We are hearing a lot about phishing and phishing attacks currently so, in this blog, we will take a step back to understand what phishing is, the types and how to recognise a phishing attack. Let’s start with the basic question – what is phishing?
Phishing is a fraudulent attempt to deceive an end user into disclosing confidential information. Phishing emails are generally crafted to imitate a legitimate business, bank or email provider by replicating the branding, design and pattern of their communications. The objective is to trick the recipient into freely handing over sensitive data, such as usernames, passwords or network information. Reports suggest that around a third of all data breaches stem from a phishing attack, and it is now the most prolific attack vector because of its simplicity, the ready availability of tooling and the fact that it typically requires no specialist knowledge.
Forms of delivery
The phishing attack vector differs depending on the target, the type of attack and the information sought. The most common forms of delivery are:
- Email
- Instant messaging (including SMS)
- Telephone
Email and instant messaging are the most prevalent attack vectors. They cost nothing, the attacker's exposure is minimal, and they require no technical infrastructure or knowledge. The number of targets that can be attacked at the same time is, in theory, unlimited.
Using the telephone as an attack vector is less common, as it takes more effort per target and it is harder for the attacker to cover their tracks. However, these ‘vishing’ attacks still occur and may be used in combination with one of the other vectors.
Evolution of phishing
Phishing has evolved considerably over the years. At the outset, it was a social engineering activity using a shotgun approach: the same lure sent to a large group of users. Instead of mass spam emails sent to everyone, criminals have increasingly targeted specific groups or individuals. These attacks are commonly known as spear phishing (targeting specific individuals) or whaling (targeting executives, senior management, high net worth individuals and the like).
Attack methods
One of the first such attacks to be discovered was a phishing email purporting to originate from the World Health Organisation (WHO). It was delivered as an email containing a link that redirected anyone who clicked it to a WHO-themed phishing site used to harvest their credentials.
SMS phishing (‘smishing’) is a less polished method. Messages are limited in length, so attackers typically use the available characters to demand urgent and immediate compliance. In some ways this method is harder to orchestrate and needs more resources, and compared with the other methods covered in this blog an SMS attack has a lower chance of success than an email, yet recipients still respond to them.
Vulnerabilities being exploited
The anatomy of a phishing attack is relatively straightforward. What makes it so dangerous is its simplicity and the weaknesses it exploits: rather than attacking technical controls, a phishing attack targets users directly and plays on basic human behavioural traits:
- Desire to help
- Desire to cooperate
- Fear
- Greed
Defence mechanisms
Hopefully, your email provider or technical controls have already filtered spam at the entry point, before it reaches your users’ inboxes. In many cases, however, suspicious emails still get through. When providing phishing training, users should be encouraged to ask the following key questions of any unexpected message:
- Why did I receive this?
- Am I expecting it?
- What if I don’t comply?
- Is there anyone that can help?
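As an added example (not code from the original post or from URM), the following Python script applies three simple checks that a mail filter, or an analyst triaging a reported email, might run before the message reaches a user: does the display name claim an organisation whose mail comes from a different domain, does a link's visible text show a different domain from the one it actually points to (the pattern of the WHO-themed lure described above), and does the message press for immediate action. The two sample messages, the look-alike domain who-int-alerts.example, the brand table and the urgency phrase list are all constructed for illustration; only the Python standard library is used.

```python
"""Heuristic checks for common phishing indicators in an email message.

Added example, not part of the original post. The sample messages, the
look-alike domain who-int-alerts.example, the brand table and the urgency
phrase list are constructed for illustration.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing sample: display name and visible link text both say WHO,
# but the real sender domain and the real link target are elsewhere, and the
# wording pushes for immediate action.
SAMPLE_EML = """\
From: "World Health Organisation" <alerts@who-int-alerts.example>
To: staff@corp.example
Subject: Urgent: confirm your account to keep receiving safety guidance
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your access expires today. Sign in now to keep receiving updates.</p>
<p><a href="https://who-int-alerts.example/login">https://www.who.int/login</a></p>
</body></html>
"""

# Constructed genuine-looking sample: sender domain and link target agree.
BENIGN_EML = """\
From: "World Health Organisation" <noreply@who.int>
To: staff@corp.example
Subject: Monthly bulletin
Content-Type: text/html; charset="utf-8"

<html><body><p>This month's bulletin is at
<a href="https://www.who.int/news">https://www.who.int/news</a>.</p></body></html>
"""

# Constructed table: organisation name as it appears in a display name, mapped to
# the domain its genuine mail comes from. A real filter keeps this as configuration.
EXPECTED_SENDER_DOMAINS = {
    "world health organisation": "who.int",
    "world health organization": "who.int",
}

# Constructed list of phrases that press the recipient for immediate compliance.
URGENCY_PHRASES = ("urgent", "immediately", "expires today", "act now", "suspended")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (a simplification of the Public Suffix List)."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "").lower()


def host_of(url):
    """Hostname of a URL; bare 'www.example.com' is read as http://www.example.com."""
    if "://" not in url:
        url = "http://" + url
    return urlparse(url).hostname or ""


def looks_like_url(text):
    return "://" in text or text.lower().startswith("www.")


def phishing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # 1. Display name names an organisation whose mail comes from another domain.
    for addr in (msg["From"].addresses if msg["From"] else ()):
        expected = EXPECTED_SENDER_DOMAINS.get(addr.display_name.strip().lower())
        actual = registrable_domain(addr.domain)
        if expected and actual != expected:
            findings.append(f"display name '{addr.display_name}' but sender domain is "
                            f"{actual}, expected {expected}")

    # 2. Link text shows one domain while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(content)
    for href, text in collector.links:
        if looks_like_url(text):
            shown, target = registrable_domain(host_of(text)), registrable_domain(host_of(href))
            if shown != target:
                findings.append(f"link text shows {shown} but points to {target}")

    # 3. Urgency language in the subject or body.
    haystack = (str(msg["Subject"] or "") + " " + content).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    return findings
```

Running `phishing_indicators(SAMPLE_EML)` returns three findings and `phishing_indicators(BENIGN_EML)` returns none. Treat the output as a triage aid rather than a verdict: a genuine newsletter that links through a tracking domain will trip the link check, so in practice indicators like these feed a score alongside sender-authentication results (SPF, DKIM, DMARC) rather than blocking on their own.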
How to identify phishing emails
Attackers are always one step ahead: they have more resources at their disposal and no ethical boundaries to observe. Users must be aware that there is no such thing as a free lunch; if it sounds too good to be true, it almost certainly is. Vigilance is key, and users must understand that it is their responsibility to observe organisational policies and report any suspicious email, phone call or other communication.
In order to help raise awareness of the issue, URM has produced a video with practical, real-world guidance on what to look for in differentiating between a phishing email and a genuine email.
How susceptible is your organisation to phishing?
The potential impact on any organisation of users clicking unknown links and providing confidential information could be extremely damaging. To establish how susceptible your users are to such attacks, URM is able to simulate a targeted social engineering attack.
URM has developed a methodology for determining and measuring user awareness and vigilance towards phishing attempts and the handling of incoming third-party emails. For more information on URM’s social engineering penetration testing service, click here.
URM is pleased to provide a FREE 30 minute consultation on penetration testing for any UK-based organisation.