Guide to Phishing
What is Phishing?
Phishing is a form of social engineering in which an attacker tries to obtain confidential information such as usernames, passwords and credit card numbers by winning a degree of ‘trust’ from the victim. Phishing comes in several forms: phone calls (vishing), SMS (smishing) and, by far the most common, email.
The attack can be tailored to a named individual or a small group, which is known as spear phishing: the message addresses the target by name and references details of their role to make the ‘trusted’ source more convincing. When the targets are senior staff, such as managers, company directors, the Chief Technical Officer or the Chief Executive Officer, this is known as whaling.
Below we identify a few forms of phishing and highlight possible ways in which these threats can be mitigated.
Vishing combines ‘voice’ and ‘phishing’. These calls are usually placed over an internet telephone service (VoIP), which makes the caller ID cheap to spoof. A common tactic is to masquerade as a support technician who needs the victim’s login details to ‘help’ make changes to their account or device. Unsuspecting users often hand over the details the attacker asks for, such as login credentials, to have a fictitious issue resolved, leaving the attacker with a potential way into the organisation.
This type of attack is mitigated through end-user awareness: employees are briefed in cyber awareness training on the dangers of vishing and learn to be more diligent when sharing information over the phone. A simple procedural check is to never give credentials to an inbound caller, and instead hang up and call back on a number published by the organisation the caller claims to represent.
Phishing attempts over SMS are known as smishing. The attacker borrows the identity of a well-known organisation that is relevant to the victim, such as the National Health Service (NHS), and times the message to events that make it plausible, for example a healthcare pandemic like COVID-19. The victim is therefore more likely to click the link in the SMS, which leads to a landing page that tricks them into revealing personal data such as their NHS number.
Smishing is also mitigated through end-user awareness: train users to ignore unsolicited SMS messages that ask for information or contain links, and to reach the organisation through its published website or app rather than through the link in the message.
Cybercriminals generally launch a mass email phishing campaign against a targeted group of people within an organisation. The email carries a malicious link or attachment, an enticing subject line and a credible-looking sender address. Think of this as ‘casting the net’, with the emails as the ‘bait’ for unsuspecting users to click through. This poses a significant risk to businesses, because with the right ‘bait’ confidential information is handed over through the victim’s own cooperation with the attacker. Other risks include service disruption from malware delivered in an attachment, or data held to ransom by ransomware deployed the same way. The level of damage from a phishing attack varies with the attacker’s incentive behind it.
Because this form of attack preys on human nature, it is difficult to mitigate completely. However, with adequate email controls to filter phishing attempts it can certainly be controlled. A combination of end-user awareness and technical tools is used to mitigate the risk.
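The email controls mentioned above work on signals that do not depend on a threat feed: the gateway’s SPF/DKIM/DMARC verdicts, a bounce address that does not match the visible sender, a display name that borrows a trusted brand, and lookalike domains. The following script is an added example written for this page, not code from OmniCyber Security; the trusted domain list, brand words and the three sample messages are constructed for illustration.

```python
"""Heuristic phishing checks over raw email headers (added example).

Assumptions: TRUSTED_DOMAINS and BRAND_WORDS describe the organisation and the
suppliers it expects mail from; the sample messages below are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "supplier.example"}   # assumption for this example
BRAND_WORDS = {"example", "supplier"}                     # words a spoofer puts in a display name


def domain_of(header_value):
    """Lower-cased domain part of an address header, '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def normalise(domain):
    """Fold common confusable substitutions so examp1e.com compares equal to example.com."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance; enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) == 1:
            return trusted
    return None


def auth_results(msg):
    """spf/dkim/dmarc verdicts from the gateway's Authentication-Results header."""
    header = str(msg.get("Authentication-Results", "")).lower()
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def assess(raw):
    """Return the reasons a message looks like a phish; an empty list means no signal fired."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    from_header = str(msg.get("From", ""))
    display_name, _ = parseaddr(from_header)
    from_domain = domain_of(from_header)
    return_domain = domain_of(msg.get("Return-Path"))

    for mech, verdict in auth_results(msg).items():
        if verdict == "fail":
            reasons.append(f"{mech} failed")

    # Classic header spoof: the visible sender is our domain, the bounce address is not.
    # Some legitimate bulk senders do this too, so treat it as a signal, not a verdict.
    if from_domain in TRUSTED_DOMAINS and return_domain and return_domain != from_domain:
        reasons.append(f"Return-Path {return_domain} does not match From {from_domain}")

    target = lookalike_of(from_domain)
    if target:
        reasons.append(f"From domain {from_domain} imitates {target}")

    # A trusted brand in the display name attached to an untrusted address.
    if from_domain not in TRUSTED_DOMAINS and any(w in display_name.lower() for w in BRAND_WORDS):
        reasons.append(f"display name '{display_name}' with untrusted domain {from_domain}")

    # Replies silently routed to a different domain than the visible sender.
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To {reply_domain} differs from From {from_domain}")
    return reasons


# Constructed sample messages (not real captures).
SPOOFED = """\
Return-Path: <bounce@mail-relay.invalid>
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail
From: "Finance Director" <director@example.com>
To: controller@example.com
Subject: Urgent wire transfer

Please wire the attached invoice today.
"""

LOOKALIKE = """\
Return-Path: <billing@examp1e.com>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
From: "Example Accounts" <billing@examp1e.com>
Reply-To: <payments@examp1e.com>
To: controller@example.com
Subject: Updated bank details

Our bank details have changed, see attachment.
"""

LEGIT = """\
Return-Path: <alice@supplier.example>
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
From: Alice <alice@supplier.example>
To: bob@example.com
Subject: Q3 order confirmation

Thanks for the order.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(name, "->", assess(raw) or "no signals")
```

The lookalike message passes SPF, DKIM and DMARC because the attacker owns examp1e.com and has configured it correctly, which is why authentication results alone are not enough and the domain and display-name checks are needed alongside them.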
How can phishing impact businesses?
A successful phishing attack can impact businesses in many ways, such as:
- Identity Theft
- Reputational Damage
- Theft of Sensitive Data
- Installation of Malware and Ransomware
- Loss of Usernames and Passwords
- Data Sold on To Criminal Third Parties
- Theft of Funds from Business and Client Accounts
- Loss of Intellectual Property
- Access to Systems to Launch Future Attacks
- Theft of Client Information
It was reported by ‘The Guardian’ and the ‘thesslstore.com’ blog that in 2015: “The Scoular Company, a commodities trading firm, was scammed out of more than $17 million in an elaborate spear phishing scam.
Phishers, pretending to be the company’s CEO, sent emails to the company’s controller, instructing them to wire funds while referencing the company’s real accounting firm. The contact information they provided was fake — the email address was from a Russian server, and the Skype phone number was registered using an IP address in Israel”.
This is a clear-cut instance of the financial and reputational damage a successful phishing attack can cause to an organisation and its employees.
How can we prevent phishing?
As mentioned above, the most common way to defend against Smishing and Vishing is through end-user awareness. This also applies to standard email phishing campaigns. However, there are technical tools that further mitigate the risk of phishing through email.
It can be challenging to judge how effective end-user awareness training is, so many institutions run simulated phishing campaigns to measure how susceptible their users are to these attacks. OmniCyber Security offers social engineering engagements, where our team carefully crafts a combination of phishing methods to penetrate your networks and help your business understand how ‘at risk’ it is from phishing.
Multi-factor authentication can also be used to limit what a phished password is worth. Attackers commonly obtain credentials through phishing and then use them to access the targeted system; with multi-factor authentication enabled, a stolen password alone is not enough, because the attacker does not hold the second factor. Note that one-time codes sent by SMS or generated by an app can still be relayed by an attacker who proxies the login in real time, so they raise the bar rather than remove the risk; phishing-resistant methods such as FIDO2 security keys bind the login to the genuine site and defeat that relay.
Most email phishing attempts are caught at the mail gateway, where security tools rely on knowledge of previously identified threats such as known-bad senders, URLs and attachment hashes. As campaigns grow more sophisticated, attackers masquerade as ‘trusted’ sources such as suppliers, and when they send from a supplier’s genuinely compromised mailbox the message passes every authentication check. At this point it becomes incredibly difficult to tell friend from foe.
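To make the multi-factor point concrete, the following is an added example written for this page, not OmniCyber Security’s code: a time-based one-time password (TOTP, RFC 6238) implementation with a login check that requires both the password and the current code, accepts one 30-second step of clock skew either side, and refuses to accept any step twice so a captured code cannot be replayed. The account store, salt and password are constructed for the example; the TOTP seed is the RFC 4226/6238 test secret so the expected codes are the published vectors.

```python
"""Password + TOTP login check (added example, RFC 4226 HOTP / RFC 6238 TOTP).

Assumption: Account is a stand-in for a real user store; in production the
TOTP seed lives in an encrypted store or HSM and the salt is per-user random."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step, digits)


class Account:
    """Minimal account record: salted password hash, TOTP seed, replay guard."""

    def __init__(self, password, totp_secret):
        self.salt = b"static-salt-for-example"       # constructed; use os.urandom(16) per user
        self.password_hash = self._hash(password)
        self.totp_secret = totp_secret
        self.last_counter = -1                        # highest time step already accepted

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self._hash(password), self.password_hash)

    def check_code(self, code, now, window=1):
        """Accept the current step and `window` steps either side, each step at most once."""
        current = int(now) // STEP_SECONDS
        for counter in range(current - window, current + window + 1):
            if counter <= self.last_counter:
                continue                              # already used: a replayed code is rejected
            if hmac.compare_digest(hotp(self.totp_secret, counter), code):
                self.last_counter = counter
                return True
        return False


def login(account, password, code, now=None):
    """Both factors must pass; a phished password with no or a wrong code fails."""
    now = time.time() if now is None else now
    if not account.check_password(password):
        return False
    return code is not None and account.check_code(code, now)


if __name__ == "__main__":
    seed = b"12345678901234567890"                    # RFC 4226/6238 test secret
    acct = Account("correct-horse", seed)
    print("password only:", login(acct, "correct-horse", None, 59))
    print("password + code:", login(acct, "correct-horse", totp(seed, 59), 59))
    print("replayed code:", login(acct, "correct-horse", totp(seed, 59), 59))
```

The replay guard matters because a phishing page that captures a password and a live code hands the attacker a window of about a minute; rejecting already-used steps shrinks that to a single use, though a proxy that forwards the code instantly is only stopped by an origin-bound factor.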
To find out more, contact OmniCyber Security.