Phishing is a type of social engineering attack often used to steal user data, including login information and credit card numbers. This happens when an attacker, posing as a trusted person, tricks the victim into opening an email, instant message, or SMS. The recipient then clicks on a malicious link that could lead to the installation of malware, the system freezing as a result of a ransomware attack, or the disclosure of confidential information.
An attack can have devastating results. For individuals, this includes unauthorized purchases, theft of funds, or theft of personal data.
Phishing is also often used to gain a foothold in corporate or government networks as part of a larger attack, such as an advanced persistent threat (APT) campaign. In that scenario, employees are compromised so that the attacker can bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to protected data.
An organization that succumbs to such an attack typically suffers severe financial losses in addition to declining market share, reputation, and consumer confidence. Depending on its extent, a phishing attempt can escalate into a security incident from which a business will find it difficult to recover.
Examples of phishing attacks
The following is a common phishing scam attempt:
- A spoofed email from [email protected] is sent to as many customers as possible.
- The message states that unusual activity was detected on the recipient's Bank of America debit card and instructs them to follow a link (the phishing link) and sign in to review the activity on their account.
Several things can happen by clicking on the link. For example:
- The user is redirected to http://bit.do/ghsdfhgsd, a bogus page that looks exactly like the real update page, where the current and a new password are requested. The attacker, monitoring the page, captures the original password and uses it to access protected areas of the university network.
- The user is directed to the genuine password update page. However, during the redirect, a malicious script runs in the background to capture the user's session cookie. This results in a reflected XSS attack, giving the attacker privileged access to the university network.
Email Phishing Frauds
Email phishing is a numbers game. An attacker sending thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients fall into the trap. As can be seen from the above, attackers use certain tricks to increase their success rate.
First, they go to great lengths to design phishing emails that mimic real emails from the spoofed organization. Using the same wording, fonts, logos, and signatures makes the messages appear legitimate.
Second, attackers usually try to push users into action by creating a sense of urgency. For example, as noted earlier, an email could threaten account expiration and put the recipient on a timer. Applying such pressure makes the user less diligent and more error-prone.
Finally, links inside the messages resemble their legitimate counterparts but usually have a misspelled domain name or additional subdomains. In the above example, the URL myuniversity.edu/renewal has been replaced by myuniversity.edurenewal.com. The similarity between the two addresses gives the impression of a secure link, making the recipient less aware that an attack is taking place.
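The domain check a mail filter or awareness tool would apply to such links, as an added example that is not from the original article: it parses each URL and accepts it only if its host is a trusted domain or a subdomain of one, so the appended-domain and extra-subdomain tricks described above both fail. The trusted-domain list and the sample links other than the two from the article are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list of domains the organization actually links to.
TRUSTED_DOMAINS = {"myuniversity.edu", "bankofamerica.com"}

# Constructed sample links: the legitimate renewal URL from the article,
# the lookalike it describes, an extra-subdomain variant, a shortener,
# and a userinfo trick where the trusted name sits before the '@'.
SAMPLE_LINKS = [
    "https://myuniversity.edu/renewal",
    "http://myuniversity.edurenewal.com/renewal",
    "http://myuniversity.edu.renewal-portal.example/login",
    "http://bit.do/ghsdfhgsd",
    "http://myuniversity.edu@attacker.example/renewal",
]


def url_host(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it has none.
    urlparse().hostname ignores userinfo, so 'user@host' yields host."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower().rstrip(".")


def is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the host equals a trusted domain or ends with '.'+domain.
    Label-exact matching rejects 'myuniversity.edurenewal.com' (no dot
    before the trusted name) and 'myuniversity.edu.renewal-portal.example'
    (trusted name is a leading label, not the registrable suffix)."""
    host = url_host(url)
    return any(host == d or host.endswith("." + d) for d in trusted)


def classify_links(urls, trusted=TRUSTED_DOMAINS):
    """Map each URL to 'trusted' or 'suspicious' for review or blocking."""
    return {u: ("trusted" if is_trusted(u, trusted) else "suspicious")
            for u in urls}


if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_LINKS).items():
        print(f"{verdict:10} {url}")
```

Shorteners such as bit.do are flagged as suspicious because the destination host is hidden; a production filter would additionally expand them before deciding.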
Spear Phishing attack
Spear phishing targets a specific person or business rather than random application users. It is a more in-depth version of phishing that requires some knowledge of the organization, including its power structure.
An attack can take place as follows:
- An attacker researches the names of employees in the organization's marketing department and gains access to the latest project invoices.
- Posing as the marketing director, the attacker emails the project manager (PM) using a subject line that reads: Updated invoice for Q3 campaigns. The text, style, and logo reproduce the organization's standard email template.
- The link in the email redirects to a password-protected internal document, which is in fact a spoofed version of the stolen invoice.
- The PM is asked to log in to view the document. The attacker steals their credentials and gains full access to sensitive areas of the organization's network.
By providing the attacker with valid login credentials, spear phishing is an effective way to complete the first stage of an APT.
How to prevent a phishing attack
Protection against phishing attacks requires the actions of both users and enterprises.
For users, vigilance is the key. A fake message often contains subtle errors that reveal its true identity. These can be spelling errors or domain name changes, as shown in the example URL above. Users should also stop and think about why they even receive such an email.
For enterprises, there are several steps you can take to mitigate phishing attacks:
- Phish Protection offers enterprise-class email protection at small business prices: a complete set of email protection solutions used by more than 1000 small and medium enterprises around the world.
- Two-factor authentication (2FA) is the most effective method of countering phishing attacks because it adds an extra verification layer when logging in to sensitive applications. 2FA relies on users having two things: something they know, such as a password and username, and something they have, such as their smartphone. Even when employees are compromised, 2FA prevents the use of their stolen credentials, because the credentials alone are not enough to gain entry.
- In addition to using 2FA, organizations should enforce strict password management policies. For example, employees should be required to change their passwords frequently and not to reuse a password across multiple applications.
- Educational campaigns can also help reduce the threat of phishing attacks by enforcing secure practices, such as not clicking on external email links.
Why phishing attacks increase during a crisis
Criminals rely on deception and on creating a sense of urgency to succeed in their phishing campaigns. Crises, such as the coronavirus pandemic, give these criminals an excellent opportunity to lure victims with phishing.
During a crisis, people get nervous. They want information and seek guidance from their employers, government, and other relevant authorities. An email that appears to come from one of these entities and promises new information or asks recipients to quickly complete a task is likely to be scrutinized less carefully than it would have been before the crisis. One impulsive click later, the victim's device is infected or their account is compromised.