Everyone can fall victim to a well-crafted social engineering attack. Learn how hackers use phishing, spoofing and business email compromise (BEC) to trick users into giving out sensitive information and downloading malicious files — and how you can protect your org.
The art of cybersecurity is a never-ending game of cat and mouse. As hackers race to come up with new forms of attacks, cyber defenders work diligently to tighten their analytics and detection tools to try and intercept threats before they infect corporate networks and cause financial harm. But there’s one form of hacking that has proven notoriously difficult to prevent and defend against — the hacking of people, or, as it is better known, social engineering.
Everyone can fall victim to a well-crafted social engineering attack. Even employees who have been warned and educated about the possibility of someone spoofing an email address or impersonating a company executive occasionally fall for a scam. Most social engineering campaigns are aimed at getting people to click on malicious links, buy counterfeit products, give up sensitive information — either about themselves or their companies — or transfer money to hackers’ accounts under the guise of legitimate payments to vendors, partners or contractors.
Social engineering takes many forms, but perhaps the most damaging types of attacks are phishing and spoofing, which are often used in tandem to maximize the attackers’ chances of finding an unsuspecting victim. Let’s unpack the relationship between these attack methods and take a closer look at a form of phishing that is most often used against organizations and government agencies — business email compromise, or BEC.
Phishing: convincing people to do something by impersonating a trusted source
In phishing attacks, bad actors send an email that appears to be coming from a trustworthy source (the company’s executive team, a vendor, or a legal representative) or with an enticing offer, with a goal to deceive employees into clicking on a malicious link, opening an attachment, giving out information or even initiating money transfers.
Many of the most notable breaches are a result of email phishing. Take, for example, the Colonial Pipeline breach in May of 2021. The oil supplier in the Eastern U.S. was forced to shut down operations for a week, costing the company millions in lost revenue in addition to the $4.4 million they paid to the hackers. And while it was ultimately ransomware that brought the company’s operations to a halt, the attackers gained initial access to Colonial Pipeline’s networks through phishing. More recently, Kaiser Permanente reported a breach that potentially exposed patients’ records and other sensitive information. It was determined that hackers gained access to an employee’s email address and password, and Kaiser confirmed that the affected employee had received additional training on safe email practices.
Some forms of phishing, like spear phishing, take a more targeted approach, going after a specific person, group or business rather than attempting to snare just anybody. Actors behind spear phishing campaigns carefully research their targets to make their emails appear genuine and focus on topics that are of interest to their intended recipients.
An even more niche form of spear phishing is called whaling — an attack that’s directed at a company’s executive or a high-profile public figure (i.e., a “big fish”). On the one hand, C-suite executives and public personas are more savvy when it comes to email scams, but at the same time, with so much information available about them on the internet, attackers have an easier time crafting a message that appears to relate to a legitimate event, so that even a seasoned executive can fall for the ruse.
Bad actors often put a considerable amount of research into obtaining believable insider information to deceive their victims, and their tactics are always evolving. Recently, cybersecurity researchers identified a new technique, which they named multi-persona impersonation (MPI), where hackers copy multiple email addresses on a thread (belonging to fake personas, or “sock puppets”) to engage potential victims in realistic-looking conversations. The goal, of course, is to convince people to click on links and download files without arousing suspicion. Ultimately, these downloads often contain ransomware or executables that steal login credentials or public IP addresses, or even give hackers remote access to the victim’s computer.
Spoofing: stealing identities of legitimate users for ongoing attacks
Similar to phishing, spoofing attacks are designed to make users believe that they are opening an email, answering a call or text, downloading a file or visiting a website that originates from a trusted source. Often, it’s disguised as a message from a bank or a well-known website or app like Amazon or Venmo, urging the user to immediately click on the link to confirm a purchase, verify payment information or enter login credentials. Hackers can even spoof file extensions, disguising executable malware files as benign .txt or .pdf documents, spoof IP addresses to conceal their true location or spoof Wi-Fi networks to intercept traffic and set up man-in-the-middle attacks.
For organizations, the most common — and damaging — form of spoofing typically occurs via email. Hackers find a way to gain access to a legitimate email address (usually by breaking through weak email server defenses) or send emails from a typosquatted domain (replacing small details in the address to appear genuine — like substituting a letter for a lookalike number). Often, hackers take the ruse even further by creating close replicas of legitimate websites, enticing users to enter their login credentials.
Phishing and spoofing are often used together to make people unwittingly commit financial fraud against their employers or infect their endpoints through drive-by malware downloads.
Both types of attacks have been around for decades, and unfortunately, they are not showing any signs of slowing down. In fact, hackers continue to fine-tune their strategies to go after bigger payouts — specifically targeting corporations through cleverly engineered attacks such as business email compromise (BEC).
How to recognize phishing, spoofing and BEC attacks and defend against them
Predicting when an attack will happen and how the hackers are going to try to deceive their victims is extremely difficult. Yet, there are certain measures that organizations can take to mitigate the risk.
Education and awareness
Employees can learn to recognize signs of an attack. Requests to do something unusual, outside of typical workflows and timelines, should raise red flags. Sure, it’s not uncommon to get urgent requests from high-level executives, but it may be a good idea to first double-check such requests with a teammate or a supervisor. It is also suspicious to receive an email from a CEO or CFO using a Gmail address instead of their company email address, or to have the “from” and “reply to” addresses not match. Some spoofed emails are carefully crafted, while others use bad grammar and misspelled words. Can legitimate emails contain typos? Sure! But it’s another reason to double-check the message and sender address before doing anything or clicking on any links.
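The header-level red flags described above (a “reply to” address that doesn’t match the “from” address, an executive writing from a free-mail account, and the typosquatted lookalike domains mentioned in the spoofing section) can be checked mechanically before a message ever reaches a person. The script below is an added example written for this article; it is not Authentic8 or Silo code. The corporate domain, the executive names, the free-mail list and the four sample messages are all constructed for illustration.

```python
"""Heuristic triage of From / Reply-To headers for spoofing and BEC signals.

Added example, not from the original article or from Authentic8/Silo.
All domains, names and sample messages below are constructed placeholders.
"""
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                        # assumed corporate domain
EXECUTIVES = {"jane doe", "john smith"}             # constructed executive names
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}

# Lookalike substitutions commonly used in typosquatted domains (digit-for-letter,
# "rn" for "m", "vv" for "w"). Folding them lets "examp1e.c0m" compare equal to
# "example.com".
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize_domain(domain):
    """Fold lookalike characters so homoglyph domains collapse to their target."""
    folded = domain.lower()
    for bad, good in CONFUSABLES.items():
        folded = folded.replace(bad, good)
    return folded


def edit_distance(a, b):
    """Levenshtein distance; catches one-character typos such as 'examplee.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_headers(raw_message):
    """Return the list of red flags found in a raw RFC 822 message's headers."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    flags = []

    # 1. Reply-To steers replies to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        flags.append("reply-to-mismatch")

    # 2. Display name claims to be an executive, but the address is not corporate.
    if from_name.strip().lower() in EXECUTIVES and from_dom != CORP_DOMAIN:
        flags.append("freemail-executive" if from_dom in FREEMAIL
                     else "executive-name-external-domain")

    # 3. Sender domain is a lookalike of the corporate domain (homoglyph or 1 typo).
    if from_dom != CORP_DOMAIN and (
        normalize_domain(from_dom) == CORP_DOMAIN
        or edit_distance(from_dom, CORP_DOMAIN) <= 1
    ):
        flags.append("lookalike-domain")

    return flags


# Constructed sample messages (headers only matter for these checks).
SAMPLES = {
    "clean": "From: Jane Doe <jane.doe@example.com>\nTo: bob@example.com\n"
             "Subject: Q3 numbers\n\nSee attached.\n",
    "gmail_ceo": "From: Jane Doe <jane.doe.ceo@gmail.com>\nReply-To: jane.doe.ceo@gmail.com\n"
                 "To: bob@example.com\nSubject: urgent wire\n\nPlease handle this today.\n",
    "lookalike": "From: John Smith <john.smith@examp1e.com>\nTo: bob@example.com\n"
                 "Subject: invoice\n\nUpdated bank details attached.\n",
    "replyto": "From: Vendor Billing <billing@vendor.test>\nReply-To: billing@vend0r-pay.test\n"
               "To: bob@example.com\nSubject: invoice 4521\n\nPlease pay to the new account.\n",
}


def scan_samples():
    """Run every sample through the checks and return {name: flags}."""
    return {name: analyze_headers(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in scan_samples().items():
        print(f"{name:10s} -> {flags or ['no flags']}")
```

Treat the output as triage signals rather than a verdict: a Reply-To that differs from From is normal for mailing lists and ticketing systems, and the one-character edit-distance rule will also match unrelated but similar domains, so flagged messages should be queued for review alongside the usual authentication results (SPF, DKIM, DMARC) rather than blocked outright.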
Stronger email security
Strong passwords and two-factor authentication are a great first line of defense against hackers who are trying to gain access to a company’s email servers. Organizations that have fallen victim to phishing and spoofing scams often admit that their email security was lacking, as they relied on built-in protections from their email provider without considering adding more layers.
Anti-phishing solutions
There are many modern solutions that use sophisticated AI technology and indicators of compromise to analyze the users’ previous email communications to identify possible impersonators and suspicious senders.
Web isolation
If (or rather, when) attackers still manage to get past the perimeter defenses, it helps to know that no malware can reach the endpoint or infect corporate networks. Cloud-based isolated browsing allows organizations to air gap their devices and networks from the web and all web-borne threats. Whether leveraging a separate cloud browser or isolating interactions transparently to the user, companies can allow their employees to surf the web, click on email links and open attachments without fear — all activity is completely separated and contained within a remote browser session so that zero code can access the endpoint. Even if malware is present, it becomes irrelevant once the session is closed, preventing intruders from gaining access to internal email addresses and executing further spoofing attacks.
Secure web access with Silo – a single, secure point of leverage to control all web scenarios
Silo combines access, policy controls and audit into a dedicated, isolated, centralized browsing platform designed to eliminate companies’ attack surface for web-borne malware. With Silo, organizations can direct their web activity — including email links — into an isolated, cloud-based browsing environment that’s separated from the company's users, devices and networks.
Organizations and government agencies around the world use Silo in combination with user education and other prevention measures to protect against spoofing, phishing and BEC attacks. And while an isolated browser may not be an effective way to dissuade an employee from sending money on request of a fake CEO, it can help prevent malware from reaching the network and exfiltrating corporate data.
Isolated browsing gives you a much-needed extra line of defense against some of the toughest and most cunning forms of cyberattacks. Learn more in this resource.