This way of hacking is becoming increasingly popular with cybercriminals, as it is far easier to infiltrate a person’s private information with a seemingly legitimate email, than break through robust security systems protecting such information.
Why phishing attacks are successful
Social engineering is one of the main ways businesses succumb to breach, usually through e-mail phishing attacks. Tactics are employed to gather Personally Identifiable Information (PII) such as bank details, phone numbers, addresses, occupation details, job titles and names of fellow colleagues. Once the attacker has this information, they can craft a believable message containing a malicious link or attachment which the victim is lured into interacting with. Because the email appears to be from a credible source, or known person, the attack is often a success – a link is clicked, a pdf opened, or bank details entered into a request form. Just like that your information has been captured and you have opened the gateway into your business – you are now under attack and you probably won’t even know about it until it’s too late!
Types of Phishing
Spear Phishing is when scam messages appear to be from a credible known sender, like someone from within your organisation, and you believe the mail to be genuine so act upon their requests.
Whaling attacks are a type of spear phishing and so are similar in approach. The main difference being that they target more senior members of a business. Their objective here is to steal large sums of money, usually by deceiving an executive to authorise a payment. Similar to spearing, the victim’s PII is gathered to make the message seem authentic.
Pharming is another type of phishing that relies on DNS cache poisoning (this is the corruption of an Internet server’s domain name system) to redirect users to a fraudulent site that has the appearance of a legitimate one, in order to obtain personal information such as passwords, account numbers, etc.
Spotting a Phishing Attack
Many phishing emails will often be poorly written – look out for incorrect spelling and poor grammar. They may also use promotional hooks to generate high click-through rates, like too good to be true offers and giveaways. It is common for phishing emails to be centered around major events, holidays and anniversaries or take advantage of breaking news.
How to Identify a Phishing attack
- Check the senders address – be suspicious if it is unknown, misspelt or has a ‘no reply’ address i.e. firstname.lastname@example.org. Also, ‘q’ is often used instead of ‘g’ in email addresses, or an underscore is present, both of which are easily overlooked at a first glance.
- Mouse over a hyperlink or attachment to reveal the actual address. You should be able to tell if this is an imitation address, i.e. drive-google.com, or it may have an unusual suffix i.e. ‘mailru382.co.’
- The message will contain a Call To Action (CTA) element i.e. a button or a link to click, which will probably take you to a fraudulent site asking you to verify personal and or financial information such as passwords, user IDs or bank account information. Be aware and check the credibility of the source, even if they seem legitimate i.e. your bank, Dropbox, Microsoft, Google Drive etc. Maybe even call the alleged sender to check if it really is them that have sent the message, before you click a link.
- Be suspicious of any email message declaring you have won something then encourages you to click a link to claim your prize.
- Look out for misspelled words and special characters inserted in inappropriate places.
You also need to maintain vigilance when using the internet. Be wary of pop ups as they can direct you straight to fraudulent websites. Always make sure there is a small padlock icon at the beginning of the address bar to show the page is secure. This is particularly important when you are using a payment portal where you are submitting bank details.
We highly recommend that you have data protection and Antivirus software installed for that added security. However, it’s all good and well protecting your perimeters but if a legitimate looking phishing email finds it’s way inside your organisation, it’s your army of people that need to be prepared so they can identify it before falling foul to the attempted attack. This is why we suggest your team undergo social engineering and phishing training to get their defences ready.
How We Can Help
This is just a brief overview of phishing and how to identify malicious emails and links. If you have any concerns you would like to talk through, or want to find out more about our data protection and security services, please give our experts a call on: 01282 500770.
We offer social engineering training and data protection solutions, so please get in touch to see how we can help protect your business.