6 Phishing
Basics
Phishing occurs when an attacker contacts someone in your organization and tries to get them to take a harmful action, like clicking on a link that can install malware or sharing confidential information. These actions can result in harm to a device, your network, and your users. This “someone” not only includes the adults on your staff but can include your youngest users: students who may still be developing literacy skills, not to mention learning how to act as an appropriate digital citizen. Phishing is usually attempted through email, but phishing attempts can also be sent through text messages, social media, by phone, as pop-up ads, and even as calendar invitations. Combating phishing, ransomware, and other malicious attacks requires both human solutions and technical solutions.
Terms to Know
You should know the following terms:
- Anti-spoofing controls
- Blocking: blacklists
- Blocking: whitelists
- Filtering
- Incident Response Plan
- Phishing
- Spoofing
Information
Education
Many victims of phishing attacks do not intend to act inappropriately. Some phishing attempts appear very legitimate and can confuse even very savvy users. Ongoing education is an important component of your district’s cybersecurity practice. Because attacks like phishing and ransomware evolve over time, cybersecurity training is not a “one and done” experience. Determine the best strategies to leverage ongoing professional learning and information sharing practices in your district to keep all staff, students, and their families informed about phishing and other malware attacks.
While you can educate your users, sometimes they might fall victim to a phishing appeal and follow through with an action they shouldn’t. Is your district’s culture supportive of your users or are they likely to be blamed for taking that action? Spotting phishing emails can be difficult. Even administrators, board members, and senior staff have been taken in. If you promote a culture of blame, people will be reluctant to report their mistakes to you. ALL of the users on your network should understand that spotting phishing attacks can be difficult and that they can turn to you for help when they have questions or have taken an inappropriate action.
Some companies, including school districts, engage in the practice of sending “fake” phishing emails to “test” staff on their ability to spot phishing emails. Your district may want to exercise caution if it does, or plans to, incorporate this practice. At the least it can appear as a lack of trust between IT and staff members, and if they don’t trust you, they will be reluctant to report issues when they do occur. Because spotting phishing emails can be so difficult, some organizations consider the use of these fake phishing attempts an act that approaches entrapment (National Cyber Security Centre). Instead, consider how you are routinely communicating to and educating all staff about these attacks and ensure they know the appropriate routines for contacting you for support.
Spotting Phishing Messages
Many phishing messages can look authentic, especially emails that include branding such as corporate logos, colors, and signature elements. Messages may include language that makes it sound like the sender knows who you are or there is some form of urgency for you to complete an action immediately, like following that bad URL.
One of the easiest methods anyone can use to troubleshoot a suspicious email is to thoroughly investigate the header information, especially the address from which the message was sent. Very often senders appear only as names or organizations, but a quick click of the mouse can reveal the full email address. Some email programs can “Show All Headers” to view detailed information about where the message came from and how it arrived on your computer. Any inappropriate domains, like foreign countries or organization names with extra characters that don’t match the intended sender, should be flagged. Your users should know whether they should flag, delete, or forward the message to IT for further investigation.
Users should also investigate any links (website URLs) in messages, including those that may appear legitimate. If presented as a URL, the link may include identifiers to organizations different from the sender. Some email clients allow users to see the actual URLs hidden behind text-based links or to preview them before opening them.
Other classic signs of phishing attacks include poor spelling and grammar, although these are not solid proof on their own. Messages from people you know or work with would also likely contain a personal greeting, not a general one. And while sometimes we receive legitimate emails for the first time from a person or an organization, caution should be used when receiving unsolicited messages, especially when they contain attachments. Users should recognize common file extensions that may indicate something hidden within an attachment, extensions like .exe or .jsp.
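As an added example (not part of this module), the following Python helper applies the three checks described above, sender domain, hidden link targets, and risky attachment extensions, to a constructed sample message; the district domain and the message itself are assumptions for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

DISTRICT_DOMAIN = "example-schools.org"      # assumed: the district's own mail domain
RISKY_EXTENSIONS = (".exe", ".js", ".jsp", ".scr", ".vbs")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r'(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?', re.I)

# Constructed sample: display name and link text imitate the district, but the
# sender domain, the link target and the attachment do not match.
SAMPLE = """\
From: "Example Schools Payroll" <payroll@example-schools-hr.org>
Subject: Urgent: verify your direct deposit today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Verify now: <a href="http://login.hr-verify.example/x">hr.example-schools.org</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="payroll_form.exe"

AAAA
--b1--
"""

def triage(raw):
    """Apply the header, link and attachment checks; return the reasons to flag."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    # Header check: the full address behind the display name, as "Show All Headers"
    # reveals it; flag a domain that resembles ours (extra characters) but is not ours.
    frm = msg["From"]
    sender = frm.addresses[0].addr_spec.rsplit("@", 1)[-1].lower() if frm else ""
    if sender != DISTRICT_DOMAIN and DISTRICT_DOMAIN.split(".")[0] in sender:
        flags.append(f"sender domain {sender} resembles but is not {DISTRICT_DOMAIN}")
    # Link check: the visible text names one site while the href points elsewhere.
    body = msg.get_body(preferencelist=("html",))
    for href, text in LINK_RE.findall(body.get_content() if body else ""):
        text = text.strip()
        if LOOKS_LIKE_URL.fullmatch(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            if shown != urlparse(href).hostname:
                flags.append(f"link text shows {shown} but points to {urlparse(href).hostname}")
    # Attachment check: file extensions that may hide something executable.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            flags.append(f"attachment {name} has a risky extension")
    return flags
```

Running `triage(SAMPLE)` returns one reason for each of the three checks; a message from the district's own domain with no links or attachments returns an empty list.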
Combating Phishing Attempts
Many of the network safeguards within this module can help protect your network and your users from malicious attacks. Using only approved applications and resources and keeping operating systems up-to-date are important strategies for combating phishing. Internet filters and blocking software or services are routine on networks. Filtering refers to sending a message to some type of quarantine, usually a spam or junk folder. Your users can be taught how to do this on their own accounts, as well, but your network filter is the first line of defense. Messages can also be blocked through the use of blacklists and whitelists or when certain types of attachments or known malware are detected.
As attackers become more sophisticated, phishing emails can look like they have been sent from trusted organizations, including your own district! Your district may use anti-spoofing controls to make it harder for attackers to pretend they are a legitimate user from your domain. Spoofing takes different forms, from a personal appeal (see Attacks on Multi-factor Authorization) to technical means of disguising a device or the IP address from which attacks are sent. Software can be used to combat some of these attempts on individual devices and on your network.
Another strategy to combat phishing attempts is to review district websites and social media sites and be sure the type of information that is publicly available about employees and students is nondescript and limited. Attackers can review a website or social media account to find information to look more legitimate. Your district may have or may want to establish guidelines for acceptable use of websites and social media by staff and students. It may be helpful for parents to have access to a directory of staff, but their emails don’t necessarily have to be publicly listed if they can be obtained by a link instead.
Handling Phishing Reports
When you establish a culture of trust, your staff and students are more likely to report incidents related to their actions more quickly. Every user should know whom to contact and how, with multiple options available in case their device becomes inoperable. Key personnel and appropriate actions may be identified in your district’s Incident Response Plan.
Don’t wait for an incident to be prepared. Every IT Department should have an Incident Response Plan and should practice the steps identified in the plan. As noted previously, your plan may involve staff from multiple departments, including legal counsel, Human Relations, Public Relations/Outreach, and even key vendors.
Staff should be designated for routine monitoring of event logs to catch events that may not have been reported automatically. These staff may also monitor threats published by vendors or cybersecurity organizations, including local, state, and national government organizations. If malware gets through, specific staff should be designated as responsible for removing malware from a device and the procedures they should take. Is this you? If so, know your responsibilities. If account information is compromised, know how to and when to reset passwords. Practice restoring files and data from secure backups in case you need to start over again with a clean slate.
Communicating the impact of an attack can be nerve-racking. In the case of a major attack, such as a ransomware attack delivered through phishing, your team might need to gather and seek additional information before anyone comments on the issue. When your team has clear information, it should be communicated clearly with everyone involved, which may include parents and other members of the community. Some issues require designated spokespersons, such as the IT Director or someone from the Superintendent’s office or Public Relations. As your team works through issues, keep careful records of the conditions for the attack, actions taken and their impact, reasons for decisions, and the loss of any data that resulted. That documentation can strengthen your district’s infrastructure, policies, and practices going forward, including educating staff, students, and families. In severe cases, some of the documentation may have to be shared with outside agencies, perhaps even the FBI or other investigators.
Additional Resources
Here are additional resources you may find useful:
- Phishing from NIST
- Phishing attacks: Defending your organisation from the National Cyber Security Centre in the U.K.
- Phishing Infographic from CISA
- Cybersecurity Education opportunities:
Task/Self-Assessment
Complete the following task or self-assessment:
What is the procedure your users should follow when they suspect they are being phished?
- How are you involved?
- Will they be reporting these messages to you?
- Will you have to follow up if they have, unfortunately, succumbed to an attack?
One thing you can do to be better prepared to combat phishing is to learn more about it yourself. Be sure you know how to show and read headers in your email system and how to track the delivery of messages. Take steps to investigate suspicious URLs and determine whether they are legitimate or not.