Many organizations face the threat of Phishing. Cybercriminals utilize Phishing attacks to obtain user credentials for whichever service they deem valuable – from internet service providers (the first recorded Phishing attacks targeted AOL users), to financial institutions and online services such as Netflix and Instagram. In order to protect their customers, organizations have no choice but to have an anti-Phishing program in place, designed to minimize the risk of this popular external threat. However, running an effective anti-Phishing program can be a challenge. An effective program must be based on three pillars, which address different aspects of Phishing. Each pillar requires a different set of abilities and presents opportunities to reduce risk if done correctly.
Before we dive into these three pillars, it’s important to note that the term “Phishing” refers to two similar yet different things – “Phishing” can refer to websites that impersonate the company’s brand to steal customers’ credentials, but can also refer to websites that impersonate a third-party service while targeting the company’s employees. Even though both use the same technology and fraud method (social engineering), there are stark differences in how they can be mitigated. Phishing targeting employees, for example, can be stopped by the email security solution of an organization, while no such option exists when customers are targeted. Phishing awareness is also a major factor when dealing with targeted employees and would be considered a separate pillar in that context; however, an organization’s ability to influence its customers’ awareness of Phishing attacks is far weaker. As there are important differences in the anti-Phishing programs of each type, we’ve decided to focus in this article on the former type of Phishing – websites impersonating a company’s brand to target its customers and users.
Following are the three pillars to consider when developing such a program. Please note that we deliberately avoid going into specifics, so as not to reveal the techniques and methods organizations use to remediate Phishing attacks and thereby help fraudsters better avoid detection and takedown. If you are interested in learning more about specifics, please feel free to contact us for a free consultation.
Detection
The first step of remediating a threat is identifying it. Detecting Phishing attacks can be challenging, as they are external threats that can be hosted anywhere on the web and fraudsters take active measures to avoid detection. Phishing detection can be based on both external and internal sources, with effective anti-Phishing programs covering both types.
External sources can include open source Phishing feeds, new domain registrations, and more. Monitoring external sources for the purpose of Phishing detection is often done by using an intelligence vendor. As no vendor has 100% visibility into the web, some organizations utilize multiple vendors to detect external threats in order to maximize their coverage. In such a scenario, it is important to pick complementary vendors – review the types of sources that they monitor and make sure each vendor brings unique visibility into the ecosystem.
Despite Phishing attacks being external threats, there are several internal sources that organizations can utilize to detect them. In this case, data from these internal sources would need to be pushed either to the anti-Phishing vendor or to a SIEM for analysis. Some vendors may provide tools or agents to streamline the process of analyzing the internal data. As part of an organization’s anti-Phishing program, workflows need to be defined to determine which party analyzes the data. While there is more control over the results of an internal team, it is usually cheaper to outsource the data analysis to an external vendor.
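To make the external-source discussion concrete, here is an added example (our own illustration, not code from any vendor or from the original article) of the kind of first-pass triage an internal team or SIEM job might run over two vendor feeds and a new-domain-registration list. The feeds, the brand keyword “examplebank”, the legitimate-domain allowlist and the edit-distance threshold are all constructed assumptions. It merges the feeds, flags hostnames that embed the brand keyword or sit within a couple of edits of it (typosquats), and counts how many hits each feed contributed that no other feed did, which is one way to check whether two vendors really are complementary.

```python
"""Merge external Phishing feeds and flag brand-lookalike domains.

Added example, not the article's code. Feeds are constructed sample data;
the brand keyword, allowlist and thresholds are assumptions for illustration.
"""
from urllib.parse import urlsplit

BRAND = "examplebank"                 # assumed protected brand keyword
BRAND_DOMAINS = {"examplebank.com"}   # assumed legitimate domains to ignore

# Constructed sample feeds: two vendors plus a new-domain-registration list.
FEEDS = {
    "vendor_a": [
        "http://examplebank-login.verify-account.net/secure",
        "https://exarnplebank.com/signin",
        "http://totally-unrelated.example/",
    ],
    "vendor_b": [
        "https://exarnplebank.com/signin?session=1",
        "http://examp1ebank.co/",
    ],
    "new_domains": [
        "examplebank-support.xyz",
        "examplebnak.com",
        "bakerystreet.org",
    ],
}


def hostname(entry: str) -> str:
    """Return the lowercase hostname of a URL or a bare domain name."""
    if "://" not in entry:
        entry = "http://" + entry
    host = urlsplit(entry).hostname or ""
    return host.lower().rstrip(".")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch typosquats such as exarnplebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(host: str, brand: str = BRAND, max_distance: int = 2):
    """Return why a host resembles the brand, or None if it does not.

    Legitimate domains (and their subdomains) are skipped. Two checks follow:
    the brand keyword embedded in any DNS label, or a label within
    `max_distance` edits of the brand (catches exarnplebank, examp1ebank).
    """
    if host in BRAND_DOMAINS or any(host.endswith("." + d) for d in BRAND_DOMAINS):
        return None
    labels = host.split(".")
    for label in labels:
        if brand in label:
            return "contains brand keyword"
    for label in labels:
        distance = levenshtein(label, brand)
        if distance <= max_distance:
            return f"edit distance {distance} from brand"
    return None


def merge_feeds(feeds):
    """Map each distinct hostname to the set of feeds that reported it."""
    seen = {}
    for name, entries in feeds.items():
        for entry in entries:
            seen.setdefault(hostname(entry), set()).add(name)
    return seen


def find_lookalikes(feeds, brand=BRAND, max_distance=2):
    """Return {host: {"reason": ..., "sources": [...]}} for brand lookalikes."""
    hits = {}
    for host, sources in merge_feeds(feeds).items():
        reason = lookalike_reason(host, brand, max_distance)
        if reason:
            hits[host] = {"reason": reason, "sources": sorted(sources)}
    return hits


def unique_contributions(feeds, brand=BRAND):
    """Count hits each feed reported that no other feed did (coverage check)."""
    counts = {name: 0 for name in feeds}
    for info in find_lookalikes(feeds, brand).values():
        if len(info["sources"]) == 1:
            counts[info["sources"][0]] += 1
    return counts


if __name__ == "__main__":
    for host, info in sorted(find_lookalikes(FEEDS).items()):
        print(f"{host:40} {info['reason']:28} via {','.join(info['sources'])}")
    print("unique contributions:", unique_contributions(FEEDS))
```

On the constructed data the two vendors overlap on one host while the registration list surfaces two lookalikes neither vendor has, which is exactly the signal you want when deciding whether a second source earns its keep. Real feeds would add reputation, WHOIS age and screenshot checks before anything reaches an analyst.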
Disruption and Takedown
For a Phishing attack to be considered completely remediated, its URL must be inaccessible at an infrastructure level. This usually means that either its domain (if one was registered for it) has been disabled by the registrar, or its web hosting company has removed the malicious files or blocked access to them. There are other entities that can help in taking down a Phishing attack – for example, if the attack relies on a dynamic DNS service, that provider can delete its record and sever the link. Alternatively, if the Phishing attack is hosted on a hijacked website, its legitimate owner may be able to assist. Once access is no longer available, the attack is considered taken down.
Most organizations utilize an anti-Phishing vendor (shameless plug: like us!) to deal with taking down Phishing attacks. When considering an effective takedown provider, it is important to look into several aspects of the service:
How long does it take for the service to take down a Phishing attack?
This metric is the most important, yet the most difficult to assess. Considering that legal methods of taking down Phishing attacks involve requesting the relevant entities (registrars, web hosting companies) to take down the site, the vendor is dependent on these entities’ interest and ability to take action. A Phishing site hosted on a server of a large web hosting company from Germany would most likely be taken down quicker than one on a server of a small web host in Pakistan. The time of day at the web hosting company or registrar can also make a huge difference, as most abuse teams do not operate 24×7. Additional factors include how “classic” the Phishing attack is (more complicated scams may be harder for the abuse team to recognize as malicious) and whether the operators have implemented any features to prolong the lifespan of their attack.
How long does it take for the service to start handling a takedown once a request is made?
If the service employs analysts, in peak hours they may all be preoccupied by other tasks. The time between a takedown request being made and the start of the takedown process is important, considering that handling Phishing attacks is time-sensitive. Phishing attacks can inflict significant damage in a short period, so minimizing delays in initiating the takedown process is critical. A good takedown provider should have processes in place to ensure prompt handling of requests, even during peak hours. This may include features like automated workflows, well-distributed teams across time zones, or dedicated analysts for urgent cases. Ensuring the provider has a robust and scalable infrastructure to handle high volumes of requests is equally important to reduce delays caused by bottlenecks.
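Both questions above are only answerable if the numbers are actually tracked. The following is an added example, written for this article and not taken from any vendor’s tooling, of how an organization might compute the two metrics from its own takedown case log: time from request to the vendor starting work, and time from request to confirmed takedown, with the latter also broken down by hosting provider so slow abuse desks stand out. The case records, field names, provider labels and the fixed “now” timestamp are constructed assumptions; a real program would export the equivalent fields from the vendor’s ticketing system. Cases that are still live or not yet acknowledged are counted and aged rather than silently dropped, since excluding them would flatter the averages.

```python
"""Compute takedown-provider metrics from constructed case records.

Added example, not the article's code. The records, field names, provider
labels and the fixed NOW timestamp are assumptions; times are in hours.
"""
import math
from datetime import datetime, timedelta
from statistics import median


def ts(text: str) -> datetime:
    """Parse an ISO-8601 timestamp (constructed data uses a single timezone)."""
    return datetime.fromisoformat(text)


# Constructed sample cases: each is one Phishing URL reported to the vendor.
CASES = [
    {"id": 1, "hosting": "large-host-de", "requested": ts("2024-03-04T08:00:00"),
     "acknowledged": ts("2024-03-04T08:30:00"), "taken_down": ts("2024-03-04T13:00:00")},
    {"id": 2, "hosting": "large-host-de", "requested": ts("2024-03-04T17:30:00"),
     "acknowledged": ts("2024-03-04T19:00:00"), "taken_down": ts("2024-03-05T10:00:00")},
    {"id": 3, "hosting": "small-host-pk", "requested": ts("2024-03-05T09:00:00"),
     "acknowledged": ts("2024-03-05T09:15:00"), "taken_down": ts("2024-03-08T09:00:00")},
    {"id": 4, "hosting": "small-host-pk", "requested": ts("2024-03-06T09:00:00"),
     "acknowledged": ts("2024-03-06T12:00:00"), "taken_down": None},   # still live
    {"id": 5, "hosting": "dyn-dns", "requested": ts("2024-03-06T22:00:00"),
     "acknowledged": None, "taken_down": None},                        # not picked up yet
]

NOW = ts("2024-03-07T09:00:00")  # constructed "current time" used to age open cases


def hours(delta: timedelta) -> float:
    return round(delta.total_seconds() / 3600, 2)


def time_to_ack(case):
    """Hours from request until the vendor started work; None if not yet acknowledged."""
    if case["acknowledged"] is None:
        return None
    return hours(case["acknowledged"] - case["requested"])


def time_to_takedown(case):
    """Hours from request until confirmed takedown; None while the site is still live."""
    if case["taken_down"] is None:
        return None
    return hours(case["taken_down"] - case["requested"])


def percentile(values, p):
    """Nearest-rank percentile of a non-empty list (p in 0..100)."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(cases, now=NOW):
    """Return the headline metrics for a set of cases, including open ones."""
    acks = [t for t in (time_to_ack(c) for c in cases) if t is not None]
    downs = [t for t in (time_to_takedown(c) for c in cases) if t is not None]
    open_cases = [c for c in cases if c["taken_down"] is None]
    return {
        "cases": len(cases),
        "ack_median_h": median(acks) if acks else None,
        "takedown_median_h": median(downs) if downs else None,
        "takedown_p90_h": percentile(downs, 90) if downs else None,
        "still_live": len(open_cases),
        "oldest_live_h": max((hours(now - c["requested"]) for c in open_cases), default=0.0),
        "unacknowledged": sum(1 for c in cases if c["acknowledged"] is None),
    }


def by_hosting(cases, now=NOW):
    """Same metrics per hosting provider, to spot the slow abuse desks."""
    groups = {}
    for c in cases:
        groups.setdefault(c["hosting"], []).append(c)
    return {host: summarize(group, now) for host, group in groups.items()}


if __name__ == "__main__":
    print("overall:", summarize(CASES))
    for host, stats in by_hosting(CASES).items():
        print(f"{host:15}", stats)
```

The median time-to-acknowledge answers the second question (is the vendor actually picking requests up promptly, including the evening one?), while the per-provider takedown median and p90 answer the first and make the German-versus-Pakistani-host effect described above visible in your own data rather than anecdotally. Tracking the count and age of still-live cases is what turns this from a vanity metric into an operational one.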
Victim Identification
In a perfect scenario where we can immediately identify any individual who fell prey and provided their details to a particular Phishing scam, the threat of the attack would be completely mitigated. Victim credentials can be immediately changed, or their account monitored for any malicious activity. Despite the fact that perfect scenarios are few and far between, it is evident that identifying the victims of Phishing attacks can dramatically reduce the risk associated with them.
As identifying victims in real-world scenarios is no easy task, organizations must invest in tools and processes to detect signs of compromise quickly as part of their anti-Phishing program. There are methodologies for detecting victims based on both internal and external resources. However, as we’ve noted, we aren’t interested in teaching fraudsters the tools of the trade, since keeping them undisclosed makes it harder for cybercriminals to circumvent them (as the WWII saying went, “loose lips sink ships”), so we will not elaborate on them in this article.
In conclusion, Phishing remains a significant threat to organizations worldwide, targeting customers through sophisticated social engineering tactics. Developing an effective anti-Phishing program requires a holistic approach built on the three pillars of detection, disruption and takedown, and victim identification. Each pillar addresses a critical aspect of mitigating this external threat, and their combined implementation ensures a more comprehensive defense. While the challenges of Phishing are considerable, organizations that invest in the right tools, processes, and partnerships can significantly reduce their risk and protect their stakeholders. By remaining vigilant and proactive, companies can stay ahead of cybercriminals and foster a safer digital ecosystem for their users.