From a bad actor perspective, phishing is the cheapest and easiest way to infiltrate organizations and personal information to make a profit. By nature, humans are curious and are oft en overconfident when it comes to security. Phishing is an even greater threat for mobile users, too. Without key visual cues, like the ability to hover over a link to determine its destination, it is much easier for a user to make the simple mistake of clicking a bad link and falling victim to a phishing attempt. The popularity of social media has also made it much easier for hackers to find valid email addresses and research users’ life activities to create sophisticated, tailored phishing attacks. From a security perspective, there are typically three approaches to solving the phishing problem – email security gateways, web proxies and security training awareness—but each has its own limitations.
Email security gateways look at all emails coming in and have information on spam and reputation. However, when a click actually occurs, their primary defense is prior knowledge of the website obtained through crowdsourcing, resulting in a ‘patient zero problem.’ In other words, the first few users are allowed to access the potentially malicious website until there’s a verdict available regarding the website rating.
Web proxies, on the other hand, know almost everything there is to know about HTTP, but are clueless when it comes to email. More importantly, they lack the important context of a website visit originating from an email click, as opposed to a user typing in the URL bar on their browser. Security awareness training may help mitigate the risk, but training is never enough because any software used to train the user is largely out of the picture when a real phishing email link is clicked.
Often times, bad actors are taking the time to classify websites as ‘good’ so they can bypass all of these defenses. Simply put, phishing is a social engineering problem that puts everyone at risk. Fortunately, an easy fix to this problem is to move to a strategy of isolation, one that offers organizations a safe-allow option. Hackers have become so creative because companies are still trying to figure out if websites are ‘good’ or ‘bad,’ but after shifting to isolation, the only thing that matters is access, or the lack thereof.
Even if isolation services are unavailable, there are still a number of ways to combat phishing. The first is by practicing simple email hygiene. Ignoring and deleting emails that reference free rewards, vouchers or social media posts is always the best policy. Another is to always go directly to the source. Instead of following embedded links found within emails, users should access the website they want to visit directly from the URL bar. Finally, avoiding open authentication programs by creating new, separate accounts – or even using fake email addresses to sign up for these accounts – is recommended, as they’re less likely to be phished. By following these simple steps, or adopting isolation, users and organizations can keep ‘off the hook’ and avoid falling victim to email phishing attacks.