Employees Still Clicking on Phishing Links? What Companies can do to Break that Habit

Phishing attacks have become sophisticated and targeted. The majority of recent successful phishing attacks have been limited to a small subset of employees (spear-phishing) rather than spammed across the entire company. The phishing emails may appear to come from HR or from an email address within the company. Because attackers customize these emails so heavily, employees have a hard time detecting when an email is fake. URL mangling can trick even well-trained employees into clicking on malicious links by making them appear legitimate. The address www.lbm.com (notice the lowercase ‘L’) in place of www.ibm.com is an example of URL mangling.
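
The look-alike check below is an added example for this paragraph, not code from the original article. It folds commonly swapped characters (the lowercase L for i from the www.lbm.com example, digits for letters, "rn" for "m") to a canonical form and compares the result against an allowlist of the organization's real domains, so a link whose folded hostname matches a trusted domain while its raw hostname does not is flagged as a look-alike. The allowlist `TRUSTED`, the confusable table and the sample URLs are constructed for illustration.

```python
"""Flag look-alike (mangled) hostnames in links before a user follows them.

Added example; not code from the original post. The allowlist TRUSTED, the
confusable table and the sample URLs are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlparse

# Character swaps commonly used to make one hostname resemble another.
# Each key is folded to a canonical form so that "lbm" and "ibm" compare equal.
# Multi-character keys ("rn" for "m") are applied before single characters.
CONFUSABLES = {
    "rn": "m",
    "vv": "w",
    "l": "i",
    "1": "i",
    "|": "i",
    "0": "o",
    "5": "s",
    "3": "e",
}

# Constructed allowlist of domains the organization actually uses.
TRUSTED = {"ibm.com", "example-corp.com"}


def fold(hostname: str) -> str:
    """Lower-case, Unicode-normalize and collapse confusables in a hostname."""
    host = unicodedata.normalize("NFKC", hostname).lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        host = host.replace(src, dst)
    return host


def registrable(hostname: str) -> str:
    """Crude registrable-domain extraction: the last two labels.
    A real deployment would consult the Public Suffix List (e.g. for co.uk)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


# Folded form of every trusted domain, mapped back to the real domain,
# so that a trusted domain containing "l" still matches itself.
FOLDED_TRUSTED = {fold(d): d for d in TRUSTED}


def classify(url: str) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a URL."""
    host = urlparse(url).hostname or ""
    domain = registrable(host)
    if domain in TRUSTED:
        return "trusted"
    folded = fold(domain)
    if folded in FOLDED_TRUSTED:
        return f"lookalike of {FOLDED_TRUSTED[folded]}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, including the article's own www.lbm.com example.
    for link in ("https://www.ibm.com/login",
                 "https://www.lbm.com/login",
                 "https://hr.examp1e-corp.com/payroll",
                 "https://news.example.net/"):
        print(f"{link:45} -> {classify(link)}")
```

The folding table is deliberately small and ASCII-only; internationalized domain names need a full Unicode confusables table and punycode decoding, and the two-label registrable-domain shortcut should be replaced by a Public Suffix List lookup before this runs against real mail.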

For email that originates from outside the company, employees need to drop the mentality of trusting an email unless it looks “fishy” and transition to not trusting any email unless they are expecting it. For internal email, employees can use Digital Certificates to sign all messages. An employee can then disregard any unsigned internal email as spam. This drastically reduces an attacker's ability to use a spoofed email address that appears to be from inside the company.
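
The triage routine below is an added example of the policy this paragraph describes, not the author's code. It sorts a message into one of three buckets: external (trust only if expected), internal and carrying an S/MIME signature part, or internal and unsigned (treat as spam). The check is structural: it confirms the message is `multipart/signed` with a `pkcs7-signature` part, which is the shape a certificate-signed mail has, but it does not cryptographically verify the signature against the company's certificate chain; that step belongs in the mail client or gateway. `INTERNAL_DOMAIN` and the three sample messages are constructed.

```python
"""Triage internal vs. external mail under a "sign all internal email" policy.

Added example, not the original article's code. INTERNAL_DOMAIN and the sample
messages are constructed. The check is structural only: it confirms an S/MIME
signature part is present; it does not cryptographically verify it.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"  # constructed
SMIME_TYPES = ("application/pkcs7-signature", "application/x-pkcs7-signature")


def sender_domain(msg: Message) -> str:
    """Domain of the addr-spec in From:, ignoring any display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def is_smime_signed(msg: Message) -> bool:
    """True when the message is multipart/signed with a pkcs7 signature part."""
    if msg.get_content_type() != "multipart/signed":
        return False
    if msg.get_param("protocol") not in SMIME_TYPES:
        return False
    parts = msg.get_payload()
    return (isinstance(parts, list) and len(parts) == 2
            and parts[1].get_content_type() in SMIME_TYPES)


def triage(raw: str) -> str:
    """Apply the policy: external mail is trusted only when expected, internal
    mail must be signed, unsigned internal mail is spam."""
    msg = message_from_string(raw)
    if sender_domain(msg) != INTERNAL_DOMAIN:
        return "external: trust only if expected"
    if is_smime_signed(msg):
        return "internal-signed: verify signature, then trust"
    return "internal-unsigned: treat as spam"


# Constructed sample: internal sender, S/MIME-signed structure (placeholder bytes).
SIGNED_INTERNAL = """\
From: HR <hr@example-corp.com>
To: alice@example-corp.com
Subject: Payroll schedule
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="sig-boundary"

--sig-boundary
Content-Type: text/plain; charset=us-ascii

Payroll runs on Friday as usual.
--sig-boundary
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

MIIBPLACEHOLDERSIGNATUREBYTES=
--sig-boundary--
"""

# Constructed sample: spoofed internal From: address, no signature.
UNSIGNED_SPOOF = """\
From: HR <hr@example-corp.com>
To: alice@example-corp.com
Subject: Payroll schedule
Content-Type: text/plain; charset=us-ascii

Please review the attached payroll form.
"""

# Constructed sample: internal address only in the display name; the real
# addr-spec is external, so parseaddr() classifies it as external mail.
DISPLAY_NAME_SPOOF = """\
From: "hr@example-corp.com" <mailer@mail.example.net>
To: alice@example-corp.com
Subject: Payroll schedule
Content-Type: text/plain; charset=us-ascii

Payroll runs on Friday.
"""

if __name__ == "__main__":
    for name, raw in (("signed internal", SIGNED_INTERNAL),
                      ("unsigned spoof", UNSIGNED_SPOOF),
                      ("display-name spoof", DISPLAY_NAME_SPOOF)):
        print(f"{name:20} -> {triage(raw)}")
```

Because `parseaddr()` takes the address inside the angle brackets, a message whose display name reads like an internal address but whose real sender is external lands in the external bucket rather than being mistaken for internal mail. Presence of a signature part is only the first gate: an attacker can attach an arbitrary `smime.p7s`, so the "verify signature" step must actually check the signature and the certificate's chain to the company's issuing CA.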

Companies can help employees by having a communication policy that is easy and clear. Part of that policy should be to match specific employees to tasks; for example, all issues affecting employees’ paychecks will be handled by a specific person. Periodic phishing training should also be in place and regularly updated. Phishing is a rapidly changing threat vector, and the organization's training material and policies need to evolve with the threat.