Phishing is a form of social engineering cyber attack that attempts to steal sensitive/ valuable information from the victim. Phishing attacks are quite effective as the attacker masquerades as a trusted entity via emails or SMSes, the content of which is designed to trick the victim. These text messages and mails will most definitely be embedded with malicious links that redirect the receiver to malicious sites, which then automatically installs malware, ransomware, or reveals their sensitive data.
Essentially, the primary objective of phishing scams is to gain sensitive, confidential information like login credentials, financial information, etc.
Phishing attacks give attackers a foothold in corporate or government networks to help them advance large-scale attacks. For instance, when hackers target large corporations and organizations, their employees are deceived and compromised. This allows them to bypass the security measures of the organization and distribute malware inside the whole network. Such organizations experience a data breach, which may then lead to financial, reputation loss.
Here’s an instance of a phishing email:
Types of Phishing Attacks
The most common form of phishing attacks are email scams. The attacker disguises themself as a trusted authority and goes the extra mile to even register a fake domain that resembles a genuine organization. They then send hundreds or even thousands of generic requests.
Domain names are usually spoofed with the help of look alike characters or words/ alphabets. For example, the letters ‘r’ and ‘n’ are put together (‘rn’) resembles an ‘m’, and ‘0’ (zero) can be used instead of ‘o’.
To avoid falling for such phishing attacks, one should be wary of the emails they receive. They should carefully analyse the sender’s email address before clicking on any suspicious link embedded in the email or opening an attachment.
Spear phishing attacks are similar to email phishing, in that the actor, disguised as a trusted entity, attempts to trick the user into clicking on a malicious link or an attachment to steal sensitive information. However, spear phishing emails are highly targeted at certain individuals or organizations. The actors pose as a senior employee, a colleague or a business partner to send personalized emails with malicious intent
The attacker who sends spear phishing mails will possess some or all of the following information about the target:
- Place of employment
- Job title
- Personal/ Official email address
- Specific information related to their job role
One of the most famous data breaches in recent history, the hacking of the Democratic National Committee was the result of a successful spear phishing attack.
A whaling attack is very similar to spear phishing attacks, albeit the targets are high ranking officials or CXOs. As such attacks are well researched and highly targeted, detecting and preventing them becomes more difficult. These emails use subject lines that prompts immediate action from the receiver. Whaling attacks, thus, usually resort to email subject lines related to income tax return, tax form, etc.
A phishing kit is a set of materials/ tools that allows the attacker, who may even lack the technical know-how, to create and launch a seemingly genuine phishing campaign. A phishing kit bundles phishing website resources and tools, allowing the attacker to simply install it on the server and send emails to the targets, without any delay.
Anatomy of a phishing kit
The following image depicts how a phishing kit is made and how it works:
How to Prevent Phishing Attacks
Threat actors usually target corporations and organizations, rather than specific individuals. So, it is in the interest of both the organization and its employees to thwart any attempts to steal their confidential data. To achieve that, they have to consider the following steps:
Awareness campaigns help resolve this issue to a great extent and minimize the risk arising from this attack vector. It enforces good cyber hygiene practices. Since phishing attacks may target any employee without exceptions, everyone including high ranking officials/ executives must be trained to identify the threat and tackle it.
All requests for access or transfer of confidential or sensitive data should pass through several levels of verification before they are permitted. Two-factor Authentication (2FA) is the most effective way to prevent phishing attacks that target sensitive applications. 2FA relies on two factors to gain access to a file or a resource. This includes PINs/ passwords, OTPs, badges, biometrics, etc. Even if employees are compromised, multi-factor authentication measures reduce the chance of a successful cyber attack.
Social media education
This is an extension of employee awareness. It has often been found that the information posted by employees over social media were used by the attackers to craft phishing attacks. This necessitates awareness programs that educate them about social media best practices.
Social engineering attacks such as phishing or whaling exploit human errors, unlike other forms of cyber attacks. Vendors who offer anti-phishing software and managed security services help prevent whaling and other forms of phishing attacks.
The Anti-Phishing Working Group (APWG) is an organization dedicated to cybersecurity and phishing research and prevention. It provides resources for companies affected by phishing and conducts research to provide information on the latest threats. Companies may choose to report a suspected threat to APWG for analysis.
Most Expensive Phishing Attacks
1. Facebook and Google
Facebook and Google, together, were scammed out of over $100 million, between 2013 and 2015. The actors carried out the campaign through an elaborate fake invoice scam. A Lithuanian hacker masqueraded as a large Asian-based manufacturer and sent each company a series of fake invoices.
2. Sony Pictures
In another instance, Sony employees were targeted through a series of spear phishing emails. Linkedin was a part of the adversary’s tactics. They obtained names and titles of Sony employees from this professional networking website. The actors posed as their colleagues and sent malicious emails laced with malware, to unsuspecting targets. This led to a major data breach involving over 100TB of company data, which cost Sony more than $100 million.
3. Crelan Bank
Crelan Bank in Belgium lost $75.8 million in a CEO fraud attack. The company was notified about this attack only during an internal audit. Although the attackers responsible have not been identified, the Crelan Bank implemented new security measures to prevent another similar attack.
For more details and insights about phishing email subjects refer to: https://blog.knowbe4.com/topic/top-clicked-phishing-email-subjects