Sophos Phishing



Advanced, targeted phishing scams that impersonate well-known brands or VIPs within an organization are a big problem for security teams to deal with.

One common feature of these impersonation attacks, also known as Business Email Compromise, is that there is generally no malicious payload or link to scan for. That is what makes such attacks so dangerous: they are notoriously difficult to detect and block with traditional content scanning.



Warning from the FBI

The FBI is warning organizations to be on the lookout for an increase in these BEC scams. Such scams abuse auto-forwarding rules in web-based email clients, allowing attackers to insert themselves into existing conversations, and use email addresses on domains whose spelling closely resembles their victims’ real domains.

A recent incident in August 2020 following this pattern of deception allowed attackers to obtain $175,000 from their victim. The FBI’s Internet Crime Complaint Center (IC3) reported BEC schemes resulted in more than $1.7 billion in worldwide losses in 2019.

Who can you trust?

According to SophosLabs, 86% of impersonation emails assume the identity of a specific individual rather than a brand, and they often make urgent requests for funds or sensitive data.

They do this to make the communication feel personal and to take advantage of previously established trust relationships to put the target in a stressful situation so that they are more likely to give up sensitive data or release funds.

Attackers know who you’re most likely to trust. Analysis of mailboxes protected by Sophos* revealed the roles most likely to be impersonated:

  • 75% of emails impersonate the CEO or president (the highest-ranking individuals)
  • 10% IT leadership (Director, VP of IT, or CIO)
  • 5% financial leadership (the CFO or finance exec)

The remainder is made up of executive roles and C-suite leaders. What’s interesting is the uptick in medical professionals being impersonated: medical doctors and board-certified pediatricians now make up ~1-3% of individuals impersonated whereas previously they weren’t even on the radar.


People expect email scams, right?

When most people think of malicious emails they picture blatant requests for money, and excessive punctuation!!!

After analyzing thousands of messages we can see that, in reality, attackers are constantly evolving their approaches.

Their initial goal, of course, is simply to get the target to engage. Once the target’s on the hook, the attackers ramp up the pressure. Below are a couple of examples of impersonation phishing messages blocked by Sophos Email.

Trust your inbox with Sophos’ latest email protection update

Can you remember what it’s like to work in an office? Where you could easily talk to real people? You could quickly pop your head into the Finance office and double check that they really wanted $250,000 wired to a supplier at 5pm on a Friday. With us all working from home lately, that’s not so easy.

That’s why mailbox protection through Sophos Email Advanced is so valuable. Earlier this year, we launched our first impersonation protection feature set, providing a setup assistant that integrates with AD Sync to automatically identify the individuals within an organization who are most likely to be impersonated.

Once set up, Sophos Email scans all inbound mail for display name variations associated with those users. Secondly, by analyzing header information, Sophos Email can identify brand spoofing and impersonation attempts.

The latest advancement for Sophos Email uses machine learning to detect targeted impersonation (Business Email Compromise) attacks. Using the Sophos-built deep learning neural network, the model analyzes the body content and subject line of each message to flag conversations with suspicious content, specifically the tone and wording that characterize an unusual request from a sender.


Superior phishing protection with Sophos Email Advanced


The level of phishing protection added to Sophos Email in this latest release offers incredible value, with simple controls that help ensure protection is in place quickly.

Social engineering

Suspicious messages can be blocked, quarantined, tagged in the subject line, or have a warning banner added. Sophos scans all inbound email in real time, checking SPF, DKIM and DMARC authentication results and analyzing email headers for anomalies. We also provide impersonation protection using content, display name and lookalike domain analysis to identify attempts to impersonate a brand or a VIP within an organization.
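The header checks described above, as an added illustration rather than Sophos Email’s own code: read the SPF/DKIM/DMARC verdicts that the receiving mail server stamps into an Authentication-Results header (RFC 8601), and compare the From, Reply-To and Return-Path domains. The authserv-id `mx.example.com`, the hypothetical gateway actions and both sample messages are assumptions constructed for this example.

```python
"""Header-anomaly checks: trusted Authentication-Results verdicts plus
From / Reply-To / Return-Path domain agreement.

Added example, not Sophos code. Assumes our own MTA is "mx.example.com"
and stamps RFC 8601 Authentication-Results headers; the sample messages
below are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: the authserv-id our own MTA writes. Headers stamped by any
# other name may have been added by the sender, so they are ignored.
AUTHSERV_ID = "mx.example.com"


def parse_authentication_results(value):
    """Map method -> result (e.g. {'spf': 'pass', 'dmarc': 'fail'}) for one
    Authentication-Results header, or {} if it was not stamped by us."""
    authserv, _, rest = value.partition(";")
    if not authserv.strip() or authserv.split()[0] != AUTHSERV_ID:
        return {}
    results = {}
    for clause in rest.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.IGNORECASE)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To/Return-Path
    header ('' when the header is absent or carries no address)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def header_anomalies(raw):
    """Return a list of findings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    auth = {}
    for hdr in msg.get_all("Authentication-Results", []):
        auth.update(parse_authentication_results(str(hdr)))
    if not auth:
        findings.append("no Authentication-Results header from our MTA")
    elif auth.get("dmarc") != "pass":
        findings.append("dmarc=%s" % auth.get("dmarc", "missing"))

    # A Reply-To or envelope sender on a different domain is a classic sign
    # that the visible From address was borrowed from someone trusted.
    from_domain = domain_of(msg.get("From"))
    for name in ("Reply-To", "Return-Path"):
        other = domain_of(msg.get(name))
        if other and other != from_domain:
            findings.append("%s domain %s differs from From domain %s"
                            % (name, other, from_domain))
    return findings


def verdict(findings):
    """Map findings onto hypothetical gateway actions."""
    if len(findings) >= 2:
        return "quarantine"
    return "tag" if findings else "deliver"


# Constructed sample: CEO display name, DMARC fails, replies steered to
# a free-mail account, and a second Authentication-Results header that
# the sending side added itself.
SUSPICIOUS = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=ceo-mail.net;
 dkim=none; dmarc=fail header.from=example.com
Authentication-Results: mail.ceo-mail.net; spf=pass; dkim=pass; dmarc=pass
Return-Path: <bounce@ceo-mail.net>
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe.ceo@gmail.com
To: pat@example.com
Subject: Urgent wire needed before 5pm

Pat, are you at your desk? I need a supplier paid today.
"""

# Constructed sample: the same sender, genuinely from our own domain.
CLEAN = b"""\
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
Return-Path: <jane.doe@example.com>
From: "Jane Doe" <jane.doe@example.com>
To: pat@example.com
Subject: Board pack

Attached as discussed.
"""

if __name__ == "__main__":
    for raw in (SUSPICIOUS, CLEAN):
        found = header_anomalies(raw)
        print(verdict(found), found)
```

Note the second Authentication-Results header in the suspicious sample: only verdicts stamped by your own authserv-id can be trusted, because anything else travelled with the message and may have been written by the attacker.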

Malicious URLs and attachments

To protect against malicious URLs or attachments that may contain malware, Sophos provides real-time URL scanning and Time-of-Click URL rewriting to analyze any URL before it’s clicked. Then Sophos Sandstorm, our AI-powered cloud sandbox, detonates suspicious files to ensure malware never reaches the inbox.

User education

Finally, a great line of defense against email impersonation is intelligent cybersecurity awareness training. Sophos Email works with Sophos Phish Threat, our phishing simulation and training platform. By identifying users who have been warned or blocked from visiting a website because of its risk profile, or who have replied to a spear phishing email, Sophos Email and Sophos Phish Threat work hand in hand to seamlessly enroll risky users into targeted phishing simulations and training to improve awareness.

Start a no-obligation free trial of Sophos Email and Sophos Phish Threat from our website. Sophos customers who are already managing products through the Sophos Central platform can activate a free trial directly from their console: visit the More Products section in the main navigation to get started.

*Analysis of Sophos Email platform from January – April 2020.

As two people for whom creating phishing emails constitutes legitimate employment (we are on the product team behind the Sophos Phish Threat phishing simulation service) we know we’re in the minority.

Like our not-so-lawful counterparts, we spend our days using social engineering techniques to trick people into opening malicious messages and clicking on links they ought to leave alone.

Understanding the attackers’ approach helps you spot a phishing email when it hits your inbox.

Having written and tracked the performance of hundreds of simulated phishing emails, we’d like to share our approach so you can raise the red flag quickly.

In general, there are four main steps phishers go through when creating convincing phishing emails, and understanding these steps helps you to spot and stop them.

Step 1: Pick your target

Different people fall for different tricks, so the more information you have about your target the easier it is to craft a convincing phishing lure.

The audience may be broad, for example users of a particular bank or people who need to do a tax return, or it may be very specific – such as a particular role within an organization or even a specific individual.

Either way, we – like our adversaries – always have an audience in mind for each attack.

Step 2: Choose emotional triggers (select your bait)

Attackers play on our emotions in order to get us to fall for their scams. Here are three emotional triggers that phishers commonly exploit to trap you – sometimes using them in combination to boost their chance of success:

  • Curiosity. Humans are naturally inquisitive and phishers abuse this by making you want to know more. “Do you want to know what happened next?” All you need to do is to click the link or open the attachment…


  • Hope. The abuse of hope by phishers can range from general messages about unexpected prize wins and dating opportunities to specific emails referring to job offers, pay increases and more.
  • Necessity. Phishers often use a cybersecurity lure – pretending that you’ve suffered a security breach – to make it sound as though you simply must act now.

Step 3: Build the email (bait the hook)

Next up, we need to build the email. Like our criminal counterparts, we will often attempt to cloud your judgement by using one or more of the emotional triggers listed above to get you to perform a specific action without thinking about it first.

That action may be as simple as clicking a link or as complicated as initiating a wire transfer.

One clever trick to writing an effective phishing email is to make the action you wish the target to take inevitable, but not necessarily obvious.

For example, an attacker might send you an email that appears to contain clickable links to weight loss products. At the bottom of that same email, the attacker also includes a clickable “unsubscribe” link. Here’s the catch though: clicking on the “unsubscribe” link takes you to the exact same place as clicking any other link in the email.

This way, the attacker presents you with the illusion of a choice while ensuring they get you to click the link they wanted, regardless of where in the email you do it.

Step 4: Send the email (cast the line)

Finally, the phishing email needs to be delivered to the targets. There are a variety of ways for an attacker to do this. They may simply create a new email account on a generic service like Gmail and send the message using that email address, or they could be a bit trickier about it.


Attackers sometimes register domain names that look similar to a legitimate domain, changing the spelling slightly in a way that isn’t obvious, such as writing c0mpany for company (letter O changed to digit zero) or vvebsite for website (two adjacent Vs used for a W).

They will then send the phishing email using this lookalike domain in the hope that users who are in a hurry won’t spot the subtle difference.
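The display name and lookalike domain analysis mentioned in the email protection section above, and the c0mpany / vvebsite substitutions described here, as one added illustration that is not Sophos Email’s code: the organization domain `example.com`, the two VIP entries standing in for an AD-synced list, the confusable-character table and every sample From header are assumptions constructed for this example.

```python
"""Impersonation checks on a From header: a VIP's display name on an
address that is not theirs, an address smuggled into the display name,
and lookalike sender domains (c0mpany, vvebsite, exarnple).

Added example, not Sophos code. Assumes the org domain is example.com
and the VIP list below came from a directory sync; all headers are
constructed samples.
"""
import re
from email.utils import parseaddr

ORG_DOMAINS = {"example.com"}                      # assumption
VIPS = {"jane doe": "jane.doe@example.com",        # assumption: AD-synced
        "sam lee": "sam.lee@example.com"}

# Substitutions that survive a quick glance. Multi-character swaps go
# first so "rn" becomes "m" before any single character is touched.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]


def normalize(domain):
    """Fold confusable sequences so a lookalike compares equal to its target."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the org domain a sender domain imitates, or None.
    Exact org domains are never lookalikes. Distance <= 1 also matches a
    legitimate third party one letter away, so tune the threshold and
    keep an allow list of known partner domains in production."""
    domain = domain.lower()
    if domain in ORG_DOMAINS:
        return None
    for org in ORG_DOMAINS:
        if normalize(domain) == normalize(org) or edit_distance(domain, org) <= 1:
            return org
    return None


def assess_from(from_header):
    """List of findings for one From header value ([] when nothing is off)."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []

    # "jane.doe@example.com" <attacker@...>: the real address shown as the
    # display name, which is all many mobile clients render.
    if "@" in name:
        findings.append("address-like text in display name: %r" % name)

    # VIP name in the display name, but the address is not the VIP's.
    tokens = set(re.findall(r"[a-z]+", name.lower()))
    for vip, real_addr in VIPS.items():
        if set(vip.split()) <= tokens and addr != real_addr:
            findings.append("display name matches VIP %r but address is %s"
                            % (vip, addr))

    target = lookalike_of(domain)
    if target:
        findings.append("sender domain %s looks like %s" % (domain, target))
    return findings


# Constructed sample headers, from legitimate to clearly impersonated.
SAMPLES = [
    '"Jane Doe" <jane.doe@example.com>',
    '"Jane Doe (CEO)" <jane.doe.ceo@gmail.com>',
    '"Accounts Payable" <ap@examp1e.com>',
    '"Sam Lee" <sam.lee@exarnple.com>',
    '"jane.doe@example.com" <mailer@some-other.example>',
]

if __name__ == "__main__":
    for hdr in SAMPLES:
        print(hdr, "->", assess_from(hdr) or "ok")
```

The normalization step is what catches the digit-for-letter and vv-for-w tricks; the edit distance catches single-character drops and insertions that no substitution table anticipates. Both produce false positives on genuinely similar partner domains, so real deployments pair them with an allow list.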

It’s also possible for attackers to compromise an email account that belongs to a legitimate source and use it to send a scam message. This is commonly referred to as Business Email Compromise (BEC), and means that even the email address of a co-worker could potentially be used by an attacker to phish you.

How to stop phishing attacks

Even if a phishing email does reach your inbox, it still requires you to take some specific action – clicking a link or opening an attachment – before it succeeds.


So, knowing what to look out for, and what to do if you see something suspicious, has a huge impact.


Here are some steps to help reduce your phishing risk. While they are mostly written with organizations in mind, many are also equally relevant in our personal lives:

  • Educate through safe exposure. In the workplace, periodically exposing users to simulated phishing attacks offers them an opportunity to interact with a realistic but harmless version of what could have been a real attack. This allows people to make mistakes and learn from them while the stakes are low, thus preparing them to handle real threats when the stakes are high. Variety is important here and we strongly recommend the messages vary in detail such as length, topic, tone, style and the time they were sent.
  • Analyze your security culture. If you run phishing simulations in your workplace, collect as much data as you can, including how many samples of each message were opened, whether the recipient clicked on a link or opened an attachment, and what kind of device they were using at the time (computer or mobile). This will give you a powerful picture of overall employee awareness and where you might be particularly vulnerable to real attacks. Armed with this data you can focus your resources on supporting the areas and employees at greatest risk.
  • Target your training efforts. Direct your training efforts to departments that are at the greatest risk. Staff in finance, IT and management, and those with access to customer records, are high-value targets for attackers. Don’t overlook the basics, such as reminding staff to question why an email is asking them to do something, who the email is from, and so on. Distracted, tired and busy employees can easily be caught out.
  • Provide clear guidance on how to respond. Make sure not only that your staff know how to report potential phishing emails, but also that they receive a timely response when they do. Remember, if one person in your organization has received a phish there is a high chance that others have too. The earlier you can investigate and act, the better.
  • Enable cultural change. Fostering a company-wide culture of awareness and support is one of the most important things you can do. Give employees the opportunity to fail safely and offer them a clear route for reporting suspicious emails. Recognize and reward people who report phishing emails (praise is important) and support employees who inadvertently fall for a scam.

Remember, the goal of phishing training is to make people more aware of potential threats, and more likely to report them.

Be supportive and understanding if you test someone and they do fall for your trick and do click through, and make it clear you are not trying to catch people out in order to get them into trouble.

One more suggestion

Sophos Phish Threat, the product we work on, makes it easy for you to run simulated phishing programs, measure results, and target training where it’s needed. You can try it for free for 30 days.