Phishing refers to any attempt to obtain sensitive information such as usernames, passwords, or banking details, often for malicious reasons, by impersonating a trustworthy entity in an electronic communication.
Phishing is typically carried out by direct digital communication. An attack will often direct users to enter sensitive information at a fake website, the look and feel of which match the legitimate site. Correspondence, claiming to have originated from social media, auction or retail sites, financial institutions, or network and IT administrators, are used to trap users. Phishing emails may even contain links to distributed malware, further damaging a victim’s system.
Phishing Types
Spear phishing: An email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. Attackers usually gather personal information about the intended target to increase their chance of success.
Clone phishing: Where an authentic, previously valid email has its content and recipient address stolen, reverse engineered to create an identical or cloned email. Any real attachments or links in the original email are replaced with malicious software, and then sent from a spoofed email address to trick the victim into believing its authenticity.
Whaling: A phishing attack crafted to target an upper manager based on the person's role in the company. The content of a whaling attack email is often written as a legal subpoena, customer complaint, or executive issue. Whaling scam emails are designed to masquerade as a critical business email, sent from a legitimate business authority.
Common Features of Phishing Emails
Dramatic Statements: Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately. For instance, many claim that a target won a phone, a lottery, or some other lavish prize.
Urgency: A common tactic among cybercriminals is to ask the victim to act quickly before an opportunity ends. Most reliable organizations give ample time before they terminate an account and they never informally ask their users to update personal details over the Internet.
Hyperlinks: A link may not be all it appears to be. Hovering over a link shows the actual URL, and it could be totally unrelated to the link text. Sometimes it might appear to be a safe website, but with slightly altered spelling – for example, with the number “1” replacing a lowercase “L”.
Attachments: Unexpected attachments in emails should be treated with suspicion. They often contain payloads like ransomware or other viruses.
Unusual Sender: Low level spam will often be sent by unknown or suspect sounding users. When receiving an email from someone unknown, who seems to be acting suspiciously, practice control in responding too quickly, if at all.
How Criminals Lure You In
The following messages from the Federal Trade Commission’s OnGuardOnline are examples of what attackers may email or text when phishing for sensitive information:
“We suspect an unauthorized transaction on your account. To ensure that your account is not compromised, please click the link below, and confirm your identity.”
“During our regular verification of accounts, we couldn’t verify your information. Please click here to update and verify your information.”
“Our records indicate that your account was overcharged. You must call us within 7 days to receive your refund.”
Avoiding Phishing Attacks
Social Responses: Training to recognize phishing attempts, and deal with them. Education can be effective, especially where training emphasizes conceptual knowledge.
Protect your Personal Information: If people contacting you have key details from your life—your job title, multiple email addresses, full name, and more that you may have published online somewhere—they can attempt a direct spear-phishing attack on you. Cyber criminals can also use social engineering with these details to try to manipulate you into skipping normal security protocols.
Password Protocol: According to NIST guidance, you should consider using the longest password or passphrase permissible. Get creative and customize your standard password for different sites, which can prevent cyber criminals from gaining access to these accounts and protect you in the event of a breach. Use a secure password manager if you cannot remember them. Read this for more information.
Install and Update Anti-Virus Software: Make sure all of your computers, Internet of Things devices, phones, and tablets are equipped with regularly updated antivirus software, firewalls, email filters, and anti-spyware.
Eliminating Phishing Mail: Specialized spam filters that reduce the number of phishing emails that reach addressees' inboxes, or provide post-delivery remediation, analyzing and removing phishing attacks upon delivery through email provider-level integration.
Monitoring and Takedown: Round-the-clock services to monitor, analyze and assist in shutting down phishing websites.
Transaction Verification and Signing: Using a mobile phone (smartphone) or alternate email address as a backup channel for authentication and authorization of sensitive interactions (like financial transactions).
Phishing is one of the largest threats to companies today. A successful phishing attack can not only cost money, it can open a company up to much greater security and data breaches. That is why training and education are so important, as they can greatly reduce the rate of successful phishing attacks.
The first step in blocking phishing emails is to install an email filter. Barracuda provides a comprehensive email filter that blocks spam. It then scans all inbound emails for malicious attachments and URLs against Barracuda’s database of known malicious file types and servers. It also uses advanced analysis to spot signs of phishing such as typo-squatting, link protection, and suspicious language used in the email subject or body.
It’s important to train users to spot potential phishing emails and delete them. Users should err on the side of caution and confirm the authenticity of any unexpected email. GFI Digital can provide software and engineers that use advanced training and simulation to measure your vulnerability to phishing emails and keep users from becoming victims of data theft, malware, and ransomware.
Sources: Barracuda, Cybersecurity & Infrastructure Security Agency