Phishing: what it is, how it works, and how to prevent it.
Cyber criminals never rest when it comes to attacks on individuals and businesses. It’s why we offer relentless cyber security for our clients – especially when in so many cases, all it takes for a bad actor to gain leverage is something topical.
Elon Musk’s recent Twitter takeover is a testament to exactly this. After the media reported last month that users with a verified ‘blue tick’ would need to pay a $20 monthly subscription, bad actors attempted to phish members by sending emails warning them that they would lose their tick – unless they provided some personal information. Because phishing is such a common and easy way for hackers to attack businesses – and comes in so many different forms – it’s essential to be aware of what it looks like and how to protect against it.
What is phishing?
It’s a type of cyber attack that’s used across email, SMS, social media websites and even phone calls where the sender poses as a legitimate person, company or coworker. In a survey by The Office of National Statistics, half of respondents had been targeted by a phishing message, and according to IT cloud management company Mimecast, almost half (47%) of phishing attacks are successful, with 49% resulting in malware (e.g. virus) infection. In most cases of phishing, the bad actor references something topical (such as the cost of living crisis, or Twitter’s new subscription model) to target the recipient’s fears and anxieties.
How is phishing done?
Here’s a quick guide to the most common types of phishing.
Email: These include phoney hyperlinks that entice people to click and give away information. The email address can look legitimate, for instance using a real or similar domain name (the ‘@somewhere’ part of the email address).
Malware: Typically taking the form of an attachment, when downloaded these grant the hacker access to a server, computer or network – or allow hackers to damage it.
Spear phishing and whaling: These are more customised attacks that gather intel on an individual (‘whaling’ particularly referring to ‘big fish’ executives), then attempt to steal logins or sensitive information.
Smishing: Playing on the word ‘SMS’, these are fake texts, with delivery messages among the most used tactics.
Vishing: Relating to ‘voice phishing’, these are used by nefarious call centres or ‘spoofed’ (mimicked) phone numbers. Sometimes, the call can appear to be from a number you recognise.
“We recently worked with a business with a mature cyber security stance that was doing everything right on paper, but lacked that continuous approach. Our Swarm managed to find a way in – a compromised company email address, followed by MFA, and finally a vished (spoof) call to the helpdesk from an employee number – for a network takeover. Our activities weren’t flagged because the means were legitimate, and it all stemmed from a single phishing email targeted at a single individual.” – Luke Potter, COO at CovertSwarm
What are some phishing traits?
Phishing attacks – in any form – appear safe and unassuming, impersonating trusted people or companies to establish a false sense of security. They also have a sense of urgency which forces the receiver to make snap decisions, for instance by threatening legal action or loss of resources, citing a deadline or countdown, or including an incentive. Finally, they contain a link or point of contact that asks for personal information, downloads malware, or attempts to gain unauthorised access.
What are the impacts of a phishing attack?
For a business, immeasurable. Not only is there the potential to lose money, custom and proprietary information, but companies’ reputations can be shattered – and some never truly recover. Once a bad actor has found a way in through a phishing attack, it can also leave you open to future attacks.
What do I do if I’m phished?
If you suspect a phishing breach, notify everyone in the company immediately and change any passwords, logins or account details. If customers’ money and data have been compromised, you’ll legally need to report the hack to the ICO. Any scam communications can also be reported to the NCSC. Because you’re more at risk of future phishing attacks, your staff will need to be vigilant, and know how to report anything suspicious. We’d also recommend using our CovertSwarm Incident Response service to plan your next steps.
How can I tell if I’m being phished?
Phishing works because it appears to be legitimate, and often only needs one person to act on it in order to be successful. If you receive a call, email, text or other communication that’s asking for important information and wants you to take urgent action, check the following first.
Contact information. Is the person who they say they are? Is the person in your contact list? Email addresses, web links and phone numbers from hackers can often appear similar to the real thing, but have different domain names (for example, using ‘.io’ instead of ‘.com’). Be aware that these can be spoofed in some cases.
Tone, phrasing and spellings. Are there any typos? Unfamiliar turns of phrase? Some phishing attacks come from abroad and wording can be badly translated. Reputable companies will invest in professionally-written communications and aren’t generally caught out by these.
Personalisation. Though some bad actors will gather intel before a phishing attempt and may know some of your personal information, this can be a good marker for trust. On the flip side, has the sender personalised their own email – such as through using a signature or company template?
Links. Hover your mouse over any hyperlinks before you click. Your browser may show the URL in the footer. Be wary of any shortened URLs that don’t show the full web address, for example ‘bit.ly’ or ‘tinyURL’.
Finally, be aware that in isolation, none of these things guarantee that the communication is safe or the person is trustworthy. They are parts of a whole – the more you have, the more likely it is legitimate.
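The contact-information, link and urgency checks above can be applied mechanically to a message before anyone clicks. The following is an added example, not code from CovertSwarm or the original article; it assumes a constructed list of trusted domains (`example.com`), a constructed list of urgency phrases, and a constructed sample email, and it flags the traits described in this checklist: a sender or link domain that mimics a trusted one (different TLD, look-alike spelling, or the trusted name buried as a subdomain), shortened URLs such as bit.ly or tinyurl.com, link text that shows one address while the link points to another (the reason for hovering over hyperlinks), and pressure wording that forces a snap decision.

```python
import re
from urllib.parse import urlparse

# Constructed for this example: domains the organisation treats as its own.
TRUSTED_DOMAINS = {"example.com"}
# Shortening hosts that hide the real destination (bit.ly and tinyurl.com are named in the article).
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
# Constructed list of 'act now' phrasing typical of phishing pressure.
URGENCY = ("immediately", "within 24 hours", "will be suspended", "act now", "legal action", "final notice")
# Digit-for-letter substitutions used in look-alike names (e.g. examp1e.com).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
BARE_URL_RE = re.compile(r'https?://[^\s<>"\']+', re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def registrable_name(host):
    """Second-level label of a hostname: 'example' for 'mail.example.io'."""
    labels = host.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_trusted(host):
    """True when the host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def check_host(host):
    """Reasons a link or sender host looks suspicious; empty list if none."""
    host = host.lower().strip(".")
    if is_trusted(host):
        return []
    reasons = []
    if host in SHORTENERS:
        reasons.append(f"{host}: shortened URL hides the real destination")
    if IPV4_RE.fullmatch(host):
        reasons.append(f"{host}: raw IP address instead of a domain name")
    name = registrable_name(host)
    labels = host.split(".")
    for trusted in TRUSTED_DOMAINS:
        tname = registrable_name(trusted)
        if name == tname:
            reasons.append(f"{host}: same name as {trusted} but a different TLD")
        elif name.translate(LOOKALIKES) == tname:
            reasons.append(f"{host}: look-alike spelling of {trusted}")
        elif tname in labels[:-2]:
            reasons.append(f"{host}: trusted name {tname} used as a subdomain of another domain")
        elif tname in name:
            reasons.append(f"{host}: embeds trusted name {tname} in an unrelated domain")
    return reasons


def check_message(sender, html_body):
    """Run the sender, link and urgency checks over one email; returns a list of findings."""
    findings = []
    sender_host = sender.rsplit("@", 1)[-1].strip(">").strip()
    findings += [f"sender {r}" for r in check_host(sender_host)]
    seen = set()
    for href, text in ANCHOR_RE.findall(html_body):
        seen.add(href)
        href_host = (urlparse(href).hostname or "").lower()
        findings += [f"link {r}" for r in check_host(href_host)]
        # Visible text shows one URL while the link really points elsewhere.
        shown = BARE_URL_RE.search(text)
        if shown:
            seen.add(shown.group())
            if (urlparse(shown.group()).hostname or "").lower() != href_host:
                findings.append(f"link text shows {shown.group()} but points to {href}")
    for url in BARE_URL_RE.findall(html_body):  # bare URLs outside anchor tags
        if url not in seen:
            findings += [f"link {r}" for r in check_host(urlparse(url).hostname or "")]
    lowered = re.sub(r"<[^>]+>", " ", html_body).lower()
    hits = [p for p in URGENCY if p in lowered]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample message exhibiting several of the traits at once.
SAMPLE_SENDER = "Example Support <security@examp1e.com>"
SAMPLE_BODY = """<p>Your account will be suspended within 24 hours.</p>
<p>Verify here: <a href="http://example.io/verify">https://example.com/verify</a></p>
<p>Or use the short link: https://bit.ly/abc123</p>"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE_SENDER, SAMPLE_BODY):
        print("-", finding)
```

Each finding on its own is only a hint, as the article notes; the value is in counting how many of the traits line up in one message. A real deployment would load the trusted-domain and shortener lists from configuration rather than hard-coding them.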
How can I protect against phishing?
General protection could include things like spam filters on company email accounts and multi-factor authentication (MFA) for logging into areas like Microsoft Teams, Dropbox or Slack. But investing in your training is paramount – ensuring every member of staff understands their role in the overall security of your business, as well as how to identify and flag threats. It’s also important to be careful of what’s available in the public domain, especially social media pages. Bad actors can use this information to appear more legitimate to others.
“In one ethical hack I carried out for a fintech client, I found some information about the building from an estate agent, who was selling the adjacent office. Then I called the target company posing as the estate agent – spoofing the estate agent’s number – and using the pretext that a surveyor would be visiting their premises to carry out an energy performance assessment.
When I turned up on the day of the fake assessment – kitted out with a laser measurer, hard hat and clipboard – the company didn’t even ask for any ID and I was given unaccompanied access to the main office, where I managed to gain access to the company’s internal systems. I later followed up with a call to another office belonging to the target organisation, where I reserved a desk with network access under the pretence of being a member of the internal IT networking team.
Once I arrived at the second location, I was able to obtain access to sensitive information and internal systems. The client couldn’t believe how I’d managed to infiltrate their systems and was much better equipped to deal with vishing attacks in the future.” – Matt, Hive Member at CovertSwarm
How can CovertSwarm protect against phishing?
We protect organisations through round-the-clock penetration testing, red teaming and ethical hacking. This powerful combination helps detect vulnerabilities and thwart threats before they become your reality. It’s all managed through our subscription service and Offensive Operations Centre – the OOC – where you control how deep our Swarm dives. To give it a go, get in touch with our team today. And while you’re training your teams on phishing, be sure to check staff passwords are secure at the same time.
Send in the Swarm
Our Swarm works round-the-clock to find and exploit your vulnerabilities. We start by mapping out your attack surface – from digital assets to physical ones – and use any angle we can to gain entry, detect weaknesses and attack systems.
Because of this multi-dimensional approach, we go further, deeper and wider than anyone else – and will break out from behind our desks to carry out undercover missions at your organisation’s address. But just like a bad actor, we’re always learning new things, having to adapt to new situations and overcome obstacles, and, most importantly, thinking on our feet. Because a real hacker won’t just stop at a phishing or DDoS attack. They’ll use any means necessary to find a way in.
To find out more about our Swarm, what we do and how we can help your business, get in touch today.