The oldest trick in the book still works: why phishing is here to stay
Phishing might be one of the first forms of cybercrime that ever appeared. Some of the scams that were circulating in the early days of the internet have even entered popular culture – does everyone remember the story of the prince from far away who needed a bit of money, just to get him through to when he’d finally be granted access to his trust fund?
With time, users became savvier, but fraudsters’ tricks became more sophisticated. From spear-phishing to BEC scams, attackers have learnt that by doing some research and spending a little more time crafting their messages, they could use malicious emails – which are convenient and inexpensive – to make their way into organisations’ networks and either scam them for large sums or gain a beachhead from which to launch an attack.
As part of cybersecurity month, Edgescan has compiled a list of today’s most common phishing techniques, with some advice on how to prevent falling for cybercriminals’ tricks. Spoiler alert: user education features prominently!
- Scam emails
This type of phishing scam is the least sophisticated. It’s generally not very targeted, with the same message going out to a list of contacts (usually email addresses that have been exposed as part of a data breach), so a good way to spot one is to look for generic salutations. As part of this type of scam, fraudsters will impersonate a known brand that the recipient is likely to have a connection with. Amazon and Microsoft are all-time favourites, and so are tax collection agencies and other institutions most people will recognise. The email body will contain a call to action, such as clicking on a link to redeem a prize or to rectify a problem with an account. The link will then take the victim to a malicious domain, designed to steal the user’s data.
Tips: A language of urgency is always a red flag, and so are grammatical errors. Whenever in doubt, taking a little more time to validate that the sender is who they are purporting to be is always worth it: hover over a link to see if the URL points to a domain that looks genuine, and if in doubt type the address manually into the browser’s address bar. It’s important to inspect URLs carefully, as attackers often use homoglyphs. For example, a fraudster impersonating the UK’s HMRC might create domains like www.hrnrc.co.uk, where the “m” is substituted by the similar-looking “rn”.
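One way to automate the link check described above, as an added example that is not from the article or Edgescan: it folds common look-alike sequences (the “rn” for “m” trick among them) in every DNS label of each link in a constructed email body and flags labels that only match a trusted brand name after folding. The brand list and the confusable table are assumptions, not a complete set.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Brand labels the recipient is likely to trust (constructed, hypothetical list).
BRANDS = {"hmrc", "amazon", "microsoft"}

# Look-alike sequences seen in spoofed domains; multi-character ones first so
# "rn" becomes "m" before any single-character folding runs.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def fold(label: str) -> str:
    """Collapse look-alike sequences so a spoofed label matches the brand it mimics."""
    label = label.lower()
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label

def homoglyph_brand(host: str) -> Optional[tuple[str, str]]:
    """Return (label, brand) for the first DNS label that folds to a trusted brand
    without being spelled identically; None when nothing looks off."""
    for label in host.lower().split("."):
        folded = fold(label)
        if folded in BRANDS and label != folded:
            return label, folded
    return None

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def flag_links(html_body: str) -> list[tuple[str, str, str]]:
    """Report (url, label, brand) for every href whose host hides a brand homoglyph."""
    findings = []
    for url in HREF_RE.findall(html_body):
        host = urlparse(url).hostname or ""
        hit = homoglyph_brand(host)
        if hit:
            findings.append((url, hit[0], hit[1]))
    return findings

# Constructed sample email body (not a real message) with one genuine link.
SAMPLE = """<p>Your tax refund is waiting.</p>
<a href="https://www.hrnrc.co.uk/refund">Claim now</a>
<a href="https://www.hmrc.gov.uk/help">Genuine help page</a>
<a href="http://arnazon.com/login">Sign in</a>"""

if __name__ == "__main__":
    for url, label, brand in flag_links(SAMPLE):
        print(f"suspicious link {url}: {label!r} imitates {brand!r}")
```

Folding digits such as “0” to “o” will occasionally flag a legitimate domain that happens to contain numbers, so hits are a prompt to verify the host against the organisation’s own allow-list rather than a verdict on their own.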
- Spear phishing
Spear phishing is much more targeted, as it requires scammers to do some background research on their potential victims. These malicious emails are crafted to deceive a specific person, so they will contain a lot more personal information, such as their name, place of employment, job title, and more. Spear phishing is more common when attackers are aiming at an organisation, and are looking for a foothold into the network.
Tips: The best way to protect your organisation from spear phishing is user education. Fostering a culture that puts security first and rewards employees for taking the time to validate the legitimacy of a message goes a long way towards minimising the success of phishers. Email filtering systems – often provided by default by email hosting providers – can be set to flag any email coming from an external, unrecognised sender, and can be configured to warn users when they are about to download an attachment that should not be trusted.
- BEC/CEO Fraud
This type of phishing email is the hardest to spot. It usually entails attackers compromising the email address of a top-level executive, from which they will contact other employees and ask them to transfer funds to a certain account. Instead of the supposed client’s account, however, the money will land in the fraudsters’ pockets. This attack is subtler to spot because the malicious message comes from a trusted email address that the recipient will recognise.
Tips: In this case, too, education remains an organisation’s first line of defence. These scams also remain effective partly because senior executives often don’t attend cybersecurity awareness training alongside other employees. It’s therefore important to extend those courses to the whole company, and to run them on a regular basis, as opposed to a one-off.
Phishing attacks are here to stay because they offer fraudsters an easy and cost-effective way to launch an attack. The wealth of data exposed as part of the data breaches that make the news on a daily basis gives cybercriminals a huge pool of potential victims, whom they can target conveniently with a Phishing-as-a-service tool, available for a few hundred dollars on the dark web. The only way to reduce attacks preying on the human factor is to make them unprofitable: only when it is no longer worthwhile for scammers to send malicious emails will they stop targeting our inboxes.