Police cells in Mumbai received emails from the Mumbai police’s cyber division speaking about intelligence inputs, with an attachment about a terrorist attack. Nothing out of the ordinary for law enforcement, except that the email was from a hacked ID and the attachment was laced with malware.
This is a phishing attack, where social engineering is used to gain the trust of the message recipient and induce the recipient to perform an action prejudicial to their interests – such as opening the malicious attachment, in this example.
Phishing attacks are very common – 91% of cyber attacks begin with a phishing email. Phishing attacks can also impose significant costs on the victim: an attacker stole $98 million from Facebook and $23 million from Google (subsequently recovered) by impersonating employees of a vendor to send fake invoices.
How Does Phishing Work?
Phishing is the old-fashioned confidence trick that has graduated to the digital world. An analysis of a phishing campaign will typically reveal:
- Fish – A gullible victim who doesn’t verify the authenticity of messages
- Lure – A hoax message that appears to be from a trusted individual or organisation
- Bite – The victim opens a malicious attachment, accesses a malicious link, reveals confidential information, or performs an action (such as transferring funds)
- Catch – The attacker achieves their objective, which could range from launching a ransomware attack to stealing intellectual property
Phishing attacks against businesses often use email but any channel of communication can be used, such as phone, SMS, WhatsApp, and social media.
Types of Phishing Attacks
Cyberattackers use phishing in several kinds of campaign, each aimed at a different category of user and pursuing a different objective:
- Phishing – This is the umbrella term used to describe social engineering that targets any user, through messages that claim to be about topics that could be of interest to anyone or could be addressed to anyone, such as Updated COVID-19 Guidelines or Income Tax Notice
- Spear Phishing – Spear Phishing is a type of phishing that is customised to the user or category of users e.g., Accounts Payable Managers, who are targeted using information that is specific to their job to give credibility to the hoax message
- Whaling – This is similar to spear phishing but is focused on high-value targets (called whales because they are very big fish) such as CEOs or CFOs; those with high levels of responsibility also wield great power, so a successful attack against them can be very lucrative for the attacker
There is a common thread across the various methods and types of phishing: they all target the user and not a device or network, and depend on human fallibility on the part of the victim rather than the technical prowess of the attacker. This is also why phishing attacks are preferred by attackers as a user may be persuaded to ignore or override warnings from security software and perform the action required by the attacker.
Now that we have understood how phishing works, we can examine how phishing can be stopped.
Measures to Avoid Phishing Attacks
A business can protect its operations from being disrupted by phishing attacks by following these steps:
- Provide Cybersecurity Training – The best defence against phishing is a well-informed user. Cybersecurity training programmes should educate users on the tactics that threat actors use and how a phishing attack can be detected. Users should be suspicious if a message:
  - Requires urgent action on their part but they cannot independently verify why such urgent action is required e.g., the message asks for an urgent transfer of funds for a confidential purpose that cannot be revealed to other employees
  - Is from an email ID that closely resembles a corporate email ID but is not an exact match e.g., the email is supposed to be from a bank but there is a slight alteration in the domain name of the email ID compared to other emails from the same bank
  - Is unexpected, or the sender doesn’t usually communicate about the topic discussed in the email
  - Has spelling or grammatical errors, or odd use of phrases that may indicate software-based translation from the attacker’s native language
  - Includes a link that leads to a domain that is different from where it is supposed to go e.g., the message is from a vendor but the link leads to a website that isn’t the vendor’s website
  - Has an attachment that requires macros to be enabled or has more than one extension e.g., a file with extension ‘.pdf.exe’ is an executable masquerading as a PDF
- Implement a Maker-Checker-Approver Process – A cyberattacker may be able to convince one employee to perform an action but it is far more difficult to convince two or even three employees to perform that action; the attack can be avoided if any one of them notices a red flag
- Deploy Endpoint Security – Many phishing attacks include malware or malicious links which can be detected and blocked by enterprise cybersecurity solutions such as K7 Endpoint Security. It is critical to ensure that all endpoints that connect to the corporate network are protected as even a single unprotected endpoint can be used by a threat actor to launch an attack
- Deploy Network Security – Gateway security solutions, like K7 Unified Threat Management appliances, stop cyberattacks at the network perimeter and prevent intrusion attempts
- Encourage Vigilance in Life Away from Work – Threat actors may target employees in their personal lives, e.g., by interacting with them on social media, to launch an attack against a business. Enterprise cybersecurity cannot protect an employee in such away-from-work situations, but an employee who is aware that they are vulnerable in their personal life can spot and stop a phishing attempt. Employees can also protect themselves by using cybersecurity solutions such as K7’s antivirus for consumers on their personal devices
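The red flags listed under cybersecurity training above (urgency language, a sender domain that is a near-miss of a trusted one, a link whose visible text does not match its real destination, and attachments that are macro-enabled or hide an executable behind a double extension) can be turned into a simple triage check. The script below is an added example written for this article, not K7 Security’s code or product logic. The trusted domain list, the keyword lists and the two sample messages are constructed for illustration; a real deployment would draw them from the organisation’s own mail configuration and from the message headers and MIME parts of incoming mail.

```python
"""Heuristic phishing red-flag checker (added example, not K7's code).

Implements the indicators listed in the article: urgency language,
lookalike sender domain, link text/target mismatch, links to untrusted
domains, and attachments that are macro-enabled or carry a double extension.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Domains the organisation expects mail and links from (constructed sample).
TRUSTED_DOMAINS = {"examplebank.com", "vendor-corp.com"}

# Phrases that press the reader to act quickly or secretly (constructed list).
URGENCY_WORDS = ("urgent", "immediately", "confidential", "do not share")
MACRO_EXTENSIONS = {"docm", "xlsm", "pptm", "dotm"}
EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta"}

# Matches a domain-like token inside free text such as link display text.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


@dataclass
class Message:
    sender: str                                   # e.g. "alerts@examplebank.com"
    subject: str
    body: str
    links: list = field(default_factory=list)     # (display_text, href) pairs
    attachments: list = field(default_factory=list)  # file names


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_in_text(text: str) -> str:
    """First domain-like token in display text, lower-cased, or '' if none."""
    m = DOMAIN_RE.search(text)
    return m.group(1).lower() if m else ""


def check_message(msg: Message) -> list:
    """Return (code, detail) pairs, one per red flag found; empty means none."""
    findings = []

    text = f"{msg.subject} {msg.body}".lower()
    if any(w in text for w in URGENCY_WORDS):
        findings.append(("urgency", "message presses for immediate or secret action"))

    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if sender_domain not in TRUSTED_DOMAINS:
        # A distance of 1 or 2 from a trusted domain is a typical lookalike.
        close = [d for d in TRUSTED_DOMAINS if 0 < edit_distance(sender_domain, d) <= 2]
        if close:
            findings.append(("lookalike_sender", f"{sender_domain} resembles {close[0]}"))

    for display, href in msg.links:
        target = (urlparse(href).hostname or "").lower()
        shown = domain_in_text(display)
        if shown and shown != target:
            findings.append(("link_mismatch", f"text shows {shown} but goes to {target}"))
        if target and target not in TRUSTED_DOMAINS:
            findings.append(("untrusted_link", f"link leads to {target}"))

    for name in msg.attachments:
        exts = name.lower().split(".")[1:]
        if exts and exts[-1] in MACRO_EXTENSIONS:
            findings.append(("macro_attachment", name))
        if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS:
            findings.append(("double_extension", name))

    return findings


# Two constructed sample messages: one phishing-like, one benign.
SUSPICIOUS = Message(
    sender="payments@examp1ebank.com",  # digit 1 in place of the letter l
    subject="URGENT: confirm wire transfer today",
    body="Please keep this confidential and do not discuss it with colleagues.",
    links=[("https://examplebank.com/verify", "https://examp1ebank.com/verify")],
    attachments=["Invoice_4471.pdf.exe"],
)
LEGITIMATE = Message(
    sender="statements@examplebank.com",
    subject="Your monthly statement",
    body="Your statement for March is attached.",
    links=[("https://examplebank.com/statements", "https://examplebank.com/statements")],
    attachments=["statement-march.pdf"],
)

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, check_message(m))
```

Each check maps directly to one bullet in the training list, so the output can be fed back into awareness training as the concrete reason a message was held; the edit-distance threshold and the keyword list are deliberately simple and would be tuned per organisation.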
K7 Security provides international award-winning cybersecurity solutions for businesses of any size; our solutions protect against a wide variety of cyberthreats including phishing. Contact Us to learn more about how we can help your organisation and your employees avoid phishing attacks.