Fuse CS’ Guide to Phishing Attacks
Phishing attacks represent the most used tactic of social engineering. The goal of a malicious actor here is to manipulate the weakest link of the company’s security landscape – their employees. As computer systems and software became more advanced and secure, malicious actors turned their focus to exploiting human vulnerabilities. The attackers target basic human psychology, the need to trust others and be trusted, combined with creating a sense of urgency.
What is a phishing attack?
According to the National Cyber Security Centre a phishing attack is an attack where attackers attempt to trick users into doing ‘the wrong thing’, such as clicking a bad link that will download malware or direct them to a dodgy website.
Phishing attacks continue to be a significant threat in the digital landscape. Cybercriminals exploit human psychology, trust, and vulnerabilities to deceive individuals into revealing sensitive information or performing harmful actions. In this blog post, we’ll delve into key phishing trends, tactics, and how you can protect yourself and your business.
Different types of phishing attacks
There are several types of phishing attacks; the most common are:
- Email phishing
- Spear phishing
- Whaling
- Vishing
- Smishing
- Pharming
Email phishing
Email phishing is the most common form of phishing, when an attacker sends fraudulent emails that appear to be from a trusted source, with the goal of stealing personal or company information.
Spear phishing
Spear phishing is a more targeted approach to phishing and includes targeting only specific employees. Spear phishing is a more sophisticated attack than an average phishing scam, since it requires preparation and information gathering about the target.
Whaling
Whaling is a form of spear phishing that targets senior executives, with the aim to gain access to more information or finances than the average employee has access to.
Vishing
Vishing is similar to email phishing, with the difference of using phone calls to impersonate someone trustworthy and trick victims into revealing personal or company information.
Smishing
Smishing uses text and online messaging to pose as legitimate people and businesses, misleading victims into revealing information over messages.
Pharming
Pharming is a ‘casting a wide net’ phishing tactic that has the goal of redirecting as many users as possible to an attacker-controlled website in order to collect information. Casting a wide net refers to targeting a huge number of people in the hope that some of them get caught in the trap.
How does a phishing attack work?
As we mentioned earlier, phishing continues to be relevant because people have a need to trust other people. The problem occurs when that trust is not verified. Hackers and social engineers use this lack of verification to manipulate their victims into revealing more information than necessary.
- The first step of every phishing attack is to identify the target. In most cases the target encompasses a large group of people, meaning an entire department or even the entire company.
- Once the target has been acquired the attacker will then collect information on the target to make their approach more sophisticated and relevant to the target.
- The next step is the creation of fake emails, text messages or websites.
- Once the whole infrastructure is in place the attacker will send out malicious messages to their victims.
The messages themselves have an uncanny resemblance to the original messages that could be trusted, with some exceptions that we will discuss later in the section.
Once the attack has commenced, malicious actors then collect all the information they were able to from their attack.
Phishing attacks that follow this methodology usually work because they create a sense of urgency, fear or, in some cases, curiosity in the victim.
How to protect yourself from phishing?
Based on everything we talked about so far it might seem hopeless to fight these phishing attacks. It is not. Even though attackers are able to create more sophisticated messages and schemes, there are still ways to fight back. Here the distinction needs to be made between how a company can protect itself, how an end-user can protect themselves and how Fuse CS can help companies protect themselves from phishing.
How can a company protect their users from phishing attacks?
The best way to protect your employees from phishing and from leaking sensitive information is by training. The important thing to remember here is that the chain is only as strong as its weakest link. It doesn’t matter if you have top-notch security protocols and systems if a single user can be manipulated into leaking company data.
The best way to protect company data from being leaked by employees without the intent to do so is to have scheduled phishing training including best practices for preventing it. In addition to training, regular mock phishing campaigns should be performed on the employees to test how effective the training has been.
How can the end-user protect themselves?
When it comes to end-users, the first step in avoiding being phished is removing trust from the equation. We, Fuse CS, strongly suggest following the Zero Trust approach when it comes to security. Zero Trust focuses on not trusting anyone other than yourself and verifying everything. This translates to emails by firstly checking the sender’s email address thoroughly. It is not enough to just look at the display name of the sender.
The first step when receiving an email should be to check the sender’s email address. It may look like the intended sender's email address, but it will have a slight difference. These differences can go as far as simply changing a letter in the domain name (instead of sender@company.com it could be sender@c0mpany.com). These small differences often lead to account compromise.
Additionally, in mass phishing campaigns, attackers have neither the time nor the resources to tailor the email to each recipient. They will try to make it look legitimate: the formatting will be in place, company banners and signatures will also seem correct, but slight grammatical errors will be present.
We have recently come across a massive phishing campaign that was targeting bank customers. The way to tell it was not a legitimate email was by the wording. The buttons, banners and whole formatting looked correct, but the attacker didn’t address the recipient by name, which banks usually do, and instead addressed them as dear buyer. No bank ever addresses their user as a buyer.
Another issue we found was that the email had a strange-looking domain name: instead of info@bank.rs it was info@bank.ngqcpas.com, which looks off.
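The two sender checks described above (a swapped character in the domain, and a trusted brand name placed inside someone else's domain) can be automated in a mail filter or a triage script. The following is an added example, not Fuse CS code; the confusable-character table and the sample addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Character substitutions commonly seen in lookalike domains.
# Constructed list for this example; extend it as needed.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalize(domain: str) -> str:
    """Heuristically map confusable characters back to their lookalikes
    (e.g. 'c0mpany.com' -> 'company.com'). May over-correct; used only
    to compare against a known trusted domain, never to rewrite mail."""
    domain = domain.lower()
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def check_sender(from_header: str, trusted_domain: str) -> str:
    """Classify a From: header value against a domain the recipient trusts.

    Returns one of: 'trusted', 'lookalike', 'brand-in-foreign-domain',
    'display-name-only', 'untrusted', 'invalid'.
    """
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return "invalid"
    domain = address.rsplit("@", 1)[1].lower()
    trusted = trusted_domain.lower()
    brand = trusted.split(".")[0]          # e.g. 'bank' from 'bank.rs'

    # Exact match or a subdomain of the trusted domain (mail.bank.rs).
    if domain == trusted or domain.endswith("." + trusted):
        return "trusted"
    # sender@c0mpany.com: becomes the trusted domain after normalization.
    if normalize(domain) == trusted or normalize(domain).endswith("." + trusted):
        return "lookalike"
    # info@bank.ngqcpas.com: brand label present, but the registrable
    # domain belongs to someone else.
    if brand in domain.split("."):
        return "brand-in-foreign-domain"
    # Display name claims the brand while the address does not match it;
    # this is why the display name alone is never enough.
    if brand in display_name.lower():
        return "display-name-only"
    return "untrusted"
```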
How can Fuse CS help companies protect themselves from phishing?
As a Managed Security Service Provider, Fuse CS can offer its customers the whole package for fighting phishing:
- Training of employees with Microsoft Defender XDR
- Phishing campaigns to test the resilience of the users against phishing
- Secure by design, by creating anti-phishing and anti-spam policies in Defender XDR to help prevent most phishing attempts from ever reaching employees.
The security landscape is rapidly changing, but human psychology isn’t keeping up with it. Companies need to have a plan in place when it comes to any attempts to compromise their business including phishing. One small mistake from an employee can have a huge impact on the business and enormous consequences. We should all work together to ensure that hackers have no place in the world by securing ourselves and our businesses.