Humans Can Be The Weakest Link

Dear Employees,

As you may already know, phishing is a common cybercrime in which
attackers send fake emails or create fake websites in an attempt to trick
individuals into giving away sensitive information, such as login
credentials or financial information.

We all need to be aware of these threats and take steps to protect
ourselves from phishing attacks.

Humans can be the weakest link:

Unfortunately, the human element can be a source of security pain.
This is particularly true regarding phishing, which is designed to prey on users’
weaknesses. According to Verizon’s 2023 Data Breach Investigations
Report, “74 percent of all breaches include the human element, with
people being involved either via error, privilege misuse, use of stolen
credentials, or social engineering.” The report also states that Business
Email Compromise attacks have almost doubled since 2022 and
represent over half of all social engineering incidents.

What Is Phishing?

Phishing is an electronically delivered social engineering attack in which
a perpetrator, often posing as a legitimate entity, attempts to obtain
sensitive information from an unsuspecting individual or infect their
device with malware. The motivations for phishing attacks vary widely,
but often attackers are after valuable user data, such as personally
identifiable information or login credentials that can be used to commit
fraud or access the victim’s finances. Sometimes, they may be trying to
steal research, financial data, or health records from an institution.
Some attackers may use phishing for social or political gain, as part of a
hacktivism campaign, or to cause disruption or spread disinformation.
Since these attacks usually aim to trick Internet users into sharing
credentials or following a malicious call-to-action (CTA), the
consequences of falling prey to an attack can be dire. An IBM report
released last year found that phishing was the second-most common
cause of a data breach (accounting for 16 percent of breaches) as well
as the costliest, leading to USD 4.91 million in average breach costs for
organizations.

Types of Phishing Attacks

Mass phishing:
This targets a large group of people with a generic message. The
attacker may send out thousands or even millions of emails that are
identical or similar in content in order to cast a wide net and capture as
many victims as possible.
Spear phishing:

This is a targeted attack in which the attacker researches the victim and
customizes the attack to make it appear more credible and convincing.
The attacker may use information gathered from social media profiles,
public records, or other sources to create a personalized message that
appears to be from a trusted source, such as a colleague, boss, or
friend, with the intent of tricking the victim into revealing sensitive
information or performing a specific action, such as transferring funds
or downloading malware.
Additionally, phishing attacks can come through a variety of channels,
including compromised websites, social media, fake ads, and text
messages. While email is the most common attack vector, others
include QR codes, workspace collaboration tools, and photo or audio
attachments that may lead to advanced steganography attacks (hiding
something malicious in a file that looks innocuous).
A more specific type of attack is called typosquatting, also known as
URL hijacking, wherein an attacker registers domain names that are
similar to well-known and frequently visited websites with the hope
that users will accidentally mistype the legitimate website’s address
and land on their fake website instead. These fake websites might look
almost identical to the real ones and can be used to phish for users’
login credentials, credit card information, or other personal data.
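A defender’s counterpart to the typosquatting paragraph above is a lookalike-domain check run over URLs seen in mail or proxy logs. The following is an added example, not code from the original letter or from any vendor it mentions: the TRUSTED_DOMAINS allow-list and the domains it is run against are constructed, the homoglyph table is a small illustrative set, and the registrable-domain helper simply keeps the last two labels (a real deployment would use the Public Suffix List). It flags names that are within a small edit distance of a trusted domain, names that match after folding look-alike characters such as 1/l and 0/o, punycode labels that this ASCII check cannot judge, and names that embed a trusted brand token.

```python
"""Flag domains that look like typos or lookalikes of an organisation's trusted domains.

Added example, not from the original document. TRUSTED_DOMAINS and the sample
domains below are constructed; registrable() is a deliberate simplification.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

# Constructed allow-list; a real deployment loads the organisation's own domains.
TRUSTED_DOMAINS = ["example.com", "example-bank.com", "mail.example.com"]

# Visual substitutions commonly seen in lookalike domains, folded back to plain letters.
# Multi-character entries come first so "rn" becomes "m" before single characters are handled.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


@dataclass
class Verdict:
    domain: str
    lookalike_of: Optional[str]  # closest trusted domain when the name is suspicious
    distance: int                # edit distance after homoglyph folding
    reason: str


def registrable(domain: str) -> str:
    """Keep the last two labels ("mail.example.com" -> "example.com").
    Simplification: production code should consult the Public Suffix List."""
    parts = domain.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def normalize(name: str) -> str:
    """Fold look-alike characters so 'examp1e' compares equal to 'example'."""
    for glyph, plain in HOMOGLYPHS.items():
        name = name.replace(glyph, plain)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_domain(domain: str, trusted: Sequence[str] = TRUSTED_DOMAINS,
                 max_distance: int = 2) -> Verdict:
    """Classify a domain against the trusted list; 'trusted' and 'no match' are benign."""
    cand = registrable(domain)
    trusted_reg = sorted({registrable(t) for t in trusted})
    if cand in trusted_reg:
        return Verdict(domain, None, 0, "trusted")
    norm = normalize(cand)
    closest, best = min(((t, edit_distance(norm, normalize(t))) for t in trusted_reg),
                        key=lambda pair: pair[1])
    if any(label.startswith("xn--") for label in cand.split(".")):
        # Punycode (IDN) label: Unicode homographs cannot be judged by this ASCII check.
        return Verdict(domain, closest, best, "punycode label, review manually")
    if best == 0:
        return Verdict(domain, closest, 0, "homoglyph substitution")
    if best <= max_distance:
        return Verdict(domain, closest, best, "typo distance")
    sld = cand.split(".")[0]
    for t in trusted_reg:
        brand = t.split(".")[0]
        if len(brand) >= 4 and brand in sld:
            return Verdict(domain, t, edit_distance(norm, normalize(t)), "brand token embedded")
    return Verdict(domain, None, best, "no match")


if __name__ == "__main__":
    # Constructed sample of domains as they might appear in a proxy log.
    for d in ["mail.example.com", "examp1e.com", "exmaple.com",
              "example-secure.com", "xn--exmple-cua.com", "unrelated.org"]:
        print(check_domain(d))
```

The edit-distance threshold is the main tuning knob: 2 catches single typos and transpositions against short brand names, but for very short trusted domains it also pulls in unrelated names, so in practice the verdicts feed a review queue or a block-list proposal rather than an automatic block.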

Another example is an adversary-in-the-middle (AiTM) attack, also
known as a man-in-the-middle (MiTM) attack, which involves the
attacker intercepting communication between two parties to secretly
eavesdrop, modify, or inject malicious code into the communication. For
instance, the attacker may intercept communication between the
victim and a trusted organization, such as a bank or an online retailer,
and then use this information to impersonate the organization and
trick the victim into providing sensitive information such as login
credentials or credit card numbers.
Malware Phishing:

In a malware phishing attack, the attacker tricks victims into
downloading an attachment that will install malware on their
devices.
Polymorphic Phishing Scams:

Attackers make small changes to an email’s elements so that
signature-based email defense programs cannot detect or flag the
message.
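The polymorphic-phishing paragraph above is easiest to understand by seeing why a signature fails. The following is an added example, not code from the original letter: the three messages (a reported lure, a cosmetically altered copy, and a reworded copy) and the legitimate control are constructed, and the normalization rules are a small illustration of the idea rather than a production filter. An exact SHA-256 signature of the reported lure does not match the altered copy, whereas a fingerprint computed after stripping the parts an attacker varies cheaply (case, URLs, numbers, punctuation, spacing) still does, and a token-set similarity catches the reworded copy.

```python
"""Exact-hash signatures versus normalized fingerprints for polymorphic lures.

Added example, not from the original document. All messages are constructed.
"""
import hashlib
import re
from typing import List, Optional

# Constructed: a lure that has already been reported by an employee.
REPORTED_LURE = """Dear Employee,
Your mailbox quota is 98% full. Click https://mail-quota-check.invalid/login?id=4411
within 24 hours or your account will be suspended!
IT Helpdesk - Ticket #20931"""

# Constructed: the same lure with link, numbers, case and punctuation changed.
VARIANT_COSMETIC = """DEAR EMPLOYEE,
Your mailbox quota is 99% full!! Click https://mail-quota-check.invalid/login?id=8102
within 12 hours, or your account will be suspended.
IT HelpDesk -- Ticket #77731"""

# Constructed: a few words swapped as well, so even the normalized text differs.
VARIANT_REWORDED = """Dear Colleague,
Your inbox storage is 97% full. Click https://mail-quota-check.invalid/verify?id=5150
within 24 hours or your account will be suspended!
IT Helpdesk - Ticket #44120"""

# Constructed: a benign notice used as a negative control.
LEGITIMATE = """Hi team,
The cafeteria will be closed on Friday for maintenance. Sorry for the inconvenience.
Facilities"""


def exact_signature(body: str) -> str:
    """Signature-style match: any single changed byte yields a different hash."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def normalize(body: str) -> str:
    """Remove what attackers vary cheaply: case, URLs, numbers, punctuation, spacing."""
    text = body.lower()
    text = re.sub(r"https?://\S+", " <url> ", text)   # per-recipient links
    text = re.sub(r"\d+", " <num> ", text)            # ticket numbers, percentages, deadlines
    text = re.sub(r"[^a-z<> ]+", " ", text)           # punctuation and line breaks
    return re.sub(r"\s+", " ", text).strip()


def fuzzy_signature(body: str) -> str:
    """Hash of the normalized text: stable across cosmetic edits."""
    return hashlib.sha256(normalize(body).encode("utf-8")).hexdigest()


def jaccard(a: str, b: str) -> float:
    """Token-set overlap of two normalized messages, 0.0 (disjoint) to 1.0 (identical)."""
    ta, tb = set(normalize(a).split()), set(normalize(b).split())
    return len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0


def classify(body: str, reported: List[str], threshold: float = 0.7) -> Optional[str]:
    """How `body` relates to reported lures: 'exact', 'normalized', 'similar', or None."""
    exact = {exact_signature(r) for r in reported}
    fuzzy = {fuzzy_signature(r) for r in reported}
    if exact_signature(body) in exact:
        return "exact"
    if fuzzy_signature(body) in fuzzy:
        return "normalized"
    if any(jaccard(body, r) >= threshold for r in reported):
        return "similar"
    return None


if __name__ == "__main__":
    known = [REPORTED_LURE]
    for name, msg in [("cosmetic variant", VARIANT_COSMETIC),
                      ("reworded variant", VARIANT_REWORDED),
                      ("legitimate notice", LEGITIMATE)]:
        print(f"{name:18} exact={exact_signature(msg) == exact_signature(REPORTED_LURE)} "
              f"verdict={classify(msg, known)} jaccard={jaccard(msg, REPORTED_LURE):.2f}")
```

The three tiers degrade gracefully: the exact hash is cheap and has no false positives, the normalized fingerprint absorbs the edits a polymorphic campaign makes between sends, and the similarity score is the only tier that needs a threshold and therefore the only one that should be tuned against real mail before it is allowed to quarantine anything.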
Browser Hijacking:

The scammer poisons search engine results so a user is redirected
to a malicious site, allowing the scammer to generate fraudulent
advertising revenue, collect user data, or log user keystrokes.
The Phishing Attack Process:
A typical phishing attack involves getting the victim to click on a malicious
link or weaponized file delivered by email, whereupon the victim’s
device will become infected with malware, or the victim will be directed
to a clone of a trusted website and prompted to enter their login
credentials. However, there are several other tactics attackers may
employ.
Typically these attacks take the following order:
Reconnaissance:
Stalk potential victims on social media to discover vulnerabilities (for
instance, find out where they work, where they live, what interests
they have, and so on)
Weaponization:
Craft an attack plan based on vulnerabilities from the information
gathered.
Delivery of attack:
Send fraudulent emails, social media messages, or text messages based
on vulnerabilities. These can contain malicious links or attachments and
often alarmist content to drive a sense of urgency.
Exploitation:
Steal credentials and personal information via fake portals that the
victims were directed to.
Monetization:
Access the victims’ financial assets with harvested credentials then sell,
siphon, or ransom off stolen data or assets. This is what drives many
attackers to go to the trouble of setting up an attack.

Steps toward resilience:

So, how do you get started in building resilience? The most successful
organizations tend to take the following steps (sourced from Cisco’s
research):
Foster a culture of security.
Employees should be made aware of the crucial role they play in
keeping their organization safe from cyberattacks. They should be
encouraged to report phishing attempts, potential malware, and other
incidents. Establish accountability across all levels of business through
security awareness training to improve cyber vigilance and maintain
compliance. Organizations that foster a culture of security see a 46
percent increase in resilience.

Identify your weaknesses.
Carry out an audit of systems, processes, technologies, and so on to
uncover any weak areas that could potentially be exploited by a
cybercriminal. Know your external risk from third parties, ensure that
systems have no single points of failure, and prioritize using risk-based
context analysis and continuous trust assessment of everyone and
everything.
Develop executive-level representation.
Security resilience isn’t just the security team’s problem. There needs
to be buy-in from the top levels of leadership. Organizations that report
poor support from top executives show security resilience scores that
are 39 percent lower than those with strong backing from the C-suite.

Have your resources in place.
Having surplus internal staff and resources on hand in order to better
respond to unexpected cyberevents can improve an organization’s
resilience by 15 percent. If this isn’t feasible for your organization,
consider partnering with an external incident response service
provider. Doing so could result in an 11 percent improvement in
security resilience.
Implement a “security-by-design” mentality.
Establish strict security protocols and ensure that they’re followed by all
stakeholders. Don’t wait for a breach to happen; develop an incident
response plan as soon as possible.
Utilize threat intelligence as part of your detection and
response capabilities.
Good cyber threat intelligence helps organizations improve their
detection and response capabilities by helping them know what to look
for and how to find it. Implement automated real-time continuous
monitoring of endpoints.

Focus on simple-to-manage, flexible technologies.
When it comes to cybersecurity technology, simplicity is key, whether
you’re using on-premises or cloud environments. For example,
multifactor authentication (MFA) can boost resilience by 11 percent
and is generally simple to roll out and manage.

Implement layered security everywhere.
This includes implementing MFA for users, using endpoint detection and
response (EDR) for endpoint security, securing email, protecting web
traffic and cloud-based applications, and safeguarding the data they
generate. Comprehensive visibility and control for all business resources
must be ensured across on-premises, cloud, and multi-cloud
environments. It is also essential to have visibility and control for
employees, contractors, and third-party business partners.
Keep attackers out with zero-trust security.
For organizations of all sizes that need to protect sensitive data at scale,
Duo is the user-friendly zero-trust security solution for all users, all
devices, and all applications.
Zero trust is the future of information security. It takes security beyond
the corporate network perimeter, protecting your data at every access
attempt, from any device, anywhere.

Duo delivers zero-trust protection by enabling you to do the following:
Verify user trust:
Ensure that users are who they say they are at every access attempt and
regularly reaffirm their trustworthiness.
Establish device trust:
See every device used to access your applications and continuously verify
device health and security posture.
Enforce adaptive policies:
Assign granular and contextual access policies, limiting exposure of your
information to as few users and devices as possible.
Secure access for every user:
Provide appropriate permissions for every user accessing any
application anytime and from anywhere.
Secure access to every application:
Reduce the risk of credential theft by enabling users to securely access
their applications with a single username and password.

The Russia-Ukraine War Encourages New Threats:

Ukraine has been defending itself from a variety of sophisticated
cyberattacks since at least 2014, but Cisco Talos has observed an
unprecedented number of adversaries clustered in the same threat
landscape since the outbreak of the Russia-Ukraine war in February
2022. Ukraine’s cybersecurity agency has claimed that it has witnessed
a threefold increase in cyberattacks since the war began.
Various types of email lures related to the conflict, such as those with
themes of humanitarian assistance and fundraising, have been sent by
attackers. Although the primary intention of these emails is to carry out
scams, they have also been used to deliver a range of threats, including
remote access trojans (RATs), which are a type of malware that allows
hackers to control machines remotely.

Additionally, cybercriminals have been observed trying to
exploit Ukrainian sympathizers by offering offensive cyber tools to
target Russian entities. In reality, these tools were malware.

Log4j Exploitation Attempts Remain High:

At the end of 2021, a critical security vulnerability was discovered in
Log4j, a popular logging library for Java applications developed by the
Apache Software Foundation. This library was widely used by numerous
applications and programs, both commercial and open source.

According to an article in Wired, cybercriminals are still
exploiting the vulnerability, which has been dubbed Log4Shell, often
using phishing techniques as the attack method to distribute malware
and execute malicious code, even though patches have been released.
If an attacker exploits Log4Shell, they could completely take over an
affected server. This is why the vulnerability has been assigned a
Common Vulnerability Scoring System (CVSS) score of 10, which is the
highest possible and indicates that it is a critical vulnerability.
Log4Shell is another example of a zero-day vulnerability being exploited. There
have been many such cases in the past, and they will likely continue in the
future. Preparation is critical.
