Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What Are Phishing Attacks and How do They Happen?

Phishing is a social engineering technique commonly employed by cyber-criminals to trick unsuspecting victims into downloading a malicious application or visiting a malicious website.

Phishing attacks are typically carried out via email, although other mediums can be used, hence the terms vishing (voice phishing) and smishing (SMS phishing).

In most cases, the goal of phishing is to obtain sensitive information by one means or another. According to a 2019 report by the FBI, phishing is the most common type of internet crime, with over 114,000 victims targeted in the US, costing them a total of around $57.8 million.

One of the main reasons why phishing is so popular is because it does not require any special tools or skills to launch a basic campaign.

What Do Phishing Attacks Look Like?

Attackers will typically try to masquerade as legitimate entities, such as banks or retailers, and in some cases they pretend to be people from within your organization, such as co-workers, the H.R. department, or the CEO.

During the ongoing coronavirus pandemic, we have seen an increase in phishing emails pretending to be from government entities, expert organizations, and insurance companies. This is unsurprising, as cyber-criminals will always try to prey on people’s fears to convince them to click on a link or download an attachment.

As an example, some COVID-related phishing emails come with an attachment which masquerades as a guide on how to stay safe during the pandemic.

How Do Phishing Attacks Happen?

Initially, attackers will try to gain access to any account they can, such as the user account of a sales representative, and then use the compromised account to move laterally throughout the network.

Likewise, it is common for attackers to compromise accounts in smaller companies, and then leverage the trust they have with larger companies in order to make their campaigns more effective.

We’re also seeing a resurgence of a technique called typosquatting, also referred to as URL hijacking, which is where the attackers buy domains that are similar to well known, trusted domains, for use in the phishing emails.

For example, attackers will look for domains like goggle.com, which, at first glance, could easily be mistaken for google.com. Likewise, the spoof website which the user is sent to will be designed to look exactly like the website they are trying to imitate, and thus the victim is more likely to hand over their credentials when asked.

Phishing Attack Methods

Until recent years, most phishing attacks used a simple “spray and pray” approach, which is where the attackers send out as many emails as possible in the hope that someone will bite. However, as people began to wise up, the attackers had to shift towards a more targeted approach.

Broadly speaking, there are three main techniques used in targeted phishing attacks: spear phishing, clone phishing and whaling. In some cases, the attacker will use more than one of these techniques in a single campaign. However, once the attacker has successfully convinced the victim to engage, there are a number of options available to them.

As mentioned above, they may simply redirect the victim to a spoof website which asks them to enter their credentials, or they might convince them to download a malicious file. The malicious file could be a form of Spyware, which runs in the background of their operating system, harvesting credentials or other types of sensitive information, such as Social Security numbers or bank details.

Alternatively, they might convince them to download a ransomware application, which will encrypt their files, and request a ransom payment (usually in Bitcoin), in order for them to get their files back.

Spear phishing, as the name would suggest, is where the attacker targets a specific individual within an organization. In spear phishing attacks, attackers will typically target whoever they believe will be the most likely to fall for the trap. Once they have obtained that person's credentials, they can use the account to target other individuals within the organization.

Whaling, a technique that often follows a successful spear phishing attack, is where the attacker goes after the bigger fish within an organization, such as managers, executives, or any personnel whom employees are likely to trust and not question when prompted to disclose sensitive information. As you would expect, both spear phishing and whaling require extensive knowledge of the target organization. Attackers will often use social media platforms such as LinkedIn and Facebook to carry out research about the company and its employees. When attempting to convince employees that they are the CEO, they will need to ensure that they are able to accurately impersonate them, which includes using the same kind of language that the CEO would typically use.

Cloning is where the attacker obtains a copy of a legitimate email that was sent to a particular recipient. The attacker will change the link in the email to one that redirects the victim to a malicious website, or if the email contains an attachment, they replace it with some form of malware. When the email is resent, the recipient is less likely to question its legitimacy, as it looks exactly like the one they received before.

How to Protect Your Company from Phishing Attacks

With the exception of spam filters and Antivirus software, which can help to identify and block emails that come from untrusted sources, your employees are your first line of defense. As such, the most obvious approach to protecting your business from phishing attacks is to ensure that your employees are sufficiently trained.

It might be a good idea to create a checklist, which employees can follow to ensure that they are able to identify suspicious emails. The checklist will need to be placed somewhere that is visible to all employees, such as a wall in the hallway or canteen, or perhaps on the back of a toilet door. Below are some of the points that will need to be considered when creating a checklist:

  1. Firstly, employees will need to check for any mismatching URLs used in the email by hovering over the link and checking it against the anchor text.
  2. They will need to look out for emails that are sent from public email providers, such as Hotmail, Yahoo! or Google, as it’s less likely that any legitimate company would use a public email address to send business emails.
  3. Given that we are still in the midst of a pandemic, employees should be extra cautious of any emails that use scare tactics or urgent language to convince them to download an attachment or click on a link.
  4. Employees will need to check the email subject and body for any spelling and grammar mistakes, and they should also be cautious of emails that claim to know who they are but fail to provide any evidence (such as their name) that would confirm the legitimacy of their acquaintance.
  5. Employees should never share any credentials via email, even with trusted executives. Finally, any suspicious activity whatsoever should be reported to the IT department.
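The checks in the list above, together with the typosquatting lookalike check described earlier, can be automated as a first-pass screen before a message reaches an inbox. The following Python script is an added example, not code from the Lepide post: the trusted-domain and public-provider lists, the urgency keywords and the sample email are all constructed for the demo.

```python
# Added example (not from the Lepide post): a screening heuristic that applies the
# checklist above to one message. Domain lists and the sample email are constructed.
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"google.com", "paypal.com"}                # assumed allow-list
PUBLIC_PROVIDERS = {"hotmail.com", "yahoo.com", "gmail.com"}  # point 2 of the list
URGENCY_WORDS = ("urgent", "immediately", "verify your account", "suspended")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # crude
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", re.I)

def registrable(host):
    """Crude 'example.com' from 'www.example.com'; enough for the demo."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike(domain):
    """Typosquat check: close to, but not equal to, a trusted domain."""
    return any(d != domain and SequenceMatcher(None, d, domain).ratio() > 0.8
               for d in TRUSTED_DOMAINS)

def screen_email(sender, subject, html_body):
    """Return the checklist findings for one message (empty list = no flags)."""
    findings = []
    sender_domain = registrable(sender.rsplit("@", 1)[-1])
    if sender_domain in PUBLIC_PROVIDERS:
        findings.append(f"sender uses public provider: {sender_domain}")
    text = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    if any(w in text for w in URGENCY_WORDS):                  # point 3
        findings.append("urgent or scare language in subject/body")
    for href, anchor in LINK_RE.findall(html_body):
        host = registrable(urlparse(href).hostname or "")
        shown = DOMAIN_RE.search(re.sub(r"<[^>]+>", "", anchor))
        # point 1: the anchor text shows one domain, the href goes to another
        if shown and registrable(shown.group()) != host:
            findings.append(f"link text '{shown.group()}' actually points at {host}")
        if lookalike(host):
            findings.append(f"lookalike of a trusted domain in link: {host}")
    return findings

# Constructed sample: a 'sign in' lure sent from a webmail address
SAMPLE_FINDINGS = screen_email(
    "security-team@yahoo.com",
    "URGENT: verify your account",
    '<p>Sign in at <a href="http://goggle.com/login">https://google.com</a></p>')
```

Running the sample produces four findings (public sender, urgent language, mismatched link text, lookalike domain); a plain internal report mail with a matching link produces none.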

For a more detailed list of other ways to protect your business from phishing attacks, check out this blog we wrote earlier.

When this fails, the only course of action is to be sure that you are able to quickly detect and respond to security threats initiated through phishing attacks. To see how the Lepide Data Security Platform helps you do this, schedule a demo with one of our engineers.