How They Attack Us: Phishing
Phishing is the most prominent cyber attack method in use today. The term comes from ordinary fishing, with the ‘ph’ spelling borrowed from the old hacker slang of phreaking.
Phishing is simply the use of email to trick the recipient into believing a message is genuine so that they carry out an action. That action could be clicking a malicious link that delivers malware, or visiting a real-looking login page where the victim is tricked into entering real credentials.
The term fits the image of casting a fishing net into the water: attackers send out tens of thousands of emails, hoping to catch a small number of keepers.
Even phishing has several variants on the same theme:
- Phishing – Using email.
- Spear Phishing (a.k.a. CEO Fraud) – A targeted attack against one or a small number of pre-defined targets. These messages are intended to make the recipients believe the sender is a real person they know, which in theory gives a greater chance of action. These attacks are very profitable when they work and very easy to prevent.
- Smishing – These attacks use SMS text messages to have the recipient call or click a link.
All of these methods can be tricky to spot, but they are preventable.
Detection
You can spend hours studying the detailed methods for detecting a phishing email. The first line of defense is technology. Pick a good email provider that includes fraud detection in its service; users cannot click links in emails that are never delivered.
Emails will eventually slip through the cracks of the technology. Here’s how to spot a fake email visually.
- Sender’s email address. Look at it closely. Is it the right domain? Is it spelled correctly? Is it from the right company? Keep in mind that sender email addresses can be spoofed easily.
- Look at the content of the message. Grammar and spelling mistakes are big giveaways. Look at the language used: is it how the sender normally talks? The format of the message matters too: does it look legitimate and professional?
- URL links. If there are links in the email, don’t click ones you are not expecting. An easy trick is to hover your mouse over the link and read the URL in the popup. Is it taking you to a legitimate website? Is it using a URL shortener?
- If a bank, government agency or other service you use is asking you to log in, and you are suspicious, don’t use the links in the email to do it. Use your own bookmarks or type the address manually and go there yourself. If there is a message or problem, it will also appear in the account itself. Don’t trust links.
- Attachments are big red flags now. Scan the file with your anti-virus or use an external site like VirusTotal (https://www.virustotal.com/) to see if it’s legitimate. If you weren’t expecting a file, delete it.
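Some of the visual checks above can be automated on the defender's side. The following is an added example, not code from the original article, that parses a constructed message and flags a look-alike sender domain, links that go through URL shorteners, and links whose visible text does not match where the href actually points; the trusted-domain allowlist and shortener list are assumed values.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for demonstration; not taken from any real campaign.
SAMPLE_EML = """From: "Acme Bank Support" <alerts@acme-bank-secure.com>
To: user@example.com
Subject: Urgent: verify your account
Content-Type: text/html

<p>Dear customer, your account is locked.</p>
<p><a href="http://bit.ly/3xyz">https://acme-bank.com/login</a> to restore access.</p>
"""
# Assumed values: domains your organisation really corresponds with, and well-known shorteners.
TRUSTED_DOMAINS = {"acme-bank.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header, ignoring the display name."""
    return parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()

def looks_alike(domain: str, trusted: str) -> bool:
    """True when a trusted brand name is embedded in a different domain."""
    return domain != trusted and trusted.split(".")[0] in domain

def check_message(raw: str) -> list[str]:
    """Apply the sender and link checks from the article and return the findings."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sdom = sender_domain(msg.get("From", ""))
    if sdom not in TRUSTED_DOMAINS:
        if any(looks_alike(sdom, t) for t in TRUSTED_DOMAINS):
            findings.append(f"sender domain {sdom} resembles a trusted domain")
        else:
            findings.append(f"sender domain {sdom} is not on the allowlist")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    # Compare each link's visible text with where its href really points.
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', body, re.I):
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            findings.append(f"link uses URL shortener {host}")
        shown = urlparse(text.strip()).hostname
        if shown and shown.lower() != host:
            findings.append(f"link text shows {shown} but points to {host}")
    return findings
```

Running `check_message(SAMPLE_EML)` yields three findings for the constructed message; a plain message from a trusted domain with no links yields none.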
Prevention
Aside from picking a good technological solution, the best prevention against phishing is training. As a security professional, you have to rely on every single employee and user in your environment, so they need to be made aware.
You do this through regular education and simulated phishing exercises. In a simulated phishing campaign you send controlled emails, which you know about, that mimic real phishing emails, and see how many people fall for them. Done in moderation, this is a great way to keep the lesson fresh and give users real-world experience of phishing attacks.
Summary
Phishing is not going away and probably never will. Awareness programs with simulations are the best way to prepare for and defend against these attacks. No matter how much you train, there will be those who fall for an email. Hackers can be wrong 99.99% of the time; we have to be aware 100% of the time.
It’s better to hesitate and ask than click and be wrong.
Be aware, be safe.