Phishing attacks are on the rise, and they’re getting more convincing and sophisticated.
What are phishing attacks?
A phishing attack or scam is a fraudulent attempt to obtain sensitive information. It is typically carried out by a phishing email that appears legitimate and convincing but in fact aims to get you to act, for example by clicking a link or downloading and opening an attachment.
Types of phishing attacks
There are four common types of phishing attack. They range from minimal-effort bulk mailings to highly sophisticated attacks that require a cybercriminal to do a great deal of research beforehand.
| Type of phishing attack | Credential harvesting | Extortion | Malware | Spear phishing |
|---|---|---|---|---|
| How it is carried out | Emails impersonate a well-known brand or organisation and usually contain a link to a spoofed login page. | Targets the victim by demanding money in exchange for keeping secrets. | Malware is hidden behind an innocuous-looking link that triggers a file download. | Targets high-level employees, influencing them to complete a manual task. |
| The aim and why it works | Lures victims into exposing their usernames, passwords and payment information. | Establishes authority by including a password or a spoofed email address. | Bypasses standard scans that only examine the email body. | Difficult to detect because the email contains no malicious links or attachments. |
| Cybercriminal effort level | Minimal. Emails are sent in bulk and address lists can be bought relatively cheaply on the black market. | Medium. The cybercriminal needs to identify the target and some of their contacts to cause maximum reputational damage. | Minimal. Emails are sent in bulk and address lists can be bought relatively cheaply on the black market. | High. Research is needed to find the names of authoritative people so that the email's instructions do not look out of the ordinary for the person being impersonated. |
Why are they used to target businesses?
The purpose of the attack is dependent on the goals of the cybercriminal. It could be to install malware which is triggered when someone downloads an attachment, for example, or it could be to harvest credentials such as usernames and passwords.
If the aim is to harvest credentials, they could send a generic phishing email in bulk to many recipients. They only need one recipient to perform the actions outlined in the email, and from their perspective that is a good return for very minimal effort.
On the other hand, if the cybercriminal has a specific person or organisation as the target, they may carry out a spear-phishing attack. This usually takes much longer as a level of research is required beforehand. For example, a personalised email is sent to the finance team made to appear to come from a director within the business.
Mimecast, a provider of cloud email security and risk management services for businesses, surveyed 1,025 global IT security decision-makers about their email security challenges and found that employees are directly contributing to the spread of threats. You can view the infographic below.
How successful are phishing attacks?
More than 90% of successful hacks and data breaches start with a phishing scam, according to KnowBe4. Phishing scams vary in scale, but they are usually the first step in an attacker's attempt to acquire sensitive information from you.
Once you have revealed the information or carried out the requested action, you will not always realise straight away that it was a scam, and by the time you do the consequences can be severe.
Here are some recent examples of successful phishing attacks in 2019.
- British Gas customers received emails impersonating British Gas, telling them they were eligible for a refund.
- Lancaster students’ personal data was stolen earlier this year through a phishing attack which started as a member of staff opening an attachment in an email.
- Discord users receive messages with a fraudulent link. Once clicked they are taken to a fictitious login page where they enter their details. Once doing so, a bot takes over their account and locks them out. The bot then accesses their friend lists and sends out further messages allowing the attack to propagate.
How to spot a phishing email
Most phishing emails have typical characteristics that a trained eye could easily spot. These include:
- Non-personalisation so, for example, Dear Customer, Dear Client. Note: spear-phishing emails will be personalised.
- Forged links that look like a domain you recognise but contain extra or substituted characters or numbers, for example http://www.domaain.com
- Requesting personal information whereby they trick you into revealing further information about you. For example: update your login details.
- Sense of urgency. The email manipulates you into taking immediate action such as “review these latest transactions on your account to avoid account suspension”, “pay now to avoid disruption to services”.
- Hover over hyperlinks. If you see a hyperlink, hover your cursor over it to reveal the actual address. This shows you where the link really leads without clicking it.
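The checks in the list above can be automated. The following is an added example, not code from the original post: it parses a constructed phishing email and flags a generic greeting, urgency wording, a look-alike sender domain, and a link whose visible text names one domain while its href goes to another (the "hover over the hyperlink" check). The sample messages, the trusted-domain allow-list and the phrase lists are all assumptions made for the example.

```python
"""Added example (not from the original post): flag common phishing tells in
a constructed e-mail: generic greeting, urgency wording, look-alike sender
domain, and link text that does not match the link target."""
import difflib
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the "refund" lure described in the post.
SAMPLE_EML = """\
From: "Example Energy" <billing@examp1e-energy.com>
To: customer@example.org
Subject: Action required: your refund is waiting
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p>
<p>You are eligible for a refund. Please <a href="http://www.examp1e-energy.com/login">log in to www.example-energy.com</a>
within 24 hours to avoid account suspension.</p>
"""

# Constructed legitimate message for comparison.
LEGIT_EML = """\
From: "Example Energy" <billing@example-energy.com>
To: customer@example.org
Subject: Your March statement
Content-Type: text/html; charset=utf-8

<p>Dear Ms Smith,</p>
<p>Your statement is available at <a href="https://www.example-energy.com/account">www.example-energy.com</a>.</p>
"""

# Assumed allow-list of domains the organisation genuinely deals with.
TRUSTED_DOMAINS = {"example-energy.com"}
# Assumed phrase lists; a real deployment would tune these.
URGENCY_PHRASES = ("avoid account suspension", "pay now", "within 24 hours", "immediately")
GENERIC_GREETINGS = ("dear customer", "dear client", "dear user")


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_lookalike(domain, trusted):
    """True when domain is not trusted but closely resembles a trusted one
    (doubled letters, digit-for-letter swaps, an extra character)."""
    if domain in trusted:
        return False
    return any(difflib.SequenceMatcher(None, domain, t).ratio() >= 0.8 for t in trusted)


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = body.lower()

    if any(g in text for g in GENERIC_GREETINGS):
        findings.append("generic greeting")
    if any(p in text for p in URGENCY_PHRASES):
        findings.append("urgency wording")

    sender_domain = registered_domain(msg["from"].addresses[0].domain)
    if is_lookalike(sender_domain, TRUSTED_DOMAINS):
        findings.append(f"look-alike sender domain {sender_domain}")

    parser = _LinkParser()
    parser.feed(body)
    for href, visible in parser.links:
        href_domain = registered_domain(urlsplit(href).hostname or "")
        # If the visible text ends in something host-like (www.brand.com),
        # compare it with where the href actually goes.
        shown = visible.split()[-1] if visible else ""
        shown_domain = registered_domain(shown) if "." in shown else None
        if shown_domain and shown_domain != href_domain:
            findings.append(f"link text shows {shown_domain} but goes to {href_domain}")
        elif is_lookalike(href_domain, TRUSTED_DOMAINS):
            findings.append(f"look-alike link domain {href_domain}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("legit", LEGIT_EML)):
        print(name, analyse(raw))
```

The similarity threshold and the two-label domain heuristic are deliberately simple; a production filter would use a public-suffix list and a curated list of brand domains, and would still only be one layer alongside the user's own hover-and-check habit.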
What’s the worst a phishing attack can do?
As phishing attacks are usually used to obtain sensitive information, the target could be anything from your bank details to your finance, HR and payroll systems, or your corporate network itself.
Once an attacker has credentials that give access to a system, they can begin downloading data to sell on the black market. If the system is your corporate network, they can also use that foothold to install further malicious threats such as ransomware.
How can I stay safe from a phishing attack?
Beyond your technology, people are typically the first point of vulnerability. Not only do you need a secure network and systems, you also need to ensure that you and your employees are trained in cyber security best practice. This usually begins with on-the-job training designed to give everyone a basic understanding of cyber security, the risks they are likely to encounter, and how to take appropriate action.
At MMRIT we offer a range of cyber security services from training your employees to identify a potential phishing attack right the way through to deploying our cyber security suite of antivirus, email protection, firewalls, two-factor authentication, security audits and gap analysis. To find out more about how we can help you, contact MMRIT.