Securing the Digital World

Phishing is the Oldest Cybercrime in the Book—Here’s How to Turn the Page

Oct 13, 2021 | by Kelly Sarber |
Visualization of email phishing

During Cybersecurity Awareness Month, SecurID will highlight insights and best practices to help all businesses and users do their part to protect themselves, secure remote work, and “#BeCyberSmart.”

It may have all started with American Online. Supposedly, sometime around 1995, an early internet user was about to run out of time on AOL’s free 30-day trial period. Rather than start paying for internet service, they posed as an AOL administrator and asked other users for their long-in credentials. Phishing was born.

What started as a way to fuel the free use of instant messenger and chat rooms quickly grew into something a lot more sinister: the National Cyber Security Alliance (NCSA) estimates that, since the pandemic began, “phishing attacks account for more than 80 percent of reported security incidents.” Our colleagues at Outseer found that both malware and phishing “continue to be the most prevalent online fraud tactics of the past decade.” Phishing accounted for 21% of all attacks observed by Outseer in the first quarter of 2021.

It’s no surprise, then, that NCSA is devoting week 2 of Cybersecurity Awareness Month to fighting phishing. Here’s a closer look at what cybercriminals are trying to accomplish through phishing scams and how what we can do about it.

What is phishing?

Phishing attacks use email with malicious attachments or website links to infect your machine with malware or to trick you into providing your user credentials. Cybercriminals hope that by the simple interaction with a document or by clicking on a link, they will obtain a foothold onto your device or capture your account information.

Phishing emails may appear to come from a real financial institution, e-commerce site, government agency, or any other service, business, or individual. The email may also request personal information like account numbers, passwords, or Social Security numbers.

Phishing nets $16 billion in e-commerce fraud

But there’s no real way of knowing what a cybercriminal might come up with if they get a hold of your credentials.

One outcome could be an Account Take Over, or ATO. If someone has my email address and password, I could be locked out of my account—someone else could effectively become me, at least by email.

When you think about what a cybercriminal is after, obtaining ownership over a reliable credential is a huge win. If I get an email from a trusted source, I’m likely to click on it. And hackers know this: they can use ATO to pivot to other parts of an organization, move laterally and ultimately get further access into a network.  

The MITRE ATT&CK analysis of internal spearphishing summarizes how dangerous ATO can be: the Syrian Electronic Army “compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times’ IT department and were able to compromise even more users.”

Phishing preys on human psychology: if you get something from someone you trust, you’re more likely to trust that email, link or attachment. That’s what makes it so attractive to the bad guys—and so profitable: Outseer found that, in the first quarter of 2021, 71% of global e-commerce fraud originated from known accounts and new devices, which are indicative of ATO. In fact, ATO led to more than $16 billion in losses in the U.S. alone in 2019.  

Fight the Phish

No matter what anyone tells you, technology alone can’t solve phishing. Every user needs to be aware of phishing scams and change their behaviors to keep their information safe. We are the weakest link in any information security program.

That said, certain methodologies and technologies can help mitigate that pesky human behavior. Here are some best practices to protect yourself from phishing:

  • When in doubt, report it out: Links in email and online posts are often the ways that cybercriminals compromise your computer. If it looks suspicious—even if you know the source—it’s better to be cautious. Ensure your organization has enabled a “Report Phish” button in their email client that’s easy for your users to see and use. If it you’re receiving a suspicious email at your personal account, leave it alone or again, utilize that 'report message' function.
  • Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true, or ask for personal information. If you’re in the U.S., government agencies will never contact you by call, email, text or social media asking for money or to confirm your information.
  • Use stronger authentication: Always opt to enable stronger authentication when available, especially for accounts with sensitive information, including your email or personal bank accounts. Stronger authentication helps verify a user has authorized access to an online account. For example, it could be a one-time PIN texted to a mobile device, providing an added layer of security beyond the password and username. As it happens, SecurID offers one of the strongest multi-factor authentication solutions on the market.
  • If you have to use a password, make it long and strong: Passwords are garbage: they’re insecure, expensive and inconvenient. If you have to use one—and if MFA isn’t an option—make passwords harder for hackers to guess. Combine capital and lowercase letters with numbers and symbols to create a more secure password or utilize a 'passphrase' to achieve a length over 8 characters. Never reuse passwords between websites! And don’t use personal passwords for corporate systems. 
  • Be wary of hyperlinks: Avoid clicking on hyperlinks in emails; type the URL directly into the address bar instead. If you choose to click on a link, ensure it is authentic before clicking on it. You can check a hyperlinked word or URL by hovering the cursor over it to reveal the full address.
  • Now’s the time to go passwordless: To my fellow CISOs, if you haven’t started thinking about moving towards a passwordless experience, now is the time. Is there a lot of hype around passwordless and zero trust principles? Absolutely. But the fundamentals—including instituting least privilege, minimizing your risk profile, and eliminating as many passwords as possible—are just good cybersecurity practices. 
###