Phishing is pretty awful, whether you fall for a phishing attempt or have phishers pose as you. But how does phishing really happen and, even more importantly, how do you protect yourself?
The first 48 hours – phishing edition
Phishing starts with, well… the phishing. Someone sends out the attempt, sometimes posing as us, sometimes as a long-lost relative who just got a massive sum of money from an inheritance. Hopefully it lands in your spam folder, and you can happily delete it and move on with your day. Unfortunately, the days of bad phishing email attempts are gone. Many phishing attempts can look surprisingly legitimate.
So, people start falling for the phishing attempt, then what? If you fall for a phishing attempt, and the phisher gets your credentials, the phisher at that point might start sending emails posing as you.
The first 48 hours after the initial phishing attempt are the most important. If a threat actor is not stopped within that time window, they probably never will be.
Luckily, organizations that use email service vendors to conduct email marketing campaigns have a weapon on their side. When email services find out that a customer has been compromised, they can get to work right away.
Discovering phishing attempts
Email service vendors have security measures in place to notice unusual activity, and once someone tips the vendor off, they can move forward with disabling the account to keep the threat actor from causing more damage.
Email service vendors tend to hear about phishing attacks on customers fairly quickly via Twitter, abuse emails, or support tickets. While vendors have safeguards in place to protect accounts, the second they hear that an account has had unauthorized access or suspicious behavior, they can start to crack down.
The process of intercepting phishing threats
Typically, email service vendors take two routes to stop adversaries. First, they want to connect with hosting providers to help lessen the impact of the attack. The vendor will request that the website that’s posing as someone else is taken offline to keep future potential victims from also being phished. At the same time, the vendor will also keep an eye on all of the organization’s accounts for suspicious behavior and then flag them for review or disable them.
It’s important to note here that while phishers might have unauthorized access to an email service vendor’s accounts due to a phishing scam, the databases from the vendor have not been compromised in any way.
Still, vendors want to protect accounts from these bad actors. If the email service vendor didn’t take down and disable those accounts, adversaries could still be using your account for phishing. That leads into a whole other can of worms like blacklisting, your deliverability taking a hit, massive credit card charges from phishers running up your bill, and your mailing list distrusting you.
That is why, when given the two options of leaving the account as-is or disabling it, the right email service provider will pick disabling every time. It protects accounts from further damage, and threat actors get locked out before they can spread their scammer wings.
Not all hope is lost though. If you or another user has lost access to an account, you can still get it back. Contacting the email service vendor’s support team is the first step, and they can work with you to update your credentials from what they were when the phisher got hold of them.
At this point, if you haven’t already set up two-factor authentication (2FA) for extra security, then now is the perfect time to do it. Extra security means fewer chances of getting locked out of your account.
Clues to spot phishers before damage is done
Phishing can happen to anyone at any time. Threat actors can send from anywhere and look like organizations you trust. While some phishing attempts are obvious, others are scarily convincing. For example, take a look at the email below:
Although it was pretty good, a few things gave it away. To start, the sender is bogus. The phisher wanted you to zero in on the “Mailgun” name and forget about the actual email address following it. But in case you don’t catch that, the body of the email also had a few dead giveaways. Grammatical errors, weird content, old logos, and other slip-ups give away a phisher.
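The sender check described above can be done mechanically by comparing the brand claimed in the From: display name with the domain of the actual address. This is an added example, not part of the original article or any vendor's code; the brand-to-domain allow-list and the sample headers are assumptions constructed for illustration.

```python
import re
import unicodedata
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumption for this example: brand keyword -> domains the brand really sends from.
BRAND_DOMAINS = {"mailgun": {"mailgun.com"}}

def _domain_allowed(domain, allowed):
    # Exact match or true subdomain; "notmailgun.com" must not pass as "mailgun.com".
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def display_name_mismatch(from_header):
    """Return a reason string if the From: display name claims a brand
    that the actual address does not belong to, else None."""
    raw_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "no parseable sender address"
    # Decode RFC 2047 encoded-words so an encoded display name cannot hide the brand.
    name = str(make_header(decode_header(raw_name)))
    # Fold case, compatibility forms, spacing and punctuation ("M a i l g u n").
    folded = unicodedata.normalize("NFKC", name).casefold()
    folded = re.sub(r"[^a-z0-9]", "", folded)
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in folded and not _domain_allowed(domain, allowed):
            return f"display name claims '{brand}' but address is at {domain}"
    return None

# Constructed sample headers (not taken from any real message).
SAMPLES = [
    "Mailgun Support <billing@mailgun-secure.example>",        # lookalike domain
    "=?UTF-8?B?TWFpbGd1biBTdXBwb3J0?= <alerts@mail.example>",  # encoded display name
    "M a i l g u n <team@y.example>",                          # spaced-out brand
    "Mailgun <a@notmailgun.com>",                              # suffix lookalike
    "Mailgun <news@email.mailgun.com>",                        # genuine subdomain
    "Jane Doe <jane@example.org>",                             # no brand claimed
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{display_name_mismatch(header) or 'ok':60} {header}")
```

A matching domain only rules out this one trick; the address itself can still be forged unless the message's SPF, DKIM and DMARC results are checked as well.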
That’s a quick look at what email service vendors do when they find out about a phishing attempt sent through one of their customers and what to look for if you get one in your inbox. Remember to be alert, and always verify when asked to perform an action.