In today’s world, it’s difficult to find many certainties. But one constant is the continued threat posed by phishing scams.

Many organizations have been moving toward options for a remote work environment, and with this new remote environment comes an increase in cyberattacks and employees falling victim to phishing attacks.

Examples of Phishing Attacks

By now, many, if not almost all of us, have received at least one of the following types of nefarious emails:

• An email with a resume attached for a position that doesn’t exist.
• An email that appears to be from a customer or vendor your organization works with, but the domain has been spoofed by a cleverly disguised character change in the email address.
• An email that appears to be from a customer or vendor your organization works with, looks valid and has not been spoofed, but the customer’s or vendor’s mailbox has been compromised.
• A Windows Error Report email indicating unusual sign-in activity.
• An email from Microsoft Outlook regarding an expired password that links to a lookalike domain.
• Account-related or order-related emails that appear to be from Amazon, Netflix or other popular organizations.

Unfortunately, many employees, customers and vendors continue to fall victim to these emails because the bad actors have improved their skills in making these phishing emails appear to be legitimate. When someone falls victim to a phishing email, they can typically be categorized into the following classes:

• Those who don’t know they are a victim.
• Those who believe they may be a victim, but don’t report the event for a variety of reasons, including a lack of understanding of the potential impacts, fear of embarrassment or other negative consequences.
• Those who believe or know they are a victim and do report the event to the organization’s management, IT department or provider.

The Importance of a Proactive Cybersecurity Awareness Plan

In a perfect world, organizations would provide ongoing security awareness training, and employees would never fall victim to these phishing attacks. However, we all know how people can sometimes click before they think. Education on an ongoing basis is a great way to help employees know what to be on the lookout for and to say something if they see something. In addition, organizations need to be ready with a plan to properly respond to an employee’s call for help when they believe they may be a victim.

What do we mean by having a plan in place? An organization and its IT department or provider need to realize that the compromise of an employee’s email account could be a serious incident that triggers the need for a more thorough response approach. And the last time you want to be planning your incident response is while an incident is actively occurring.

Many IT departments and providers respond to phishing attacks by simply freeing the email account from compromise through the Microsoft Office 365 instructions and calling it a closed case. This approach is good for remediation, but it fails to address concerns of what happened after the phishing attack was successfully carried out, including:

• Examining the employee’s position, job responsibilities and access to data
• Accounting for whether the employee has global administrative rights
• Tracking whether the employee maintains passwords for other technologies within their email
• Reviewing whether the employee’s mailbox contains any sensitive data (e.g., PII, PHI or proprietary data)
• Investigating what happened when the employee clicked on the malicious link or opened the malicious document

By remediating email mailbox accounts without addressing these considerations, organizations may be left exposed to an ongoing or future cyberattack, such as ransomware. Worse yet, there are potential legal liability implications if the compromised mailbox account contains sensitive data. It is imperative for organizations to consider these factors when responding to a compromised email account to determine the proper response. Oftentimes, this is where the handling of the incident should shift from IT remediation to forensic incident response.

Incident Response Next Steps After a Phishing Attack

The next steps following an incident are typically determined by what type of attack it is. It’s important to examine the details to see what information can be determined regarding the why. Was it a business email compromise so that the bad actor can use reconnaissance between you and your customer or vendor until the timing is right for an attempt to divert funds through an ACH change? Or were the attackers looking to use an initial entry point to drop malware on an organization’s system with the intended purpose of encrypting data and demanding ransom payment?

At worst, the initial phishing email could be used for a combination of nefarious activity including, but not limited to, data exfiltration, harvesting of authorized credentials, sending mass spam emails to contacts, public posting of sensitive data and data encryption.

Without a proper response in place to identify the type of attack and its effect, organizations may remain exposed or unprepared to address other potential fallouts from the attack, such as needing to potentially address business operations, public relations and legal liability issues. Therefore, it is extremely important to have the proper response plan in place when addressing compromised email mailboxes.

Protecting against common phishing attacks involves people, processes and technology. As such, organizations need to have ongoing employee awareness training to raise the perception of cyberattack detection as well as implement cybersecurity controls and technology solutions to mitigate risks. This multi-layered security approach, coupled with an incident response plan, will greatly assist organizations in preventing and detecting future cyberattacks.

If you believe you’ve experienced a cybersecurity breach or been the victim of a phishing scam, it’s time to take action.

REACH OUT