What is a phishing attack?
Phishing is a type of social engineering attack, often used to steal user data, including login credentials and credit card numbers. Despite extensive user education and the deployment of numerous security tools, this form of attack continues to be surprisingly effective. Phishing remains the method of choice for threat actors to compromise networks.
Attackers masquerade as a trusted or known entity in order to trick victims into opening an email, instant message or text message. Once opened, the recipient is fooled into clicking on a malicious link, which can initiate the installation of malware, the freezing of the system as part of a ransomware attack, or the disclosure of sensitive information.
This form of attack is often used to gain a foothold in governmental or corporate networks, usually as part of a larger attack such as an advanced persistent threat (APT) event. In this scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secure data.
Any organisation suffering such an attack will typically suffer severe financial losses, reputation damage, loss of customer trust and a decline in market share. Depending on the scope of the attack, this may even escalate into a security incident from which the affected business will have a difficult time recuperating.
Email phishing scams
This form of phishing is more of a numbers game. The attacker sends out thousands of fraudulent messages in order to gain significant information and sums of money, even if only a small percentage of the thousands of recipients fall for the scam.
There are many techniques an attacker can use in order to increase the success rates of an attack. For example, they will go to great lengths in designing phishing messages to mimic actual emails from a spoofed organisation. Using the same phrasing, typefaces, logos, and signatures makes the messages appear legitimate.
An attacker will also try to create a sense of urgency, coercing the victim into taking action. For example, an email could threaten account expiration and place the recipient on a timer; this tactic causes the user to be less diligent and more prone to error. Furthermore, links within a phishing email will more often than not resemble their legitimate counterparts, but there tends to be a misspelled domain name. Similarities between the two addresses offer the impression of a secure link, making the recipient less aware that an attack is taking place.
- Legitimate: myuniversity.edu/renewal
- Resembling: myuniversity.edurenewal.com
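The look-alike address above is the kind of thing a mail gateway or a user-reported-phish triage script can check automatically. The following is an added example, not code from the original article: it extracts every URL from a message body, reduces each hostname to its registrable domain, and classifies it against an allowlist of the organisation's own domains. The allowlist, the short public-suffix table, the constructed email body and the edit-distance threshold of 2 are all assumptions made for the example; a production check would consult the full Public Suffix List and a brand list maintained by the organisation.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed allowlist: domains this organisation actually owns (assumption).
LEGITIMATE_DOMAINS = {"myuniversity.edu"}

# Tiny stand-in for the Public Suffix List so that e.g. example.co.uk is handled (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "ac.uk", "com.au"}

# Two typo-squatting characters of distance is treated as "too close" (assumed threshold).
MAX_EDIT_DISTANCE = 2

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample email body in the style of the urgency lure described above.
SAMPLE_BODY = (
    "Your account expires in 24 hours. Renew now at "
    "https://myuniversity.edurenewal.com/login or read the policy at "
    "https://myuniversity.edu/renewal."
)


def registrable_domain(host: str) -> str:
    """mail.myuniversity.edu -> myuniversity.edu; shop.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character swaps such as l for i."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'legitimate', 'lookalike' or 'unknown' for one URL."""
    if "://" not in url:
        url = "http://" + url  # the article's bare "myuniversity.edu/renewal" form
    host = (urlparse(url).hostname or "").lower()
    domain = registrable_domain(host)
    if domain in LEGITIMATE_DOMAINS:
        return "legitimate"
    for legit in LEGITIMATE_DOMAINS:
        brand = legit.split(".")[0]
        # Brand name present anywhere in a hostname we do not own, e.g.
        # myuniversity.edurenewal.com (brand as a subdomain of an attacker's domain).
        if brand in host.replace("-", ""):
            return "lookalike"
        # Registrable domain within a couple of edits of ours, e.g. myuniverslty.edu.
        if edit_distance(domain, legit) <= MAX_EDIT_DISTANCE:
            return "lookalike"
    return "unknown"


def scan_email_body(body: str) -> List[Tuple[str, str]]:
    """Extract every URL from a message body and classify each one."""
    urls = [u.rstrip(".,;:)") for u in URL_RE.findall(body)]
    return [(u, classify_url(u)) for u in urls]


def summarise(body: str) -> Dict[str, int]:
    """Count classifications; a single 'lookalike' is enough to quarantine the message."""
    counts: Dict[str, int] = {"legitimate": 0, "lookalike": 0, "unknown": 0}
    for _, verdict in scan_email_body(body):
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    for url, verdict in scan_email_body(SAMPLE_BODY):
        print(f"{verdict:10s} {url}")
```

The substring test deliberately runs over the whole hostname rather than the registrable domain, because the article's example places the real brand in a subdomain of a domain the attacker controls; the edit-distance test covers the other common case, a single swapped character in the registrable domain itself.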
Spear phishing
This method of phishing targets specific people or organisations, rather than random application users. It is a more in-depth variation of phishing that requires special knowledge of the targeted organisation, including its power structure.
An attack might play out as follows:
- The attacker conducts research on the organisation, for example the names of employees within a certain department, and gains access to the latest project invoices.
- Masquerading as an employee, the attacker emails a departmental project manager using a subject line that reads similarly to previously sent emails, maintaining authenticity.
- A link in the email redirects to a password-protected internal document, which is, in reality, a spoofed version of a stolen invoice.
- The project manager is requested to log in to view the document, after which the attacker steals their credentials, enabling them to gain full access to sensitive areas within the organisation's network.
By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of an APT.
How to prevent phishing
Being vigilant is key. A spoofed message often contains minuscule mistakes that expose its true nature; as discussed previously, these can include spelling mistakes or changes to domain names.
Several steps can be taken by organisations in order to mitigate both phishing and spear phishing attacks:
- Two-factor authentication (2FA) is the most effective method to counteract a phishing attack. It prevents the use of compromised credentials, since these alone are insufficient to gain entry, even when employees are compromised.
- Using appropriate password management policies, as advocated by the National Cyber Security Centre. Current thinking is to use longer, more difficult to guess passphrases and to actively check for reused passwords. There are a number of tools which will check whether a user has reused a password that has previously been revealed in a data breach (LinkedIn and Facebook, to name just two).
- Educating employees, so that they are aware of what to look out for, can also help diminish the threat of phishing attacks. Enforcing secure practices provides an additional layer of protection.
- Not naming and shaming victims of phishing attacks, thereby encouraging people to come forward if they suspect they may be the victim of an attack. It is always preferable to know about potential attacks as quickly as possible.
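The second step above, checking a candidate password against known breach data, can be done without ever sending the password or its full hash to the checking service. The following is an added example, not code from the original article or from any particular tool: it simulates both sides of the k-anonymity range query used by Have I Been Pwned's Pwned Passwords service, where the client sends only the first five hex characters of a SHA-1 digest and compares the returned suffixes locally. The breach corpus and the twelve-character minimum length are constructed assumptions for the example; the article gives neither.

```python
import hashlib
from typing import Dict, List

# Constructed breach corpus standing in for a real leaked-password data set (assumption).
BREACHED_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Summer2019!"]

# Assumed minimum length for this example's policy; the article states no number.
MIN_LENGTH = 12


def sha1_hex(password: str) -> str:
    """SHA-1 here is only the lookup key of the range-query scheme.
    Passwords at rest should still be stored with a slow, salted hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords: List[str]) -> Dict[str, List[str]]:
    """Server side: bucket every breached hash by its first five hex characters."""
    index: Dict[str, List[str]] = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(digest[5:])
    return index


BREACH_INDEX = build_breach_index(BREACHED_PASSWORDS)


def range_query(prefix: str) -> List[str]:
    """Server side: answer a 5-character prefix with every 35-character suffix in that bucket.
    The server never sees the full digest, so it cannot tell which password was checked."""
    return BREACH_INDEX.get(prefix.upper(), [])


def is_breached(password: str) -> bool:
    """Client side: hash locally, send only the prefix, compare the suffix at home."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5])


def policy_violations(password: str) -> List[str]:
    """Reasons a candidate password would be rejected; an empty list means accepted."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        reasons.append("appears in a known data breach")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "Summer2019!", "correct horse battery staple"]:
        problems = policy_violations(candidate)
        print(f"{candidate!r}: {'accepted' if not problems else '; '.join(problems)}")
```

Because only a 20-bit prefix leaves the client, a real range query returns hundreds of suffixes per bucket and the service learns nothing useful about the password being checked; the same check can therefore be run at password-change time and periodically against existing accounts without widening the organisation's exposure.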
Phishing is not going away; it is evolving, and so are cyber criminals. With the overload of emails, the chance of getting every employee to become a phishing detective is very low. Therefore, users and organisations should assume that a phishing email will often make it into their inbox.