Sophos Anti Phishing



The most advanced anti-ransomware technology available. Sophos email security uses behavioral analysis to stop never-before-seen ransomware and boot-record attacks. Phishing attacks are a primary attack vector, and organizations have realized that the end user is the weakest link in their IT security. Sophos is the only vendor that can offer you a complete anti-phishing strategy, combining technology and training, so you can manage all of your phishing protection (user education, email and web) in one place. 41% of IT pros report at least daily phishing attacks. Phishing is big business for the cyber crooks: with 89% of phishing attacks orchestrated by professional cyber crime organizations, it’s essential to stay ahead of the game, not just for IT professionals but for anyone working with email.

Thanks to the Sophos Security Team for their help with this article.

Sadly, cybercrooks love a crisis, because it gives them a believable reason to contact you with a phishing scam.

Here’s a tasteless and exploitative example, reported to us by the Sophos Security Team, of a current scam that uses the coronavirus as its lure:

The email, which carries the logo of the World Health Organization, states:

Go through the attached document on safety measures regarding the spreading of corona virus.

Click on the button below to download

Symptoms common symptoms include fever,coughcshortness of breath and breathing difficulties.

Fortunately, at least for fluent speakers of English, the criminals have made numerous spelling and grammatical mistakes that act as warning signs that this is not what it seems.

The link you’re asked to click on is similarly, and fortunately, dubious.

Firstly, it seems to be a compromised music site with a weird name that doesn’t have any obvious connection to any well-known health organisation; secondly, it is an HTTP site, not an HTTPS site, which is sufficiently unusual these days to be suspicious in its own right.

Nevertheless, the scam page itself is incredibly simple – it can’t have taken the crooks more than a few minutes to put together – and visually effective.

The fake page consists of the official, current home page of the World Health Organisation (WHO), with an unassuming popup form on top of it.

It doesn’t just look like the WHO’s page in the background, it is the WHO’s page, rendered in a frame that’s embedded in the fake site:

You can see why someone who’s nervous about the coronavirus issue, or who has friends and family in the main areas of infection, or who wants to do the right thing by learning more about preventing the spread of the disease…

…might fill in the form, perhaps because they are feeling pressurised by (or not thinking clearly because of) the subject matter.

Indeed, many companies have already sent emails to their staff to offer advice, so reading additional information that is allegedly from the WHO sounds like a sensible and responsible thing to do.

Of course, if you put in your email address or your password and click through, you’ll be submitting the filled-in web form to the crooks.

Worse still, you’ll be submitting it over an unencrypted connection.

So anyone else on the same network as you, for example in your hotel lobby or the coffee shop, could potentially capture your network traffic and see the username and password you just put in.

Once you’ve clicked the [Verify] button, the crooks simply redirect you to the real WHO site at who DOT int, which looks just like the previous page you were on, minus the popup form…

…with the rather obvious exception that the address bar now looks (and is) correct, displaying the genuine WHO website name, showing a padlock and – if you click through and view the web certificate – a certificate that shows up as issued to the WHO itself.
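The pattern described above (a trusted site rendered inside a frame, with a credential form layered on top that posts somewhere else over plain HTTP) can be spotted mechanically. The following Python script is an added example written for this page; it is not code from Naked Security or Sophos, and the sample HTML and hostnames it scans are constructed stand-ins, not the real scam page.

```python
"""Heuristic check for a framed-brand credential phishing page.

Flags three things the article points out: the page frames a site on a
different host, a form containing a password field posts over plain HTTP,
and that form posts to a host other than the framed (trusted) one.
Added example; the sample page below is constructed, not the real scam.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: an HTTP page on an unrelated host that frames the
# genuine WHO site and floats a "Verify" form over it.
SAMPLE_PAGE_URL = "http://example-music-site.invalid/who/index.html"
SAMPLE_HTML = """
<html><body>
<iframe src="https://www.who.int/" style="width:100%;height:100%"></iframe>
<div class="popup">
  <form action="verify.php" method="post">
    <input type="email" name="email">
    <input type="password" name="password">
    <button type="submit">Verify</button>
  </form>
</div>
</body></html>
"""


class _PageScanner(HTMLParser):
    """Collects iframe sources and forms (action plus whether a password field is inside)."""

    def __init__(self):
        super().__init__()
        self.iframes = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe" and a.get("src"):
            self.iframes.append(a["src"])
        elif tag == "form":
            self._form = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._form is not None:
            if (a.get("type") or "").lower() == "password":
                self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


def analyze_page(page_url, html):
    """Return a list of human-readable findings for the page; empty means no signal."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()

    page_host = urlparse(page_url).hostname
    # Resolve relative iframe sources against the page URL, then keep the hosts.
    framed_hosts = {urlparse(urljoin(page_url, src)).hostname for src in scanner.iframes}
    framed_hosts.discard(None)
    foreign = sorted(h for h in framed_hosts if h != page_host)

    findings = []
    if foreign:
        findings.append("frames a different site: " + ", ".join(foreign))

    for form in scanner.forms:
        if not form["password"]:
            continue  # only credential-collecting forms matter here
        target = urlparse(urljoin(page_url, form["action"]))
        if target.scheme == "http":
            findings.append(f"password form posts over plain HTTP to {target.hostname}")
        if foreign and target.hostname not in framed_hosts:
            findings.append(
                f"password form posts to {target.hostname}, not to the framed site"
            )
    return findings


if __name__ == "__main__":
    for line in analyze_page(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("-", line)
```

Run it on the constructed sample and all three findings fire; a login page served over HTTPS that posts to its own origin and frames nothing produces no findings. The check is deliberately narrow (it looks only at iframes and password forms), which is what makes it cheap enough to run at time of click.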

What to do?

  • Never let yourself feel pressured into clicking a link in an email. Most importantly, don’t act on advice you didn’t ask for and weren’t expecting. If you are genuinely seeking advice about the coronavirus, do your own research and make your own choice about where to look.
  • Don’t be taken in by the sender’s name. This scam says it’s from “World Health Organization”, but the sender can put any name they like in the From: field.
  • Look out for spelling and grammatical errors. Not all crooks make mistakes, but many do. Take the extra time to review messages for telltale signs that they’re fraudulent – it’s bad enough to get scammed at all without realising afterwards that you could have spotted the fraud up front.
  • Check the URL before you type it in or click a link. If the website you’re being sent to doesn’t look right, stay clear. Do your own research and make your own choice about where to look.
  • Never enter data that a website shouldn’t be asking for. There is no reason for a health awareness web page to ask for your email address, let alone your password. If in doubt, don’t give it out.
  • If you realise you just revealed your password to imposters, change it as soon as you can. The crooks who run phishing sites typically try out stolen passwords immediately (this process can often be done automatically), so the sooner you react, the more likely you will beat them to it.
  • Never use the same password on more than one site. Once crooks have a password, they will usually try it on every website where you might have an account, to see if they can get lucky.
  • Turn on two-factor authentication (2FA) if you can. Those six-digit codes that you receive on your phone or generate via an app are a minor inconvenience to you, but are usually a huge barrier for the crooks, because just knowing your password alone is not enough.
  • Educate your users. Products like Sophos Phish Threat can demonstrate the sort of tricks that phishers use, but in safety so that if anyone does fall for it, no real harm is done. Sophos also has a free anti-phishing toolkit which includes posters, examples of phishing emails, top tips to spot a phish, and more.


Advanced, targeted phishing scams that impersonate well-known brands or VIPs within an organization are a big problem for security teams to deal with.

One common feature of these impersonation attacks, also known as Business Email Compromise (BEC), is that there are generally no malicious payloads or links to scan for. This makes such attacks extremely dangerous because they are notoriously difficult to detect and block.

Warning from the FBI

The FBI is warning organizations to be on the lookout for an increase in these BEC scams. Such scams abuse auto-forwarding rules in web-based email clients, allowing attackers to insert themselves into conversations by leveraging email addresses using domains with similar spelling to their victims’ real addresses.


A recent incident in August 2020 following this pattern of deception allowed attackers to obtain $175,000 from their victim. The FBI’s Internet Crime Complaint Center (IC3) reported BEC schemes resulted in more than $1.7 billion in worldwide losses in 2019.

Who can you trust?

Often making urgent requests for funds or sensitive data, 86% of impersonation emails assume the identity of a specific individual rather than a brand, according to SophosLabs.

They do this to make the communication feel personal and to take advantage of previously established trust relationships to put the target in a stressful situation so that they are more likely to give up sensitive data or release funds.

Attackers know who you’re most likely to trust. Analysis of mailboxes protected by Sophos* revealed the roles most likely to be impersonated:

  • 75% of emails impersonate the CEO or president (the highest-ranking individuals)
  • 10% IT leadership (Director, VP of IT, or CIO)
  • 5% financial leadership (the CFO or finance exec)


The remainder is made up of executive roles and C-suite leaders. What’s interesting is the uptick in medical professionals being impersonated: medical doctors and board-certified pediatricians now make up ~1-3% of individuals impersonated whereas previously they weren’t even on the radar.

People expect email scams, right?

When most people think of malicious emails they picture blatant requests for money, and excessive punctuation!!!

After analyzing thousands of messages we can see that, in reality, attackers are constantly evolving their approaches.


Their initial goal, of course, is simply to get the target to engage. Once the target’s on the hook, the attackers ramp up the pressure. Below are a couple of examples of impersonation phishing messages blocked by Sophos Email.

Trust your inbox with Sophos’ latest email protection update

Can you remember what it’s like to work in an office? Where you could easily talk to real people? You could quickly pop your head into the Finance office and double check that they really wanted $250,000 wired to a supplier at 5pm on a Friday. With us all working from home lately, that’s not so easy.

That’s why Sophos mailbox protection through Sophos Email Advanced is so valuable. Earlier this year, we launched our first impersonation protection feature set, providing a setup assistant that integrates with AD Sync to automatically identify the individuals within an organization who are most likely to be impersonated.

Once set up, Sophos Email scans all inbound mail for display name variations associated with those users. Secondly, by analyzing header information, Sophos Email can identify brand spoofing and impersonation attempts.

The latest advancement for Sophos Email now uses advanced machine learning to detect targeted impersonation (or Business Email Compromise) attacks. Utilizing the Sophos-built deep learning neural network, our advanced ML capabilities analyze the message body content and subject lines of email messages to identify those conversations with suspicious content – specifically in relation to tone and wording used to identify unusual requests from a sender.

Superior phishing protection with Sophos Email Advanced

The level of phishing protection added to Sophos Email in this latest release offers incredible value, with simple controls that help ensure protection is in place quickly.

Social engineering

Suspicious messages can be blocked, quarantined, tagged with a subject line, or have a warning banner added. Sophos scans all inbound email in real time, searching for key phishing indicators with SPF, DKIM, and DMARC authentication techniques and email header anomaly analysis. We also provide impersonation protection using content, display name, and lookalike domain analysis to identify impersonation attempts of a brand or VIP of an organization.
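The signals listed above (display-name variations on VIP names, lookalike sender domains, SPF/DKIM/DMARC results in the headers, and unusual tone or requests in the subject and body) can be combined into a simple triage function. The Python below is an added example written for this page, not Sophos code: the organisation domain, the VIP list, the homoglyph table and the urgency word list are all assumptions, the keyword scan is a crude stand-in for the machine-learning content analysis the text describes, and the two messages it examines are constructed.

```python
"""Heuristic BEC / impersonation triage over a raw RFC 5322 message.

Added example. Checks, in order: display name matches a known VIP but the
address does not; sender domain is a lookalike of the organisation's;
Authentication-Results reports spf/dkim/dmarc=fail; subject or body uses
urgent or payment wording. Each hit becomes one finding.
"""
import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.test"                       # assumption: protected org
VIPS = {"jane doe": "jane.doe@example-corp.test"}      # assumption: AD-synced VIP list
URGENCY = re.compile(r"\b(urgent|immediately|wire|asap|confidential)\b", re.I)


def _normalize(domain):
    """Fold a few common homoglyph substitutions before comparing domains."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(src, dst)
    return d


def _edit_distance(a, b):
    """Plain Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, org=ORG_DOMAIN):
    """True if domain resembles org after homoglyph folding or by one edit."""
    if domain == org:
        return False
    folded = _normalize(domain)
    return folded == org or _edit_distance(folded, org) <= 1


def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[method.lower()] = verdict.lower()
    return results


def assess(raw):
    """Return a list of findings for one raw message; empty means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    name, addr = parseaddr(str(msg.get("From", "")))
    key = name.strip().lower()
    domain = addr.rpartition("@")[2].lower()
    if key in VIPS and addr.lower() != VIPS[key]:
        findings.append(f"display name '{name}' matches a VIP but address is {addr}")
    if is_lookalike(domain):
        findings.append(f"sender domain {domain} is a lookalike of {ORG_DOMAIN}")

    for method, verdict in auth_results(msg).items():
        if verdict == "fail":
            findings.append(f"{method} authentication failed")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits = sorted({m.lower() for m in URGENCY.findall(f"{msg.get('Subject', '')} {text}")})
    if hits:
        findings.append("urgent/payment wording: " + ", ".join(hits))
    return findings


# Constructed sample 1: VIP display name, "rn" for "m" in the domain, DMARC fail.
SAMPLE_BEC = """From: Jane Doe <jane.doe@exarnple-corp.test>
To: accounts@example-corp.test
Subject: Urgent wire transfer
Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=exarnple-corp.test; dkim=none; dmarc=fail (p=none)
Content-Type: text/plain

Please process this payment immediately and keep it confidential.
"""

# Constructed sample 2: the real VIP, authenticated, ordinary content.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.test>
To: accounts@example-corp.test
Subject: Q3 budget notes
Authentication-Results: mx.example-corp.test; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain

Attached are the notes from today's meeting.
"""

if __name__ == "__main__":
    for label, raw in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, assess(raw) or ["no findings"])
```

Note that the lookalike message passes SPF: the attacker controls the lookalike domain and can publish a valid record for it, which is why domain similarity and display-name checks are needed alongside authentication results rather than instead of them.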

Malicious URLs and attachments

To protect against malicious URLs or attachments that may contain malware, Sophos provides real-time URL scanning and Time-of-Click URL rewriting to analyze any URL before it’s clicked. Then Sophos Sandstorm, our AI-powered cloud sandbox, detonates suspicious files to ensure malware never reaches the inbox.

User education

Finally, a great line of defense against email impersonation is intelligent cybersecurity awareness training. Sophos Email works with Sophos Phish Threat, our phishing simulation and training platform. By identifying users who have been warned about or blocked from visiting a website because of its risk profile, or who have replied to a spear phishing email, Sophos Email and Sophos Phish Threat work hand in hand to seamlessly enroll risky users into targeted phishing simulations and training to improve awareness.


Start a no-obligation free trial of Sophos Email and Sophos Phish Threat from our website. Sophos customers who are already managing products through the Sophos Central platform can activate a free trial directly from their console: visit the More Products section in the main navigation to get started.


*Analysis of Sophos Email platform from January – April 2020.