
What is phishing and how can you prevent it?

Read our complete guide to learn what phishing is, different types of attack, how it works and how to prevent it


Phishing is one of the most common forms of cyber attack. In fact, a survey by The Office of National Statistics notes that half of the respondents experienced at least one phishing message in the month prior to being asked.  

It’s a deceptive technique that poses a threat to individuals and organizations alike. The success of these attacks hinges on exploiting trust, familiarity, and psychological manipulation. It attempts to deceive individuals into taking harmful actions and, if successful, the consequences can be severe.  

Unlike other forms of cyber attack, there’s no firewall to protect you from the deceptive techniques of a bad actor. Therefore, learning all about phishing and how to prevent it is key.

In this guide, we’ll be going through:

  • What is phishing?
  • A brief history of phishing
  • How does phishing work?
  • Why is phishing a problem for organizations?
  • Different types of phishing attacks
  • A real-world example of a phishing scam
  • How to identify a phishing email
  • How to prevent phishing
  • What to do if you click on a phishing link
  • How to report a phishing email in the UK and US
  • CovertSwarm’s phishing attack simulation services

What is phishing?

The term “phishing” derives from the word “fishing” because attackers use bait to trick their targets into taking the desired action.

Attackers pose as legitimate individuals, companies, or even co-workers. They’ll send fraudulent emails or urgent text messages in the hopes that you’ll hand over the information they need.

The ultimate goal of phishing is to gain unauthorized access to valuable information and use it for nefarious purposes.

A brief history of phishing

Phishing, originating in the mid-1990s, initially targeted AOL users by impersonating employees or support representatives. It quickly expanded to defraud users of popular services like eBay and PayPal. 

By the late 1990s, phishing tactics evolved significantly. Hackers began sending fraudulent emails that mimicked trusted companies to deceive recipients into divulging personal information.

They began incorporating social engineering tactics and impersonating bigger fish like financial institutions, government agencies, and well-known brands. 

In the late 2000s, an even more targeted approach emerged – spear phishing. Attackers tailored their messages to specific individuals to enhance credibility and increase success. 

Phishing techniques continue to evolve and capitalize on emerging technologies or communication channels. This form of cybercrime has proven to be a persistent and adaptable threat, constantly exploiting digital advancements and human psychology. 

How does phishing work?

Phishing exploits trust, utilizes deception, and employs manipulation to trick individuals into divulging sensitive information or carrying out harmful actions. Here’s how it typically unfolds:

  1. Reconnaissance – bad actors gather information about potential targets, such as email addresses and social-media or company information. Attackers may also monitor your social media feed or look for data exposed in a previous breach.
  2. Message creation – you’ll receive a notification that appears legitimate and trustworthy. Attackers often impersonate well-known companies, financial institutions, or government agencies to increase their success rates.
  3. Baiting the victim – the message is designed to manipulate your emotions: as the recipient, you may feel curiosity, urgency, or even fear. Attackers may claim you’ve won a lucrative prize or warn you that your account has been compromised.
  4. Delivery – you are rarely the only target, as hundreds of messages are usually sent out via various channels. Attackers are also careful about their delivery: they’ll use email spoofing to appear legitimate and keep suspicions at bay.
  5. Deception and interaction – it’s time to see if you take the bait. Did you click on the malicious link and unwittingly download an infected attachment? Did you enter your login details on a spoofed website and give away your personal information?
  6. Exploitation or control – once you’ve carried out their desired action, you’ve given malicious actors access to your sensitive information. Say goodbye to your passwords, credit card details, and/or personal data. You’ll also have bigger things to worry about, including financial fraud, identity theft, or further targeted attacks.
  7. Covering tracks – you can try to find the culprit, but it’s probably untraceable. Malicious actors take precautions to cover their tracks and avoid detection as they use obfuscation, encryption, or anonymizing tools to hide their identity.

Why is phishing a problem for organizations?

Phishing poses a significant problem for organizations due to its potential to cause financial losses, damage to reputation, and compromise of sensitive information. Here are some key reasons why phishing is a major concern for organizations:

Financial losses

Phishing attacks often aim to deceive individuals into revealing their financial credentials, such as credit card information or login credentials for online banking.

If employees within an organization fall victim to such attacks, it can result in unauthorized access to corporate accounts, fraudulent transactions, or theft of funds. These financial losses can have a direct impact on the organization’s bottom line.

Data breaches and information security

Phishing attacks frequently involve tricking employees into providing sensitive information, such as login credentials or access to corporate networks. If successful, attackers can gain unauthorized access to confidential company data, trade secrets, customer information, or intellectual property.

This breach of information security can lead to severe consequences, including legal and regulatory repercussions, loss of competitive advantage, and erosion of customer trust.

Network and system compromise

Phishing attacks may also involve the installation of malware or ransomware onto a victim’s computer or network.

Once compromised, the attacker can gain control over the infected system, allowing them to steal data, launch further attacks within the organization’s network, or encrypt critical files and demand a ransom.

These disruptions can cause significant operational downtime, loss of productivity, and costly efforts to restore affected systems.

Reputational damage

Falling victim to phishing attacks can severely impact an organization’s reputation. If customers, partners, or stakeholders discover that their personal information has been compromised due to a successful phishing attack, they may lose trust in the organization’s ability to safeguard their data.

Negative publicity, customer churn, and a damaged brand image can result in long-term consequences for the organization’s success and viability.

Employee productivity and morale

Phishing attacks often rely on social engineering techniques that manipulate employees into taking certain actions or disclosing sensitive information.

The time and resources required to remediate the effects of successful attacks, such as investigating incidents, restoring systems, and providing additional security training, can significantly impact employee productivity.

Moreover, employees who fall victim to phishing attacks may experience diminished morale, feeling responsible or embarrassed about their mistake.

Different types of phishing attacks

It’s not just suspicious emails you should look out for: phishing attacks come in many formats. Here are the most common:

Email phishing

This is the most common type of phishing attack. Attackers send deceptive emails that appear to be from legitimate sources, such as banks, social media platforms, or trusted organizations.

These emails often contain links to fake websites or attachments that, when clicked or opened, can lead to the theft of sensitive information or the installation of malware.

Spear phishing

Spear phishing attacks target specific individuals or organizations. Attackers customize their phishing attempts to appear highly personalized and tailored to the recipient.

They may use information gathered from various sources to make their emails or messages more convincing and increase the likelihood of success. Spear phishing attacks often target high-level executives or employees with access to valuable data.

Whaling

Whaling is a type of phishing attack that specifically targets senior executives or individuals in positions of power within an organization.

Attackers aim to trick these high-profile targets into revealing sensitive information or performing actions that could compromise the organization’s security. Whaling attacks often employ sophisticated techniques and may involve impersonating CEOs or other executives.

Smishing

Smishing attacks occur via SMS or other messaging platforms.

Attackers send text messages pretending to be from legitimate sources, such as banks or service providers, and attempt to deceive recipients into revealing personal information or clicking on malicious links. Smishing attacks exploit the trust and immediacy associated with text messages.

Vishing

Vishing, or voice phishing, involves attackers making phone calls and impersonating trusted entities, such as bank representatives, government agencies, or technical support personnel.

The attackers use social engineering techniques to deceive individuals into disclosing sensitive information or performing actions that could compromise their security.

Pharming

Pharming attacks manipulate the Domain Name System (DNS) to redirect users to fraudulent websites without their knowledge. Instead of relying on deceptive emails or messages, pharming attacks exploit vulnerabilities in the DNS infrastructure to redirect users to malicious websites that mimic legitimate ones.

Once users enter their login credentials or other sensitive information on these fake websites, attackers can capture and misuse that data.

Malware-based phishing

In these attacks, phishing emails or messages contain attachments or links that, when clicked, download malware onto the victim’s device.

The malware can take various forms, such as keyloggers, ransomware, or remote access tools, allowing attackers to gain unauthorized access to systems, steal sensitive information, or control the infected devices.

A real-world example of a phishing scam

One of the most infamous phishing scams is the Google Docs phishing attack that occurred in 2017. Here’s how it unfolded:

  1. Attack method: users received an email from what appeared to be a known contact. It contained a message about a shared Google Doc and a seemingly legitimate “Open in Docs” button. 
  2. Deception and compromise: clicking the button redirected users to a phishing page designed to collect Google account credentials. 
  3. Unauthorized access: victims unknowingly provided their credentials, allowing attackers to access their Gmail accounts and associated services.  
  4. Rapid spread: attackers sent further phishing emails to the contacts of compromised accounts, exploiting the trust associated with Google services. 
  5. Mitigation: Google quickly responded by taking down the malicious application, revoking access, and urging users to update security settings.  

It’s important to note that the Google Docs phishing attack was just one example of a phishing campaign, and phishing attacks can take various forms and target different platforms or services.

Therefore, it is crucial for users to remain vigilant, exercise caution when clicking on links or granting permissions, and regularly review their account and security settings to protect themselves against phishing attempts.

How to identify a phishing email

Identifying a phishing email can be challenging. If you have doubts, trust your instincts and refrain from responding, downloading attachments, or clicking on links. Some general red flags to look out for include:

  • Sender’s email address: check the sender’s email address for variations or misspellings compared to legitimate organizations.
  • Generic greetings or salutations: beware of generic greetings like “dear customer” instead of personalized ones like your username or name.
  • Urgency or threats: look out for emails that create urgency or employ threats to prompt immediate action.
  • Poor grammar and spelling: phishing emails often contain grammatical errors, spelling mistakes, or awkward language.
  • Suspicious links or attachments: be wary of links or attachments from unknown or unexpected sources. Hover over the link to check if the URL matches the expected destination.
  • Request for personal information: legitimate organizations do not typically request sensitive information via email, especially passwords or credit card details.
  • Poor visual design: be suspicious of emails with inconsistent formatting, mismatched fonts, or poor graphics.
  • Verify through official channels: if alarm bells are ringing, contact the organization independently through official channels. 
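As an added example (not code from the original article), the following Python script applies several of the red flags above to a constructed message: a sender domain one character away from a trusted one, a generic greeting, urgency wording, and a link whose visible URL points somewhere other than its actual target. The sample email, the trusted-domain list and the keyword lists are assumptions.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample (not a real phishing email) showing several of the red flags above.
SAMPLE = """From: "Example Bank Support" <alerts@examp1e-bank.test>
To: user@corp.test
Subject: URGENT: your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body>Dear customer,<br>
Verify immediately or your account will be closed.<br>
<a href="http://login.examp1e-bank.test/verify">https://www.example-bank.test/login</a>
</body></html>
"""
TRUSTED_DOMAINS = {"example-bank.test"}  # assumption: domains the organisation expects mail from
URGENCY = re.compile(r"\b(urgent|immediately|suspended|will be closed)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # crude, demo-only HTML link match

def registrable(host):
    """Last two labels of a hostname: a crude stand-in for the brand's domain."""
    return ".".join(host.lower().split(".")[-2:]) if host else ""

def one_edit_away(a, b):
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    long_, short = (a, b) if len(a) > len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def red_flags(raw):
    """Return a list of the red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    sender = registrable(msg["from"].addresses[0].domain)
    flags += [f"sender domain {sender} looks like {t}" for t in TRUSTED_DOMAINS
              if sender != t and one_edit_away(sender, t)]
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    if re.search(r"\bdear (customer|user|member)\b", body, re.I):
        flags.append("generic greeting")
    if URGENCY.search(msg["subject"] or "") or URGENCY.search(body):
        flags.append("urgency or threat language")
    for href, text in LINK.findall(body):  # compare the URL the reader sees with the real target
        shown = registrable(urlparse(text.strip()).hostname) if "://" in text else ""
        actual = registrable(urlparse(href).hostname)
        if shown and shown != actual:
            flags.append(f"link text shows {shown} but points to {actual}")
    return flags
```

Running `red_flags(SAMPLE)` on the constructed message reports all four flags; a plain internal message with no links and no lookalike domain reports none.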

How to prevent phishing

Adopting a multi-layered approach that combines technical measures with human vigilance will increase your chances of preventing a potential breach. We recommend that you consider:

Employee education and training

  • Conduct regular security awareness training to educate employees on phishing risks and consequences.
  • Teach employees to identify phishing emails and tactics, and report suspicious incidents.
  • Promote a cybersecurity-aware culture, encouraging caution and vigilance with emails and unfamiliar sources.

Strong email security measures

  • Implement robust email filtering solutions with anti-spam and anti-phishing technologies to block malicious emails.
  • Enable email authentication protocols to prevent email spoofing.

Multi-Factor Authentication (MFA)

  • Implement MFA to add an extra layer of security. 
  • This helps prevent unauthorized access even if phishing attacks compromise usernames and passwords.

Web filtering and URL scanning

  • Use web filtering solutions to block access to malicious websites. 
  • Regularly scan URLs in emails and web content to detect and block phishing attempts.

Regular software updates and patch management

  • Keep software, operating systems, and applications up-to-date with the latest security patches. 
  • Apply updates and patches regularly to address vulnerabilities.

Incident response planning

  • Develop a comprehensive incident response plan for phishing incidents.
  • Define roles, establish communication channels, and conduct regular drills.
  • Consider engaging a cybersecurity firm that provides incident response services to organizations.

Continuous monitoring and threat intelligence

  • Implement robust security monitoring systems.
  • Stay informed about emerging phishing techniques, trends, and indicators of compromise through threat intelligence sources.

Security policies and procedures

  • Establish and enforce strong security policies and procedures for email usage, data handling, and access controls.
  • Regularly communicate and reinforce policies to ensure compliance and foster a strong security culture.

What to do if you click on a phishing link

Worried you may have clicked on a phishing link? It happens on a daily basis. You’ll need to take immediate action. Start with the following steps:

  1. Disconnect from the network: unplug your network cable and disable the Wi-Fi.
  2. Scan your device for malware: run an antivirus scan to detect and remove downloaded malware or malicious files.
  3. Change your passwords: change all your passwords and create strong, unique replacements.
  4. Enable Multi-Factor Authentication (MFA): enable MFA or two-factor authentication (2FA) wherever possible.
  5. Monitor your accounts: keep an eye on any suspicious activity or unauthorized transactions.
  6. Report the phishing incident: contact the relevant authorities as well as your employer’s security team.
  7. Educate yourself: learn how to detect and avoid future phishing attacks. 

How to report a phishing email

Reporting a phishing email to the relevant authorities helps in the fight against cybercrime.

Reporting phishing emails in the US

  • Federal Trade Commission (FTC): report phishing emails by forwarding the suspicious email to the FTC at [email protected].
  • Anti-Phishing Working Group (APWG): forward suspicious phishing emails to the APWG at [email protected].
  • Internet Crime Complaint Center (IC3): report phishing emails to IC3 through their website at www.ic3.gov.

Reporting phishing emails in the UK

  • Action Fraud: report phishing emails in the UK to Action Fraud at www.actionfraud.police.uk.
  • National Cyber Security Centre (NCSC): forward suspicious emails to [email protected] without clicking on links or downloading attachments.
  • Your Internet Service Provider (ISP): contact your Internet service provider if you suspect the phishing email originated from their network.

CovertSwarm’s phishing attack simulation services

In today’s digital landscape, organizations must employ a multi-dimensional security strategy to stay ahead of potential threats. Regular employee training and anti-phishing software will only go so far in protecting against sophisticated cyber attacks. 

Enlisting the expertise of a cybersecurity firm like CovertSwarm provides invaluable support by fortifying your security stance and creating an additional layer of defense. 

Our Swarm will use any angle they can to gain entry, detect weaknesses, and uncover your most hidden vulnerabilities. To learn more about our phishing attack simulation services, reach out to a member of our team.