What is Phishing?
Phishing is a common social engineering attack that tries to manipulate you into sharing sensitive personal information or installing malicious software onto your computer. This is done by a cybercriminal fraudulently impersonating a known sender – hoping you will unknowingly supply personal information they can use for financial gain.
A cybercriminal’s ability to be exceptionally convincing is what makes this type of attack successful. Once they have the data they need, they can access online accounts, obtain personal data, or even compromise systems.
The most widely known form of phishing is done via email. CISA reports that more than 90% of successful cyber-attacks start with a phishing email (CISA, n.d.). Understanding phishing, and how to avoid being phished, is a critical element in your organization’s cybersecurity plan.
A Brief History of Phishing
The origin of phishing started around 1995 and took hold during the popular days of America Online (AOL). Phishers began their attacks on AOL by stealing users’ passwords and employing algorithms designed to create randomized credit card numbers (Phishing, 2022), but this strategy wouldn’t last forever.
Once AOL caught on and implemented security measures to prevent this type of attack, these early hackers moved on to create techniques that continue to be a foundation for phishing attacks. The hackers began impersonating AOL employees, then messaged users via email and AOL Instant Messenger (AIM). During these interactions, they would fool their victims into giving them their account and billing information.
In 2001, phishers turned their attention to online payment systems and employed more manipulative techniques to create a false sense of safety for their victims. This often meant standing up look-alike sites served over HTTPS so that the browser’s padlock lent them credibility. The padlock only means the connection to whoever controls that domain is encrypted; it says nothing about whether the domain belongs to the company being impersonated, which is why “check for HTTPS” is not, on its own, a defense against phishing.
These days, attacks are even more ornate and include:
- Conversation hijacking
- Gift card phishing campaigns
- Vishing scams
- Business email compromise
- Vendor email compromise
- Spoofing company-specific Office 365 sign-in pages
- And more…
What’s the Difference Between Spam and Phishing?
Spam mail, also known as junk mail, is usually unsolicited commercial advertising sent in bulk to a wholesale recipient list. Sometimes, though, spam is a socially engineered spoofing attack in which the sender disguises their identity in the hope of gaining access to your computer. This type of spam is commonly sent by botnets, networks of infected computers under an attacker’s control.
In essence, spam may contain phishing (e.g., a spoofing attack where someone disguises their identity to look like a trusted source), while much of the spam you encounter is simply an innocuous, if annoying, unsolicited ad. Either way, it’s important to know how to safeguard yourself. Learn how to protect yourself from a malicious phishing attack in the section below, Phishing Prevention Best Practices.
What Are the Different Types of Phishing?
To recap, phishing attacks are attempts by cybercriminals to obtain personal information about you that they can use for financial gain – such as banking information, login credentials, social security numbers, etc. These communications appear to come from reputable sources, are often very convincing, and use manipulation tactics.
Let’s look at some of the varieties of phishing you might encounter:
Spear Phishing
Imagine going actual spearfishing. What would it take to catch a big fish? Precision, patience, and practice. It’s the same for spear phishing attacks. Cybercriminals pick out specific individuals or roles in a certain category; these targets are lower in profile than the victims of whaling (see the section below for more details).
In spear phishing, attackers spend more time researching and crafting their plans than in a traditional bulk campaign because they need to be convincing for this higher-tier target. They may spend days or weeks creating emails that appear to come from a known and trustworthy source, such as a colleague, a vendor, or an executive.
Whaling
You might be asking yourself, “Whaling? Whale phishing? What exactly is that?” As the name suggests, whaling is a form of spear phishing that goes after big targets, such as executives and others in upper management. A successful attack can yield giant results, so cybercriminals plan these attacks well in advance and coordinate them with other attack methods to ensure the greatest success rate.
Cybercriminals have gotten more creative over time – looking to attack people where they spend a lot of time. Vishing, smishing and angler phishing (covered in the next sections) are examples of this type of approach.
Vishing
Vishing (voice phishing) occurs when attackers try to gather valuable sensitive information over a phone call. This approach can be quite convincing, particularly when the caller uses the name of a large, known organization the victim has worked with, paired with urgency and fear tactics. Caller ID can be spoofed, so a familiar number on the display proves nothing; hang up and call back on a number you already have on file.
Smishing
Smishing attacks are another way for cybercriminals to gather your sensitive information through a channel other than email. In this case, they conduct the assault through a text message (SMS), usually containing a shortened link or a callback number.
Angler Phishing
Angler phishing uses social media to strike at victims. Attackers start by creating fake customer service accounts on platforms like Facebook and Twitter, often copying a real brand’s name and logo.
Attackers generally lie in wait for social media users to come to them while looking for help from the legitimate account, which makes this a slow-moving attack. When victims engage, thinking they’re talking to a trusted organization, they unknowingly hand their sensitive information to a cybercriminal.
Barrel Phishing
Phishing techniques are always growing and adapting. Barrel phishing, also known as double-barrel phishing, is growing in popularity.
In a barrel attack, phishers use two separate emails to gain your trust. The first email is used to lull you into a false sense of security that the sender is a trusted source, often by simply starting a conversation with you. This email may carry no malicious content beyond the deception.
The email that follows, though, is often an aggressive message with persuasive wording and malicious content (e.g., links or attachments) geared toward making you do what they ask. By eliciting an emotional response, they get you to do things you might not otherwise do, putting your business at risk.
How to Identify a Phishing Email
Humans are the first line of defense against phishing. After all, these tactics have been crafted specifically to elicit emotional reactions and/or to appear to come from a legitimate source. To protect yourself from the damage a phishing attack can cause, look for the following:
- Email contains grammatical errors or poor language
- You receive an email from someone you don’t know
- The sender tries to get you to send money to an unfamiliar account, or to change payment or banking details
- You receive an email that asks you to change your password or login information
- You suddenly notice messages in your Sent folder that you never sent, or messages you expected that never arrived (signs the account may already be compromised)
- You receive an unexpected email that asks you to click on a link that leads to a website you don’t recognize (FightCybercrime, n.d.).
Keep in mind that cybercriminals often deploy emotions to coerce you into an action – such as clicking on a link or opening an attachment. They try to elicit fear, urgency, greed, or curiosity. So, if a suspicious email is trying to evoke emotion, ask yourself why.
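The indicators above are what a reader can see; the message headers carry evidence the mail client hides. The following Python script is an added example, not part of the original article, that reads a message’s Authentication-Results header (the SPF, DKIM and DMARC verdicts written by your own receiving mail server) and checks whether the visible From domain lines up with the domain that actually authenticated, with the Reply-To, and with the Return-Path. The sample messages and every domain in them (bank.example, mail-delivery.example.net, the authserv-id mx.example.com) are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the visible From says bank.example, but the message was
# sent and DKIM-signed by an unrelated domain and DMARC failed.
SPOOFED_MSG = """\
Return-Path: <bounce@mail-delivery.example.net>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=mail-delivery.example.net;
 dkim=pass header.d=mail-delivery.example.net;
 dmarc=fail header.from=bank.example
From: "Bank Support" <support@bank.example>
Reply-To: support-bank@webmail.example.org
To: victim@example.com
Subject: Urgent: verify your account

Your account will be locked in 24 hours unless you confirm your details.
"""

# Constructed sample of a legitimately authenticated message for comparison.
LEGIT_MSG = """\
Return-Path: <bounces@bank.example>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bank.example;
 dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: Bank Support <support@bank.example>
To: customer@example.com
Subject: Your monthly statement is ready

Your statement is available in online banking.
"""

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def domain_of(header_value) -> str:
    """Lower-cased domain part of the first address in a header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def aligned(dom_a: str, dom_b: str) -> bool:
    """Relaxed alignment: equal, or one is a subdomain of the other.
    (Simplification: real DMARC alignment uses the organizational domain.)"""
    return dom_a == dom_b or dom_a.endswith("." + dom_b) or dom_b.endswith("." + dom_a)


def check_sender(raw: str, authserv_id: str) -> dict:
    """Return authentication results and a list of spoofing indicators.

    authserv_id is the identifier your own receiving MTA writes at the start of
    its Authentication-Results header (assumed here to be mx.example.com).
    Headers carrying a different id are ignored, because a sender can insert
    forged results before the message reaches you.
    """
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    return_dom = domain_of(msg.get("Return-Path"))
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    dkim_domain = ""
    findings = []

    for header in msg.get_all("Authentication-Results", []):
        text = str(header)
        if text.split(";", 1)[0].strip().lower() != authserv_id.lower():
            findings.append("Authentication-Results from unknown authserv-id ignored")
            continue
        for method, result in AUTH_RESULT_RE.findall(text):
            results[method.lower()] = result.lower()
        m = re.search(r"header\.d=([^\s;]+)", text, re.I)
        if m:
            dkim_domain = m.group(1).lower()

    if results["dmarc"] != "pass":
        findings.append(f"DMARC result is {results['dmarc']} for From domain {from_dom}")
    if results["dkim"] == "pass" and dkim_domain and not aligned(dkim_domain, from_dom):
        findings.append(f"DKIM signature is from {dkim_domain}, not {from_dom}")
    if return_dom and not aligned(return_dom, from_dom):
        findings.append(f"Return-Path domain {return_dom} does not align with {from_dom}")
    if reply_dom and not aligned(reply_dom, from_dom):
        findings.append(f"Reply-To goes to {reply_dom}, not {from_dom}")

    return {"from_domain": from_dom, "results": results,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("legit", LEGIT_MSG)):
        print(label, check_sender(raw, "mx.example.com"))
```

Only the Authentication-Results header stamped by your own MTA is trusted; any other is ignored and itself flagged. The alignment test is the relaxed one (subdomains count); a production filter would use the Public Suffix List to find the organizational domain.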
For easy-to-understand information on how to identify common scams visit Scam Spotter.
What to Do After a Phishing Attack
If you or your organization has fallen victim to a phishing attack, there are some immediate actions you should take. Follow these five steps to help mitigate the damage to your business:
- Change your passwords on all email accounts, from a device you trust, and sign out all active sessions. Also check the compromised mailbox for forwarding rules, filters, and connected apps the attacker may have added to keep reading your mail after the password change.
- If someone sent money, contact your financial institution. Request a recall or reversal as well as a Hold Harmless Letter or Letter of Indemnity.
- Scan your computers for malware. If any is found, isolate and clean the affected machine before using it to enter new credentials.
- Consider placing a fraud alert on your credit reports to help prevent the cybercriminals from opening new accounts in your business’ name.
- Report the business email compromise (BEC) to the FBI through its Internet Crime Complaint Center (IC3) to prevent others from getting scammed (Federal Bureau of Investigation, n.d.).
Check out these other places you can file reports (Phishing, n.d.).
An MSP Look at Phishing Email Prevention
If you invest in cybersecurity services from an experienced Managed Service Provider (MSP), then you can rest assured that you have a team of experts on your side ready to help you mitigate phishing risks.
The most effective way to keep your business protected from the risks of phishing is…to be proactive. The measures the Aligned team implement include:
Training and simulated phishing campaigns
Simulated phishing campaigns are designed to improve employees’ response to these attacks. Training and testing are a crucial part of your organization’s cyber resilience, because people are your first line of defense.
Enabling MFA on your accounts
Multi-factor authentication (MFA) helps keep your organization safe by requiring a password and at least one more factor (an authenticator app code, a push approval, or a hardware security key) before allowing access to systems and/or applications. That means that even if a cybercriminal phishes your password, they still cannot sign in without the other factor. MFA materially reduces the risk from:
- Spear phishing and other credential phishing
- Credential stuffing
- Brute force and password spraying (reverse brute force) attacks
- Man-in-the-middle (MITM) attacks, provided the factor is phishing-resistant
One caveat matters in practice: one-time codes and push approvals can be relayed in real time by a phishing site that proxies the genuine login page, and users can be worn down into approving repeated push prompts (“MFA fatigue”). Phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys binds the sign-in to the real site’s origin, so a look-alike domain cannot complete it. Prefer it for administrators, finance staff, and anyone else a whaling attack would target.
Email identifier tags
Implementing email tags (e.g., [External] in the subject line) gives you insight into a message’s source. Seeing the tag does not mean the message is a scam; it gives you a moment to consider whether it really comes from a known sender, and it makes an outside message that claims to be from your CEO stand out.
IP address allowlist
An allowlist is a security list created by your MSP which gives access to pre-approved programs, IPs, or email addresses. That means that anything not on the list does not get access to system resources.
Implementing conditional access controls
According to Microsoft (2022), conditional access protects regulated content in a system by requiring certain criteria to be met before access is granted. For instance, you can use conditional access policies to require that a device is compliant, meaning its antivirus and patches are current, before the user can access Microsoft 365.
Identify suspicious file names
Threat actors try to lure their victims into downloading files attached to emails that can do enormous damage to an organization. The files are deceptive and hide their true purpose behind long names or extensions that the operating system hides from view.
Always be wary of unsolicited attachments. Cybercriminals like to disguise executable files (.exe) as innocuous-looking files, like a .JPG or .PDF. A common trick is a double extension such as invoice.pdf.exe: Windows hides known file extensions by default, so the file shows up as invoice.pdf while the operating system still treats it as a program. Once you open a file you believe is safe, you find yourself running a malicious program and exposing your organization’s valuable assets. Script and archive types (.js, .vbs, .hta, .iso, .lnk) are abused the same way, so judge an attachment by whether you expected it, not by how harmless its name looks.
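As an added example (not from the original post), this Python function applies the checks described above to an attachment’s name and first bytes: executable and script extensions, double extensions such as invoice.pdf.exe, the right-to-left override character that makes a name render backwards, whitespace padding that pushes the real extension out of view, and a file whose content starts with the Windows executable marker “MZ” regardless of what it is called. The extension lists and the sample file names are my own choices for illustration, not a complete catalogue.

```python
import re

# Extensions Windows will execute directly or via a script host, and the
# "harmless" document/image types they are usually disguised as. These lists
# are illustrative, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".hta",
                   ".lnk", ".iso", ".img"}
DOCUMENT_EXTS = {".pdf", ".jpg", ".jpeg", ".png", ".gif", ".doc", ".docx",
                 ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}
RTLO = "\u202e"     # Unicode RIGHT-TO-LEFT OVERRIDE
MZ_HEADER = b"MZ"   # every Windows PE executable starts with these two bytes


def check_attachment(filename: str, content: bytes = b"") -> list:
    """Return a list of reasons the attachment looks disguised (empty if none).

    filename is the name as it appears in the email; content is the first
    bytes of the file (optional), used to compare what it is with what it
    claims to be.
    """
    findings = []
    if RTLO in filename:
        # "invoice\u202efdp.exe" is displayed as "invoiceexe.pdf" by UIs that
        # honour the override, but the real extension is still .exe
        findings.append("name contains a right-to-left override character")
    if re.search(r"\s{5,}\.", filename):
        findings.append("long run of spaces pushes the real extension out of view")

    # Split on dots, trimming spaces so padding tricks do not hide the suffixes.
    labels = [part.strip() for part in filename.lower().split(".")]
    suffixes = ["." + part for part in labels[1:]]
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable extension {suffixes[-1]}")
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension: looks like {suffixes[-2]} but is {suffixes[-1]}")

    # Content check: Windows can hide the extension but not the file header.
    if content.startswith(MZ_HEADER) and (not suffixes or suffixes[-1] not in EXECUTABLE_EXTS):
        findings.append("content is a Windows executable despite the name")
    return findings


# Constructed examples of the tricks described above (first bytes invented).
EXAMPLES = {
    "Invoice.pdf.exe": b"MZ\x90\x00",
    "invoice\u202efdp.exe": b"MZ\x90\x00",
    "statement.pdf                                  .exe": b"MZ\x90\x00",
    "report.pdf": b"MZ\x90\x00",          # renamed executable
    "photo.jpg": b"\xff\xd8\xff\xe0",      # genuine JPEG header
    "Q3 report.docx": b"PK\x03\x04",       # genuine Office (zip) header
}

if __name__ == "__main__":
    for name, head in EXAMPLES.items():
        print(repr(name), "->", check_attachment(name, head) or "no findings")
```

The content check is the one that survives renaming: a mail gateway or EDR agent that reads the first bytes catches report.pdf that is really a program, which no amount of staring at the filename will reveal.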
If you click on a suspicious file, your cybersecurity team will receive an email that details the security concern so you can take proper action. Here’s an example of what that message might look like:
The Data Breach Risks to Your Organization
Once your organization suffers a data breach, everything must be managed very carefully, from containment and recovery to addressing your stakeholders’ concerns. Your team, or your MSP, will need to work diligently to contain the incident and restore systems, and productivity will be severely reduced until that is complete. During this time, executives must ensure that proper reporting is done, including any regulatory or contractual breach notifications, and that stakeholders are kept informed.
Not having a risk management plan in place before a breach happens will make this time very challenging – and it’s not the time you should be creating one. Your focus must be on managing your organization’s credibility and getting your team back to being fully operational again. Otherwise, your organization may collapse after the attack – and it happens more often than you might think.
According to Business to Community (2022), 1 in 8 businesses are destroyed by a data breach. It is therefore imperative that both large and small organizations have experts mitigating their cyber risks in today’s digital environment. The damage from a successful phishing attack can be severe, whether the target is a person or a business.
However, from a professional perspective, it is everyone’s responsibility to safeguard the system(s) using the most up-to-date best practices. Otherwise, you may find yourself dealing with:
Phishing Prevention Best Practices
Cybercriminals target small to medium-sized businesses because SMBs have less expertise, smaller budgets, and less time to defend themselves against cyberattacks. That makes SMBs an easy target. The best way to stay protected is to employ these best practices:
How to Protect Your Business from Phishing
- Never share credentials or personal information in response to an unsolicited request, however official it looks.
- Utilize firewalls and antivirus software.
- Utilize multi-factor authentication (MFA).
- Enforce mandatory password managers. Good ones are available, including free options like LastPass. Beyond generating unique passwords, a password manager only autofills credentials on the exact site where it saved them, so a refusal to fill in a login page is itself a warning that you may be on a look-alike domain.
- Be proactive and stay informed on the latest phishing techniques. This means regular training for all employees – from intern to CEO.
- Be cautious whenever you consider clicking on a link. Don’t click links in unexpected emails or instant messages. Hover over any link you’re unsure of to see where it actually points, and remember that the visible text of a link and its real destination can differ completely. When in doubt, don’t click; type the organization’s address yourself or contact your cybersecurity expert for guidance.
- Keep your browser updated to ensure security patches are installed.
- Install an anti-phishing toolbar. The toolbar will check sites you are visiting against known phishing sites and alert you if you are heading toward a malicious site.
- Keep your systems current on security patches and updates. Learn why security patches are important.
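Hovering over a link is the manual version of the check below. This Python example is added here and is not the article’s own code: it pulls every link out of an HTML email body and flags the tricks phishers use to make a hover look legitimate, namely link text that names one domain while the href points to another, a user-info part before an “@” that disguises the real host, bare IP addresses, punycode (xn--) look-alike domains, and non-web schemes such as javascript:. The HTML body and all domains in it are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body of a lure. Every domain here is invented.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p>Please <a href="https://secure-login.example.net/session/9f2">sign in at
https://www.bank.example</a> within 24 hours to avoid suspension.</p>
<p>Or use <a href="https://bank.example@203.0.113.7/login">https://bank.example/login</a>.</p>
<p>Questions? Visit our <a href="https://www.bank.example/help">help center</a>.</p>
<p><a href="https://xn--bnk-ooa.example/verify">Verify now</a></p>
"""

# A domain (optionally with scheme and www.) appearing in the visible link text.
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host: str) -> str:
    """Last two labels of a host. Simplification: a production filter should
    use the Public Suffix List so that names like bank.co.uk compare correctly."""
    return ".".join(host.lower().split(".")[-2:])


def inspect_link(href: str, text: str) -> list:
    """Return the reasons this link deserves suspicion (empty list if none)."""
    url = urlsplit(href.strip())
    host = (url.hostname or "").lower()
    if url.scheme not in ("http", "https"):
        return [f"non-web scheme {url.scheme!r}"]
    findings = []
    if "@" in url.netloc:
        # https://bank.example@evil.example/ really connects to evil.example
        findings.append(f"text before '@' in the URL disguises the real host {host}")
    try:
        ipaddress.ip_address(host)
        findings.append("link host is a bare IP address")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host: possible look-alike (IDN homograph) domain")
    shown = DOMAIN_RE.search(text)
    if shown and registered_domain(shown.group(1)) != registered_domain(host):
        findings.append(f"text shows {shown.group(1)} but link goes to {host}")
    return findings


def scan_email_html(html: str) -> dict:
    """Map each suspicious href in an HTML email body to its list of findings."""
    parser = LinkExtractor()
    parser.feed(html)
    report = {}
    for href, text in parser.links:
        findings = inspect_link(href, text)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_HTML).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Plain-language link text such as “help center” is not compared, because there is nothing to compare it against; the mismatch check only fires when the text itself asserts a domain that the href contradicts.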
You should also be sure to take advantage of email phishing filters – like Office 365 anti-phishing protection. Just keep in mind that even though phishing filters exist, they can’t stop all the attacks from getting into your inbox. Every person in an organization needs to have attention to detail when engaging with any email.
Another great way to stay protected is by utilizing Endpoint Detection and Response (EDR) – also known as Endpoint Detection and Threat Response (EDTR). This cybersecurity solution continuously watches end-user systems to detect and respond to cyberthreats quickly.
Do you have remote workers? Just because they are outside your office network doesn’t mean they’re safe from a malicious attack. Make sure they receive the same cybersecurity training and antivirus protection and use MFA wherever possible. Also ensure that every remote worker’s system stays current with the latest updates and patches. Remote workers should also use a VPN (virtual private network) for added protection, since they are not working behind your company firewall on a secure network.
Knowledge is Key in Phishing Prevention
With phishing being one of the most common, and effective, cyber-attacks it is imperative that everyone within your organization has ongoing training. They need to:
- Know what phishing is
- Understand the risks involved
- Be able to identify phishing attempts
- Know how to report phishing attempts
- Know what actions to take after an attack
This training is crucial to the well-being of your organization. Not preparing for the inevitable attack can lead to devastating effects. Don’t become a statistic. Be proactive and develop a sound cybersecurity plan to protect your small business. If you’re interested in receiving a free cybersecurity consultation from Aligned, contact our representatives today!