How to reduce the impact of a data breach with SIEM
Discover how you can reduce the overall impact of a data breach and improve your ability to detect and respond to threats with SIEM technology.…
Rajnish Ghaly
Security Blogger
12th September 2022
Among the many attack vectors available to cybercriminals, phishing remains the easiest and most common. Around 15 billion spam emails are sent across the internet every day, so it is almost certain that you will be exposed to a phishing email at some point. At the time of writing, the UK's National Cyber Security Centre (NCSC) has received over 12 million reports of phishing scams in 2022, which shows that phishing attacks show no signs of abating any time soon.
As effortless as it is for a threat actor to launch a phishing attack, a prepared user and a few basic controls make it much harder for one to succeed in tricking someone into revealing sensitive information. So what does a phishing attack look like, and how can you spot a phishing email?
In this guide, we give you a comprehensive overview of what phishing attacks are, how to recognize a phishing email, the impact phishing campaigns can have on your business, and how to prevent phishing attacks.
Phishing is a form of social engineering designed to dupe targets into revealing sensitive information or into running malware. Threat actors do this by posing as a trusted source, such as a CEO or a supplier, and tricking users into opening a malicious attachment or clicking a suspicious link, typically in an email.
Anyone can be a target of phishing, and cybercriminals understand that the path of least resistance runs through people. Social engineering techniques such as phishing are therefore the simplest and most effective way of eliciting sensitive information from a target.
The motives of threat actors range from stealing and exposing sensitive data for monetary gain to dropping malware. The latter gives cybercriminals control of the victim's computer, from which they can launch further attacks or access data they are not authorised to see.
If your business is unprepared, a phishing attack can bring your entire operation to a standstill, and the consequences last well beyond the incident itself: recovering lost data, or facing litigation as the result of a breach.
There are several different approaches to a phishing attack, but the aim remains the same: to deceive users into giving up sensitive information. The forms of phishing you can expect to encounter include:
Email phishing: The most common form. Threat actors pose as an authority figure, such as a senior employee, and trick their targets into revealing sensitive information by clicking on a suspicious link or downloading a malicious attachment.
Spear phishing: A more targeted attack in which malicious emails are sent to specific people using personalised language. It requires the threat actor to research the intended targets, such as finding out names, email addresses and job titles, so that the resulting email is convincing and has a greater chance of success.
Smishing and vishing: Phishing over the phone. Smishing uses fraudulent SMS messages, while vishing uses voice calls to talk victims into handing over credentials and other sensitive information.
Whaling: Senior individuals, such as a CEO, are targeted with personalised messages built from data gathered on Facebook, LinkedIn or other public websites. The aim is to elicit credentials or personal information that gives the threat actor access to business accounts or to data they are not authorised to see.
Clone phishing: A near-identical copy of a legitimate, previously delivered email, resent from an address that looks like the original sender's, with the links or attachments swapped for malicious ones. Slight differences in the sender address, or an unexpected "resend" of something you have already received, are the giveaway.
Double-barrel phishing: Two emails. The first is harmless and is sent to gain the user's trust and establish the sender as reliable; the second carries the malicious link or attachment and relies on the trust gained from the first.
Trapping: Impersonating an organisation's branding so that the phishing email looks genuine, capitalising on human error to extract personal or financial information.
Baiting: Like email phishing, but the cybercriminal entices the target with an incentive, such as a free download, in exchange for sensitive information.
Angler phishing: Fake social media accounts are set up posing as a brand's customer support. Victims who reach out are prompted to click a suspicious link that installs malware on their device or harvests personal information.
Pretexting: A form of social engineering in which the bad actor stages a false scenario under a disguise, for example impersonating someone in HR, to extract personal information.
Pharming: Legitimate website traffic is redirected to a fake website by tampering with name resolution, for instance by poisoning a DNS cache or the victim's hosts file, so that even a correctly typed URL lands on the attacker's page. Usernames and passwords entered there are captured.
Typosquatting: Threat actors register domains that are deliberate misspellings of real ones to catch users who mistype a URL in their browser.
Tabnabbing: A page left open in a background browser tab rewrites itself, or is replaced, with a fake login page, so that the user returning to the tab re-enters their credentials without suspicion.
It’s crucial that employees know how to identify a phishing attack. Phishing varies in nature and sophistication, but unless staff know what to look out for, cybercriminals will continue to achieve their goals. Security awareness training increases the chance that an attack is spotted and reported before it does damage.
To recognize a phishing attack, look out for the following signs:
Email domains: Legitimate companies usually send from their own domain, so be wary of mail received from a public domain such as @gmail.com, and of domains that are one character away from the real one (examp1e.com in place of example.com)
Bad grammar and spelling: Clumsy wording, spelling mistakes and odd formatting in a message that claims to come from a professional organisation are a warning sign that a less observant user will miss, especially when combined with a misspelt domain name
Suspicious attachments: Legitimate companies rarely send unsolicited email attachments, so always check the file extension (an .exe, .js or macro-enabled .docm posing as an invoice is a classic), and if in doubt, contact the sender through a known channel rather than by replying
Sense of urgency: Be suspicious of deadlines and links that expire within a certain timeframe; the pressure is designed to make you act without full consideration, and a genuine sender rarely needs you to act within hours
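The four signs above can be checked mechanically as well as by eye. The following Python script is an added example, not code from the original article: it parses a raw email and flags a public or look-alike sender domain, a display name that names a trusted domain while the address does not, a Reply-To that diverts replies elsewhere, an executable attachment and urgency phrasing. The trusted-domain list, the public-domain list, the extension list, the phrase list and the sample message are all constructed for illustration and would be tuned to your own environment.

```python
"""Heuristic phishing indicators extracted from a raw RFC 5322 email.

Added example, not code from the original article. The trusted-domain
list, the extension list, the urgency phrases and the sample message are
constructed here for illustration.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed: domains the organisation legitimately sends from (hypothetical).
TRUSTED_DOMAINS = {"example.com", "example-supplier.com"}
# Free webmail domains that a genuine supplier or colleague rarely uses.
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Extensions that execute or carry macros; a double extension such as
# invoice.pdf.exe still ends in one of these.
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk", ".docm", ".xlsm")
# Constructed list of pressure phrases; extend from your own phishing samples.
URGENCY = re.compile(
    r"\b(urgent|immediately|within \d+ (?:hours?|minutes?)|expires?|suspended|"
    r"verify your account)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to flag look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw: bytes) -> list[tuple[str, str]]:
    """Return (tag, detail) pairs for each sign found; an empty list if none."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list[tuple[str, str]] = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = from_addr.rpartition("@")[2].lower()

    # Sign 1: public webmail domain on From or Reply-To.
    for hdr in ("From", "Reply-To"):
        value = msg.get(hdr)
        if value and domain_of(str(value)) in PUBLIC_DOMAINS:
            findings.append(("public-domain", f"{hdr}: {value}"))

    # Sign 2: look-alike of a trusted domain (edit distance 1 or 2), or a
    # display name that names a trusted domain while the address does not.
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(from_dom, trusted) <= 2:
                findings.append(("lookalike-domain", f"{from_dom} ~ {trusted}"))
            if trusted in display_name.lower():
                findings.append(("display-name-spoof", f"'{display_name}' <{from_addr}>"))

    # Sign 3: replies silently diverted to another domain.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(str(reply_to)) != from_dom:
        findings.append(("reply-to-mismatch",
                         f"From {from_dom}, Reply-To {domain_of(str(reply_to))}"))

    # Sign 4: executable or macro-bearing attachments.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("risky-attachment", name))

    # Sign 5: pressure to act now, searched in the text body.
    body = msg.get_body(preferencelist=("plain", "html"))
    match = URGENCY.search(body.get_content() if body else "")
    if match:
        findings.append(("urgency", match.group(0)))

    return findings


# Constructed sample message (not a real capture) showing several signs at once.
SAMPLE = b"""From: "Finance Team example.com" <finance@examp1e.com>
Reply-To: collections@gmail.com
To: staff@example.com
Subject: URGENT: overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your account will be suspended unless payment is made within 2 hours.
Open the attached invoice to confirm.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

if __name__ == "__main__":
    for tag, detail in phishing_indicators(SAMPLE):
        print(f"{tag:20} {detail}")
```

None of these checks is proof on its own (a small supplier really may use Gmail, and marketing mail often sets a different Reply-To), which is why the script reports each sign separately rather than a verdict; a mail gateway or SOAR playbook would weight them and route anything above a threshold for review.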
Phishing attacks rely on human error. So, one of the most effective tactics to prevent a phishing attack is by training your workforce. However, you can’t rely exclusively on users being able to spot a phishing email, which is why you need a multi-layered approach:
Security culture: Create an environment that encourages employees to ask questions and report suspicious emails without fear of blame. By establishing clear policies and procedures around phishing emails, you begin to develop a security culture that can stop a cyberattack in its tracks.
Strong passwords: Encourage long, unique passwords, ideally generated and stored by a password manager. Current NCSC and NIST (SP 800-63B) guidance favours length and uniqueness over complexity rules and forced periodic changes; change a password when there is reason to believe it has been compromised. Users must never reuse a password across accounts, because phished credentials are immediately replayed against other services.
Multi-factor authentication: Use two-factor or multi-factor authentication so that a phished password alone is not enough to log in. Cyber Essentials requires MFA for cloud services, and ISO 27001 expects secure authentication controls that in practice mean MFA for sensitive access, so it is essential if your business is seeking certification. Be aware that phishing kits can relay some one-time codes and push prompts in real time, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys where you can.
Phishing simulations: Create and regularly send tailored phishing emails to your staff to test their vigilance. With a phishing simulator you can see which employees are susceptible and provide additional training to reinforce their awareness.
DMARC: Domain-based Message Authentication, Reporting and Conformance is an email authentication policy that you publish in DNS. It builds on SPF and DKIM: a receiving mail server checks that the domain in the visible From: header is aligned with a domain that passed SPF or DKIM, and if neither passes, applies the policy you have published (p=none to monitor, p=quarantine to send to spam, p=reject to refuse the message). With p=reject, messages that spoof your exact domain are rejected by receivers that enforce DMARC. It does not stop phishing from look-alike domains, and it has no effect on the mail you legitimately send; its aggregate reports (rua=) show you who is sending as your domain.
Email filtering and blocking: Filtering services route suspected phishing to spam/junk folders, where a user can still open it; blocking services, such as rejecting at the gateway or detonating attachments in a sandbox, ensure that it never reaches the user. Use both, and make it easy for users to report whatever slips through.
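To make the DMARC mechanism concrete, here is an added Python example (not the article's code, and not a full DMARC implementation) that parses a DMARC record and decides the disposition of a message the way a receiving server does, given the From: domain and the domains for which SPF and DKIM passed. The record, domains and outcomes are constructed; it ignores pct= and uses a simplified organisational-domain rule instead of the Public Suffix List.

```python
"""Evaluate a DMARC record the way a receiving mail server does.

Added example, not code from the original article. The DNS record and the
SPF/DKIM outcomes below are constructed; a real receiver looks the record up
at _dmarc.<domain> and runs SPF and DKIM itself.
"""
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: " + txt)
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain for relaxed alignment.

    Simplified to the last two labels; a real implementation consults the
    Public Suffix List so that e.g. example.co.uk is handled correctly.
    """
    return ".".join(domain.lower().split(".")[-2:])


def aligned(authenticated: Optional[str], from_domain: str, mode: str) -> bool:
    """Does the SPF/DKIM domain align with the From: header domain?

    mode 's' (strict) needs an exact match; 'r' (relaxed, the default) only
    needs the same organisational domain.
    """
    if not authenticated:
        return False
    if mode == "s":
        return authenticated.lower() == from_domain.lower()
    return org_domain(authenticated) == org_domain(from_domain)


def dmarc_disposition(record: str, policy_domain: str, from_domain: str,
                      spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str]) -> str:
    """Return 'pass', or the policy the receiver applies ('none', 'quarantine', 'reject').

    spf_pass_domain:  the MAIL FROM domain if SPF passed, else None.
    dkim_pass_domain: the d= domain of a valid DKIM signature, else None.
    """
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # The subdomain policy (sp=) applies when the From: domain is a subdomain
    # of the domain publishing the record; otherwise p= applies.
    is_subdomain = from_domain.lower() != policy_domain.lower()
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]


# Constructed record, as it would be published at _dmarc.example.com.
RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    cases = [
        # Attacker spoofs From: example.com from their own server. SPF passes
        # for the attacker's bounce domain, which does not align, and there is
        # no DKIM signature for example.com: rejected.
        ("spoof from attacker infrastructure", "example.com", "evil.test", None),
        # Legitimate bulk mail via a provider using bounce.example.com as
        # MAIL FROM: relaxed SPF alignment passes.
        ("legitimate via mail provider", "example.com", "bounce.example.com", None),
        # Spoof of a subdomain with nothing aligned: sp=quarantine applies.
        ("spoof of news.example.com", "news.example.com", "evil.test", None),
    ]
    for label, from_dom, spf_dom, dkim_dom in cases:
        result = dmarc_disposition(RECORD, "example.com", from_dom, spf_dom, dkim_dom)
        print(f"{label}: {result}")
```

The first case is the one that matters for phishing: the attacker's server may well pass SPF for its own envelope domain, but because that domain does not align with the spoofed From: header and no valid DKIM signature from example.com is present, the receiver applies p=reject. Note that the check lives entirely on the receiving side; publishing the record changes nothing about the mail you send.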