It’s safe to assume that at some point, every one of your clients has received an email that looked like an order confirmation, a file-sharing download, or a request from their bank. That email probably had a link for them to click, along with a compelling reason why they should do so without hesitation.
If your client clicks one of those links -- and the odds are that they will -- their account or device may well have been compromised. Because phishing works so well, it has become the most prevalent means of initiating a cyberattack. In turn, it’s safe to assume that many of your clients are ticking time bombs, waiting to be hacked, have their data leaked, be hit with ransomware, or worse.
What is Email Phishing?
Phishing is a form of social engineering often used to gain sensitive information such as credit card numbers, passwords, or user login data. It is also used to deliver malware into unsuspecting networks by means of fraudulent links or spoof websites.
While phishing can occur over a variety of communication channels, email remains the most popular modern delivery method.
92.4% of malware is delivered through email. - Verizon Data Breach Investigations Report
In total, roughly 91% of all data breaches were caused by phishing according to KnowBe4. As such, cyber defense experts encourage organizations of all sizes to adopt a series of protective measures, including technical controls/email security tools, end-user training, and process redesign.
Types of Phishing
Phishing attacks come in a variety of flavors, and hackers will choose the method of attack based on their target and their specific goals. Let’s take a look at the spectrum of email phishing attacks that your clients are facing:
SPEAR PHISHING
This method is used when a specific individual, business or organization is targeted, usually to steal account credentials or financial information. Malicious actors will research their target and customize their fraudulent communications to include details that make the email seem more credible. Because spear phishing is so deliberate, it’s often the most difficult to defend against.
WHALE PHISHING
This technique, more commonly called whaling, isn’t as widely discussed as the others, largely because it’s aimed at a small number of high-value individuals: senior executives, and public figures who tend to be wealthy and powerful. A hacker with a whaling plan will typically target an executive, a celebrity, or a politician. These attacks are not always financially motivated and may be carried out to discredit the target.
WATERING HOLE PHISHING
In a watering hole attack, the cybercriminal compromises a website or online community that the target group is known to visit, then waits for members to arrive rather than approaching each one directly. While this type of attack was largely associated with forums and online chat rooms in the past, the idea carries on through mass attacks on social media and attempts to skim personal information from members of online communities.
BUSINESS EMAIL COMPROMISE (BEC)
This attack is often carried out by a malicious actor who has gained access to or can spoof a known individual’s email. For example, the hacker may send an email to accounting that appears to have been sent by the company’s CEO. In such emails, the cybercriminal will ask for payments to be issued, account numbers to be changed, or other tasks that result in money being diverted into their accounts. The popular phish where “the boss” would ask someone in the company to purchase a large number of gift cards and email the numbers back is an example of a very simple BEC attack.
SlashNext Threat Labs saw a 57% increase in phishing attacks from trusted services from the fourth quarter of 2021 to the first months of 2022. - Dark Reading
Why Phishing Attacks Are Still Increasing
Even though phishing has garnered plenty of attention over the past few years, it remains a serious cyberthreat well into 2022. Cybersecurity experts know that phishing attacks will only continue to increase as long as they remain profitable, but there are other reasons why this infiltration method is so widespread.
Phishing attacks are very effective, and there’s already tons of actionable target data available to hackers from previous breaches. Phishing is also a relatively low-skill hack, and it doesn’t take a large investment of time, money, or technical resources to carry out. Because this method is the lowest cost means of executing a cyberattack, there’s little hope of the problem going away on its own.
Adding to the matter, the integrated email protection tools bundled into platforms like M365 often give end-users a false sense of security. Phishing will only increase as long as end-users remain complacent about the risks.
That said, it falls upon IT professionals and managed services providers (MSPs) to guide consumers toward more effective, purpose-built solutions that will actually stem the tide of inbound phishing attacks.
And while it’s trendy to follow the news and get lost in discussions about the latest zero-day or supply chain attack, the fact is that most hackers are opportunists who reach for the low-hanging fruit. As we all know, that easily accessible fruit is most often found by socially engineering an unsuspecting user through their email inbox.
How To Identify A Phishing Email
One step that you can take as an IT provider is to keep your clients informed. Cybersecurity training is an important consideration, but even sharing details on how to avoid phishing scams can be helpful.
When teaching your clients what to look for, share the following tips and best-practices.
First and foremost, the average phishing email stands out because it invokes a sense of urgency. It will usually communicate some sort of deadline, an emergency, or an overdue balance that requires immediate attention. The idea, of course, is to give the reader limited time to think and compel them to rush to action.
In addition to this urgency, your clients should look out for these telltale signs:
- A sending domain name or a URL that seems a little off. Hackers will often use close approximations of legitimate domains to trick their targets, e.g. putting the word “microsoft” somewhere in the domain or subdomain of a site that Microsoft does not own.
- Look out for any mismatched URLs. Hovering over a link shows its real destination; if the visible link text points to one site but the actual destination is another, if the sending domain doesn’t match the included links, or if the sending and reply-to domains aren’t the same, it’s usually a sign that something “phishy” is going on.
- Beware of any notices that involve account suspensions or suspicious activity. Malicious actors will often send these notices to cause a panic and compel the email recipient to enter their login credentials in a fraudulent web page.
- The same goes for emails that ask the user to update their password. When in doubt, never click from an email link to a login screen. Instead, the user should type the correct URL for the platform or service directly into their browser.
- Notifications from file sharing sites (real or fictitious) are commonly used. Think twice before clicking links on emails that say “A file has been shared with you” even if they appear to come from Dropbox, Google Drive, or any other legitimate source.
- Of course, always be on the lookout for spelling and grammatical errors. One of the most common red flags is still poor writing.
- Be wary of any attachments, especially if they come from an unfamiliar source.
Your clients should also be aware of BEC techniques and be prepared to confirm any strange or unexpected request by phone or another out-of-band channel, even if it appears to come from within their organization. Any email asking for financial information or requesting payments or account changes should always be confirmed this way.
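The header and link checks above can be mechanized. What follows is an added example, not code from this article or from SpamTitan: standard-library Python that parses a raw message and reports the red flags listed above (reply-to versus sender domain, brand lookalike domains, urgency language, link text that disagrees with the link target, attachments). The two sample messages, the `.example` domains, the brand allow-list and the urgency word list are all constructed for illustration and are assumptions a practitioner would replace with their own; the crude "last two labels" registrable-domain helper is likewise a simplification that a real deployment would replace with the Public Suffix List.

```python
"""Flag common phishing red flags in a raw RFC 822 message (added example)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short allow-list of the real domains for each brand keyword.
# A host that contains the keyword but is not one of these is a lookalike.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com", "live.com", "outlook.com"},
    "dropbox": {"dropbox.com"},
    "paypal": {"paypal.com"},
}

# Assumption: constructed list of urgency phrases; extend for your clients.
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|urgent|overdue|act now)\b", re.I)


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); fine for the .com-style hosts used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike(host):
    """True when a brand keyword appears in a host the brand does not own."""
    reg = registrable_domain(host)
    return any(brand in host.lower() and reg not in legit
               for brand, legit in BRAND_DOMAINS.items())


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw):
    """Return a list of human-readable red flags for a raw message (bytes)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    flags = []
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg.get("Reply-To", "")))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        flags.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    if from_domain and lookalike(from_domain):
        flags.append(f"sender domain {from_domain} looks like a brand imitation")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if URGENCY.search(str(msg.get("Subject", "")) + " " + text):
        flags.append("urgency language in subject or body")
    if body and body.get_content_type() == "text/html":
        ext = LinkExtractor()
        ext.feed(text)
        for href, shown in ext.links:
            host = urlparse(href).hostname or ""
            if lookalike(host):
                flags.append(f"link host {host} looks like a brand imitation")
            # Visible text that is itself a URL but points somewhere else.
            shown_host = urlparse(shown).hostname if shown.startswith("http") else None
            if shown_host and registrable_domain(shown_host) != registrable_domain(host):
                flags.append(f"link text shows {shown_host} but points to {host}")
            elif from_domain and registrable_domain(host) != registrable_domain(from_domain):
                flags.append(f"link to {host} does not match sender domain {from_domain}")
    for part in msg.iter_attachments():
        flags.append(f"attachment present: {part.get_filename()}")
    return flags


# Constructed sample: a credential-harvesting lure with most of the red flags.
SAMPLE = b"""\
From: "Microsoft 365" <security@microsoft-support-login.example>
Reply-To: helpdesk@mail-recovery.example
To: user@client.example
Subject: Action required: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected suspicious activity. Sign in now to keep your account.</p>
<a href="https://login.microsoft-support-login.example/auth">https://login.microsoftonline.com</a>
</body></html>
"""

# Constructed sample: an ordinary internal message that should produce no flags.
BENIGN = b"""\
From: Alice <alice@client.example>
To: user@client.example
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Are you free Thursday? Let me know.
"""

if __name__ == "__main__":
    for flag in analyze(SAMPLE):
        print("FLAG:", flag)
    print("benign flags:", analyze(BENIGN))
```

Running the module prints five flags for the lure and none for the benign note. The "link does not match sender domain" rule is deliberately the weakest signal here, since legitimate newsletters and notification services trip it constantly; treat these flags as inputs to a score or a user warning banner, not as a block decision on their own.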
Email Security Tools to Stop Phishing
While awareness is a powerful tool for combating phishing, it is still critical to employ a comprehensive email security solution. Human error is inevitable, and you don’t want a client to become compromised simply because someone clicked a link a little too quickly.
You should equip each of your clients with an email anti-phishing tool that incorporates advanced threat detection, antivirus, email scanning, and spam blocking. The best solutions, such as our award-winning SpamTitan tool, will use behavioral statistics and machine-learning algorithms to identify and block even the newest phishing threats.
SpamTitan is trusted by thousands of organizations worldwide to provide top-to-bottom protection against spear phishing, whaling, BEC, and other forms of social engineering attack typically carried out via email.
IT service providers especially love SpamTitan for its granular control, reporting, and easy deployment across multiple clients. Our solution even offers direct integration with Microsoft 365, making it easy to incorporate with the productivity solution that many MSPs already offer.
We recommend taking a test drive of SpamTitan to see its benefits and simplicity for yourself. Within minutes, you’ll learn why our proven solution is fast becoming the go-to email protection tool for IT service providers worldwide.