
Don't click here... A guide to phishing

What is phishing?

Phishing is the term given to cyberattacks that attempt to trick users into handing over sensitive data or installing malware. Phishing attacks generally arrive by email and can appear to come from trusted senders, such as work colleagues. Once the attacker has found a way in, they can install malware and steal intellectual property and sensitive personal information. This endangers company security and leaves victims open to identity theft. Phishing is particularly topical because the risks are higher than ever: 39% of businesses reported cyberattacks to the Information Commissioner’s Office (ICO) in the last 12 months [1]. The same risks apply on mobile devices, a less widely recognised avenue for cybercriminals. Mobiles have multiple attack vectors, i.e. channels through which an attack can arrive, including SMS, social media, WhatsApp and gaming apps. So it is important to remain cautious and take care across all devices.


The most common phishing attacks

Phishing campaigns rely on either a malicious attachment or an external link to a malicious website. The first uses a harmless-looking attachment name, such as ‘invoice’, to encourage the user to open the file, at which point the malware is installed on the computer. Links to malicious sites are placed in increasingly legitimate-looking emails, directing the victim to a page that either downloads malware or runs scripts to harvest credentials.


1. Deceptive phishing – Attackers impersonate a company to gain trust so that victims unknowingly input personal data and login details. These attacks have been widely publicised recently, for example the Royal Mail text scam [2], which directs users to a copycat website and asks for payment for an ‘undelivered parcel’. Once the user enters their card details, the attacker can withdraw large sums of money. Deceptive phishing messages can also include legitimate links and contact details for the organisation they are spoofing, making them increasingly difficult to spot.

2. Spear phishing – A more personalised attack, spear phishing involves a customised ploy that includes details such as the user’s name, job title or phone number. Because these targeted attacks are unique, users often come to believe they have a connection with the sender and are more likely to unknowingly open harmful attachments or follow malicious links. You might think there is not enough data about you on the internet for this to happen to you, but attackers use clever methods of pulling information from social media sites, such as LinkedIn, and combining it with company data held in the public domain. From scanning social network pages, attackers can quickly find your email addresses, where you live, your friends list, interests and hobbies. Due to the personalised nature of the attack, spear phishing is the most successful method of acquiring sensitive and confidential information on the internet.

3. CEO fraud – Either acting on a compromised CEO email account or masquerading under a fake title, CEO fraud abuses the power that higher-level staff have over junior staff to make requests. These often include executing unauthorised money transfers or passing on confidential financial data.


How to protect yourself from phishing attacks

The National Cyber Security Centre recommends a multi-layered approach against phishing, to improve resilience and minimise the impacts of the damage caused.


Layer 1 – Make it difficult for attackers to reach users.

The first layer of defence acts as a barrier, to make it difficult for attackers to reach end-users in the first place. It involves setting up precautionary measures and anti-spoofing controls to filter out suspected emails and reduce the probability of incidents. Such controls can be provided from your cloud-based email provider, or a tailored solution directly from your email server.


Layer 2 – Help users identify and report suspected phishing emails.

The second layer requires collaboration with end-users, in the form of training and staff awareness. Phishing simulations are often the only measure used at this layer, but on their own they do not address weaknesses elsewhere. Thorough training that covers how to spot and report phishing, and what the threat actually is, is particularly effective. Encouraging users to report phishing attempts gives you a better view of what sort of phishing emails are slipping through the filters and the impact this has on your company.

Phishing emails often come with a tell, mainly subtle differences from a genuine email. Users should remain cautious and before clicking any external links, double-check that the URL/domain name is spelt correctly. Likewise, by hovering over a URL with your mouse, you can view a preview of where it will take you. Be careful in this instance not to click on the URL.

Attackers often use similar-looking letters, substitute numbers for letters, or add extra letters to appear genuine. Other targeted phishing attacks may be less easily recognisable and often use language that pushes the end-user to act. For example, a forwarded email can easily be manipulated to look like a genuine email chain. Other situations involve impersonating directors or managers to gain the attention and trust of junior employees.


Things to be careful about include:

  • Misspelt emails and domain names
  • Poor grammar
  • Urgent/persuasive language
  • Suspicious links and attachments
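As an added illustration (not part of the original post), a small Python checker that applies the domain checks above to a link's real target: it undoes the look-alike substitutions described (digits for letters, ‘rn’ for ‘m’), tolerates one or two added or dropped letters, spots a trusted brand name embedded in a longer host, and flags a link whose visible text names a different domain from the one it really points at. The trusted-domain list and the homoglyph table are constructed assumptions.

```python
from urllib.parse import urlparse

# Constructed list of domains the organisation treats as genuine (assumption).
TRUSTED_DOMAINS = {"kickict.co.uk", "royalmail.com"}
# Substitutions that make a domain look right at a glance: digits for letters,
# and letter pairs that resemble a single letter.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalise(host: str) -> str:
    """Lower-case the host and undo the look-alike substitutions above."""
    host = host.lower().strip(".")
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host

def registrable(host: str) -> str:
    """Rough registrable domain: last two labels, or three for .co.uk-style suffixes."""
    labels = host.split(".")
    if len(labels) >= 3 and labels[-2] in {"co", "ac", "org"}:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: catches one or two added, dropped or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(href: str, display_text: str = "") -> str:
    """'trusted', 'lookalike' or 'unknown' for the real target; 'mismatch' when
    the visible link text names a different domain from the actual target."""
    host = urlparse(href).hostname or ""
    target = registrable(host)
    if "." in display_text:  # the hover check, only when the visible text looks like a domain
        shown_url = display_text if "://" in display_text else "http://" + display_text
        shown = urlparse(shown_url).hostname or ""
        if shown and registrable(shown) != target:
            return "mismatch"
    if target in TRUSTED_DOMAINS:
        return "trusted"
    norm_host = normalise(host)
    for good in TRUSTED_DOMAINS:
        brand = good.split(".")[0]  # e.g. 'royalmail' embedded in a longer host
        if edit_distance(registrable(norm_host), good) <= 2 or brand in norm_host:
            return "lookalike"
    return "unknown"
```

The registrable-domain logic is deliberately crude; a production checker would use a public suffix list and a far larger homoglyph table.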


A simple organisation-wide policy to implement is one that requires two forms of confirmation before any financial transaction takes place. For example, no financial action should be taken on the basis of email communication alone. This simple method of verifying requests by verbal confirmation goes a long way towards preventing attacks.


Layer 3 – Protect your organisation from the effects of undetected phishing emails.

As detailed earlier, phishing attempts can bypass filtering services and breach your organisation’s defences. In these instances, device-level protection can stop a user’s mistake from giving attackers access. It can be as simple as keeping software up to date and restricting access to those who need it. To protect sensitive information further, two-factor authentication is always recommended, so that attackers cannot breach systems with just a stolen password.


Layer 4 – Respond quickly to incidents.

Should you fall victim to a phishing attack, respond quickly to limit the potential for further damage. It is therefore essential to encourage open communication so that incidents are reported as early as possible. Simple response plans, such as forcing password changes on compromised accounts and removing malware promptly, go a long way towards limiting losses.


Hopefully, this blog post has provided a more rounded understanding of the different types of phishing and how you can implement the best measures to safeguard your sensitive data. At Kick, we believe that you can never be too careful – so we would like to direct you to a couple of handy resources that you can use to test your phishing detection skills:

https://phishingquiz.withgoogle.com/

https://info.knowbe4.com/phishing-security-test


We’re here to help

At Kick, our team of experts is at hand to discuss all your business’s cybersecurity needs. From protection against phishing attacks to securing Cyber Essentials accreditation, we can help mitigate the potential for harm that enterprises are increasingly vulnerable to. We would like to hear from you - call us on 01698 844 600 or send us an email at info@kickict.co.uk to discuss your needs.


[1] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2021/cyber-security-breaches-survey-2021

[2] https://www.bbc.co.uk/news/business-56496203