How does it work?
Phishing attacks are scams that attempt to trick the recipient into providing confidential information, such as account credentials, to an attacker, or into unintentionally installing malware through links or attachments used as ruses. A victim receives an email with either a URL link or an attachment purporting to be from a known sender or an entity they do business with, such as a bank or other service provider.
For URL phishing attacks, the email message may ask the recipient to log into their service provider account in order to complete a security update. If the recipient clicks the URL link, they are taken to a fake webpage or login page that looks very similar to the site of the organization the attacker is imitating. When the user enters their login information, it is actually sent to the attacker, and the user is redirected to the real site, thinking they mistyped their credentials the first time.
For attachment phishing attacks, the attachment may be embedded with malicious macros or software that runs when the user opens the document or enables its contents. This then installs malware on the user’s machine that can let the attacker steal information or take control of the system.
For more information on attachment threats, see malicious email attachments.
How can I protect against it?
User education about the signs to look for when an email looks or feels suspicious helps reduce successful compromises of user machines. However, because user behavior is not predictable, phishing detection driven by security solutions is typically critical.
Some reputation-based email gateway solutions can catch and classify phish based on the known bad reputation of the embedded URLs. What these solutions often miss are well-crafted phishing messages whose URLs point to compromised legitimate websites that do not yet have a bad reputation at the time the email is delivered.
Opt instead for a system that identifies suspicious email using anomalytics, which looks for unusual patterns in traffic, then rewrites the embedded URL and keeps a constant watch on that URL for in-page exploits and downloads.
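As an added illustration of the URL-rewriting approach just described (example code written for this page, not part of the original text or any vendor's product), the Python below wraps each link in an email body so that a click is routed through a scanning endpoint, and re-evaluates the destination's reputation at click time rather than at delivery time. The scanner URL, signing key and blocklist are placeholders.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholders for a click-time scanning service and its gateway secret (assumed, not real).
REWRITE_BASE = "https://urlscan.example.com/click"
SIGNING_KEY = b"replace-with-gateway-secret"

# Matches http(s) hrefs in an HTML email body (quoted attribute values only).
HREF_RE = re.compile(r'href=(["\'])(https?://[^"\']+)\1', re.IGNORECASE)


def _sign(url: str) -> str:
    """HMAC over the original URL so the wrapper cannot be forged or altered."""
    return hmac.new(SIGNING_KEY, url.encode(), hashlib.sha256).hexdigest()[:32]


def rewrite_url(url: str) -> str:
    """Wrap one original URL so that a click goes to the scanner first."""
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return REWRITE_BASE + "?" + urlencode({"u": token, "s": _sign(url)})


def rewrite_html_links(html: str) -> str:
    """Rewrite every http(s) href in an HTML email body at delivery time."""
    return HREF_RE.sub(
        lambda m: f"href={m.group(1)}{rewrite_url(m.group(2))}{m.group(1)}", html
    )


def unwrap_url(wrapped: str):
    """At click time: recover the original URL, rejecting tampered wrappers."""
    qs = parse_qs(urlparse(wrapped).query)
    token, sig = qs.get("u", [""])[0], qs.get("s", [""])[0]
    padded = token + "=" * (-len(token) % 4)
    url = base64.urlsafe_b64decode(padded).decode()
    if not hmac.compare_digest(_sign(url), sig):
        return None
    return url


def click_decision(wrapped: str, known_bad_hosts: set) -> str:
    """Gate the click using reputation as it is now, not as it was at delivery."""
    url = unwrap_url(wrapped)
    if url is None:
        return "invalid"
    host = urlparse(url).hostname or ""
    return "block" if host in known_bad_hosts else "allow"
```

Because the reputation lookup happens in click_decision, a host that was clean at delivery but later added to the blocklist is still blocked when the user clicks.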