January 18, 2023

Identify and Neutralize Phishing Attempts

Introduction  

Countless reports have emerged in recent years, and seemingly more frequently in the last year, of organizations confirming they have experienced a cyberattack or unauthorized entities accessing their systems, networks, or data stores. After extensive research into the root cause of these attacks, many organizations have found that the threat actors behind these malicious activities are finding their way in by sending phishing attempts to employees working for these major organizations. 

The Scary Truth About Phishing Attempts 

Phishing dates back to 1995, so threat actors have had plenty of time to evolve their tactics and become better at what they do. Phishing attempts have become harder to detect and, therefore, harder to neutralize before the cyberattack or unauthorized access to your organization’s systems, networks, or data stores that follows. When a phishing attempt convinces a victim to unknowingly click a malicious link or download a maliciously scripted file, it becomes the entry point into your organization.

When phishing attempts are successful, becoming phishing attacks, there is no telling what the threat actors will do once inside your network. They could use this opportunity to install various kinds of malicious software, including trojans, worms, and one of the worst of all, ransomware.

RELATED: “The Threat of Phishing: Common Types of Phishing Attacks” 

Identify Phishing Attempts with the S.L.A.M. Method 

The S.L.A.M. (Sender, Link, Attachment, and Message) method of identifying an email as a phishing attempt is a helpful way to remember the properties that give away whether an email is malicious.

Sender 

One of the first signs that an email is malicious is if it blatantly originates from outside your organization. However, threat actors will impersonate members of your organization (usually managers, directors, or C-suite executives) to trick users into believing it is a legitimate message from the person they claim to be. No two email addresses are the same, so checking the sender’s address is your first step in verifying whether an email is legitimate.

In some cases, threat actors can obtain login credentials through brute-force password attacks and send malicious emails from a verified account within your organization. When this happens, the email can still present itself as suspicious. In this case, your best bet is to reach out to the rightful owner of said email address through another channel, such as chat or voice, and confirm with them that they indeed sent the email. 

Link 

Phishing emails are well-known for the malicious links they include within the contents of their messages, whether it’s a link in the text body or hyperlinks to hide the URL as much as possible. These links will direct you to malicious sites scripted to do several things that would cause harm to you or your organization, including downloading malware to your machine without you knowing. 

To best identify where a link may take you, hover over it with your cursor. The URL embedded in the hyperlinked text will display next to your cursor or in the corner of your screen. Based on what you see, you can decide whether the link is safe to click. If an email claims to come from a specific site (Microsoft Online, Amazon, or your bank, for example) and asks you to perform an action after opening the link, it is best to visit that site directly by searching for it in your browser instead of using the link provided. This way, you can verify whether a suspicious email is legitimate.

Attachment 

Aside from the links in a phishing email, threat actors will also use file attachments to download malware to your machine. They can hide scripted malware in various file types, but the two primary forms are PDFs and Word documents. Once you or a user within your organization downloads the attachment, the phishing attempt is successful. Phishing emails with links and attachments may come from a trusted coworker’s account. However, any unprompted email from a coworker requesting that you open a link or download an attachment should be deemed suspicious. Threat actors can crack passwords and log into your accounts to access your data or perform actions that require admin-level privileges. Verify with your coworker that they sent the email and why.

Message  

The last step in the S.L.A.M. method is to examine the message. You may not recognize that an email is suspicious at first glance. The Sender, Link, and Attachment could all seem like just another email you get from your coworker. Nonetheless, numerous grammar and spelling errors within the same message are strong indicators that an email might not be legitimate. You should double-check the subject line and body of the email to scope out any inconsistencies, misspelled words, or grammatical errors.   

There are other aspects to look out for in the message of an email. Phishing emails will often try to rush you to click a link, download a document, or share your credentials. Verbiage usually falls along the lines of: 

  • “Hello, this is your CEO. I am in an important meeting and urgently need your help with...” 
  • “Claim your $250 gift card prize at the link below while it is still available!” 
  • “Hello, I can’t log into my ___ account. Could I borrow your login credentials? Please hurry.” 
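
The four S.L.A.M. checks above, written as a triage script a security team could run over reported messages. This is an added example, not ThreatLocker's code; the organization domain `example.com`, the phrase list, the names `slam`, `Anchors` and `sample`, and the sample message are assumptions constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"            # assumption: your organization's mail domain
DOC_EXT = (".pdf", ".doc", ".docx")   # the two attachment types the article names
HOST = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)
PRESSURE = re.compile(r"\b(?:urgent(?:ly)?|please hurry|still available|login credentials)\b", re.I)

class Anchors(HTMLParser):  # collects [href, visible text] pairs: what hovering reveals
    def __init__(self, html):
        super().__init__()
        self.links, self.inside = [], False
        self.feed(html)
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links.append([dict(attrs).get("href") or "", ""])
        self.inside = self.inside or tag == "a"
    def handle_data(self, data):
        if self.inside:
            self.links[-1][1] += data
    def handle_endtag(self, tag):
        self.inside = self.inside and tag != "a"

def slam(msg):
    """Return (letter, detail) findings for one EmailMessage; empty list = nothing flagged."""
    name, addr = parseaddr(str(msg.get("From", "")))
    domain, found = addr.rpartition("@")[2].lower(), []
    if domain != ORG_DOMAIN:  # an internal sender is not cleared: accounts get taken over
        found.append(("S", f"'{name}' writes from outside domain {domain}"))
    html, plain = msg.get_body(("html",)), msg.get_body(("plain",))
    for href, text in Anchors(html.get_content() if html else "").links:
        shown, real = HOST.search(text), urlparse(href).hostname
        if shown and real and shown.group(1).lower() != real.lower():
            found.append(("L", f"text shows {shown.group(1)} but opens {real}"))
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower().endswith(DOC_EXT):
            found.append(("A", f"document attachment {part.get_filename()}"))
    words = f"{msg.get('Subject', '')} {plain.get_content() if plain else ''}"
    hits = sorted({m.lower() for m in PRESSURE.findall(words)})
    return found + ([("M", "pressure wording: " + ", ".join(hits))] if hits else [])

def sample():  # constructed message (not a real phish) that trips all four checks
    m = EmailMessage()
    m["From"], m["Subject"] = '"Your CEO" <ceo@mail-example.test>', "Urgent request"
    m.set_content("I am in an important meeting and urgently need your help. Please hurry.")
    m.add_alternative('<a href="https://login.portal.test/x">www.example.com</a>', subtype="html")
    m.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf", filename="Invoice.PDF")
    return m
```

Host comparison is exact, so link text of example.com pointing at www.example.com is also flagged; a finding means the message should be verified with the sender through another channel, not that it is proven malicious.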

Spear Phishing 

Spear phishing is a social engineering attempt, just like any other phishing campaign. What sets it apart is how much work and detail is put into convincing a user that it is legitimate. Threat actors conduct research on their potential victims through an organization’s website, LinkedIn, and other social platforms to learn their name, title and job responsibilities, and even events occurring in their personal lives. This information is used to weave a compelling and targeted message that can lead a user to set a cyberattack in motion by acting on the phishing attempt. Threat actors could impersonate:

  • A user’s bank, regarding their financial standing.
  • A colleague or friend worried about a victim’s home situation.
  • Their child’s school, looking to “schedule” a parent-teacher conference.

All of these aim to convince a user to click a link or download a document to their computer.

RELATED: “Human Hacking: Protecting Yourself from Social Engineering” 

Neutralizing Phishing Attempts 

Upon identifying a phishing email using the S.L.A.M. method, you must neutralize it. There are a few routes you can take: 

  1. Deleting the email and getting it out of your system. 
  2. Reporting it as phishing to your email provider. 
  3. Reporting it to your I.T./Security department, which is recommended. 

By sending the phishing email to your security team, you are allowing them to examine the threat and spread the word around your organization to NOT open any links or download any files.   

The S.L.A.M. method is a helpful tool for scoping out malicious emails. To better protect your organization, it is beneficial to include this acronym in the cybersecurity awareness training your users must complete. By adding this, you further strengthen your organization’s human firewall, thus slimming down your chances of experiencing a cyberattack. 

Why You Shouldn’t Rely on Phishing Training Alone 

The human firewall is your first line of defense against phishing attempts. Be that as it may, it should not be trusted to act as your only line of defense. The number of organizations falling victim to malware attacks is increasing dramatically. Many reports show that threat actors succeeded in their attempts because they convinced an employee to open a malicious email. Organizations of all sizes and types have been compelled to report that they have experienced cyberattacks or unauthorized entities within their data stores. 

A cybersecurity stack creates layers of protocols, software, and policies, all working together to protect your organization from cyberattacks. So, aside from your cybersecurity awareness training, especially your phishing email training, you will need to invest in reliable, zero trust software. By implementing this software, you reinforce a more robust security stance within your organization against cyberattacks that derive from phishing emails. 

Conclusion  

ThreatLocker’s solution platform operates on a Zero Trust security posture that strictly enforces default deny. Products like Allowlisting and Ringfencing™ work together to prevent malicious software like ransomware from taking over your organization’s infrastructure. With Allowlisting, you can stop applications you do not use from becoming weaponized by malware by blocking them from operating. Ringfencing™ enables you to control what applications can do, like whether they are allowed to communicate with each other or call out to the internet, preventing the download and spread of ransomware. When running in your environment with the right policies, these applications can proactively defend your organization from a malware attack, whether from phishing or not.   

If you are interested in learning more about ThreatLocker’s Zero Trust endpoint security products, schedule a call with the Cyber Hero Team for a free demo.  
