails that have already been delivered, allows you to block copying, forwarding, and printing of emails for particular recipients.Learn more about StealthMail’s thorough approach to email security in our Technical Datasheet.
Link copied to clipboard!