What is Phishing?
Phishing is a form of social engineering attack that uses electronic communication to exploit the human element by taking advantage of unsuspecting users. The aim of these attacks is to obtain sensitive information that can be used to achieve an end goal. That goal could be, for example, to gain a foothold on an organisation's internal network, ultimately leading to a full network compromise, or quite simply to obtain credit card information for fraudulent purposes.
Phishing Mechanics
Phishing attacks typically leverage e-mail, with the attacker sending legitimate-looking messages to deceive the user. Two methods are commonly employed. The first places a malicious attachment in the e-mail which, when opened, installs malware in one of its various forms on the victim's machine. The second provides links within the e-mail to the attacker's spoofed or cloned website.
Types of Phishing
When it comes to phishing attacks, they all have a similar aim: to obtain useful information that benefits the attacker or provides them with some form of advantage, be it financially motivated or otherwise.
Spear Phishing
Some phishing campaigns use more focused methods rather than spamming e-mails across an organisation and waiting for an employee to bite. With this approach the attacker tailors the e-mail with details of the target, such as their name, position and company, so that the recipient is more likely to believe they have had previous contact with the sender. This type of phishing attack is currently highly successful and accounts for over 90% of phishing attacks carried out.
Clone Phishing
Clone phishing is a type of attack that duplicates a legitimate e-mail and sends it from an identical-looking address so that it resembles the original sender. The attacker tampers with the e-mail by replacing its attachments with their own malicious attachments. The success rate of clone phishing is also quite high, as the e-mail contains identical content and known company logos that the recipient is familiar with, and hence they are more likely to trust the source.
Whaling
Whaling is another variant in which the attacker targets high-profile executives with the aim of a greater reward. Some attackers craft e-mails of a legal or authoritative nature to grab the attention of the board-level or executive member. Like clone phishing, these e-mails are very difficult to distinguish from real ones, as they are clones of legitimate e-mails.
Phishing Prevention
There are multiple ways to reduce the chances of a successful phishing attack: some rely on visual markers to identify scam e-mails, others on creating the right culture.
Look out for the following when distinguishing a legitimate e-mail from a fraudulent one:
- Poor use of spelling and grammar.
- Suspicious attachments and/or extensions such as .bat or .exe
- ‘Scare tactics’ to instil a sense of fear or emergency to entice action from the victim.
- Unusual links embedded within the email.
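The indicators in the list above can be checked mechanically before an e-mail reaches a user. The following script is an added example, not code from the original article: it parses a raw MIME message with Python's standard `email` library and reports executable attachment extensions, a Reply-To domain that differs from the visible sender, urgency phrases, and links whose visible text names a different host than the one they actually point to. The extension list, the urgency phrases and the sample message are all constructed for illustration and would be tuned to a real environment.

```python
import email
import re
from email import policy
from typing import List
from urllib.parse import urlparse

# Extensions the article calls out (.bat, .exe) plus a few other executable
# types commonly blocked at mail gateways; an assumed, extendable list.
SUSPICIOUS_EXTENSIONS = {".bat", ".exe", ".cmd", ".scr", ".vbs", ".js"}

# Phrases matching the "scare tactics" indicator; an assumed word list.
URGENCY_PHRASES = ("immediately", "urgent", "suspended",
                   "within 24 hours", "verify your account")

# Matches HTML anchors so the visible label can be compared with the href.
HREF_RE = re.compile(r'<a\s+[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                     re.I | re.S)


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address header, or ''."""
    addr = str(addr)
    return addr.rsplit("@", 1)[-1].strip("> ").lower() if "@" in addr else ""


def analyse(raw: str) -> List[str]:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Indicator: replies are routed to a domain other than the visible sender's.
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # Indicator: attachments with executable extensions (including double extensions).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if any(name.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS):
            findings.append(f"suspicious attachment: {name}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    # Indicator: urgency / scare-tactic language in subject or body.
    lowered = (str(msg.get("Subject", "")) + " " + text).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            findings.append(f"urgency phrase: '{phrase}'")

    # Indicator: link text that looks like a URL but resolves to a different host.
    for href, label in HREF_RE.findall(text):
        href_host = urlparse(href).hostname or ""
        label_clean = re.sub(r"<[^>]+>", "", label).strip()
        if label_clean.startswith(("http://", "https://", "www.")):
            label_url = label_clean if "://" in label_clean else "http://" + label_clean
            label_host = urlparse(label_url).hostname or ""
            if label_host and label_host != href_host:
                findings.append(f"link text shows {label_host} but points to {href_host}")
    return findings


# Constructed sample message exhibiting every indicator at once.
SAMPLE_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: support@example-mail-login.test
To: staff@example.com
Subject: Action required: account suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<p>Your mailbox will be suspended within 24 hours unless you verify your account.</p>
<p>Login here: <a href="http://example-mail-login.test/login">https://mail.example.com</a></p>
--BOUNDARY
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--BOUNDARY--
"""

if __name__ == "__main__":
    for finding in analyse(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed sample, the script reports the mismatched Reply-To domain, the double-extension attachment, three urgency phrases and the link whose label names mail.example.com while its href points elsewhere. Each check is deliberately simple; in practice such heuristics feed a scoring model or a gateway rule rather than a hard block, since legitimate mail trips individual indicators too.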
Work towards establishing a strong security culture within an organisation to prevent social engineering attacks by:
- Encouraging staff to report phishing incidents and reinforcing that they will not be punished for falling victim to a phishing attack. A blame or 'point the finger' culture only increases the risk to the business.
- Providing regular staff training that educates them on the threats posed by phishing. This alone gets them thinking, and employees are likely to be more wary when opening e-mails.
- Social engineering attacks like phishing exploit human psychology; understanding these triggers and highlighting them as part of training also helps. A common ploy is the attacker posing as a senior or authoritative figure to intimidate the victim.
Once a training programme has been implemented, simulated phishing campaigns can be carried out to measure the effectiveness of the staff training and to provide further education for those employees who require it.
It is also worth acknowledging that technical controls, in the form of software that sits on each client or endpoint, provide another layer of protection against the threats discussed.
