Phishing is one of the most common cybersecurity concerns. It is often used as a means for an attacker to gain access to a target environment. Once inside, the attacker can take advantage of the foothold provided by the phishing attack to achieve their objectives.
How Phishing Works
Phishing attacks are all about manipulation. A phishing email is designed to get the recipient to do something that is in the attacker’s best interest and that can harm the user or their organization. This could include handing over login credentials or a password, installing and executing malware, or disclosing other sensitive data.
Since complying with the attacker’s demands is not in the recipient’s best interests, phishers use a variety of tactics to trick them into doing so. These tactics combine psychological manipulation with deception.
Phishing: The Psychology Behind Why We Click
Phishing attacks use a range of psychological techniques to trick recipients into taking a certain action. Some common phishing tactics include:
- Creating a Sense of Urgency: Phishing emails are often designed to create a sense of urgency, telling the recipient that they need to do something “before it’s too late.” By rushing the email recipient, the phisher increases the probability that they will miss any warning signs – like poor grammar or a spammy email address – that could indicate a phishing email.
- Business as Usual: Often, after compromising an email account, attackers will use that account in further phishing attacks. They might respond to an existing conversation (or create a fake one), taking advantage of the fact that the email looks legitimate.
- Use of Authority: Many phishing scams use an appeal to authority, with the phisher masquerading as the recipient’s boss or someone else high up within the organization. This technique takes advantage of the fact that employees are accustomed to complying with orders from higher-ups and don’t want to question them.
- Offering a Reward: Some phishing emails appeal to greed, either directly or indirectly. The recipient of the email may be told that they will get a reward for doing something or the email may be framed as providing access to a special, limited-time offer for something.
- Threats and Blackmail: Some phishing schemes don’t even pretend to be legitimate, trusting fear to achieve their nefarious goals. These attacks will claim that the attacker has access to embarrassing information about the victim that will be exposed if they don’t comply with the attacker’s instructions.
These are only some of the psychological tactics that cybercriminals use in their phishing attacks. Anything that can bypass a recipient’s defenses and get them to click on a link or open an attachment is an effective technique for a phisher.
Common Phishing Tricks
In addition to psychological manipulation, phishers will also use a variety of tricks to make their emails look more legitimate. Some of the most common techniques include:
- Lookalike Domains: Phishers commonly use lookalike domains to make an email address under their control look like one that the recipient knows and trusts. For example, jsmith@cornpany.com can easily be mistaken for jsmith@company.com, but the addresses are completely different.
- Plausible Domains: In addition to lookalike domains, phishing emails can use addresses that are plausible but incorrect. For example, a phishing attack pretending to be an email from customer support may come from help@company-support.com. However, company.com and company-support.com are two totally different domains, and the attacker may own company-support.com.
- Odd File Types: Phishing emails occasionally use odd file types to sneak in malware under the guise of a legitimate file. For example, something claiming to be an invoice (which would logically be a PDF) may be a ZIP file or executable containing malicious code.
- Mismatched Links: Even if an address is shown in the text of a link, it doesn’t mean that it is the actual target of that link. An attacker may create an email that looks like a legitimate communication from a company but just replace the targets of the embedded links with ones to their own sites.
- Shared Documents: The rise of cloud-based document storage and sharing (like Google Drive, Microsoft 365, etc.) has provided new opportunities for phishers. Some email scanning solutions only check the contents of the email itself for malicious content. An email sharing a cloud-based document that contains malicious links can slip past the scanners.
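Three of the tricks listed above (lookalike domains, plausible domains, and mismatched links) turn on a name the recipient can compare against something they already trust, which means a mail gateway or a triage script can check them mechanically. The script below is an added example, not code from the original article or from Halborn; it assumes a constructed allow-list (`TRUSTED_DOMAINS`), a small hand-picked table of look-alike character sequences (`CONFUSABLES`), and a constructed sample message, and it uses a crude last-two-labels rule where production code would consult the Public Suffix List.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list of the organisation's own domains (assumption for this
# example; a real deployment would load it from configuration).
TRUSTED_DOMAINS = {"company.com"}

# Hand-picked sequences that look alike in common fonts; "rn" vs "m" is the
# cornpany.com / company.com trick from the article.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

# Bare domain or URL appearing in a link's visible text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})")


def normalize(domain):
    """Fold look-alike sequences so visually similar names compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def registrable(host):
    """Last two labels of a host (crude stand-in for a Public Suffix List lookup)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_sender_domain(host, trusted=TRUSTED_DOMAINS):
    """Return 'trusted', 'lookalike', 'plausible' or 'unknown' for a sender host."""
    reg = registrable(host)
    if reg in trusted:
        return "trusted"                 # company.com, mail.company.com
    if normalize(reg) in {normalize(t) for t in trusted}:
        return "lookalike"               # cornpany.com
    if any(t.split(".")[0] in host.lower() for t in trusted):
        return "plausible"               # company-support.com, company.com.evil.net
    return "unknown"


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_mismatched_links(html):
    """Links whose visible text names one domain while the href leads to another."""
    parser = LinkCollector()
    parser.feed(html)
    mismatched = []
    for href, text in parser.links:
        m = DOMAIN_IN_TEXT.search(text)
        if m is None:
            continue                     # "Click here" makes no claim about the target
        target = urlparse(href if "://" in href else "http://" + href).hostname or ""
        if registrable(m.group(1)) != registrable(target):
            mismatched.append((text, href))
    return mismatched


def assess_email(from_address, html):
    """Combine the sender-domain verdict with the mismatched-link check."""
    sender_host = from_address.rsplit("@", 1)[-1].rstrip(">")
    return {"sender_domain": sender_host,
            "sender_verdict": classify_sender_domain(sender_host),
            "mismatched_links": find_mismatched_links(html)}


# Constructed sample message for the demo, not a real phishing email.
SAMPLE_FROM = "help@cornpany.com"
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Sign in at
<a href="https://login.company-support.com/verify">https://company.com/login</a>
within 24 hours to avoid suspension.</p>
<p>Questions? <a href="https://company.com/help">Contact support</a></p>
"""

if __name__ == "__main__":
    for key, value in assess_email(SAMPLE_FROM, SAMPLE_EMAIL_HTML).items():
        print(f"{key}: {value}")
```

The sender check deliberately runs the exact-match test first, then the confusable-folded test, then the substring test, so a legitimate subdomain such as mail.company.com is never reported as a lookalike. The link check only flags anchors whose visible text itself names a domain; a link labelled "Contact support" is not a mismatch, because the text makes no claim about where it leads.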
Phishing attacks are a continual cat-and-mouse game between scammers and defenders. Each time one side develops a new tool or technique, the other works on finding a way to defeat it.
As a result, phishing attacks are growing increasingly sophisticated. For example, a recent attack used Morse code to hide malicious content from email scanning solutions.
Common Types of Phishing Attacks
Phishing attacks come in many different forms, but some types of attacks are more common than others. Some of the most common forms of phishing include:
- Account Issues: Some phishing emails claim that there is an issue with an account that needs to be fixed immediately (unusual login, unauthorized purchase, etc.). Clicking the link and logging in sends the recipient’s login credentials to the attacker.
- Fake Invoices: Phishers targeting businesses will send an email claiming to be an unpaid invoice from a supplier. Whether or not the supplier is legitimate, the banking details in the invoice will point to an attacker-controlled account instead.
- Missed Delivery: Some phishing emails will claim to be from a delivery company stating that delivery of an order has failed and that some action is needed by the recipient. This is another tactic to steal login credentials or payment card details.
- Business Email Compromise (BEC): In a BEC attack, the phisher masquerades as the CEO or someone else in authority. These attacks commonly instruct the recipient to make a wire transfer to close a deal, pay an invoice, etc.
While these are some of the most common phishing pretexts, they are far from the only ones. Phishers will also take advantage of current events (COVID-19, the Olympics, etc.) and other pretexts to make their emails look more realistic and their attacks more successful.
How to Protect Yourself Against Phishing Attacks
Phishing attacks are designed to get the recipient to do the attacker’s bidding. They always involve taking some action that is unusual and can cause harm to the individual recipient or their organization.
The best defense against phishing attacks is to stay vigilant and think twice before doing anything that seems a bit unusual or potentially suspicious. If an email contains a link to be clicked, visit the site directly instead and find the target page from there. If an attachment is unsolicited and seems suspicious, call the sender and confirm before downloading or opening it.
If you think that you have received a phishing email, report it to the IT security team so that they can investigate and respond if anyone else has clicked on it.
No one can detect every phishing email, so it is important for companies to have processes in place for managing potential phishing attacks. An email security system can help to detect and block a potential phishing attack, and the use of multi-factor authentication can mitigate the impact of compromised credentials.
In the event of a successful phishing attack, it is important to begin incident response as quickly as possible to minimize the damage to the company. Having a professional incident response team on-call can mean the difference between a devastating ransomware attack or data breach and a non-event. Contact the Halborn cybersecurity team at halborn@protonmail.com for more info on how we can help your organization prevent or mitigate phishing attacks.