WASHINGTON, D.C. - The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC) today published "Phishing Guidance, Stopping the Attack Cycle at Phase One" to help organizations reduce likelihood and impact of successful phishing attacks. It provides detailed insight into malicious actor techniques, as well as technical mitigations and best practices to help prevent successful phishing attempts.
A form of social engineering, malicious actors commonly use phishing with the intent to get their targeted victims to visit an illegitimate website or to download malware. To help organizations better understand this activity, this guide categorizes phishing into two common tactics: phishing to obtain login credentials and phishing to deploy malware. It expands upon the two tactics by detailing the techniques frequently used by these actors, such as impersonating supervisors/trusted colleagues, using voice over internet protocol to spoof caller identification, and using publicly available tools to facilitate spear phishing campaigns.
"For too long, the prevailing guidance to prevent phishing attacks has been for users to avoid clicking on malicious emails. We know that this advice is not sufficient. Organizations must implement necessary controls to reduce the likelihood of a damaging intrusion if a user interacts with a phishing campaign – which we know many users do, in every organization," said Sandy Radesky, Associate Director for Vulnerability Management, CISA. "With our NSA, FBI, and MS-ISAC partners, this guide provides practical, actionable steps to reduce the effectiveness of phishing as an initial access vector. We also know that many of the controls described in this guide can be implemented by technology vendors, reducing burden and increasing security at scale. We strongly encourage all organizations and software manufacturers to review this guide and implement recommendations to prevent successful phishing attempts – by design wherever possible."