Spot The Phish

A phishing attack in progress

To click or not to click? That is the question … and I’m calling it “Spot the Phish”.

According to the 2019 Cyber Security Breaches Survey, phishing is now the most common type of cyber-attack¹. Phishing attacks, in particular email spoofing, account for 90% of data breaches² and in the last year have grown by 67%³.

In the UK alone, it is reported that more than £190k a day is lost by cyber-crime victims. The UK Government’s National Cyber Security Centre (NCSC) stopped 140,000 separate phishing attacks last year, as well as taking down 190,000 fraudulent government sites⁴.

Currently the top ten brands impersonated in phishing attacks are Microsoft, PayPal, Netflix, Facebook, Bank of America, Apple, CIBC, Amazon, DHL and Docusign⁵. Almost 80% of phishing emails are sent on a weekday, with Tuesdays and Wednesdays being the top days⁶.

Anyone can be phished, and more than 99% of attacks require human interaction to succeed⁷. Even clicking on an Unsubscribe link in an unwanted email can put your organisation at risk⁸. Recent high-profile examples:

•  Toyota’s parts supplier lost $37M to a phishing attack where the scammer impersonated the CEO and targeted the finance department⁹.
•  Gmail, the email brand owned by Google, got hit with a major phishing attack targeting 1 billion users worldwide with an email posing as a trusted contact¹⁰.
•  Quickbooks, an accountancy software platform, suffered a ransomware attack after a phishing email targeted its sales department. However, the company refused to pay the attacker’s ransom¹¹.
•  Oregon Judicial Department, a state court, exposed 6,000 individuals’ personal information after a phishing attack targeting court employees compromised five email accounts¹².

But what exactly is a phishing attack? It’s the practice of sending fraudulent communications (usually via email) that appear to come from a reputable source, with the goal of stealing sensitive data or installing malware on the victim’s device¹³. Such attacks can be categorised in the following ways:

1) Spear Phishing: Once an attacker has gathered sufficient intelligence, they create bespoke and personalised emails to target users with information which is more likely to grab their attention¹⁴. Recent research suggests 91% of cyber-attacks begin with spear phishing¹⁵.

2) Whaling: Directed at a CEO and often known as “CEO fraud” or a BEC (Business Email Compromise) scam, this attack uses credible information such as individual names or companies the business is known to transact with to fraudulently acquire money or confidential data¹⁶.

3) Vishing: An attack carried out over the phone, often an automated call asking the user to enter particular numbers. The call is redirected to a fake call centre specifically set up by the attacker to convince the user to hand over confidential details¹⁷.

4) Smishing: SMS phishing (text message or DM phishing). Often includes a link sent directly to the user’s phone or DM (direct message on socials) which, when clicked, redirects to a fake webpage¹⁸.

5) Search engine phishing: The creation of a webpage heavily loaded with keywords. When a user enters any of the attacker’s keywords into a search engine, they are directed to the page. If the user attempts to purchase anything on the site, their card details are collected¹⁸.

6) Deceptive phishing: Attempting to obtain confidential information by posing as a renowned and trustworthy brand, often with the intention of stealing money or launching another attack. Usually targeted at large groups of people¹⁸.

A popular misconception is that all phishing emails are unsophisticated. We’re all aware of the obvious “Nigerian prince” email offering a share in a large fortune if we hand over our personal details or click on a link. I say “obvious”, but unbelievably these emails still successfully extort over $700K a year from US consumers¹⁹!

But we should not ignore the fact that any of us can be targeted with more sophisticated emails. This could be as simple as an email purporting to come from “Domino’s” with a pizza offer²⁰ or an email seemingly from “LinkedIn” with an update on the searches you appeared in during the week²¹.

As non-malicious as they may seem, they have been carefully crafted to catch you out. Previously a phishing email was easily identifiable: it was sent from a public email domain, the domain name was misspelt, the email was poorly written and full of grammatical mistakes, or it contained a suspicious-looking link or a dodgy attachment. This is no longer the case.

The Phish is getting harder and harder to spot!

Understanding more about phishing attacks can help you combat them. Do you know if you are protected against such attacks? Are you reassured that one of your users won’t be your security downfall?

Putting the right processes in place to ensure your business will avert an attack is essential. Without giving your users the correct tools to face an attack, they may well be your downfall. Phishing attacks are increasing in intelligence and believability, making your business one click away from a security breach. With that in mind, how can you protect your business against a clever phish?

(1) Phishing Simulation Tests

Launching simulated phishing attacks on your users and tracking their reactions will give you the tools to evaluate how vulnerable your organisation is to a phishing attack. Providing your users with security awareness training lets them gain first-hand knowledge and experience, and lets you put “how to” preventative guides in place to prevent a successful attack on your organisation.

(2) End User Training and Education

Phishing attacks will always be aimed at end users. Reinforcing your employees as your last line of defence is an important step in the process to ensure your chances of being successfully phished stay low. Following structured security awareness training, they will be better able to “spot the phish”, and it will help ensure processes are put in place for high-risk users to check before processing payments or responding to anything within a malicious email.

(3) DMARC – Domain Based Message Authentication Reporting and Conformance

DMARC can be one of your business’ best defences against phishing attacks. The inbound features check and authenticate incoming emails based on their sender domain before allowing them into your environment; if an email does not pass, the system will automatically quarantine it (move it to the spam folder) or reject it (block delivery to your mailbox entirely), according to the policy the sending domain has published. The outbound features allow you to publish policies for your own domain to ensure that emails claiming to come from your business were definitely created by one of your users, giving you visibility over emails sent in your name and an essential line of defence for fraud detection.
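As an added example that is not part of the original article, this Python sketch models how a receiving mail server applies a sender domain’s published DMARC policy to a message whose SPF and DKIM results are already known. The DNS lookup is replaced by constructed in-memory records (the domains example.com and bank.example are assumptions) so that a monitor-only record (p=none) can be compared with a reject record (p=reject) on the same spoofed message.

```python
# Added example: a minimal model of DMARC policy evaluation on the receiving side.
# Constructed TXT records standing in for DNS (domains are assumptions, not real).
DNS_TXT = {
    # Weak setting: the domain only asks for reports, so spoofed mail is still delivered.
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    # Corrected setting: strict alignment and rejection of anything that fails.
    "_dmarc.bank.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@bank.example",
}


def parse_dmarc(txt):
    """Parse a 'tag=value; tag=value' DMARC record into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplification: treat the last two labels as the organisational domain."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') accepts same organisation."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return (dmarc_result, action) for a message's visible From: domain.

    action is 'deliver' on pass or when no policy exists; otherwise it is the
    published p= value ('none', 'quarantine' or 'reject'). The fallback lookup
    of the organisational domain for subdomains is omitted for brevity.
    """
    txt = DNS_TXT.get("_dmarc." + from_domain.lower())
    if txt is None:
        return ("none", "deliver")  # no policy published: receiver cannot act
    policy = parse_dmarc(txt)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", policy.get("p", "none"))
```

With p=none the spoofed message is delivered and only reported, which is why a monitoring-only record should be moved to quarantine and then reject once legitimate mail flows are known to pass.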

(4) Verification processes

If the correct control processes are put in place before monetary transactions are completed, there will be a verification step to confirm that the contact has actually requested those funds to leave the business. Speaking to the contact directly, or putting payment verification processes in place, will help to verify the transactions and better protect the business against phishing attacks.

Ensuring your end users represent a human firewall and act as an effective last line of defence will allow your business to stand up against cyber-attacks.

Guidance from the UK Government’s National Cyber Security Centre (NCSC) on how to defend your organisation against phishing attacks is available here: https://www.ncsc.gov.uk/guidance/phishing

To learn more about Security Awareness Training or DMARC, please get in touch.