Cyber-criminals, state-sponsored cyber warriors, cyber-terrorists, and law enforcement cyber divisions all face the same choice when launching a campaign against a person, company, or governmental agency – do I start with a hard target or a soft target? Modern networks, even for small businesses and individuals, are usually tough to breach from the Internet side. Networks are hardened with layers of defensive hardware and software that make a direct attack difficult, even close to impossible.
Of course the soft target, a human, is always easier to breach. If I can trick a human into sharing their network or email credentials, or install a remote access Trojan by getting someone to open an attachment, my attack just changed from an outsider attack to a much easier insider attack. This is why over 90% of network attacks start with a phishing email.
Some of the hardware we mentioned earlier includes devices such as packet filtering proxy servers and email gateways that look for phishing emails in the data stream and remove them before they reach someone’s inbox. But no matter how good these devices become, attackers eventually find a way to get past them, if only for a while.
So the best line of defense is still a trained, motivated, and vigilant human. It is important to teach our family, friends, and coworkers how to spot a suspicious email, and give them a rule set of how to respond. One of the best combinations is cybersecurity awareness training coupled with phishing simulation exercises and games.
Here are some of the most commonly used phishing email subject lines, from an article in Tech Republic. These subjects are designed to play on people’s curiosity, or to provoke a reaction based on fear. Train your people to be on the lookout for approaches such as these:
- Change of Password Required Immediately
- Microsoft/Office 365: De-activation of Email in Process
- Password Check Required Immediately
- HR: Employees Raises
- Dropbox: Document Shared With You
- IT: Scheduled Server Maintenance – No Internet Access
- Office 365: Change Your Password Immediately
- Avertissement des RH au sujet de l’usage des ordinateurs personnels (French: HR warning about the use of personal computers)
- Airbnb: New device login
- Slack: Password Reset for Account
- SharePoint: Approaching SharePoint Site Storage Limit
- Microsoft: Anderson Hauck has shared a Whiteboard with you
- Office 365: Medium-severity alert: Unusual volume of file deletion
- FedEx: Correct address needed for your package delivery on [[current_date_0]]
- USPS: Your digital receipt is ready
- Twitter: Your Twitter account has been locked
- Google: Please Complete the Required Steps
- Cash App: Your Account Has Been Closed
- Coinbase: Important Please Resolve Error Now
- Would you mind taking a look at this invoice?
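To show what an email gateway or a phishing-simulation scorer actually looks for in lines like these, here is an added example (not code from the original post, Tech Republic, or Sophos). It scores a subject line on the cues an awareness class teaches people to notice: pressure to act, credential or account themes, a "Brand:" prefix, and curiosity bait. The keyword lists, weights and threshold are assumptions chosen for illustration; the lure list is the one above, and the benign subjects are constructed.

```python
import re

# Added example, not from the original post. A heuristic scorer for email
# subject lines, modelled on the lures listed above. Keyword sets and weights
# are assumptions for illustration, not a production gateway rule.

PATTERNS = {
    # Pressure to act without thinking.
    "urgency": re.compile(
        r"\b(immediately|now|required|needed|locked|closed|alert|resolve|limit|de-?activation)\b",
        re.IGNORECASE),
    # Credential or account themes, the usual goal of a phish.
    "credential": re.compile(
        r"\b(password|account|login|credential|verify|verification|check)\b",
        re.IGNORECASE),
    # "Brand:" or "Department:" prefix that most of the listed lures share.
    "brand_prefix": re.compile(
        r"^\s*(microsoft|office 365|dropbox|it|hr|airbnb|slack|sharepoint|fedex|usps|"
        r"twitter|google|cash app|coinbase)\b[^:]*:",
        re.IGNORECASE),
    # Something supposedly waiting for the reader (curiosity bait).
    "bait": re.compile(
        r"\b(shared|invoice|receipt|whiteboard|package|delivery|raises?)\b",
        re.IGNORECASE),
}
WEIGHTS = {"urgency": 2, "credential": 2, "brand_prefix": 1, "bait": 1}


def score_subject(subject):
    """Return (score, matched_cue_names) for one subject line."""
    reasons = [name for name, pat in PATTERNS.items() if pat.search(subject)]
    return sum(WEIGHTS[r] for r in reasons), reasons


def is_suspicious(subject, threshold=2):
    """True when the subject's cue score reaches the (assumed) threshold."""
    return score_subject(subject)[0] >= threshold


def triage(subjects, threshold=2):
    """Subjects at or above the threshold as (subject, score, reasons), highest first."""
    scored = [(s, *score_subject(s)) for s in subjects]
    return sorted((t for t in scored if t[1] >= threshold), key=lambda t: -t[1])


# The lures from the Tech Republic list quoted in the post.
SAMPLE_SUBJECTS = [
    "Change of Password Required Immediately",
    "Microsoft/Office 365: De-activation of Email in Process",
    "Password Check Required Immediately",
    "HR: Employees Raises",
    "Dropbox: Document Shared With You",
    "IT: Scheduled Server Maintenance – No Internet Access",
    "Office 365: Change Your Password Immediately",
    "Avertissement des RH au sujet de l’usage des ordinateurs personnels",
    "Airbnb: New device login",
    "Slack: Password Reset for Account",
    "SharePoint: Approaching SharePoint Site Storage Limit",
    "Microsoft: Anderson Hauck has shared a Whiteboard with you",
    "Office 365: Medium-severity alert: Unusual volume of file deletion",
    "FedEx: Correct address needed for your package delivery on [[current_date_0]]",
    "USPS: Your digital receipt is ready",
    "Twitter: Your Twitter account has been locked",
    "Google: Please Complete the Required Steps",
    "Cash App: Your Account Has Been Closed",
    "Coinbase: Important Please Resolve Error Now",
    "Would you mind taking a look at this invoice?",
]

# Constructed, ordinary business subjects used as a control set.
BENIGN_SUBJECTS = [
    "Team lunch on Friday",
    "Q3 roadmap draft for review",
    "Minutes from Monday's standup",
    "Re: parking permit renewal",
    "IT: Printer on the 3rd floor is back online",
]

if __name__ == "__main__":
    for subject, score, reasons in triage(SAMPLE_SUBJECTS + BENIGN_SUBJECTS):
        print(f"{score}  {subject}  <- {', '.join(reasons)}")
    missed = [s for s in SAMPLE_SUBJECTS if not is_suspicious(s)]
    print("\nKnown lures the heuristics miss:", *missed, sep="\n  ")
```

With these weights, 17 of the 20 lures score at or above the threshold and none of the control subjects do. The three that slip through are instructive: the IT maintenance notice, the French-language HR warning and the plain "would you mind taking a look at this invoice?" read like ordinary business mail, which is exactly why keyword filtering alone is not enough and a trained reader remains the last line of defense.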
Here are some other tips from Sophos Naked Security to help you resist a well-crafted phishing email.
- When in doubt, confirm EVERYTHING. Avoid using email for confirmation; it is better to confirm by text message or telephone call.
- Don’t believe the email just because the sender seems to know a lot about you.
- If it looks like it came from the boss or someone else you know, it may be spoofed or coming from a hijacked account.
- Don’t hurry. Attackers will create a false sense of urgency to get you to respond without thinking.
- Details provided in an email by an attacker are proof of nothing. Use an independent third party to confirm the identity of the sender or the legitimacy of the request.
- Do not follow instructions about how to view an email that are provided in the email.
- Get a second opinion. Not sure? Share your concern with a coworker or IT support.
- Create a point of contact to report suspicious emails.
- Tell IT support about it.
- IT support – listen to your users.
The person receiving a phishing email can be “patient zero” in the next malware outbreak or network attack, or a deputy cybersecurity analyst. The outcome depends on whether they get exposed to effective cybersecurity awareness training or not. In my experience, trained employees become enthusiastic network watchdogs. Empower yours to do likewise.
More Information:
- Tech Republic – Most Popular Phishing Subject Lines
- Sophos Naked Security – Tips to Avoid Spearphishing Attacks
About the Author:
I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com