What is Phishing?
In short, phishing is an attack targeted at stealing information, whether personal or commercial. Phishing is performed for a variety of reasons; to profit off the theft of banking details, the delivery of malware or ransomware, and espionage both governmental and industrial.
As a form of social engineering, phishing aims to psychologically manipulate the recipient to interact in some way. It is often designed to create a sense of urgency, such as, a call to action on account expiration, payment failures, and other emotional triggers. This urgency aims to lure the victim into responding without questioning the legitimacy of the communication.
There are generally three types of phishing attacks:
- General Phishing – a wide, randomly distributed, net is cast to as many recipients as possible. This ‘mass marketing’ may receive few hits compared to the numbers sent but the number of victims makes up for it. This is the easiest phishing to propagate, being generic and requiring little or no knowledge of the target.
- Spear Phishing – where specific people or companies are targeted. This approach requires knowledge of the target; such as programs or third parties being used, or the name of a legitimate sounding sender. Increased profits justify the time invested to set up the scam.
- Whaling – aimed at high-value targets, such as c-suite or board members. While set up and knowledge has again increased, the payout for reeling in ‘the BIG one’ and the loss to the targeted company is much more significant.
Crises and disasters such as the current pandemic give attackers a large opportunity to lure victims into taking the bait. During an emergency, people experience heightened emotional states and look for guidance, tending to place trust in authorities and employers. Attackers craft their phishing attempts to appear to be from these trusted sources. This sense of trust causes the communications to be less scrutinised than those from an unrecognised source.
What to do about Phishing?
Everyone with the ability to receive electronic messages should be educated on how to recognise a phishing attempt, including the dangers of clicking links or opening attachments from unknown or unrecognised senders.
How can I prevent spam and phishing?
At a personal level, it’s all about vigilance.
- Pay attention to misspelt words, strange looking URLs, and novel or unusual email addresses.
- Look out for URL redirects, which subtly send the victim to altered websites with a matching design.
- Received a suspicious email from a known source? Create a new email instead of hitting reply.
- Don’t post personal data, birth dates, holiday plans, home address, or phone numbers publicly on social media.
How to protect my email from phishing?
To prevent unauthorised access to email and other accounts requiring a log in, use Multi-factor Authentication (MFA) where possible. This makes it difficult for an attacker to compromise accounts.
At an organisation level, after educating personnel:
- Ensure password policies are up to date and follow industry best practices.
- For privileged accounts at a minimum, MFA should be compulsory.
How to protect against a phishing attack?
- Have the right tools in place, such as spam and web filters, and anti-virus solutions.
- Train employees on their role in information security.
- Maintain system and software update policy including tracking.
- Encrypt files at rest and in transit to latest industry best practices.
How is Phishing Done?
There are a number of forms of Phishing, dependant on the style or means of delivery. By far the most common delivery method are emails, often masquerading as from a trustworthy source, such as a real person or company. The availability of phishing ‘kits’, with premade web components, help proliferate phishing and reduce the effort required. These components often include authentic-looking websites and backend content.
Should users take the lure, they are likely to interact with the contents, such as through-clicking on a link which divulges sensitive data, or saving an attachment which downloads malware to their system. One single unwary click is all it takes to compromise a device or account.
No matter which avenue of attack they choose, the common steps attackers take to carry out a phishing attempt are set out below, with examples.
1. Mark the Goal – They attacker decides what they want to achieve. E.g. To get credit card numbers.
2. Choose the Target – Even the simplest of phishing emails need to know the email addresses for the intended recipients. More targeted attacks, such as spear phishing and whaling, specifically require an address list of employees for the target organisation or the addresses of specific individuals.E.g. The Vice President of Marketing.
3. Source Set Up (Background Check) – Once the target has been selected, then the fake email or website can be chosen. For mass target phishing, a widely used or common brand such as PayPal, Google, or eBay may be used. For spear phishing or whaling, these may be designed to look like an ‘in-house’ email, such as from tech support, or a known third party. E.g. The VP’s wedding anniversary approaches and they liked ‘flowers.com’ on Facebook.
4. Attack Distribution (Launch the Attack) – Whether mass or individually targeted, the distribution of phishing emails is often perpetrated through other compromised systems. For example, they may have been the victim of previous phishing activities that included the delivery of malware or stolen credentials, causing an unaware victim’s contact list to be available for the propagation of further emails. E.g. The attacker sends a congratulatory email from ‘flowers.com’.
5. Hook Victims – Dependant on the ‘Source Set Up’ taken above, the hook included within the phishing email can vary. Whether it’s an email from the IT department requesting the renewal or change of passwords, or from eBay asking to verify account details, the hook will always try manipulating the receiver into clicking on the embedded link. E.g. Follow this link to claim your ‘free gift’!
6. Expand and Monetise – Once the victim interacts with the link, following it, and through whichever method set up by the attacker (such as a convincing login portal), the user’s credentials are forfeit. The attacker can now use what they have gained to escalate the breach or gain access to data, and carry out their original plan. E.g. Credit Card details obtained. Time for a spending spree!
Phriendly Phishing has helped organizations of all sizes reduce their security risk and can help you transform your staff into phishing detection heroes you can be proud of. To learn more about Phriendly Phishing or to set up a free demo, please contact us today.