Phishers, hackers, cybercriminals, script kiddies and everyone associated with email phishing continues to develop creative ways to evade email security protection layers. Security professionals seem to be in a never-ending "cat-and-mouse" game. 

Enabling DMARC, SPF, DKIM is the most commonly prescribed strategy to prevent domain spoofing. But smart hackers can indirectly bypass DMARC, SPF and DKIM by redirecting their mailbox address toward the victim's mailbox and including the fake address in their list of allowed sender addresses. 

Secure Email Gateways (SEGs) are highly effective at securing on-premises email environments. However, as email has moved to the cloud, these legacy dinosaurs have been no match for the virtuosity of nimble bad actors who use emails to continually set traps for employees, customers and business partners.

Multi-factor Authentication (MFA) ensures emails are kept fully secure and can only be accessed by their intended recipients. However, if the selected method for MFA is “SMS” and/or “Phone Call”, it can be abused, and the attacker can gain access to that information by using SIM Swapping.

The next level of security threats

The business community is facing a new level of security threats as text generator technologies like ChatGPT and Jasper are being launched into the market en masse, empowering even the most low-level nefarious actor to create polished phishing emails and malware with an unprecedented ease and speed. MSSPs, MSPs and IT Security Teams will have to work that much harder to mitigate the onslaught of attacks that are predicted to accompany the use of these platforms. 

Phishing attacks have become increasingly sophisticated, blending into existing workflows and digital communication with high-quality phishing emails. Phishing emails encourage quick human action. Many of today’s email attacks replicate workflows to trick victims into reverting to muscle memory before the brain catches up to what’s happening.

Employees are the last line of defense

Phishing sites, accessed by clicking links in email messages, are often designed to look like legitimate institutions’ websites with stolen logos and similar designs. Still, if employees can take a breath and check if the sender’s email address and/or link is legitimate, companies can avoid a phishing attack.

Most phishing emails have one of the following characteristics: 

  1. Asks for payment - invoice, gift card, wire payment, etc. 
  2. Increases psychological pressure by sending an email or sending a follow up email from a “high level” executive” 
  3. Has an attachment – excel file, pdf, word doc
  4. Creates a sense of urgency – pay within the next 24 hours or password expires in 24 hours
  5. Uses a recent crisis to request credentials or money (Ukraine, gun control, SVB Bank, etc.)
  6. Comes from the wrong email address
  7. Asks you to login with your credentials via a link

One sign that an official-looking email is phishing is the email address it came from. Malicious emails usually have a Gmail or Yahoo ending or use similar letters to the spoofed domain. For example, a phishing email that claims to be from US Bank might have email@vsbank.com. Notice the “U” is actually a “V.” This is a little trick of the eye that a scammer will use to make it seem like a legitimate email. If an email address is questionable, do not follow the link. 

No matter how authentic the message looks and how trusted the source is, employees should also look closely at the URL. Malicious URLs usually end in numbers rather than letters, for example, http://www.example.com/1 instead of https://www.example.org/. They may also use lowercase letters, l replaced with the numeral 1.

Bad actors will continue to innovate new methods to bypass email security and lure victims into paying fake invoices, sharing confidential information or obtaining their email address to spread their phishing campaign to new targets.

Threat actors can easily establish imposter or spoofed email accounts, domains and websites. Attacks are typically specific, devious, low-volume, infrequent and targeted and spring up and shut down extremely quickly, making reputation-based detection ineffective. 

Not every phishing email can be stopped from reaching employee’s inboxes. Unfortunately, it only takes one employee to open one malicious email for bad actors to access the network, steal valuable personal credentials, or execute a ransomware attack. Because they are the last line of defense in the cat and mouse game, employees must be continuously educated to spot phishing attacks and stay vigilant.