At some point, email, the world’s most widely used productivity tool, became the world’s biggest time-suck. Most people fight the tide by getting through their inbox as quickly as they can. Actions required to move an email from “inbox” to “archive” become rote, with employees responding to emails almost reflexively. After all, responding quickly to email is a good habit, right?
This is what email phishing attacks rely on. Their strategy is to lull someone inside your organization into that sense of habit and routine. Their most common goal is credential theft: gaining control of your organization’s internal users’ login IDs and passwords, in order to do damage elsewhere, disrupting systems and digging further for valuable data.
Their approach works when a person in your organization does any of the following things:
- Clicks a link to a familiar site and enters a login and password by habit, without noticing that the URL is slightly different
- Downloads an attachment that looks like it comes from a trusted party
- Replies swiftly to what looks like a colleague’s request for login credentials
This post will focus on the most common of these three methods: inducing users to click on a malicious link. We will outline three steps your organization can take to provide contextual information that enables your users to make better decisions when faced with a suspicious URL.
1. Checking against known bad
This one is obvious: Is the URL in the email one that’s known to have been used in phishing attacks? Many organizations already work from lists of such “known bad” URLs, flagging them for their internal users or prohibiting users from accessing them altogether.
If you want to protect against malicious URLs, checking against known bad is table stakes. Cybercriminals acquire new domains by the minute. Security researchers have documented how easy it is for would-be attackers to acquire even trust-inducing .gov domains for these attacks. These fake URLs, many of which closely resemble real and trusted URLs, are used to package phishing campaigns. Having a list of the ones we know are malicious is a good start, but it’s only a start. It’s impossible to have an aggregate list of all known bad or malicious links. To be effective, email security must go further.
2. Identifying suspicious links
Attackers will do research to understand which well-known brands people in your organization often interact with. They combine that information with intelligence about your organization. The "from" line in a phishing email is often a colleague or a supervisor of the intended target. The preparation and sophistication behind these attacks can be turned against the attackers when you use the same kind of intelligence to identify suspicious links.
In short, you can thwart these advanced phishing attacks by gathering your own email intelligence: suspicious links are those that resemble links a user often engages with, but are slightly different. Relationship analytics, communication patterns and frequently used URLs can be your guides to understanding the patterns and the possible permutations, and identifying suspicious anomalies. For example: your market research team frequently logs onto amazon.com. An email containing a link to “amozon.com” might slip by a team member rushing to get through his inbox, but it should raise a red flag in your security systems.
Of course, you can’t flag every unfamiliar URL that resembles a well-known website. The sensitivity of systems set up to flag such suspicious URLs should be set based on the risk tolerance of your organization.
3. Contextual warnings for end users
Regardless of how you set sensitivities, many URLs that are benign may end up flagged as suspicious. Email users in your organization need contextual information to enable them to make the right decision about whether to proceed or stop when faced with a particular email and URL. Providing users with information will make them an effective front-line defense against email phishing attacks.
One email phishing defense tactic that has proven successful is to notify users of the possibility of a suspicious link within the email, providing the criteria that triggered the suspicious flag. This helps the user make an informed decision in the moment and educates them about what to look for in the future.
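As an added example (not code from the original post), the Python below implements the comparison described in step 2, a URL's domain checked against the domains your users frequently visit, and returns the triggering criterion that step 3 says a contextual warning should show. The domain list, the sample URLs and the edit-distance threshold are constructed for the example; a real deployment would derive the list from your organization's own email and browsing patterns.

```python
from urllib.parse import urlparse

# Constructed sample: domains this organization's users frequently visit.
FREQUENT_DOMAINS = ["amazon.com", "salesforce.com", "github.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(url: str) -> str:
    """Lowercased host reduced to its last two labels.
    Simplification for this example; production code should consult the
    Public Suffix List so that suffixes such as 'co.uk' are handled correctly."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def assess_url(url: str, max_distance: int = 2) -> dict:
    """Classify a URL relative to the frequently used domains and say why.
    max_distance is the sensitivity knob: raising it catches more lookalikes
    but also flags more benign domains, so tune it to your risk tolerance.
    The 'reason' string is what a contextual warning would show the user."""
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(url)
    if domain in FREQUENT_DOMAINS:
        return {"verdict": "known", "domain": domain,
                "reason": f"{domain} is a frequently used domain"}
    for known in FREQUENT_DOMAINS:
        brand = known.split(".")[0]
        # Criterion 1: the brand name appears inside a host that is not the
        # brand's own domain, e.g. amazon.com.login-check.example
        if brand in host:
            return {"verdict": "suspicious", "domain": domain,
                    "reason": f"host '{host}' contains '{brand}' but is not {known}"}
        # Criterion 2: a few character edits away from a familiar domain, e.g. amozon.com
        dist = levenshtein(domain, known)
        if dist <= max_distance:
            return {"verdict": "suspicious", "domain": domain,
                    "reason": f"'{domain}' is {dist} edit(s) away from frequently used {known}"}
    return {"verdict": "unfamiliar", "domain": domain,
            "reason": "no resemblance to a frequently used domain"}
```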
Our example of “amazon” vs. “amozon” may be a fairly straightforward URL to mark as suspicious, but what about a URL where the user doesn’t have as much context? The line between suspicious and legitimate may not be as clear-cut. In these cases, users need a way to safely click the link and judge for themselves. The ideal solution would take users to a page that notifies them of the suspicious link and provides a sandboxed version of the page. This way, users can view the contents of the page at the URL in question and determine if it is, in fact, a destination they should visit.
Threat actors can be quite sophisticated in the tactics they use to lull your users into giving up information for credential harvesting. They are looking to exploit users' routines and habits, in order to dangle a phishing lure that takes advantage of users' habitual response patterns. To defend against these attacks, your organization must understand those patterns as well. This knowledge enables you to identify the small ways in which a phishing attack and a suspicious URL will differ from the normal patterns of use.
Armed with knowledge about what’s normal in your users’ inboxes, you can provide context to users about why a URL or an email should be treated with caution. This gives them the information they need to make better decisions, which transforms your users from vulnerable targets into valuable guardians. Your own people can become your organization’s best line of defense against risky URLs and credential harvesting.