Use IP address location to stop phishing threats

Although phishing is nothing new, it is still a huge threat. Data from around the world shows:

Phishing accounts for more than 80% of all reported security incidents, and victims lose as much as 17,700 yuan per minute to the threat.

Nearly 30% of phishing emails are opened by their target.

In 2019, approximately 33% of data breaches involved phishing or some form of social engineering.

As many as 65% of targeted attack groups use spear phishing emails to achieve their goals.

About 56% of decision makers believe that phishing is the biggest security threat.

About 1.5 million phishing websites are created every month.

Each user can receive up to 16 phishing emails per month.

A medium-sized company may lose up to $1.6 million due to a successful phishing attack.

The above data is exactly why companies, large and small, need to protect themselves from phishing, which may be one of the oldest threats but is still very much alive. Here is a method that network security teams often use to prevent phishing threats effectively: IP geolocation.

4 ways for cybersecurity teams to use IP geolocation API data to prevent phishing threats

The IP Geolocation API identifies the geographic location of any user from a given IP address. Although many cybersecurity teams do not yet use it routinely to stop phishing threats, integrating this API into existing security solutions can be helpful. The methods are as follows:

1. Prevent phishing emails from entering employees' inboxes

It is well known that phishers use the latest bait to lure potential victims into revealing personally identifiable information (PII), including their online account credentials. Once they have these in hand, they are only one step away from stealing the victim's savings or accessing their company accounts. Of course, the latter brings greater returns to the phishers.

This is why it is a good security practice to pay close attention to the IP addresses of all entities that do business with your company. Integrating the IP Geolocation API into your email security solution can alert you to unknown IP addresses, which can quickly become threat sources.

For example, one of your employees receives an email that claims to come from the bank about a loan to the company. The message originates from a particular IP address; check it against your list of authorized IP addresses (whitelist) to confirm whether it is trustworthy. An email security solution enhanced with the IP Geolocation API can at least alert the recipient of the message when the address is unknown.

2. Avoid doing business with fraudsters

A good company must not only protect its assets, but also its customers. After all, if a phisher can easily use your website to steal information from your customers, you will not be able to maintain customer loyalty.

Take e-commerce as an example. We have seen phishers who obtain credit card information from victims and then use it for card-not-present fraud. Companies that perform IP geolocation checks before completing online transactions can avoid this threat.

A simple comparison of the cardholder's geographic location at the time of purchase with the location on record can stop a fraudulent transaction. In this way, the e-commerce platform not only spares customers from paying for goods ordered by scammers, but also wins their trust.
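The transaction check described above, as an added example that is not part of the original post: the geolocation API is replaced by a constructed lookup table, and the cardholder record (billing country plus countries where earlier orders were confirmed genuine) is hypothetical. Orders whose IP cannot be located, or that come from a country the cardholder has never been verified in, are sent for step-up verification rather than approved.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for an IP Geolocation API response (IP -> country code).
# A real deployment would call the provider's API here instead.
GEO_LOOKUP = {"203.0.113.45": "US", "198.51.100.9": "BR"}

# Addresses that can never be geolocated meaningfully: RFC 1918 private
# ranges and loopback. Listed explicitly because ipaddress.is_private also
# covers the documentation ranges used for the sample data above.
UNLOCATABLE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
               ip_network("192.168.0.0/16"), ip_network("127.0.0.0/8")]

# Hypothetical cardholder record: billing country plus countries in which
# earlier orders were completed and later confirmed as genuine.
CARDHOLDERS = {
    "cust-1001": {"billing_country": "US", "verified_countries": {"US", "CA"}},
}


def geolocate(ip: str) -> Optional[str]:
    """Country for an IP, or None when it cannot be located."""
    addr = ip_address(ip)
    if any(addr in net for net in UNLOCATABLE):
        return None
    return GEO_LOOKUP.get(ip)


def screen_order(customer_id: str, order_ip: str) -> dict:
    """Compare the shopper's current location with the recorded one and
    decide whether the order may proceed or needs extra verification."""
    record = CARDHOLDERS[customer_id]
    country = geolocate(order_ip)
    if country is None:
        return {"action": "step_up", "reason": "order IP could not be geolocated"}
    if country == record["billing_country"]:
        return {"action": "approve", "country": country,
                "reason": "IP matches billing country"}
    if country in record["verified_countries"]:
        return {"action": "approve", "country": country,
                "reason": "IP in a previously verified country"}
    return {"action": "step_up", "country": country,
            "reason": f"IP geolocated to {country}, billing country is "
                      f"{record['billing_country']}"}
```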

3. Prevent your company from becoming a victim of invoice fraud

There are many types of phishing, one of which is business email compromise (BEC). BEC attackers often use fake invoices to steal funds from target companies. They usually pose as vendors and even hijack ongoing email threads to lend their scams an air of legitimacy.

Suppose your manufacturing company obtains many of its raw materials through a large online supplier called AmazingSupplies. Because you are a returning customer, AmazingSupplies does not bill per order but monthly. In other words, your finance department receives an invoice every month.

While processing invoices for the past month, a finance officer receives a suspicious invoice email. The sender's IP address 185[.]120[.]221[.] does not match any address owned by the supplier.

The right thing to do is to confirm that suspicion. A quick way is to run an IP Geolocation API query on the address.

The results show that 185[.]120[.]221[.][28] is located in Tehran, Iran. AmazingSupplies, on the other hand, normally uses US-based IP addresses, and as an established online provider it is unlikely to use IP addresses shared with other domain names. A web search for the IP address (enclosed in quotation marks so that you do not accidentally visit a suspicious website) also reveals that the address has been reported as malicious more than 1,300 times. It is therefore safe to assume that the address does not belong to AmazingSupplies, is malicious, and should be blocked.
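The sender-IP checks from sections 1 and 3 (compare the connecting IP against the vendor's allowlist, then geolocate it and compare with the country the vendor normally operates from), as an added example that is not part of the original post. The geolocation API is replaced by a constructed lookup table, the vendor profile and the two header fragments are constructed, and the addresses come from documentation ranges; a real deployment would call the provider's API.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for an IP Geolocation API response (IP -> country code).
GEO_LOOKUP = {"203.0.113.10": "US", "198.51.100.7": "IR"}

# Hypothetical vendor profile: networks the vendor is known to send from and
# the country it normally operates in.
VENDOR_PROFILE = {"AmazingSupplies": {
    "allowed_networks": [ip_network("203.0.113.0/24")], "expected_country": "US"}}

# Matches "Received: from host (host-or-unknown [1.2.3.4])" as written by an MTA.
RECEIVED_RE = re.compile(r"Received: from \S+ \(\S+ \[(\d+\.\d+\.\d+\.\d+)\]\)")


def sender_ip(raw_headers: str) -> Optional[str]:
    """IP of the server that connected to our own mail gateway. Assumes the
    topmost Received: header is the one our MTA wrote; lower ones can be
    forged by the sender and are deliberately ignored."""
    m = RECEIVED_RE.search(raw_headers)
    return m.group(1) if m else None


def assess_vendor_email(vendor: str, raw_headers: str) -> dict:
    """Allowlist first, then geolocation of unknown addresses."""
    ip = sender_ip(raw_headers)
    if ip is None:
        return {"verdict": "alert", "reason": "no parsable Received header"}
    profile = VENDOR_PROFILE[vendor]
    if any(ip_address(ip) in net for net in profile["allowed_networks"]):
        return {"verdict": "ok", "ip": ip, "reason": "IP in vendor allowlist"}
    country = GEO_LOOKUP.get(ip, "unknown")
    if country != profile["expected_country"]:
        return {"verdict": "alert", "ip": ip, "country": country,
                "reason": f"unknown IP geolocated to {country}, vendor "
                          f"expected {profile['expected_country']}"}
    return {"verdict": "review", "ip": ip, "country": country,
            "reason": "unknown IP in expected country; verify out of band"}


# Constructed header fragments: a genuine invoice and a spoofed one.
LEGIT_HEADERS = ("Received: from mail.amazingsupplies.example "
                 "(mail.amazingsupplies.example [203.0.113.10])\n"
                 "\tby mx.ourcompany.example\nFrom: billing@amazingsupplies.example\n")
FAKE_HEADERS = ("Received: from mail.amazingsupplies.example (unknown [198.51.100.7])\n"
                "\tby mx.ourcompany.example\nFrom: billing@amazingsupplies.example\n")
```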

4. Create a Phisher's Profile

IP addresses can reveal more information about users, not just their geographic location. When querying via the IP Geolocation API, you can also get a list of connected domains, their registrars and connection types. This information may prove useful when investigating phishing attempts or attacks.

Suppose you were the target of a recent phishing attack and your security team was lucky enough to avert it. All the analysts obtained was the IP address 50[.]63[.]202[.]55. Naturally, you do not want to suffer the same fate in the future, so you decide to find out more about the attacker.

You can start by querying the IP address on the IP Geolocation API. It turns out to be related to the quickstartmagento domain. From this you can build a profile of the attacker to identify other potential threat sources. The domain's owner information can be looked up through WHOIS. If any domain name or its owner proves to be malicious, add it to your blacklist as well.

Origin blog.csdn.net/AIwenIPgeolocation/article/details/112984861