Any organization or individual anywhere in the world can fall victim to a phishing attack. Phishing is a type of cyber crime that aims to steal information, breach security, or maliciously damage reputation. But how exactly does it happen? And is there anything we can do to stop it?
You receive an urgent message, perhaps from a friend on social media, your bank, or a healthcare organization. It seems to be a genuine message from a trusted source so you click and do what the message asks. Just like that, you’re the victim of a crime, a phishing attack which is a kind of weaponized email.
‘Phishing’ - pronounced ‘fishing’ - is one of the oldest forms of cyber attack; it’s been around since the 90s when email as a form of business communication became widespread.
Since then, phishing campaigns have grown in sophistication, prevalence, and ease. You don’t need to be a tech-savvy cyber criminal to set up a phishing scam. All you need is the right kit.
Phishing requires minimal resources and is easy to implement. In fact there are even kits that can be used specifically to carry out such an attack.
Phishing kits consist of a bundle of tools that an attacker can simply install on a server. The kit makes it easy for the scammer to throw a line out to potential prey via emails. They can target as many individuals or companies as they like; the email addresses are easy to get from sources on the dark web.
Phishing kits make life easy for attackers. Some can even help to mimic brands and organizations that might be well known and trusted by victims. A familiar name, like a friendly face, is far more likely to succeed in gaining your trust than a stranger.
Private individuals can be victims, but so can companies and organizations with legitimate telephone system office numbers. There is also an attack called smishing for sms phishing.
When it comes to confidentiality and privilege, it’s an act of trust when a customer allows a company to hold their personal information, but scammers will try every trick in the book to gain access to it.
Reeling You in
So how does a phishing scam work? Generally, it goes like this. You receive a phishing email that looks and feels genuine, and you click a link which takes you to a fake page that looks exactly the same as (or close enough to) the genuine page.
The email asks you to renew a subscription, update personal details, or change a password. The scammer monitors the fake page, and when you respond, they harvest your data and store it in a database set up for the phished information.
We’re deep into the maritime metaphors now! Yes, trawling, spear phishing and whaling are techniques cyber attackers use, each designed to hook a different size prey.
Here are some tactics scammers use for phishing:
Trawling is the act of trying to catch as many victims as possible, think quantity over quality. Attackers cast their nets wide assuming that somewhere amongst the vast numbers they catch there will be a few more valuable victims.
Attackers may send thousands of fraudulent emails in an attempt to increase their ‘catch’. They go to great lengths to make the email look legitimate and often include a time pressure to give a sense of urgency to the message. By doing this they hope to persuade as many people as they can to click on a link or send the information they want.
With this type of phishing everyone is at risk. Whether you are an individual, a small business or a large corporation, your data is a target.
Some attacks have a particular fish in mind! They are personalized messages designed to target an individual, small business or specific type of organization. It targets a specific domain, unlike trawling which targets anyone and everyone. This is spear phishing. Think of a fisherman staring down into the water with a spear in their hand, focused on that one vulnerable looking fish.
Attackers using this tactic might have done their homework. Most of us put out terrifying amounts of personal and professional information on social media and other platforms without a second thought. But to a cyber attacker on a spear phishing trip, this is a gift. It’s much easier to fake an email from a colleague or friend, when you know where your victim works, and even who they work with.
Whale phishing is an attack on the very biggest fish in the sea (and yes, whales are mammals! But let’s stick with the fishing imagery). The attackers here are going for high status and valuable prey, such as CEOs and senior executives, board members. Although these individuals are powerful within companies, they have certain vulnerabilities. They have access to a lot of interesting accounts such as their internet phone service providers and access to every area of their company’s infrastructure.
Although some sectors like finance are juicier prey, phishing attacks can cost any type of business time and money. For downtime other requirements should be done and worst of all, they can erode customers’ and clients’ trust in a business.
Another consequence of a breach in a firm’s security caused by a phishing attack is that it can undermine the staff’s sense of security. A feeling of being vulnerable to crime can affect the quality of the company’s culture in terms of the workforce. It’s good to ask occasionally what is quality culture? And what is security culture? Undoubtedly, feeling that the company data is safe and well protected is part of this.
What Are They Trying to Catch?
So what kind of data are attackers after? Basically, they want you to hand over sensitive information, like usernames or passwords, and through these, access to accounts and finances.
Their other aim is to get you to download malware. The idea is to get you to infect your own computer or your company’s network. This could come in the form of an attachment to download or to open a file containing malicious code.
Don’t Take the Bait
Apart from the security aspects, getting caught by a phishing attack has a financial cost. Business costs are rising constantly, ranging from domain name registration costs to staffing and premises expenses. It might seem that defending your business from phishing attacks will be yet more outlay, but there are things you can do that might not cost the Earth.
It can be a case of staff education; making sure everyone knows what to look out for, and providing workers with step-by-step guides for spotting and checking anything suspicious. We also run phishing campaign/simulators. Things you could encourage, include:
Always check the spelling and general format of links and addresses. Make sure you aren’t redirected to a suspicious website that mimics the genuine one. You can hover with the mouse to see where the link is redirected to.
Contact the Source
This goes for phone numbers as well as email addresses. When in doubt, call or email to check, but make sure you look up either the number or address from scratch. Don’t be tempted to reply to the email you received or call the person back on the number they supply. If they say they are your bank, contact your bank to check.
As an individual, don’t post personal information for the whole world to see. This includes your date of birth, address, phone number, and other details. Check your privacy settings, do you need to have a public account?
In the Workplace
Look for weak points in your communications. Encourage staff to be vigilant, reward staff members who spot scam emails, and encourage a security culture of awareness. Circulate lists of the most common subject lines in scam emails such as: urgent, request, important, payment, and attention. Make staff aware of the most targeted industries and most impersonated brands.
Phones Are Targets Too
Don’t neglect phone calls in making your staff alert to phishing attacks. There are also phishing scams known as smishing, which target mobile phones through text messages. Although most phishing scams are via email, some do come via phone. It’s not always possible to know where your caller is from, thanks to the use of VoIP. In short, there are many low cost, common sense ways to increase security for your business. Some other basic ones are shown below.
Cyber crime like phishing attacks is, of course, a result of our connected and largely remote, online world and workplaces; life at home and at work is more virtual than ever before.
There are huge benefits to business of this shift. Most companies work across continents and time zones, and many have seen the cost-saving bonus of moving interactions that used to be face-to-face to the virtual space. Trends such as hybrid work patterns mean that, with employees based at home for at least some of the working week, far less office space is required.
But for criminals engaged in phishing attacks, the virtual workspace has multiplied the number of fish in the sea, ready to be reeled in. In some ways, having employees based partly in their home environments, outside of office culture and security, adds to a company’s vulnerability when it comes to those trying to trick and catch us.
Swimming Against the Tide
One thing is for certain, as we navigate our way through the ever changing technology-based world we live and work in, phishing attacks and other cyber crimes will constantly evolve and change. Knowing what the future holds precisely, may not be possible. But it’s clear human beings, as well as systems, are fallible when it comes to phishing attacks. Therefore, companies will need technology that goes beyond spam filters and antivirus software.
One interesting trend is the use of AI, artificial intelligence, and its ability to predict and anticipate behavior and strategies. AI could become a vital tool in the fight against cyber crime.
Of course, scammers are also aware of AI’s potential, and will be working on ways to make use of it in ever more sophisticated versions of phishing attacks. It seems clear that the future will involve a kind of technological arms race between the criminals and their prey. The only question is, who can swim faster?