Beware of the Phisherman
Phishing is not new, but has become a growing threat to all businesses. If you receive an email from us with congratulations on your recent lottery win or offering pictures of Britney Spears, that is very likely to be a phishing attack. We look at the nature of these attacks and the steps businesses can take to protect themselves.
Phishing and email fraud
The term “phishing” was first coined in the 1990s and is still a widely used type of attack, with the number of reported cases doubling over the last ten years  . A phishing attack uses a communication faked to appear to come from a trusted source. This is typically by spoofing an email to make it look like it comes from an entity the recipient knows or trusts.
The attack might be to obtain sensitive information or to hack into a system; for example, a phishing email could have an attachment containing a virus or a link to an infected website that will cause a virus to be downloaded. This can lead to a cascade attack where the attacker uses one compromised user to attack others, for example sending further emails to the compromised user’s contact list. However, it is not always apparent what the attackers are after. They may simply be gathering information – so-called “social engineering” – to launch a more sophisticated, credible attack later.
The technique is closely related to other forms of email fraud; particularly authorised push payment fraud in which the recipient is tricked into sending money to a fraudster’s account. This is often done by creating an email purporting to be from a supplier containing a fake invoice, or asking that an existing (legitimate) invoice be paid into a different bank account. The invoice contains the fraudster’s bank details or, more likely, those of a money mule enlisted by the fraudster. Statistics from UK Finance suggest that authorised push payment fraud grew by 44% in the UK last year.
From very dumb to very smart
Phishing attacks range from crude mass market campaigns to sophisticated and targeted attacks on high value targets.
At the mass market end, the email might purport to come from your bank claiming your account is about to be frozen unless you urgently log in via a handy link. Or it may contain an unexpected invoice from an ecommerce site with a link to allow you to log in to cancel that transaction. In either case, the link will be to a fake website where you will be asked to provide your username and password along with other account details and bank card information.
These attacks are generally easy to spot; sometimes deliberately so. Certain campaigns deliberately use emails that are poorly constructed or contain typographic errors to filter out alert and suspicious recipients early on.
At the other end of the spectrum is a “spear phishing” attack where an email is individually crafted to tempt the recipient to open, read and interact with it. This often involves a degree of social engineering where information about the recipient is collected from various sources, including social media, to give the email a high degree of authenticity.
Many phishing attacks are supported through the use of a fake domain. For example, “liinklaters.com”, “linklatersllp.com” or “linklaters-lawfirm.com”. These can be used to create fake email addresses (e.g. firstname.lastname@example.org) which are then used to send phishing or otherwise fraudulent emails. Where the names of actual employees are used in these email addresses, it can be very difficult to spot - particularly when viewing emails on a mobile device where the underlying email address may be hidden.
Where a fake domain is being used fraudulently, it is normally relatively straightforward to have it suspended or transferred into your domain portfolio, depending on the circumstances:
- Most domain registrars (e.g. Go Daddy) will, on request, suspend or cancel a domain name that has been used fraudulently. There is usually an online form or dedicated email address for that purpose, e.g. email@example.com.
- Separately, if you can establish that you have rights in the name (e.g. trade marks corresponding to the domain) and that it has been registered in bad faith (e.g. for the purposes of fraud), you could bring a UDRP (Uniform Domain-Name Dispute-Resolution Policy) action to recover it. This is a streamlined administrative dispute resolution procedure for abusive domain names offered by a number of arbitration centres including WIPO. WIPO proceedings cost US$1,500 for one domain and a one-person arbitration panel. Some form of UDRP is offered for all generic and most country code top level domains (.com, .org, .co.uk, .fr etc.).
We have successfully recovered all of the domain names listed above in 2019. We have also reported certain incidents to our regulator in the UK, the Solicitors Regulation Authority and, in some cases, for example in the case of identity theft, to the police. The Solicitors Regulation Authority has a special website dedicated to informing the public about scams targeting the law firms they regulate. We continue to actively check for the use of fake domains and have processes in place to ensure they are swiftly taken down.
Businesses can also protect themselves by making protective registrations for similar looking domain names. However, there are often a very large number of potential fake domains that can be created through minor misspellings and additions. Added to that, fake domains can be created across a large number of generic and country code top level domains. Protectively registering all the different variants is therefore likely to be prohibitively time consuming and expensive.
Educate employees, don’t punish them
The core to countering phishing and email fraud is your employees. They are the target for these attacks. You need to educate them to spot a phishing attack and know how to deal with it.
Part of this educational process should come from general IT and cyber security awareness training. This might involve eLearning as well as regular reminders and topical articles in newsletters and the like. Like all such awareness training, it should be targeted to the threats faced by the specific business unit (such as training the accounts department on authorised push payment fraud) and brought to life through real life examples.
However, many organisations have gone further and run simulated phishing attacks on their employees. There are some advantages to running this exercise, namely:
- this can make the risk of phishing “real” for your employees, rather than a dry and abstract threat. An employee who falls foul of a fake phishing attack will likely be more alert to a real one;
- there may be a regulatory expectation that this type of penetration testing will take place. For example, the CEBST framework created by the Bank of England for intelligence-led penetration testing of systemically critical organisations would very likely require some form of simulated phishing attack; and
- a simulated attack will allow you to assess your overall level of vulnerability. If large numbers of employees fall foul of relatively simple simulated phishing attacks, that may demonstrate a significant security weakness.
However, a simulated phishing exercise can create problems, particularly if it is not handled carefully. The purpose of the exercise should be to help employees and not to trick them. Most importantly, you should not punish employees who “fail” a simulated phishing exercise. Given the sophistication of some phishing attacks, no employee can be expected to spot 100% of phishing emails. Punishing employees is likely to lead to a closed and defensive mindset to these types of attacks. Most importantly, if the punished employee falls for a real phishing attack they are less likely to report it, which will significantly hamper your ability to detect and respond to that attack.
In addition, a simulated spear phishing attack will involve the collection of information about the employees from a variety of sources, including social media. This use of personal data will need to comply with data protection laws. For example, in the EU, the General Data Protection Regulation requires personal data to be processed fairly, lawfully and transparently. This means:
- the proportionality of this measure will need to be considered carefully. While there may be strong reasons to conduct this type of simulated attack, some employees may be very concerned about their personal information (and possibly information about their family members) being collected for this purpose;
- a variety of controls should be put in place regarding: (a) what data can be collected, e.g. to stop sensitive information about the individual’s sexuality or similar being collected; (b) what can be done with that information, (c) what happens if it reveals unrelated misbehaviour; and (d) how long that information will be retained;
- the approach to these issues may vary from jurisdiction to jurisdiction. This type of activity may be harder in some jurisdictions compared to others; and
- in many cases, you will need to document your approach through a Data Protection Impact Assessment.
All businesses should assume that they are regularly subject to phishing attacks and other forms of email fraud. The steps needed to counter these attacks will vary from business to business and need to fit into your wider information security response. However, most businesses should use a multi-layered defence by taking some or all of the steps set out below:
- Employee awareness: Employees should remain vigilant. In particular, they should be suspicious of unexpected emails, cautious about opening any attachments/clicking on links in suspect emails. They should be judicious about the amount of information they share on social media. There should be clear guidelines on what to do with suspect emails and, most importantly, what the employee should do if they have inadvertently fallen foul of a phishing attack.
- Simulated attacks: Simulated phishing attacks may be helpful in some cases. Where the attack involves collecting information about an employee, the business should be mindful of the depth and breadth of those attacks, and their obligations under relevant privacy laws like the GDPR.
- Organisational awareness: Businesses should remain alert to this risk. This means both keeping track of attacks on their business and new forms of attack in the market. Equally, businesses should be alert to their own name and brand being used to attack others.
- Fake domains: Where a fake domain name is set up to mimic a business’ name or brand, steps should be taken to suspend or recover that domain name.
- Authenticating your own communications: What steps can you take to ensure your customers can authenticate your own emails? For example, including customer specific information or warning customers you would never use email to ask them for sensitive information.
- Technical: There are various technical measures that can be used to protect against phishing attacks. First, your existing spam filters should be configured to remove obvious phishing emails and to block spoofed emails (e.g. to verify an email purporting to come from an email address, was really sent from that domain). Secondly, you can route all internet traffic through a proxy server to filter out inadvertent attempts to access malicious domains. Thirdly, you should ensure your general anti-virus and intrusion detection systems are up to scratch and security patches are implemented as quickly as possible.
- Operational resilience and response: Despite these measures, most businesses should assume that they will be breached at some point. Your cyber response plan should therefore also address phishing attacks. Employees should know how to report concerns and processes should be in place to respond promptly, including bringing in specialist IT security experts where necessary.
The National Cyber Security Centre has a detailed guide to protecting against phishing attacks at https://www.ncsc.gov.uk/guidance/phishing.
 Statistics from 2008 to 2018 from Anti-Phishing Working Group, Inc.
 UK Finance, 2018 half year fraud update, September 2018.