What Employers, Employees Need to Know about Phishing

Jennifer Dukarski and Claudia Rast

Phishing attacks are one of the most common—and effective—forms of social engineering. These attacks attempt to convince a person to do something by impersonating a known party, such as friends, colleagues, or a company.

These seemingly legitimate requests ask the user to take some type of action, such as clicking on a link or opening a document. Phishing campaigns focus on sending out high volumes of generalized emails with the expectation that only a few people will respond.

Identifying phishing email
Phishing attacks work because they exploit simple human curiosity, unlike bot-driven cyber-attacks that target software vulnerabilities. In the basic phishing attack, a social “engineer” may claim that:

  • They’ve noticed suspicious activity or log-in attempts (which they will fix if you click here…)
  • There’s a problem with your online account or payment information (just enter your credentials here…)
  • You have to confirm some personal information (just enter it here…)
  • The attached invoice needs confirmation (open it to confirm your order)
  • You need to make a payment (just go to this link)
  • You’re eligible to register for a government refund (click here to find out how much)
  • You’re eligible for a free product (click here to see what that is)

In all of these cases the email includes a link or an attached document that carries a malicious payload. Once the link is clicked or the document opened, the malware takes over.

What do you do if you inadvertently click on the link or open the document? Time is of the essence here. Shut down your computer completely and call your IT Department.

What should the IT Department do?
The IT Department should have a cyber incident response plan that will:

  • Isolate the compromised device from the company network
  • Contact a forensic expert, if necessary, to:
    • Collect and preserve the mailbox of the compromised account
    • Collect and preserve the audit logs associated with the known compromised account
    • Review the available audit log data to identify the scope of the compromise, including any evidence of data exfiltration
    • Assess the security settings and configuration of the company’s Office 365 tenant (the typical target) for:
      • Known and potential vulnerabilities
      • Audit logging and its associated settings
      • Forwarding and mailbox configurations / rules
      • Accounts and policies
      • Authentication practices
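
A concrete starting point for the mailbox-rule and audit-log steps in the list above, written in Exchange Online PowerShell. This is an added example, not code from the article; it assumes the ExchangeOnlineManagement module is installed and the operator holds an Exchange admin role, and the mailbox address, look-back window and output path are placeholders.

```powershell
# Added example, not from the article: Exchange Online PowerShell checks for the
# compromised-mailbox steps above. Assumes the ExchangeOnlineManagement module is
# installed and the operator holds an Exchange admin role. The mailbox address,
# look-back window and output path are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline                      # interactive sign-in to the tenant

$User      = 'compromised.user@example.com' # placeholder: the known compromised account
$StartDate = (Get-Date).AddDays(-30)        # placeholder window; default audit retention is 90 days
$EndDate   = Get-Date

# 1. Mailbox-level forwarding set on the mailbox object itself
Get-Mailbox -Identity $User |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress,
                  DeliverToMailboxAndForward

# 2. Inbox rules that forward, redirect or silently delete mail; after a phish these
#    are a common way for an intruder to keep reading the victim's mail unnoticed
Get-InboxRule -Mailbox $User |
    Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or $_.DeleteMessage } |
    Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage

# 3. Scope check across the tenant: any other mailbox with forwarding turned on
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress

# 4. Preserve the audit trail for the account: rule changes and sign-ins, with the
#    client IP pulled out of the AuditData JSON so it can be compared with known office/VPN ranges
$Ops = 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox', 'UserLoggedIn'
Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -UserIds $User `
                       -Operations $Ops -ResultSize 5000 |
    Select-Object CreationDate, Operations,
                  @{ n = 'ClientIP'; e = { ($_.AuditData | ConvertFrom-Json).ClientIP } } |
    Sort-Object CreationDate |
    Export-Csv -Path '.\audit_compromised_user.csv' -NoTypeInformation
```

Run the export before any remediation (password reset, rule removal) so the preserved log reflects the state the forensic expert needs to review.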

How do you protect your company from phishing attacks?
Training, training, training. It’s all about being wary of suspicious email, and training sharpens users’ senses for messages that smell like phish.

Implement a company-wide mail filter system that will block spam, viruses, and malware. Keep in mind that these products will not filter out all phishing email.

Implement multifactor authentication across the company platform. If a user’s credentials are stolen, it’s not likely that the user’s cell phone or YubiKey (a hardware authentication device) was stolen as well. MFA serves as a potent speed bump in the hacker’s plan. It won’t keep the phishing attack from spreading if the hacker successfully exfiltrates the target’s mailbox, but it does minimize internal havoc. Research shows that once in, the malware can spread throughout a network in less than two hours.

Clean up those mailboxes. One thing we’ve learned over 15 years of data breach work is that users’ mailboxes contain far more damaging information than they should for normal business purposes. We see social security numbers, medical/health information, driver’s license numbers, credit card numbers (complete with expiration dates and CVV codes), tax returns—everything imaginable that a hacker can sell on the dark web. Such personal data should only be transmitted securely and should not be stored unencrypted in a mailbox.

Encrypt your data (and keep the decryption key off the network). Encrypted data is useless to the hacker, and firm-wide encryption is not a heavy lift to accomplish these days.

Back up your data (and confirm that you can restore your data from the backup).

Carry cyber insurance. When all else fails, make sure your cyber insurance coverage includes losses from phishing attacks. Some policies characterize clicking on a phishing email as a “volitional act” that could have been avoided and won’t cover it.

What impact does a remote workforce have on the likelihood of a successful phishing attack?
Simply stated, a remote workforce adds tremendous vulnerability to any company’s IT network. We’ve seen this many times in the years before the pandemic shutdown in companies that are staffed by in-home contract workers. These workers will use personal devices that may lack the necessary security measures, and they may be less guarded in their home setting. The risks have increased with more people working at home due to COVID-19. ZDnet reported Dec. 1 that “research suggests that remote workers have become the source of up to 20% of cybersecurity incidents.”

Has the COVID-19 pandemic impacted phishing attacks?
During the pandemic, many attackers pivoted to capitalize on the crisis. With more email flooding mailboxes and an “always connected” attitude, users are more vulnerable than ever to attacks. Studies suggest that one out of every four Americans received a phishing email related to the pandemic. Many of these use pandemic themes directly, such as fake job-termination meeting alerts, access to federal funds, or links to health information.

How can experienced cyber counsel help with phishing attacks?
First, experienced cyber counsel knows the drill, is used to the 24/7 nature of the response, and has a ready list of additional cyber responders, such as forensic and public relations experts. Cyber counsel will protect the early—and largely chaotic—communications with attorney-client privilege and knows the proper order of contacting the insurance carrier, law enforcement agencies, and any necessary public response.

Claudia Rast is Practice Department Chair for the Intellectual Property, Cybersecurity and Emerging Technology Group at Butzel Long. Jennifer Dukarski is a Butzel Long attorney, shareholder and leader of the firm’s Connected and Autonomous Vehicle Specialty Team.