How do you protect against phishing attacks?
Any organization or individual is a target of a phishing attack. What we know is that email is the channel used to get you to click on a link or reply to the email, and voilà, you are now in the attacker’s web. We want to protect against that phish and any compromise.
First, let’s set up strong authentication controls to reduce the likelihood of your email account being compromised in the first place. That means two-factor authentication and email validation protocols.
Two-Factor Authentication (TFA/MFA)
Whether you use MSOutlook, GSuite, or another email service provider, enabling two-factor authentication causes your email to require a secondary authentication in addition to your password. Typically, this is a code sent to your mobile phone.
Here is how this protects you. Suppose the attacker phished you for your email and password. Now, instead of them having access to your email account (by inputting the email and your password), the email application sends a code to your secondary device to verify the login. The spoofed-email attacker isn’t going to crack that code quickly, and you get the text on your phone, so you know something is up, since you are either already in your email or not logging in.
Sender Policy Framework (SPF) is a validation protocol that detects and blocks email spoofing. Email exchangers verify that incoming mail from a domain is coming from an IP address authorized by that domain’s administrators. Bad actors are generating quickie domains using free email accounts. SPF is a text record stored in the DNS (Domain Name System) that specifies which IP addresses and/or servers are allowed to send mail from that domain. Think of this as a return address on a letter you posted. Your emails are confirmed as coming from your domain. A spoofed domain will not have that DNS stamp. After you send the email, internet service providers (ISPs) check the return-path domain. They compare the IP address sending the email to the IP address listed in that return-path SPF record, confirm they are the same, and send the message.
DomainKeys Identified Mail (DKIM) attaches a new domain name identifier to a message and uses encryption to validate authorization. The identifier is independent of any other identifier in the message. Think of DKIM as stamping your letter the way a notary witnesses your signature. DKIM says the content of your email has not been opened or changed and the owner of the email is who they say they are.
Domain-Based Message Authentication, Reporting and Conformance (DMARC) authenticates using SPF and DKIM to verify the email was actually sent by the owner of the domain the user (a reader of the email) sees. Think about the spoofed email: the email presented to the reader looks correct, like joe schmoe, but the actual email is firstname.lastname@example.org. DMARC flags that the viewed name joe schmoe is not the domain name. DMARC will not deliver the email.
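The SPF and DMARC checks described above, as an added Python example that is not part of the original article: it evaluates a sending IP against an SPF record, then applies the DMARC policy when neither SPF nor DKIM passes for the domain the reader sees. The TXT records, domains and IP addresses are constructed documentation values; DKIM signature verification is taken as an input flag, alignment is compared strictly (exact domain match), and only the `ip4`, `ip6` and `all` SPF mechanisms are evaluated.

```python
import ipaddress

# Constructed sample TXT records; example.com and the addresses are documentation values.
SPF_TXT = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 -all"
DMARC_TXT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Evaluate an SPF record's ip4/ip6/all terms left to right for one sending IP."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6") and value:
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # include, a, mx and other DNS-based mechanisms are not evaluated here
    return "neutral"


def aligned(auth_domain, from_domain):
    """Strict alignment: the authenticated domain equals the visible From domain."""
    return bool(auth_domain) and auth_domain.lower() == from_domain.lower()


def dmarc_disposition(record, from_domain, spf_result, spf_domain, dkim_valid, dkim_domain):
    """Apply the DMARC policy (p=) when neither SPF nor DKIM passes with alignment."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return "deliver"  # no usable DMARC record, nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain)
    dkim_ok = dkim_valid and aligned(dkim_domain, from_domain)
    if spf_ok or dkim_ok:
        return "deliver"
    policy = tags.get("p", "none").strip().lower()
    return policy if policy in ("quarantine", "reject") else "deliver"
```

A record published with `p=none` only reports failures, so unauthenticated mail is still delivered until the policy is moved to `quarantine` or `reject`.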
Next, we should look at improving the process of sending information or money using email. Process descriptions outline the controls or requirements, so everyone is following the same steps. For example, if wire transfer instructions are being sent in an email, a spoofed email scenario would enable the attacker to change the wiring instructions to their own bank.
Changing a process from sending wire instructions in the email to uploading the instructions to a secured document share site eliminates the manipulation of those instructions if the email is spoofed. To ensure the new process is followed, train employees to know they will never be asked to provide wiring instructions via email. If they do get that request, they should simply reply or, better yet, phone the client and inform them the instructions are uploaded to the secure file share. A legitimate customer would already know this, and phoning the client would reveal the spoofed email.
Now we want to monitor our security and process controls. Monitoring the controls provides management with insight into how effective the security and process are. For example, if no one is using the secure file share, then management can follow up with employees to learn why not. If two-factor authentication or DMARC is not enabled or used, management can inquire why not. Other monitoring controls may cover firewall security, email server security and other security settings that have alerts on changes to settings or accounts.
Don’t wait for a compromise! Review and update your current email security and processes.