What is phishing?
Phishing is a cyberattack in which disguised emails are used to deceive people into sharing sensitive information. Just like fishing, there are several baits a hacker can use to reel in the email recipient, but the most common one is imitating a person or organization the recipient trusts, such as a coworker, a government body or a bank, in order to send malicious emails or texts. The goal is to trick the recipient with an enticing subject line, such as an important message or a request from their bank. The message generally carries a link or an attachment of some sort.
If the recipient takes the bait and clicks the link, they may be redirected to an imitation site where they are asked for details. If the recipient fills in that information, the hacker can use it to steal their identity, use their banking details or even sell the personal information on the black market.
Sending phishing emails is one of the oldest and most common types of cyberattack, dating back to the 1990s, and it is still used today even though phishing messages and techniques have become increasingly sophisticated.
“Phishing attacks are the most basic form of cyberattack and they can be tailored to the recipient.”
Common types of phishing attacks
- SPEAR PHISHING
Imagine a fisherman who is aiming for one specific fish rather than casting a bait to see how many fish bite. Spear phishing uses the same concept: the content of the email subject and message is tailor-made for the individual or organization.
The goal is the same as in clone/deceptive phishing: the phisher lures the email recipient into clicking a malicious link or attachment so they can get hold of their personal data.
Spear phishing is commonly seen on social media like LinkedIn, where phishers can use various sources of information to send targeted emails that attack a specific person or organization. The phisher needs to gather information about the target victim to craft a believable email.
- CLONE PHISHING
Clone phishing is one of the most common forms of phishing scam. It refers to an attack in which hackers or phishers impersonate a legitimate company or person and attempt to steal people’s personal information or banking credentials. These emails frequently use threats, delivered via a link or attachment, to create a sense of urgency and scare the recipient.
Unsuspecting users who click the link or open the attachment often leave their systems vulnerable. The phisher can then assume the victim’s identity to send malicious emails or texts to other victims in the same organization.
- WHALE PHISHING
Whale phishing, or whaling, is a form of spear phishing aimed at the top members of an organization. Here the phishers attempt to steal the personal data of high-value targets such as CEOs.
Many whaling campaigns target company board members: they hold a high position in the company, but they often use personal email addresses, which makes them vulnerable to cyberattacks.
- PHONE PHISHING
Phone phishing, or ‘vishing’ (voice phishing), involves a phone call in which the phisher claims to be a representative of your local bank or a government organization.
The caller tries to scare you with some form of problem and insists that you share personal information to help resolve it. For instance, they may ask for your credit card number and PIN or your bank account information, which a bank would never ask for. They could even ask you to make a wire transfer or pay supposed fines with a prepaid card, since such payments are hard to trace.
How to identify a phishing attack
Phishers are getting savvier, and only highly savvy users can recognize and avoid the potential damage, such as credential theft and account compromise. A naive user may not think much before clicking on random links or attachments if the sender is known, and may wind up with spam advertisements and pop-ups.
Phishing attacks usually work because of human nature and curiosity. If you aren’t expecting an email from someone and receive one anyway, check everything before clicking any unidentified links or attachments in it. The most successful phishing attacks target one person with a personalized email, so it doesn’t even feel like an attack.
The best way to learn to identify phishing attacks is to study examples on the internet. You can also keep a few things in mind that will help you avoid falling for a phishing attack –
- Check the spelling of any URLs you receive before you click
- Check the website properly before entering any sensitive data
- Keep an eye out for URL redirects – where you are guided to a different website
- If you receive an email from someone you know or from a known source, but it seems suspicious – recheck with them in a new email
- Do not post any personal information publicly on social media
Commonly used email subjects
The most common email subjects used for phishing attacks relate to social media, personal matters or business. However, phishers sometimes use random email subjects to target users.
Some of the keywords found in these emails are – requests, follow up, urgent/important, are you available?, payment status, purchases, invoice due, pending payments, reply to previous email chain, direct deposit, expenses or payroll.
Some of the commonly found email subjects are –
Top-Clicked Social Media Related Subjects in Q1 2019:
- LinkedIn: Join my network, Profile Views, Add me to your network, New InMail Message
- Facebook: Password Change, Primary email changed
- Login alert for Chrome on Motorola Moto X
- Your password was successfully reset
- New voice message at 1:23AM
- Your Friend Tagged a Photo of You
Top 10 Most-Clicked General Email Subjects in Q1 2019:
- De-activation of [[email]] in Process
- A Delivery Attempt was made
- You Have A New Voicemail
- Failed Delivery for Package #5357343
- Staff Review 2018
- Revised Vacation & Sick Time Policy
- APD Notification
- Your Order with Amazon.com
- Re: w-2
- Scanned image from MX2310U@[[domain]]
Most Common ‘In the Wild’ Attacks in this period were:
- Wells Fargo: You have a new secure mail
- Undelivered Mail
- Etrade: Action Required!
- Microsoft Teams: Rick sent a message
- Microsoft/Office 365: Action required: Update your payment information now
- Stripe: Just now someone logged in to your account
- HR: Your Action Required
- Amazon: Refund Notification
- OneDrive: Your OneDrive is out of storage space
- HR: Download your W2 now
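As an added example that is not part of the original article, the following Python script applies the checks from the list under “How to identify a phishing attack” (URL spelling and disguised redirects) together with the lure keywords from the subject lines above to one constructed sample message. The trusted-domain list, the keyword list and the sample email are assumptions made up for the demonstration.

```python
import re
from urllib.parse import urlparse

# Lure words drawn from the subject lines the article lists (an assumed selection).
LURE_KEYWORDS = ["urgent", "important", "action required", "payment status", "invoice due",
                 "pending payment", "direct deposit", "payroll", "password", "voicemail", "w-2"]
TRUSTED_DOMAINS = ["example-bank.com", "linkedin.com"]  # constructed: domains you actually use
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_TEXT = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$")

def edit_distance(a, b):
    """Levenshtein distance; 1 or 2 against a trusted name means a lookalike spelling."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze_email(subject, html_body):
    """Return triage findings for one message; an empty list means nothing was flagged."""
    low = subject.lower()
    findings = [f"subject uses lure keyword '{k}'" for k in LURE_KEYWORDS if k in low]
    for href, text in ANCHOR.findall(html_body):  # simple anchor extraction, enough for plain HTML mail
        target = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_TEXT.match(re.sub(r"<[^>]+>", "", text).strip().lower())
        # Visible text names one domain but the link goes elsewhere: a disguised redirect.
        if shown and shown.group(1) != target:
            findings.append(f"link shows '{shown.group(1)}' but goes to '{target}'")
        # The real host is a near-miss spelling of a domain the organisation trusts.
        for trusted in TRUSTED_DOMAINS:
            if target != trusted and not target.endswith("." + trusted) and edit_distance(target, trusted) <= 2:
                findings.append(f"'{target}' looks like '{trusted}'")
    return findings

# Constructed sample message modelled on the "Action required" subjects listed above.
SAMPLE_SUBJECT = "Action required: Update your payment information now"
SAMPLE_BODY = ('<p>Please sign in at <a href="http://examp1e-bank.com/login">www.example-bank.com</a> '
               'or <a href="http://example-bank.com.evil.test/">example-bank.com</a>.</p>')

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_SUBJECT, SAMPLE_BODY):
        print(finding)
```

Run on the sample it reports the lure keyword, both links whose visible text does not match their real host, and the one-character lookalike domain.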
How to protect yourself from phishing attacks
Think twice and question everything; trusting every email and URL is not wise. Use two-step verification/authentication whenever possible.
Having trust issues when it comes to working on the internet might seem cold, but it is necessary. Security is not something you can compromise on, especially in the business world, where sensitive documents and financial matters are concerned.
To confirm the legitimacy of an email, don’t reply to the sender for confirmation. Either send a separate email, call them or try to see them face to face. Otherwise, you might just get a response from the criminal telling you everything’s okay.
How to protect your business from phishing attacks
As a business you must think not only about your company’s important information but also about your employees. Taking every step to secure your business’s important and sensitive information is necessary, but another necessary action is training your employees in the prevention of cyberattacks.
A few things to keep in mind are –
- Make sure you choose your email provider wisely
- Enable two-factor verification, if possible
- Make sure your employees are using different passwords for different accounts
- Ensure that passwords are changed at regular intervals
If something seems phishy, recheck your email logs to see whether any suspicious logins can be detected. Ask for confirmation when you receive any email requesting sensitive or confidential information. Do not hit reply; send a separate email to ask for confirmation, or call.
When it comes to businesses, big or small, cyberattacks are not a subject to take lightly. Cybersecurity is a necessary step for every type of business, and we are here to help you secure your business against malicious attacks.
We’re here to help you with your organization’s cybersecurity needs. We can help you create a future-proof cybersecurity strategy to protect you and your organization from any cyber risks, attacks and damages. Please get in touch with us either via email: firstname.lastname@example.org or via our secure online form.