Phishing attacks involve tricking a victim into taking an action that benefits the attacker. They range from crude mass mailings to carefully tailored messages, and most can be spotted with the right awareness.
What is a Phishing attack?
A phishing attack is a cyber attack in which a malicious actor sends messages while pretending to be a trusted person or organization. Phishing messages manipulate users into performing actions such as installing a malicious file, clicking a malicious link, or divulging sensitive information such as access credentials. Phishing is the most common type of social engineering, a general term for attempts to manipulate or trick computer users. Social engineering is a common threat vector and plays a part in a large share of security incidents. Social engineering attacks such as phishing are often combined with other threats, such as malware, code injection, and network attacks.
How does phishing work?
Phishing starts with a fraudulent email or other communication designed to lure a victim. The message is made to look as though it comes from a trusted sender. If it fools the victim, he or she is coaxed into providing confidential information, often on a look-alike website that the attacker controls. Sometimes malware is also downloaded onto the target's computer.
Cybercriminals start by identifying the group of individuals they want to target. They then craft email and text messages that appear legitimate but contain dangerous links, attachments, or lures that trick their targets into taking a risky action without recognizing it as one. In brief:
- Phishers frequently use emotions like fear, curiosity, urgency, and greed to compel recipients to open attachments or click on links.
- Phishing attacks are designed to appear to come from legitimate companies and individuals.
- Cybercriminals are continuously innovating and becoming more and more sophisticated.
- It only takes one successful phishing attack to compromise your network and steal your data, which is why it is always important to “Think before you click”.
What damage can phishing cause to an organization?
Phishing bypasses technical security controls by exploiting the human element, and a single successful message can sidestep defences the organization has invested heavily in. A spear phishing attack may give attackers a foothold in the organization's systems while the organization remains unaware.
Phishing attacks often deliver malware that lets attackers control the victim's machine, giving an otherwise external adversary remote access to the internal network.
They also frequently yield users' credentials, which can open restricted systems or data. Privileged access from a compromised computer, or valid credentials for the organization's systems, lets attackers bypass many technical controls and then pivot and escalate to other systems and data. Ultimately this can end in the complete compromise of an organization: theft of customer and employee data, source code leaks, website defacement, and so on.
Types of phishing attacks
- Spear phishing: Spear phishing targets specific individuals instead of a wide group of people. That way, the attackers can customize their communications and appear more authentic. Spear phishing is often the first step used to penetrate a company’s defenses and carry out a targeted attack. According to the SANS Institute, 95 percent of all attacks on enterprise networks are the result of successful spear phishing.
- Email phishing: Email phishing is one of the most common types of phishing. It has been widespread since the early days of e-mail. The attacker sends an email purporting to be someone trustworthy and familiar (online retailer, bank, social media company, etc.), and asks you to click a link to take an important action, or perhaps download an attachment.
- Whaling: Whaling is a sub-type of Spear Phishing and is typically even more targeted. The difference is that Whaling is targeted at specific individuals such as business executives, celebrities, and high-net-worth individuals. The account credentials of these high-value targets typically provide a gateway to more information and potentially money.
- Vishing (voice call phishing): With phone-based phishing attempts, sometimes called voice phishing or "vishing," the phisher calls claiming to represent your local bank, the police, or even the IRS. Next, they scare you with some sort of problem and insist you clear it up immediately by sharing your account information or paying a fine. They usually ask that you pay by wire transfer or with prepaid cards, because those payments are hard to trace and almost impossible to reverse.
- Smishing: Smishing, or SMS Phishing, uses text messages to your mobile phone to conduct a phishing attack. Partlow said this may be the most dangerous form of phishing right now because smartphones are often used for two-factor authentication.
How to prevent phishing attacks
Phishing attack protection requires steps to be taken by both users and enterprises.
For users, vigilance is key. A spoofed message often contains subtle mistakes that expose its origin. These can include spelling mistakes, or a domain name that differs slightly from the genuine one: a swapped or doubled letter, a digit or look-alike character in place of a letter, or the brand name placed in a subdomain of an unrelated domain. Hovering over a link to see its real destination before clicking catches many of these. Users should also stop and think about why they are receiving such an email at all.
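The domain-name checks just described can be automated. The following Python script is an added example written for this page, not code from the original article. It scores a link from a message by looking for a non-https scheme, a raw IP address, an internationalised (punycode) host, confusable characters, a brand name placed in a subdomain or inside an unrelated domain, typosquats within edit distance 2 of a trusted domain, and link text that shows a different host from the real target. The trusted-domain list, the confusables table and the sample links are constructed assumptions, and the registrable-domain function is deliberately naive (it takes the last two labels and knows nothing of public suffixes such as co.uk).

```python
"""Heuristic checks for links found in a suspicious message.

Added example, not code from the original article. The trusted-domain list,
the confusables table and the edit-distance threshold are assumptions chosen
for illustration; only the Python standard library is used.
"""
import ipaddress
import unicodedata
from urllib.parse import urlparse

# Constructed allow-list of the brand domains this organisation expects to see (assumption).
TRUSTED_DOMAINS = ("example-bank.com", "microsoft.com", "paypal.com")

# Characters that read like another character. Multi-character pairs come first
# so that "rn" is folded to "m" before single-character rules run.
# The Cyrillic entries are U+0430, U+0435, U+043E, U+0440, U+0441 and U+0456.
CONFUSABLES = (
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),
    ("\u0440", "p"), ("\u0441", "c"), ("\u0456", "i"),
)


def to_unicode_host(host):
    """Decode a punycode (xn--) host to Unicode so the confusables table can see it."""
    try:
        return host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return host  # already Unicode, or not valid IDNA: use it as given


def normalize(host):
    """Fold a host to the ASCII string a reader would perceive."""
    text = unicodedata.normalize("NFKC", to_unicode_host(host)).lower()
    for lookalike, plain in CONFUSABLES:
        text = text.replace(lookalike, plain)
    return text


def registrable_domain(host):
    """Last two labels. Assumption: no public-suffix list, so 'co.uk'-style suffixes are not handled."""
    return ".".join(host.strip(".").split(".")[-2:])


def levenshtein(a, b):
    """Edit distance, used to catch typosquats such as 'micorsoft.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_link(href, display_text=""):
    """Return a list of findings for one link; an empty list means nothing looked wrong."""
    findings = []
    parsed = urlparse(href.strip())
    host = parsed.hostname or ""
    if not host:
        return ["no host in link"]
    if parsed.scheme != "https":
        findings.append(f"scheme is {parsed.scheme or 'missing'}, not https")

    labels = host.split(".")
    raw_domain = registrable_domain(host)
    try:
        ipaddress.ip_address(host)
        findings.append(f"host is a raw IP address: {host}")
    except ValueError:
        # A DNS name: look for internationalised, lookalike, embedded-brand and typosquat hosts.
        if not host.isascii() or any(label.startswith("xn--") for label in labels):
            try:
                ace = host.encode("idna").decode("ascii")
            except UnicodeError:
                ace = host
            findings.append(f"internationalised domain name (punycode form: {ace})")
        norm_domain = registrable_domain(normalize(host))
        if raw_domain in TRUSTED_DOMAINS:
            pass  # genuine brand domain
        elif norm_domain in TRUSTED_DOMAINS:
            findings.append(f"lookalike of {norm_domain}: {raw_domain} uses confusable characters")
        else:
            subdomain_labels = labels[:-2]
            for trusted in TRUSTED_DOMAINS:
                brand = trusted.split(".")[0]
                distance = levenshtein(norm_domain, trusted)
                if brand in subdomain_labels:
                    findings.append(f"brand '{brand}' sits in the subdomain; registered domain is {raw_domain}")
                elif brand in norm_domain.split(".")[0]:
                    findings.append(f"brand '{brand}' embedded in unrelated domain {raw_domain}")
                elif distance <= 2:
                    findings.append(f"possible typosquat of {trusted}: {raw_domain} (edit distance {distance})")

    # Anchor text that looks like a URL but points somewhere else is a classic tell.
    shown = display_text.strip()
    if shown and "." in shown and " " not in shown:
        shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname or ""
        if shown_host and registrable_domain(shown_host) != raw_domain:
            findings.append(f"link text shows {shown_host} but the target host is {host}")
    return findings


def is_suspicious(href, display_text=""):
    return bool(analyze_link(href, display_text))


if __name__ == "__main__":
    # Constructed sample links, not taken from any real message.
    samples = [
        ("https://www.paypal.com/signin", "www.paypal.com"),
        ("http://p\u0430ypal.com/login", ""),  # first 'a' is Cyrillic U+0430
        ("https://paypal.com.secure-login.example/verify", ""),
        ("https://micorsoft.com/reset", ""),
        ("https://203.0.113.5/login", "https://www.example-bank.com"),
    ]
    for href, text in samples:
        print(href, "->", analyze_link(href, text) or "clean")
```

Run it directly to see the findings for the constructed samples. In practice checks like these belong in a mail gateway or an analyst's triage script rather than in front of the end user, and a clean result is not proof that a link is safe; it only means none of these particular tricks was spotted.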
For enterprises, several steps can be taken to mitigate both phishing and spear-phishing attacks:
- Multi-factor authentication (MFA, often called 2FA) is one of the most effective controls against phishing, because a captured password alone is no longer enough to log in to sensitive applications. It relies on users having two things: something they know, such as a user name and password, and something they have, such as a smartphone or a hardware security key. Even when an employee's password is phished, the attacker cannot use it on its own. The choice of second factor matters, though: one-time codes delivered by SMS or generated by an app can still be captured and relayed by a phishing site that proxies the real login page in real time, whereas phishing-resistant methods such as FIDO2/WebAuthn security keys bind the credential to the genuine site's origin and cannot be replayed from a look-alike domain.
- Alongside MFA, organizations should enforce sound password management: a unique password for every application (a password manager makes this practical), rejection of passwords known to appear in breaches, and a forced change whenever compromise is suspected. Routine periodic password changes are no longer recommended by NIST SP 800-63B, since they push users toward predictable variations of the same password.
- Educational campaigns also help by reinforcing secure habits, such as not following links in unexpected external email, checking the real destination of a link before clicking, and reporting suspicious messages to the security team.
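To make the difference between a phishable and a phishing-resistant second factor concrete, here is an added Python model written for this page. It is not code from the original article and not a real WebAuthn implementation. It plays through a real-time proxy attack twice: once against password plus TOTP code, and once against an origin-bound assertion in the style of FIDO2/WebAuthn. An HMAC with a shared key stands in for the authenticator's public-key signature (an assumption made to stay within the standard library), and all hostnames, accounts and keys are invented.

```python
"""Why a relayed one-time code passes but an origin-bound assertion does not.

Added example, not code from the original article. It models an attacker who
proxies the real login page in real time. The HMAC "signature" stands in for
the public-key signature a FIDO2 authenticator would produce (assumption); the
hostnames, account and keys are invented.
"""
import hashlib
import hmac
import json
import secrets
import struct
import time

REAL_ORIGIN = "https://login.example-bank.com"                # assumed genuine site
PHISH_ORIGIN = "https://login.example-bank.com.evil.example"  # assumed attacker proxy


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the kind of code an authenticator app shows."""
    counter = int((time.time() if at is None else at) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10 ** digits:0{digits}d}"


class OtpServer:
    """Password + TOTP. Accepts the code from whoever presents it within the time step."""
    def __init__(self, users):  # users: name -> (password, totp_secret)
        self.users = users

    def login(self, name, password, code, at):
        stored_password, secret = self.users[name]
        return stored_password == password and hmac.compare_digest(code, totp(secret, at))


class OriginBoundServer:
    """FIDO2/WebAuthn style: the authenticator signs the challenge together with the
    origin the browser is really on, and the server insists on its own origin."""
    def __init__(self, users):  # users: name -> credential key (a public key in reality)
        self.users = users

    def new_challenge(self):
        return secrets.token_hex(32)

    def login(self, name, challenge, client_data, signature):
        key = self.users[name]
        if client_data["origin"] != REAL_ORIGIN or client_data["challenge"] != challenge:
            return False
        msg = json.dumps(client_data, sort_keys=True).encode()
        return hmac.compare_digest(signature, hmac.new(key, msg, hashlib.sha256).digest())


def browser_assertion(key, challenge, page_origin):
    """What the victim's browser and authenticator produce. The browser, not the page,
    fills in the origin, so a phishing page cannot choose a different value."""
    client_data = {"challenge": challenge, "origin": page_origin}
    msg = json.dumps(client_data, sort_keys=True).encode()
    return client_data, hmac.new(key, msg, hashlib.sha256).digest()


# Constructed accounts (assumption). The TOTP secret is the RFC 6238 test-vector key.
TOTP_SECRET = b"12345678901234567890"
OTP_SERVER = OtpServer({"alice": ("correct horse", TOTP_SECRET)})
CRED_KEY = b"\x01" * 32
FIDO_SERVER = OriginBoundServer({"alice": CRED_KEY})


def relay_otp_login(at=1_700_000_000):
    """Victim types password and the current code into the proxy page; the proxy forwards both."""
    typed_password, typed_code = "correct horse", totp(TOTP_SECRET, at)  # code read from the app
    return OTP_SERVER.login("alice", typed_password, typed_code, at)     # replayed within 30 s


def relay_fido_login():
    """Proxy fetches a real challenge and hands it to the victim's browser, which is on PHISH_ORIGIN."""
    challenge = FIDO_SERVER.new_challenge()
    client_data, signature = browser_assertion(CRED_KEY, challenge, PHISH_ORIGIN)
    return FIDO_SERVER.login("alice", challenge, client_data, signature)


def relay_fido_login_rewritten():
    """Same, but the proxy overwrites the origin field before forwarding."""
    challenge = FIDO_SERVER.new_challenge()
    client_data, signature = browser_assertion(CRED_KEY, challenge, PHISH_ORIGIN)
    client_data = dict(client_data, origin=REAL_ORIGIN)  # forged origin, signature now stale
    return FIDO_SERVER.login("alice", challenge, client_data, signature)


def genuine_fido_login():
    challenge = FIDO_SERVER.new_challenge()
    client_data, signature = browser_assertion(CRED_KEY, challenge, REAL_ORIGIN)
    return FIDO_SERVER.login("alice", challenge, client_data, signature)


if __name__ == "__main__":
    print("relayed password + TOTP accepted:", relay_otp_login())
    print("relayed origin-bound assertion accepted:", relay_fido_login())
    print("relayed assertion with forged origin accepted:", relay_fido_login_rewritten())
    print("genuine origin-bound login accepted:", genuine_fido_login())
```

The relayed password and code are accepted because nothing ties the code to the site the victim typed it into; the proxy only has to forward them within the 30-second window. The origin-bound assertion fails either way: forwarded untouched, it carries the proxy's origin, which the server rejects; rewritten to the genuine origin, the signature no longer verifies. This is the property that makes FIDO2/WebAuthn phishing-resistant, and it is absent from SMS and app-generated codes.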
Phishing attacks are constantly evolving to adopt new forms and techniques. With that in mind, organizations must conduct security awareness training on an ongoing basis so that their employees and executives can stay on top of phishing’s evolution.