Why Phishing Still Works (and What To Do About It)

October 13, 2021

Executive Viewpoint

This is Part 2 in our four-part blog series for Cybersecurity Awareness Month. Read Part 1 | Part 3 | Part 4.

This week’s Cybersecurity Awareness Month’s theme, “Fight the Phish,” is a very challenging one for cybersecurity professionals as one of the best defenses against this popular adversary tradecraft is education. As such, this week’s theme presented a great opportunity to again provide a tool to cybersecurity professionals to help spread the word and educate end users about ransomware in simple terms. The following blog from CrowdStrike Chief Information Security Officer, Jerry Dixon, is designed for cybersecurity professionals to share directly with their end users as a tool for education.

The term “phishing” dates all the way back to 1995. This cyberattack tactic has been used by a wide range of adversaries, from script kiddies to the most sophisticated nation-state actors. The biggest threat phishing presents to cybersecurity professionals is not the tactic itself (described below) but the damage it can cause.

One of the most effective ways to protect against this threat is to teach people how to spot a phishing attempt and why they must report it to the right people. In the following blog post, I describe the phishing threat and outline the best practices for tackling this persistent problem. 

Let’s start with an explanation of this important piece of adversarial tradecraft. Phishing is a social engineering technique that uses email to entice or trick unsuspecting people to click on web links or attachments that appear to be legitimate but are instead designed to compromise the recipient’s machine or trick the recipient into revealing credentials or other sensitive information. Adversaries, whether an individual criminal or a nation-state, craft such messages to appear to be legitimate. A phishing email can appear to be from your bank, employer or boss, or use techniques to coerce information out of you by pretending, for example, to be a government agency.

Whether an adversary is an individual criminal or a nation-state determines the motivation behind the phishing attempt. Motivations are many and varied; in a phishing email an adversary may attempt to:

  • Steal account credentials to siphon funds from you or your company 
  • Steal your work account credentials to access your employer 
  • Deploy malicious software that will allow them to gain entry to your work or home computer or access your network to steal intellectual property 

No matter the motivation, phishing presents adversaries with a low-risk attack method that offers a high potential for financial gain. And that’s why the phishing threat keeps us CISOs on our toes — adversaries use the tactic over and over because it works. People are often busy and distracted, prone to clicking on links without thinking when they quickly check their email between meetings or other activities. The data bears this out: organizations on average have a click rate of 10%, which represents a high chance of users clicking on an illegitimate link and giving up information or providing their account credentials to a phisher.

A typical phishing attack entails the mass sending of emails in hopes of getting anyone to click on malicious links. The intent could be to deploy ransomware, to steal existing account credentials, to acquire enough information to open a new fraudulent account, or simply to compromise an endpoint. Because everyone has an email address, and because the tactic offers so many options for the adversary, phishing is a numbers game played in a target-rich environment in which only a relative few need be tricked in order for the adversary to profit.

A less typical attack is the spear-phishing attack, a more specialized tactic in which the adversary specifically targets senior leaders or other sensitive roles within an organization. To craft a spear-phishing email, the adversary typically collects information about their targets that’s readily available on corporate websites or social media such as LinkedIn, Facebook and Twitter. The adversary uses such information to tailor highly personalized emails to entice the user to click on a link, aiming to pilfer sensitive information from their machine or network, or using the information to target other employees through business email compromise to steal money from the organization.

Phishing is challenging to fight with technology alone. While many solutions can help prevent such attacks, most are reactive rather than proactive, meaning that some phishing emails — upward of 20% with some solutions — will get through. And in some cases, such as when a company’s corporate email account is compromised and used to send phishing emails, anti-phishing technology won’t stop an email that’s sent from a legitimate source. 

Stopping phishing, then, relies on more than just technology — it requires vigilance by everyone. People must be trained to recognize and constantly be on alert for the signs of a phishing attempt, and to report such attempts to the proper corporate security staff.

Here are five signs of a phishing attempt to watch for and report:

  1. An unexpected email that prompts you to take action such as changing a password, sending funds, buying gift cards or logging in to a website 
  2. An email whose body appears to be legitimate, but was sent from a known free email site or an unfamiliar web domain (e.g., an email that appears to be from your local electricity provider but was actually sent from a @gmail account)
  3. An email with misspelled words, bad grammar or poor formatting
  4. An email that appears to contain suspicious file attachments
  5. An email containing web links that appear legitimate but are revealed to be from fake or unknown web domains when the cursor is hovered over them

Often, phishing emails are easy to spot and can readily be reported. Others, however, can be less obvious. Whenever you are unsure about the legitimacy of an email, report it anyway to your security team and await their guidance before acting in any way on it.

Remember, phishing — and social engineering in general — just works. Most everyone has an email address, and peoples’ trusting nature and willingness to help others often makes them susceptible to manipulative phishing attacks. Protecting yourself and your organization from these cyberattacks is a team sport that requires vigilant people to keep an eye out for suspicious clues and reporting them to the appropriate staff. 

Jerry Dixon is Chief Information Security Officer of CrowdStrike.

Additional Resources

Related Content