What is Phishing?
Phishing is a type of attack based on a set of social-engineering techniques that attackers use to manipulate or trick their victims into downloading or executing malware, disclosing sensitive information, or giving access to high-privilege sites.
Typically, the attacker impersonates a legitimate person, entity or organization known to the victim and contacts them with an “official statement” such as an email, a call or a text message, in order to convince them that something serious has happened and that they need to take action immediately.
In this article, we’ll dive deeply into phishing and social engineering, or the subtle art of getting the key to the fortress. At a high level, these approaches exploit the human weaknesses within your organization.
Phishing and Social Engineering
Attackers use social engineering to carry out phishing attacks, but what does that mean?
Phishing and social engineering encompass activities that exploit people by convincing them to share personal and critical security information.
These kinds of attacks vary, and hackers may combine different approaches to further their nefarious objectives. Hackers have successfully exploited senior executives, developers, and even security personnel. Let’s define these attacks at a high level.
Phishing
Phishing, pronounced the same as “fishing,” shares many characteristics with that activity. A fisherman might use bait or a lure designed to mimic a food item that attracts fish, ultimately resulting in their being caught on a hook. The fish might be suspicious, but it’s too late once they take a bite.
Similarly, when phishing, malicious actors craft legitimate-looking messages that entice the recipient to click on a link or enter personal information. Phishing messages may contain malware links disguised as legitimate links or links that take the user to legitimate-looking websites that trick the user into entering their credentials.
Social Engineering
Social engineering goes beyond the methods in traditional phishing attacks and involves direct communication between the attacker and the victim. Attackers psychologically manipulate their victims into providing confidential information or performing malicious actions on their behalf.
An oft-used method that is unfortunately also very successful involves the hacker calling a corporate help desk and claiming that they, a legitimate user, have forgotten their password and have been locked out of their account. An unsuspecting help desk technician follows the usual steps in resetting the user’s password, helping the attacker gain immediate access to critical systems.
Phishing and Cloud Computing
The advent of cloud computing exponentially expanded opportunities for organizations to establish an online presence with a low cost of entry. Managed platforms and services further reduce an organization’s dependence on a highly-skilled technical workforce. However, these opportunities and expanded capabilities also increase the organization’s attack surface.
Organizations using the cloud often have many systems co-located in a single cloud account. Once an attacker gains access to part of the account, they can quickly access other systems or use the information they gather to conduct additional targeted attacks. The attack surface also extends to the cloud or platform provider. If a hacker compromises the cloud or platform provider, your systems and the provider’s other customers are instantly at risk.
Phishing Methods
Phishing attacks take many forms as hackers become more adept at their craft and gather more information about an organization. An elementary phishing campaign might involve spamming a collection of email addresses with a crudely-crafted message and a link to a malware site. This approach may yield some results, but most people know to avoid them. Let’s explore more effective phishing techniques that pose a greater risk to your organization.
Spear Phishing
A spear-phishing attack involves gathering information about the intended target, such as their name, location, job description, and position within the organization. These details are included in the phishing message to make it appear more legitimate.
    Hi Steve,

    This is the Acme Co. corporate help desk. Your manager, Karen Smith, asked us to reach out and validate your credentials for the new payroll system. Please click the link below and enter your username and password to ensure it works after the upgrade.

    http://payroll.acme.com/login

    Acme Corp Help Desk
Whaling
Whaling involves a spear-phishing attack that targets high-level executives based on their responsibilities, access to information, and desires to protect their organization. These attacks are usually well-researched and may take the form of a request related to a legal action or customer complaint that urges the executive to take quick action to prevent damage to the company.
Vishing
With the prevalence of email-based phishing attempts, most users should be aware of and sufficiently wary of suspicious emails. Voice phishing (or vishing) attacks use call centers and automated phone messages to convince users that their computer or account is compromised and walk them through “removing” malware or protecting their account. Unfortunately, these actions have the opposite effect: they compromise an account that was secure. Examples include a vishing call that claims to be from your bank, a credit card company, or a provider such as Microsoft.
Smishing
With the prevalence of high-performance smartphones, SMS phishing (or smishing) has proven very effective for hackers to elicit a response from their victims – a simple text message with a simple request and a link to target both the unsuspecting and the curious. You might receive a text about a delayed package, a recent prize, or a compromised bank account. Clicking the link validates your phone number and might install malware or take you to a site designed to gather your personal information or login credentials.
Phishing or Spam?
Before we continue, the differences between spam and phishing campaigns are worth mentioning. Spam email has been around since the dawn of the email age, and while it can be annoying, it doesn’t come with any inherent risk. Conversely, phishing emails aim to deceive users, steal personal information, or compromise digital resources. While neither is desirable, training your workforce to understand the difference between spam and phishing will empower them with the knowledge to protect themselves and reduce the burden on your security team, who need to mitigate threats from phishing attacks.
Protecting Your Company From Phishing Attacks
Unfortunately, there is no way to guarantee your organization is 100% protected from phishing and social engineering threats. However, you can significantly reduce the risk by regularly educating your users (so they know what to look for) and implementing a stringent auditing process.
Employee Education and Training
When your users understand the threat associated with phishing attacks and know what to look for, they’ll be more suspicious of unusual emails and more likely to report a potential attack than fall victim to it. Please set up a regular training plan for all of your users that engages and educates them about what to look for and how to report suspicious emails to your security team. Some of the warning signs and mitigation steps that this training should include are:
- Identifying a potential threat
  - Did the user initiate the request?
  - Does the email contain grammatical and spelling errors?
  - Is the email trying to trigger an emotional response to encourage immediate action?
- Protecting yourself from a threat
  - Don’t respond to an email with personal information or credentials.
  - Don’t click on embedded links; visit the official website to validate claims.
  - Don’t open emails from unknown senders.
  - Report phishing attempts to your security team or the “Company” sending the email.
Security Auditing
A vital and proactive step your organization should implement is enabling security auditing on your email and communication platforms. A comprehensive security auditing solution should scan incoming emails to look for:
- Suspicious keywords and phrases
- Traditional exploit attempts like cross-site scripting and scripted attacks
- Mismatched links and links to known malware and exploitive sites
A sound security system also gives users an easy mechanism to report suspicious emails that can be quarantined or blocked at a company level. And as a bonus, many of these solutions also protect against spam and other unwanted emails, which both preserves the productivity of your workforce and protects the integrity of your critical systems.
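The following is an added example, not code from the original article: a small Python scanner that applies the warning signs from the training list above and the checks listed under Security Auditing (urgency and credential-request phrases, mismatched links, links to known-bad hosts) to a constructed message modelled on the spear-phishing sample. The phrase lists and the blocklisted host are assumptions made for the example.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: phrases and hosts a security team might maintain.
URGENCY_PHRASES = ("immediately", "urgent", "will be locked", "take action")
CREDENTIAL_PHRASES = ("username and password", "validate your credentials")
KNOWN_BAD_HOSTS = {"payroll-acme-login.example"}

class LinkParser(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):  # lower-cased hostname, scheme optional, '' if there is none
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def scan_email(raw):
    """Return the warning signs found in one text/html message as a list of strings."""
    msg = message_from_string(raw)
    parser = LinkParser()
    parser.feed(msg.get_payload())
    text = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", msg.get_payload())).lower()
    findings = [f"urgency: '{p}'" for p in URGENCY_PHRASES if p in text]
    findings += [f"credential request: '{p}'" for p in CREDENTIAL_PHRASES if p in text]
    for href, shown in parser.links:
        if host_of(href) in KNOWN_BAD_HOSTS:
            findings.append(f"known bad host: {host_of(href)}")
        if "." in shown and " " not in shown and host_of(shown) != host_of(href):  # URL-looking text pointing elsewhere
            findings.append(f"mismatched link: shows {shown} but goes to {href}")
    return findings

# Constructed sample modelled on the article's spear-phishing message (not a real email).
SAMPLE = """Subject: Validate your credentials immediately
Content-Type: text/html

<p>Hi Steve, your manager asked us to validate your credentials for the new payroll system. Please visit
<a href="http://payroll-acme-login.example/login">http://payroll.acme.com/login</a>
and enter your username and password.</p>
"""
```

Calling scan_email(SAMPLE) returns five findings, one per warning sign; a benign intranet message with a link whose visible text matches its destination returns none.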
Detection and Response
If you educate your user base and have a dependable security audit system, you’ll mitigate most phishing attempts that target your organization, but no security system is 100% effective. Below are some additional steps to ensure that your systems remain current and preferably ahead of the game when it comes to protecting against phishing and social engineering.
Identifying Phishing Emails
When someone identifies a new phishing attempt, please review the contents and figure out why it was able to bypass your existing security infrastructure. You can use these attempts as opportunities to improve the education provided to your users and better tune and configure your security systems.
Reporting Phishing Attempts
When your users understand the potential impact of a phishing campaign and know what to look for, they’ll be more likely to identify and report an attempted attack. It’s essential to make the reporting process as easy as possible, especially if you can enable a button in your email application that automatically forwards the email to your security team and automatically identifies and quarantines similar emails within the system until the team can review and mitigate any threats.
Future Trends in Phishing
In the digital economy, information and access are of paramount importance. Given that value, we should expect hackers to continue to evolve and identify new and innovative ways to exploit our users to gain access.
Just as machine learning and artificial intelligence empower us to unlock the power of data within our organizations, these same tools empower hackers to conduct highly dynamic and targeted phishing campaigns against our users.
Hackers will continue to refine their approaches and experiment with different communication protocols to manipulate and exploit our users. The systems we have in place today may be effective against current attacks, but we must continue to review and evolve these systems regularly. In the battle for system security and data protection, we share a common enemy – those who would exploit and attack our systems.
By collaborating and engaging with security professionals from across the technology spectrum, we can remain one step ahead of those with malicious intent.