You are probably familiar with phishing, either from media reports or because you occasionally receive questionable e-mails yourself. The word is a play on "fishing" (the "ph" spelling comes from the older hacker term "phreaking") and describes the attempt to obtain valuable information illegitimately, such as access credentials, or to get someone to perform a specific action. It is a form of social engineering in which the attacker poses as a trustworthy company or person, typically using forged e-mails and/or fraudulent web sites. Does this sound familiar? Then read on. In this blog post we explain how attackers operate, the different forms of attack, why phishing is so successful and, most importantly, how you can protect yourself.
The main principles of phishing
Now you know what a phishing attack is; or perhaps not quite yet. Attackers are inventive, the cyber world is extremely dynamic, and new variants appear every day. Here are the most relevant ones.
The classic: mass phishing
The best-known form is so-called "mass phishing", which does not target anyone in particular. Forged e-mails are sent indiscriminately to a huge number of recipients in the hope of luring some of them to specially crafted web sites and getting them to disclose sensitive information, such as credit card numbers or passwords. These e-mails contain nothing specific to the recipient, but they often reproduce well-known brands and company logos. In recent months many such campaigns have made the news; unfortunately, most of them were successful.
The targeted: spear phishing
Spear phishing is an advanced form of classic phishing. The attacker poses as a business partner, supplier or other acquaintance of the victim and so wins their trust. The aim is the same: the recipient is asked to disclose confidential information or to open an infected attachment (e.g. a Word document with a malicious macro). The recipients are not chosen at random; the attack is aimed at one specific person or company. The attacker prepares by collecting information about the victim, for instance from the company's web site or from social networks, and uses it to tailor the message. This is why you keep being told not to give away too much personal information online.
For the big fish: whaling
Whaling is a subset of spear phishing in which the targets are top executives, politicians or other prominent people. The targets are selected very carefully, and the forged e-mails and web sites are customised in great detail to deceive them. Again the objective is to steal personal or sensitive information from the victim. When the attacker poses as a top executive of the victim's own company and tries to convince the victim to transfer money to a foreign bank account, the attack is also called "CEO fraud".
Phishing on other channels
Hackers are not only ingenious but also creative. Although e-mail remains the favourite channel (and unfortunately a successful one), attackers have realised that phishing has more potential, and have developed several further attack channels beyond e-mail.
Business as usual: e-mail
Most attacks still arrive by e-mail. Attackers use many techniques to deceive their targets: the sender address can be forged or hidden behind a misleading display name; a domain can be registered that closely resembles a legitimate one (so-called "typosquatting"); and links can show one destination in their text while pointing to another.
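The tricks listed above can be checked for mechanically. The following script is an added example (not InfoGuard's code): it parses one e-mail with Python's standard library and flags a display name that contradicts the sender domain, a sender domain that is a look-alike of a trusted one, a Reply-To that diverts answers elsewhere, and link text that hides a different destination. The trusted domains, the sample message and the distance threshold are constructed assumptions for the demonstration.

```python
"""Heuristic checks for the e-mail tricks described above.  Added example,
not InfoGuard code; the trusted domains and the sample mail are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the organisation legitimately corresponds with.
TRUSTED_DOMAINS = ["example.com", "acme-bank.example"]

# Constructed phishing mail exhibiting all four tricks (not a real message).
SAMPLE_MAIL = b"""\
From: "Example Support" <support@examp1e.com>
Reply-To: helpdesk@mailbox.evil.test
To: victim@example.com
Subject: Your account will be locked in 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your account now:</p>
<a href="http://example.com.evil.test/login">https://www.example.com/login</a>
</body></html>
"""


def normalise(host):
    """Lower-case a host name and drop a leading 'www.'"""
    host = (host or "").lower().strip().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def is_trusted(host):
    h = normalise(host)
    return any(h == t or h.endswith("." + t) for t in TRUSTED_DOMAINS)


def edit_distance(a, b):
    """Levenshtein distance; a small value between domains signals typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain that `host` imitates, or None."""
    h = normalise(host)
    if not h or is_trusted(h):
        return None
    # Near-identical spelling (examp1e.com) or the trusted name buried inside
    # an unrelated domain (example.com.evil.test).  Threshold 2 is an assumption.
    hits = [t for t in TRUSTED_DOMAINS if edit_distance(h, t) <= 2 or t.split(".")[0] in h]
    return max(hits, key=len) if hits else None


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def analyse(raw):
    """Return a list of human-readable findings for one raw e-mail message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    display, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rsplit("@", 1)[-1]

    if not is_trusted(from_domain):
        # Display name borrows a trusted brand while the address does not match.
        if any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS):
            findings.append(f"display name {display!r} does not match sender domain {from_domain}")
        imitated = lookalike_of(from_domain)
        if imitated:
            findings.append(f"sender domain {from_domain} looks like {imitated}")

    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_to and normalise(reply_to.rsplit("@", 1)[-1]) != normalise(from_domain):
        findings.append(f"Reply-To {reply_to} diverts replies away from {from_domain}")

    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        parser = LinkExtractor()
        parser.feed(html.get_content())
        for text, href in parser.links:
            target = normalise(urlparse(href).hostname)
            shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
            if shown and normalise(shown.group(0)) != target:
                findings.append(f"link text shows {shown.group(0)} but points to {target}")
            elif lookalike_of(target):
                findings.append(f"link target {target} imitates {lookalike_of(target)}")
    return findings


if __name__ == "__main__":
    for line in analyse(SAMPLE_MAIL):
        print("-", line)
```

The checks are deliberately simple heuristics: they produce a list of reasons a human reviewer (or a mail gateway rule) can act on, and a clean message from a trusted domain produces no findings at all.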
On a personal level: smishing
The name "smishing" combines SMS and phishing. The attack is a fake text message that tries to persuade the recipient to hand over personal information or to install malware on the smartphone. As sender ID the attacker sometimes uses a telephone number known to the victim or belonging to someone in their environment.
Yet more personal: vishing
Vishing stands for "voice phishing". In a telephone call the unsuspecting target is asked to give away sensitive information or to perform some action against their interests.
The unconventional: QR phishing
In QR phishing, existing QR codes are tampered with or fake codes are sent, leading the victim to a malicious URL where, for instance, a download to the mobile device is started, a script is run or a forged web site is displayed.
Pharming: trawl phishing
A more developed form of classic phishing is so-called pharming. Instead of tricking the user into clicking a wrong link, it manipulates name resolution: the DNS answers the browser relies on are falsified, e.g. by a man-in-the-middle attack known as "DNS spoofing", so that visitors are led to a fake web site. Alternatively the local hosts file is altered: a Trojan horse or virus modifies the target system so that, for specific web sites, the browser is redirected to a fake site even though the user typed the correct address.
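The hosts-file variant leaves a trace on disk that can be audited. The following script is an added example (not InfoGuard's code): it parses hosts-file text and reports any entry that pins a watched domain to a fixed address, which bypasses DNS entirely, plus any other entry pointing off the local machine for review. The watched domains and the tampered sample file are constructed assumptions for the demonstration; on a real system you would read /etc/hosts or C:\Windows\System32\drivers\etc\hosts instead of the embedded sample.

```python
"""Audit a hosts file for the local pharming variant described above.
Added example, not InfoGuard code; domains and the sample file are constructed."""
import ipaddress

# Assumption: names we never expect to see overridden locally.
WATCHED = ["example.com", "acme-bank.example"]

# Constructed sample of a tampered hosts file (not taken from a real system).
HOSTS_SAMPLE = """\
# standard entries
127.0.0.1    localhost
::1          localhost ip6-localhost
0.0.0.0      ads.tracker.example     # ad blocking, harmless
192.168.10.5 intranet.corp.local wiki.corp.local
203.0.113.77 www.acme-bank.example acme-bank.example   # injected by malware
"""


def parse_hosts(text):
    """Yield (lineno, address-or-None, hostname) for every mapping in a hosts
    file.  Comments and blank lines are skipped, one line may name several
    hosts, and an unparsable address is reported with address None."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            yield lineno, None, fields[0]
            continue
        for name in fields[1:]:
            yield lineno, addr, name.lower().rstrip(".")


def is_watched(name):
    """True for a watched domain or any of its subdomains."""
    return any(name == w or name.endswith("." + w) for w in WATCHED)


def audit_hosts(text):
    """Return a list of (severity, lineno, hostname, address) findings."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if addr is None:
            findings.append(("malformed", lineno, name, None))
        elif is_watched(name):
            # The resolver consults the hosts file before DNS, so the browser
            # goes wherever this address says, whatever the user typed.
            findings.append(("pharming", lineno, name, str(addr)))
        elif not (addr.is_loopback or addr.is_unspecified):
            # Loopback and 0.0.0.0 entries are normal; anything else pointing
            # off the local machine deserves a look.
            findings.append(("review", lineno, name, str(addr)))
    return findings


if __name__ == "__main__":
    for severity, lineno, name, addr in audit_hosts(HOSTS_SAMPLE):
        print(f"{severity:9} line {lineno}: {name} -> {addr}")
```

The "review" entries (here the intranet names) may be perfectly legitimate; the point is that a workstation's hosts file normally contains nothing but localhost entries, so everything else is worth a second look, and a watched brand or banking domain should never appear in it at all.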
Why is phishing so successful?
Perhaps you think that others may fall for a phishing mail, but of course YOU would not. Our experience from numerous phishing audits shows again and again that a well-prepared e-mail is always effective, often even more effective than marketing mailings!
As mentioned above, phishing is a kind of social engineering: an attack on the human rather than the technical level. The attacker uses psychological tricks and human interaction to manipulate the victim into an undesired action, such as disclosing sensitive information. At the core of every successful attack is the establishment of trust: the attacker makes himself appear trustworthy to the victim. This is easier the more information the attacker can gather about the target person or company beforehand and use to refine the attack. Simply exploiting human "weaknesses" such as curiosity or helpfulness can be enough, since both are part of human nature and hard to change. Many attacks also apply pressure with a promised or threatened consequence, for example a financial incentive, or the loss of some function if the requested action is delayed. Feigning authority is another common trick: the victim is instructed by a supposed superior to perform an action.
The hacker's challenge is to craft context and content that appear legitimate, and thanks to online search that is much easier than it used to be. Our knowledge and many years of experience show that (almost) anyone can be induced to click on a link or give away sensitive information if the attacker puts enough effort into the approach.
The recipe for a successful phishing attack combines psychological tricks with targeted information. Technical protections are only partly effective; people are the weakest link in the security chain, and that will not change. Indeed, the least technically minded employees are the greatest risk factor. Raising awareness is therefore the most important and most effective way to protect your enterprise against phishing attacks.
Test your employees’ security awareness
InfoGuard can check your staff's security awareness in a targeted one-off audit or as a continuous service. This consists of simulated phishing and malware attacks based on predefined scenarios; the behaviour of your staff is observed and evaluated in detail. But assessing the level of awareness is only one side of the coin; it is even more important to close the knowledge gaps the assessment reveals. The aim must be to detect wrong behaviour and correct it immediately.
To fight off phishing attacks effectively, your employees need to be aware of the threat: they must be able to recognise an attack when they see one, and understand the social engineering tricks that may be used to deceive them. Enterprises must raise their employees' awareness and also consider carefully what information they publish on the Internet. In a previous post on this blog we summarised the most important rules for dealing with e-mail and social media, and we also offer a free checklist with 15 practical tips for defending against social engineering. You can download the checklist here:
Information protection stands or falls with the active support of your employees, including management. To deliver the required basic knowledge, raise staff awareness of information security and achieve lasting changes in behaviour, you need suitable security awareness measures.
We are happy to support you in this – contact us now!