Sophos, a global leader in next-generation cybersecurity, warns against the emergence of new email phishing scams.
As email continues to dominate business communications both internally and externally, it remains to be the most common entry point for cyberattacks – sneaking malware and exploits into the network, and credentials and sensitive data out.
The latest data from SophosLabs shows that in September 2020, 97% of the malicious spam caught by its spam traps were phishing emails, hunting for credentials or other information. The remaining 3% was a mixed bag of messages carrying links to malicious websites or with booby-trapped attachments, variously hoping to install backdoors, remote access trojans (RATs), information stealer or exploits or to download other malicious files.
Phishing remains a frighteningly effective tactic for attackers, as operators behind them continue to refine their skills and enhance the sophistication of their campaigns.
Sophos noted two recent examples on the rise:
Business email compromise (BEC)
No longer confined to poorly spelled or formatted messages pretending to come from the CEO and demanding the immediate and confidential transfer of significant funds, the latest iterations are subtler and smarter. The attackers are doing their groundwork before launching the attack. They get to know the business and the target executives, adopting their language style and tone, and sometimes even actual email accounts. The absence of malicious links or attachments in such emails make them difficult to detect with traditional security tools.
Phishing emails without links
These phishing emails bring cloned websites as HTML attachments. The attachment would simply open up the enclosed web page in the comparative safety of victims’ browser’s sandbox and ask them to unwittingly fill-up forms that will send off their data to websites controlled by criminals. Email passwords are among the most valuable credentials for crooks to acquire, simply because many people use their email account for password resets on a multitude of other accounts.
Security tips
The good news is that there’s no need to learn a whole new set of precautions against these new phishing scams. To protect yourself, Sophos recommends to: Avoid HTM or HTML attachments altogether unless they’re from someone you know and you are expecting them.
- Avoid logging in on web pages that you arrived at from an email. If it’s a service you already know how to use – whether it’s your email, your banking site, your blog pages or a social media account – learn how to reach the login page directly. If you always find your own way to your account login pages, you’ll never be tempted by fakes.
- Turn on two-factor authentication if you can. Two-factor authentication means that you need a one-time login code, usually texted to your phone or generated by a special app, that changes every time. 2FA doesn’t guarantee to keep the crooks out, but it makes your password alone much less useful to them if they do manage to phish it.
- Change passwords at once if you think you just got phished. The sooner you change your current password after putting it into a site you subsequently suspect, the less time the crooks have to try it out. Similarly, if you get as far as a “pay page” where you enter payment card data and then realize it’s a scam, call your bank’s fraud reporting number at once. (Look on the back of your actual card so you get the right phone number.)
- Use a web filter. A good anti-virus solution won’t just scan incoming content to stop bad stuff such as malware getting in, but will also check outbound web requests to stop good stuff such as passwords getting out. Even in “clickless” attacks, the password exfiltration relies on an outgoing web connection that a web filter could block.