Unless you’ve been avoiding your inbox like a cybercriminal avoids sunlight, you’ve probably seen something like this before:
That right there is a classic example of a phishing email. Most security-aware individuals can spot a phishing email from a mile away. In the past, it used to be the misspellings, such as in this email, that gave it away. Now, misspellings and poor grammar aren’t ideal indicators of phishing attempts. Instead, you should shift your focus to spotting the tonality and level of urgency of the email.
But if the phishing lure contains a threat with possible legal consequences, would that make it more likely for someone to click on a malicious link or provide personal details?
Legal threats are powerful phishing lures
Considering that an attacker’s main goal with phishing is to invoke a sense of urgency or fear in the victim, it’s no surprise that threatening legal action is a go-to tactic that is likely to pique the interest of most people.
In this example, the email appears to come from a legitimate vendor asking for an invoice. Since legal action is likely if a company fails to clear an invoice for several months, people may be intrigued enough to click on the link and fall for the scam.
However, one thing to remember if you encounter a similar message is that a threatening email is the last thing a vendor would do over an unpaid invoice. If this is the first time you’re hearing about an unpaid invoice to this particular vendor, it’s likely a scam. Call the vendor directly before downloading an attachment.
What vendors usually do in these situations is continuously trying to get in touch with the accounts payable department of their client organization. Threatening legal actions is their last resort, and you will likely have been made aware of the unpaid invoice before it ever comes to that.
How are these phishing emails distributed?
Like most phishing operations, threat actors can purchase phishing kits from the dark web containing everything they need to orchestrate a phishing scam, including the phishing message threatening a legal case. (More widely available, legitimate email technologies also work, but they require a higher level of technical skill to implement.)
A highly targeted attack aimed at a specific organization differs from these techniques in that it usually includes more social engineering. This typically falls in the spear phishing category, where the threat actors impersonate a trusted individual, such as a company’s CEO, to get the information they want.
For the most part, though, threat actors target these phishing kits at multiple organizations, hoping to find a weak link. Apart from the phishing message, the kit contains the code needed to mimic any particular website. The script code includes PHP or Javascript code designed to collect a victim’s personal information, including usernames, passwords, IP addresses, credit card information, and more.
Rather than a website, the phishing kit may alternatively include malware distributed as an email attachment. An attachment is more common with phishing scams threatening legal action, as in most cases, attackers will pretend they’re sending a “legal document” that the victim needs to review.
An example of a legal threat in a phishing email
Unfortunately, the made-up scenarios above aren’t the only examples of legal threats in phishing attacks.
One real attack from 2019 targeted over 100,000 business email addresses with fake legal threats harboring malware. Most of the email addresses were Canadian and were included in the phishing kit.
The attackers impersonated a legitimate law firm based in Connecticut, which made their threats more believable.
An email part of that phishing campaign would look like this:
The Word attachment contained a trojan that allowed attackers to drop additional malware into their victim’s system. The most worrying part is that even ten days after the scam started, very few antivirus software solutions could detect the files used in the phishing operation as malicious. System compromise and data theft were the most common outcomes after falling victim to this scam.
Relying on antivirus software to protect you from every threat is a recipe for disaster, which brings us to the next section.
6 Best practices to prevent phishing for CISOs
While your business may not be able to prevent phishing emails from cybercriminals, you do have control over not falling victim to these email scams. Here are a few best practices CISOs should consider.
1. Employee training and awareness
The first line of defense is ensuring employees have the necessary cybersecurity training to protect information. As malicious actors evolve their methodologies, you should provide training beyond the traditional “phishing emails” approach.
Any phishing awareness training should include newer methodologies, like watering hole phishing attacks. Watering hole attacks are targeted attacks designed to compromise a user or a group of users within a particular industry by luring them to malicious websites.
2. Use email filters and anti-phishing software
Although normally associated with “spam filters,” email filters can also scan for additional risks indicating an attempted phishing attack. For example, cybercriminals often hide malicious code in a PDF’s active content or the coding that enables things like readability and editability. Finding the right email filtering solution can help reduce the number of risky phishing emails that make it through to users.
3. Implement multi-factor authentication
Since malicious actors often look to steal user credentials, requiring multi-factor authentication can mitigate this risk. Require users to provide two or more of the following every time they log into your networks, systems, and applications:
- Something they know: a password or passphrase
- Something they have: a device or token (an authentication application on a device, a keycard, or a code texted to a smartphone)
- Something they are: a biometric (a fingerprint or facial ID)
4. Monitor for, and take down fake websites
Organizations in highly targeted industries, like financial services and healthcare, often use companies who can monitor for and spend time taking down spoofed versions of their websites. This is a way to protect your employees and customers who click on a malicious link from giving cybercriminals their login credentials.
Typosquatting or URL hijacking is when cybercriminals target users that incorrectly enter their intended website address. (e.g. SecurityScoorecard.com instead of SecurityScorecard.com). The incorrect domain may be owned by threat actors who use the website for malicious purposes.
5. Monitor and respond to security incidents
Develop an incident response plan for phishing attacks and monitor your network for suspicious activity.
6. Conduct phishing simulation tests
Regularly conduct phishing simulation tests to identify vulnerabilities and train employees to recognize and respond to phishing attempts.
“I opened a malicious email attachment, and hackers penetrated my network… I better call Saul SecurityScorecard”
SecurityScorecard offers several products and services that help organizations fight against phishing attempts:
Our Security Ratings offer easy-to-read A-F ratings across ten groups of risk factors. The Social Engineering Module is one of them, determining the potential susceptibility of an organization to a targeted social engineering attack.
If a cyber incident occurs, our Digital Forensics and Incident Response services will help you quickly triage the situation by stopping further damage, investigating the source, offering communication and guidance, and providing actionable post-incident reporting.
And don’t worry; you don’t need to spend a fortune to try SecurityScorecard. In fact, you can sign up for a free account.
