
Phishing belongs to a category of cyberattacks known as social engineering. That is, the attackers are trying to manipulate people into acting in a way the attackers can exploit.

In the case of phishing, the goal is to get the recipient to act on an email that looks safe and trustworthy but is actually dangerous: to click a link, open an attachment or hand over credentials.

Attackers use emails that are designed to look trustworthy to gain access to networks or information.


Phishing (pronounced ‘fishing’) is one of the oldest forms of cybercrime.  It started in the 1990s, when hackers tried to deceive AOL users into giving up their log-in credentials.

Today, unfortunately, phishing is undergoing something of a renaissance.  It’s becoming much more widespread and is one of the most common ways that ransomware attacks are initiated.

According to Verizon, 60% of all ransomware attacks in 2017 originated in malicious phishing emails.

Not surprisingly, some of the largest data breach stories of recent years began with a successful phishing email. Remember when Hillary Clinton's campaign emails were hacked during the 2016 presidential election?

It started with this phishing email sent to campaign chair John Podesta.

[Image: the Gmail-themed phishing email sent to John Podesta]

This email, of course, wasn't really from the Gmail support team (the real Gmail team does not write from 'googlemail.com'). Bear in mind, too, that the From address of an email is trivial to forge, so even a correct-looking sender address is never proof that a message is genuine.

One of the reasons phishing is becoming so popular is that it doesn’t require an evil genius hacker. Criminals with very little technical skill can buy ‘phishing kits’ online that allow them to launch campaigns that use pre-designed templates.

Thousands and thousands of emails can be sent at once, and only one needs to 'succeed' for the attackers to profit.

How Do Phishing Attacks Work?

Let’s take a look at an example phishing email and break it down a little.  This will give us some insight into how phishing attacks usually work.

[Image: example phishing email impersonating Amazon]

So, first we notice that the phishing email is designed to look as though it’s coming from a trusted source.  Amazon is about as big and well known a brand as there is in the world today.

The attackers even use the real logos. When the email opens with 'Dear Client,' they're simply playing the odds: they know there's a good chance your business actually is an Amazon customer.

Phishing emails will appear to come from some sort of trusted source. PayPal is frequently used. So are banks and major technology companies such as Google (see the Gmail example above) and Microsoft.

There’s often a sense of urgency as well.

'Your bank account has been breached! Click here now to protect your money.' Or: 'Your Office 365 account has been hacked! Click here now to change your password.'

When there’s a sense of urgency coming from what appears to be an authoritative source, it can be hard to resist following instructions.

Links and Attachments

The emails want you to take action by either clicking on a link or opening an attachment.

The link will either start downloading malware as soon as it is opened or take you to a site designed to look like the real one (for instance, Amazon.com), where you will be prompted to enter information such as your password or credit card details.

There are two common ways phishing emails disguise a malicious link.

Either the URL looks very similar to a trusted web address (for instance, BancofAmerica.com instead of BankofAmerica.com), or the anchor text displays one address while the link actually points somewhere else (as in the Amazon example above):

[Image: anchor text showing a URL that differs from the link's actual target]

The other mechanism is to get you to open an attachment, which installs malware on your machine and, from there, on your network.

The way attackers get you to open an attachment is, of course, by disguising it as something legitimate.

The security firm Symantec has actually looked into the most common types of fake attachment descriptions in phishing emails.

[Image: Symantec's breakdown of the most common fake attachment descriptions in phishing emails]

Invoices from supposed clients are the most common category of fake phishing attachments.

Phishing attacks are getting more and more sophisticated and some of them look incredibly real.

Still, if you look closely you'll commonly spot certain tells: generic, non-specific greetings; a sender domain that is fake or doesn't match the organisation the email claims to be from; spelling errors; and URLs that don't match the anchor text.
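The two link tricks from the Links and Attachments section (a lookalike domain such as BancofAmerica.com, and anchor text that shows a different address from the real target) and the tells just listed (generic greeting, mismatched sender domain) can all be checked mechanically. The following is an added example, not code from the original article or any product it mentions: it parses a constructed sample email, extracts every link from the HTML body, and reports each indicator it finds. The trusted brand list, the sample message and all function names are assumptions made for illustration; a real deployment would use a public-suffix list instead of the crude "last two labels" rule and a far larger brand list.

```python
# Added example (not from the original article): flag the link tricks and
# the tells listed above in a raw email. The sample message, the trusted
# brand list and every name below are constructed for illustration.
import email
import email.policy
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands this organisation legitimately receives mail from.
TRUSTED_DOMAINS = ("amazon.com", "bankofamerica.com", "paypal.com", "google.com")

# Constructed sample: lookalike sender, mismatched anchor text, generic greeting.
SAMPLE_EMAIL = b"""\
From: "Amazon Customer Service" <support@amazon-billing-center.com>
Subject: Your account has been locked
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Client, your account was accessed from an unknown device.</p>
<p>Click <a href="http://bancofamerica.com/verify">https://www.amazon.com/account</a> now.</p>
<p>Questions? See <a href="https://www.amazon.com/help">our help page</a>.</p>
</body></html>
"""

def registrable_domain(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def edit_distance(a, b):
    """Levenshtein distance; 1 is the classic one-letter typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Trusted domain that `domain` imitates (typosquat or brand-in-name), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if edit_distance(label, brand) <= 1 or brand in label:
            return trusted
    return None

class LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs plus the visible text of an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._href, self._anchor = [], [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None

def shown_domain(anchor_text):
    """Domain the anchor text displays, if the text itself looks like a URL."""
    if not anchor_text.lower().startswith(("http://", "https://", "www.")):
        return None
    url = anchor_text if "://" in anchor_text else "http://" + anchor_text
    return registrable_domain(urlparse(url).hostname or "")

def analyse(raw):
    """Return findings for the indicators the article describes."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    sender_domain = registrable_domain(msg["From"].addresses[0].domain)
    if (hit := lookalike_of(sender_domain)):
        findings.append(f"sender {sender_domain!r} imitates {hit!r}")
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    collector = LinkCollector()
    collector.feed(body.get_content())
    for href, anchor in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        shown = shown_domain(anchor)
        if shown and shown != target:
            findings.append(f"anchor shows {shown!r} but link goes to {target!r}")
        if (hit := lookalike_of(target)):
            findings.append(f"link target {target!r} imitates {hit!r}")
    if re.search(r"\bdear\s+(client|customer|user|member)\b", " ".join(collector.text), re.I):
        findings.append("generic greeting instead of the recipient's name")
    return findings
```

Running `analyse(SAMPLE_EMAIL)` on the constructed message yields four findings: the sender domain imitates amazon.com, the first link's anchor text shows amazon.com while the link goes to bancofamerica.com, that target is one letter away from bankofamerica.com, and the greeting is generic. The second link, which really does go to amazon.com under descriptive anchor text, produces nothing. The typosquat check compares only the first label with an edit distance of one, which is deliberately narrow: it catches BancofAmerica but not homoglyph or extra-hyphen variants, so in practice it complements rather than replaces a reputation feed.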


Spear Phishing and Whale Phishing

Most phishing attacks work on the model of ‘soft targeting.’  The criminal sends thousands (or even millions) of emails to anonymous, random recipients and hopes a few bite on the bait.

But some phishing attacks are highly targeted.

When a criminal targets a specific individual, it’s known as ‘spear phishing.’  (‘Whale phishing’ is a subset of spear phishing and refers to targeting CEOs or other VIPs.)  In these cases, attackers do some research beforehand on the recipient.

This makes the phishing all the more effective, because details in the email will be correct.

One of the most dangerous types of spear phishing (often called business email compromise) leverages professional relationships to direct employees to make payments. An email that appears to come from a superior directs a company accountant, for instance, to make a large transfer of money to a client.

Of course, the payment details will actually route the transfer to an account controlled by the attackers.

How Do You Protect Against Phishing?

There are a few simple solutions you can implement at your business to greatly reduce the threat from phishing emails.

First, have good anti-spam protection for your email system.

Second, make sure employees receive basic training on identifying phishing emails and that they’re reminded of this training regularly.  Employees get busy and forget about the threat of phishing.  There are actually automated online services that will provide regular training.

Third, institute a policy that links in external emails are not clicked except in exceptional circumstances.

You very rarely need to click a link. If Amazon or Bank of America emails you and you actually are a customer, open your web browser, type the address yourself and log in to your account on their site.

Finally, have a policy in place that payments or transfers above a certain amount cannot be completed on the authority of an email alone. A manager must authorize it by phone, using a number already on file rather than one supplied in the email itself.