Phishing attacks are attempts to acquire sensitive information like usernames, passwords, and credit card details by masquerading as a trustworthy entity in an email or other communication.
Often, a phishing attack aims to install malware on the victim's computer. Anybody can fall victim to a phishing attack, but they are most widespread among users who know little about information security. Phishers often use spoofed email addresses, authentic-looking websites, and convincing social media profiles to fool their victims.
There are several ways to protect yourself from phishing attacks, but education is your best defence. Know what to look for in an email or web page that might be trying to scam you, and always be suspicious. Let's take a closer look at how you can safeguard yourself from a phishing attack.
How is a phishing attack commonly carried out?
Let's use the example of a company in this instance.
• A spoofed email, seemingly from mycompany.com, is mass-distributed to as many users as possible. Companies often use general distribution lists, which makes this easier for the attacker: addresses such as SALES@COMPANY.COM or ACCOUNTS@COMPANY.COM are easy targets.
• The email claims that the user's password is about to expire and instructs them to go urgently to mycompany.com/renewal to renew it within 24 hours.
If the user clicks this link, several things can happen:
• The user is redirected to mycompany.renewal.com, a fake page that looks exactly like the real renewal page, where both the existing and a new password are requested. The attacker, monitoring the page, captures the existing password and uses it to gain access to the user's mailbox.
• The user is then sent to the genuine password renewal page. However, during the redirect a malicious script runs in the background and steals the user's session cookie. This is a reflected XSS (Cross-Site Scripting) attack, and it gives the attacker privileged access to the end user's mailbox.
The latest phishing emails are far more advanced than the simple schemes of yesteryear. Today you might receive an email from someone claiming that they need your help or there will be consequences; this is called "phoney bait". You might also come across competitions that look tempting but are designed to draw your attention away from the real intention. Think about how many times curiosity has got us all into trouble.
Phishing is getting more sophisticated.
The more complex attacks include well-thought-out elements not generally found in mass-market phishing emails. A typical example is the threatening email that promises to release video evidence, along with your name, to everyone in your address book unless you send Bitcoin or a similar cryptocurrency. These attacks also rely heavily on document-based scams, such as Google Docs links that look legitimate but lead to documents with malicious content delivered as email attachments, or Dropbox files containing hyperlinks that lead straight back to the attacker's website.
1. Phishing is a numbers game
Hackers are constantly looking for new ways to get their hands on your information. One such technique is email phishing, where they send out thousands of fraudulent messages in order to net significant sums from the small percentage of recipients who fall victim.
2. Emails may appear genuine.
These scammers are clever and will go to great lengths to make their phishing messages appear legitimate. They use typefaces, logos and signatures that mimic those of real organizations, which makes the messages seem even more trustworthy.
3. Attackers create a sense of urgency.
In order to force users into taking action, hackers will often try to create a sense of urgency. For example, an email threatening account expiration gives you a deadline and warns that something terrible will happen if you don't act now.
4. Watch out for suspicious links.
Links inside messages resemble their legitimate counterparts but often have a misspelt domain name or extra subdomains. In the example above, the legitimate mycompany.com/renewal became mycompany.renewal.com: the real domain there is renewal.com and "mycompany" is merely a subdomain, which gives the illusion that the site is genuine when it is not.
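A small link checker, added here as an example and not part of the original article, that applies the rule behind this red flag: a link counts as trusted only when the registrable domain itself matches, not when the company name merely appears somewhere in the hostname, in the userinfo part before an "@", or in the path. mycompany.com as the trusted domain and all sample links are constructed.

```python
"""Classify the links in a suspicious email against an organisation's real domain.

Added example, not code from the original article. mycompany.com as the
trusted domain and every sample link below are constructed for illustration.
"""
from typing import Iterable, Optional
from urllib.parse import urlsplit

TRUSTED_DOMAINS = ("mycompany.com",)   # assumed: the organisation's genuine domain


def owning_domain(host: str, trusted: Iterable[str]) -> Optional[str]:
    """Return the trusted domain that `host` truly belongs to, or None.

    Only an exact match or a suffix match on ".<domain>" counts, so
    "portal.mycompany.com" is trusted but "mycompany.renewal.com" is not:
    there the registrable domain is renewal.com and "mycompany" is just a label.
    """
    host = host.lower().rstrip(".")
    for dom in trusted:
        if host == dom or host.endswith("." + dom):
            return dom
    return None

def classify_link(url: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> str:
    """Label a link: 'trusted', or the reason it only looks trusted."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return "unexpected-scheme"           # mailto:, javascript:, or a bare host
    host = (parts.hostname or "").lower()
    brands = [dom.split(".")[0] for dom in trusted]   # e.g. "mycompany"
    # "https://mycompany.com@renewal.com/..." - the browser connects to renewal.com
    if parts.username and any(b in parts.username.lower() for b in brands):
        return "brand-in-userinfo"
    if owning_domain(host, trusted):
        return "trusted"
    # Brand name present in the host but not as the registrable domain,
    # e.g. mycompany.renewal.com or mycompany.com.evil.example
    if any(b in host for b in brands):
        return "brand-as-subdomain"
    if any(b in parts.path.lower() for b in brands):
        return "brand-in-path"              # e.g. renewal.com/mycompany.com/reset
    return "unknown-domain"

if __name__ == "__main__":
    for link in ("https://mycompany.com/renewal",
                 "https://mycompany.renewal.com/renewal",
                 "https://mycompany.com@renewal.com/login"):
        print(f"{link:45} -> {classify_link(link)}")
```

Only "trusted" means the browser will actually connect to the organisation's own domain; every other label is a reason to report the message rather than click.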
What is Spear Phishing?
Spear phishing is an advanced type of email scam that targets a specific person or company to obtain their information, often sensitive data such as passwords. It can be carried out by someone who already has access to personal details about the target, such as intimate photos taken with another person's phone camera without permission. More often, however, it uses fake emails that appear relevant to your work environment and duties.
These targeted phishing attacks are typically aimed at a specific person or group of people. The attacker researches the victim on LinkedIn and learns their name and email address, as well as those of their boss or colleagues. They then send emails that appear to come from trustworthy sources and request something that fits the individual's role within the company. For example, if you were CFO, you might get an urgent message about a "secret project" needing funds deposited into a particular account immediately.
What is Whaling?
Whaling is a targeted and surgical campaign against key members of an organization. The messages are usually carefully crafted to cause maximum damage, often with impeccably researched evidence that can take down even the most powerful person in a company, including the CEO or chairman of the board. Unfortunately, too many of these whaling attacks have been successful, resulting in firings, data breaches, and all too often taking an organization to the point of catastrophe.
How do phishing attackers acquire my details?
Often users rely on one email address and one password, registering with multiple websites and systems using their company email address.
Any of these systems may be compromised.
A compromise leaks the username (in most cases an email address) and the password the user created. If the user reuses that same password elsewhere, the leaked pair can easily be used to scare them.
Two common scenarios arise from these phishing methods.
Scare attack: the perpetrator sends the user an email stating the following.
With this information, they then demand some form of payment from the user, or the information will be sent to the user's entire contact list.
The alternative attack might proceed as follows:
1. A perpetrator investigates the names of employees within a specific department of an organization and gains access to the latest project invoices. Let's use the marketing department for this example.
2. Posing as the marketing director, the attacker emails a departmental Project Manager (PM) using a subject line that reads "Updated invoice for Q3 campaigns". The text, style, and logo imitate the organization's usual email template.
3. A link in the email leads to a supposedly password-protected internal document, which is in fact a spoofed version of a stolen invoice.
4. The PM is asked to log in to view the document. The attacker then steals the PM's credentials, gaining full access to confidential areas of the organization's network.
By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of an APT (Advanced Persistent Threat).
How to prevent a phishing attack
Protection against phishing requires that both users and businesses take steps.
How can users prevent phishing?
Users need to stay alert here. A message may seem convincing, but subtle mistakes can give it away, such as misspellings or altered URLs, even when it appears legitimate at first glance. So before clicking any link in such an email, stop and think: why am I receiving this email?
If you receive such an email, do not click on any of the links or respond in any way. Instead, report it to your IT department or delete it immediately. Phishing emails can be very convincing, but remember that legitimate organizations will never ask you for sensitive information like passwords or credit card numbers via email. If you're ever unsure about an email, err on the side of caution and delete it. Don't risk becoming a victim of identity theft or fraud.
How can businesses prevent phishing?
For companies, several steps can be taken to mitigate both phishing and spear-phishing attacks:
Phishing attacks are becoming more and more sophisticated, but there are steps you can take to protect yourself. While most types of phishing share a common element, namely social engineering to extract confidential or personal information for fraudulent purposes, Microsoft Office 365 has proven itself an excellent defence against these schemes. We have experts who can assist you in safeguarding your business against this type of cybercrime. Contact us if you're unsure how to spot a phishing email or need help implementing security measures to protect your company from phishing attacks.
© Copyright 2022. All Rights Reserved