What Is Phishing?
A phishing attack is a type of social engineering. Phishing attacks involve sending fraudulent communications that appear to come from a reputable or known source to the targeted end-user. It is often done through email. The goal is to steal sensitive data, such as private company information (client lists, bank account information, credit card and login information), or to install malware on the victim’s machine.
A phishing attack occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.
One of these attacks can have devastating results. Phishing is often used to gain a foothold in business as a part of a larger attack. In this scenario, employees become compromised in order to bypass security perimeters, distribute malware inside a closed environment or gain privileged access to secured data.
A business impacted by such an attack typically sustains severe financial losses in addition to experiencing an impact to their reputation. In some situations, a phishing attack can affect a business to the point where a business will have a difficult time recovering.
What Is a Phishing Scam?
Email phishing scams
Email phishing is a numbers game. An attacker sending out thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients fall for the scam.
For one, they will go to great lengths in designing phishing messages to mimic actual emails from a spoofed organization. Using the same phrasing, typefaces, logos and signatures makes the messages appear legitimate.
From: HR, HR@internal.it.support.emailblox.com
Sent: Monday, December 14, 2020 3:02 PM
Subject: Missing Information
We are working on the 401K documentation and it seems like the social security number we have on file for you may be incorrect. We have 365- 26-8498 for you. Is it correct? Please let us know ASAP, we need to submit the paperwork by EOD.
In addition, attackers will usually try to push users into action by creating a sense of urgency. For example, as previously shown, an email could threaten expiration and place the recipient on a aggressive timeline. Applying such pressure causes the user to be less diligent and more prone to error.
Lastly, links inside messages resemble their legitimate counterparts, but typically have a misspelled domain name or extra subdomains. Similarities between the two addresses offer the impression of a secure link, making the recipient less aware that an attack is taking place.
Spear phishing targets a specific person or enterprise, as opposed to random application users. It’s a more comprehensive version of phishing that requires special knowledge about an organization, including its decision-making structure.
An attack might play out as follows:
- A perpetrator researches names of the general managers within an organization’s branch office network and in order to gain access to the latest accounts receivable totals for their clients.
- Posing as the CEO, the attacker emails the general managers asking for them to send their accounts receivable (AR) ledger for their branch’s clients, listed by client to him by end of day. The text, style, and included logo duplicate the organization’s standard email template.
- The perpetrator then researches each client from the AR ledger. They then send an email to each client on the ledger, posing as the CFO of the breached organization, stating they have switched banks, requesting the client to use the new, fake bank account information and asks them to submit payment on the outstanding balances within 24 hours.
In this scenario, not only is the breached organization impacted, but their clients are also impacted.
Phishing attack protection requires steps be taken by both users and businesses.
For users, security awareness and education is key. A spoofed message often contains subtle mistakes that expose its true identity. These can include spelling mistakes or changes to domain names. Users should also stop and think about why they’re even receiving such an email.
For businesses, a number of steps can be taken to mitigate both phishing and spear phishing attacks:
- Two-factor authentication (2FA) is the most effective method for countering phishing attacks, as it adds an extra verification layer when logging in to sensitive business applications.
- We also recommend that businesses enforce strict password management policies. For example, employees should be required to frequently change their passwords and not be allowed to reuse passwords for multiple applications.
- Security training and threat awareness educational campaigns can also help diminish the threat of phishing attacks by re-enforcing secure behavior practices, such as not clicking on external email links.
Register for our webinar New Year — New Data Security Policy. With the increase in cybercrime threatening both the public and private sector, it’s important for organizations to have a data security policy in place.
61% of businesses reported a cyberattack in the last year — could your business survive an attack? Contact Verity IT to construct your cyber readiness plan today!