What is Phishing?

What is Phishing?

Phishing is an attack whereby the attacker impersonates a reputable entity or person in email or other forms of communication, such as SMS or instant messaging. Most commonly attackers will use phishing emails to distribute malicious links or attachments that can perform a variety of malicious functions.

Phishing Attacks

A phishing attack can have devastating results. For individuals, this includes unauthorised purchases, electronic theft of money, or identity theft.

Phishing attacks can often be used to gain a foothold into an organisation’s network, as a part of a larger attack, such as ransomware or Business Email Compromise. This happens when employees are compromised in order to bypass security controls and distribute malware or fraudulent messaging inside the victim organisation.

A successful attack on an organisation can have severe implications such as financial losses and extended outages, in addition to a reduction of market share, damaged reputation, and loss of customer trust.

Types Of Phishing Attacks

Email Phishing Scams

In the most common version of email-based phishing, the attacker sends out thousands of fraudulent messages with the intent of gathering personal information, account credentials or for financial gain. This type of attack is very much a numbers game, even if 1% of several thousand recipients fall for the scam, then the attack can be considered successful.

As with legitimate marketing campaigns, to improve success rates fraudsters will also take the time and effort to maximise their effort by trialling different messaging and tactics and studying their relative success rates.  They will clone emails from a spoofed organisation, by using the same phrasing, typefaces, logos, and signatures to make the messages appear legitimate.

Additionally, attackers will commonly try to push users into action by creating a sense of urgency. For example, an email could threaten account expiration and place the recipient on a deadline. By applying a time-sensitive cue, users are more likely to act sooner rather than later, without much thought.

These scams can be hard to spot, typically having a misspelt website address or extra subdomain, so for example www.commbank.com.au/login could be www.combank.com.au/login. The similarities between the two website addresses give the impression of a legitimate link, making it more difficult to discover an attack is taking place.

Spear Phishing

This is a more precisely focused attack as spear phishing targets a specific person or organisation, as opposed to thousands of people as described above. It’s a more specific type of phishing that often incorporates special knowledge about an organisation, such as its staff members’ names and titles, organisational structure and clients.

A common spear phishing attack scenario is where the attackers will research names of employees within an organisation’s marketing department in order to gain access to the latest project invoices.

Posing as a marketing director, the attacker emails a departmental project manager (PM) using a subject line that reads something like: “Updated invoice for Q3 campaigns”. This email will be a clone of the organisation’s standard email template.

A link in the email redirects to a password-protected internal document, which is simply a spoofed version of a stolen invoice. The PM is requested to log in to view the document. The attacker steals the login credentials, gaining full access to sensitive areas within the organisation’s network.

By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of further attacks, such as ransomware or Business Email Compromise.

How To Prevent Phishing

To protect against phishing attacks some steps should be taken by both employees and enterprises.

For employees, simple vigilance is vital. A spoofed message will almost always contain subtle differences that expose their fraudulent purpose. These frequently include spelling errors such as website names. Users should also stop and think about why they’re even receiving the email and if it seems unusual or out of character for the alleged sender.

At an enterprise level, a number of steps can be taken to mitigate both phishing and spear phishing attacks:

• Two-factor authentication (2FA) is the most effective method for countering phishing attacks, as it adds an extra verification layer when logging in to applications. 2FA relies on users having two things: something they know, such as a password and username, and something they have, such as a mobile phone running an authentication app.
• Organisations should enforce a strict password management policy that takes into account how people actually behave. For example, staff should be required to use passwords that are difficult for an attacker to guess but not so complex they can’t be remembered by people. Passphrases are often a better strategy than complex passwords. Password managers combine convenience and strong passwords and their use should be encouraged. Staff should be educated not to reuse the same password for multiple accounts, as this makes password spraying attacks much easier.
• Empowering employees through engaging and informative cyber security awareness training will help reduce the threat of most cyber security attacks, including phishing.
• Enable SPF and DMARC to make it more difficult for attackers to send email faking an organisation’s identity.

Early Warning SMS

Early warning notifications assist in managing critical security threats to your network. AusCERT monitors malicious activity online and the Early Warning Service provides SMS notifications of any immediate and serious threats relevant to your industry.

To find out more about this service click here.