Phishing is a form of cybercrime where targeted individuals or organisations receive emails, telephone calls or text messages from someone claiming to be a legitimate institution, seeking to lure the individual into providing private data including (but not limited to) private details such as banking details and passwords.
What is more, advances in technology and cybercrime practices have made these attacks increasingly sophisticated and more difficult to spot. Very often, the victim will be ‘tricked’ into clicking a malicious link or attachment that downloads malware, or otherwise hurried into providing personal details for an ‘urgent’ and ‘legitimate’ cause.
Phishing is most commonly seen as targeting organisations and their employees. These phishing campaigns are often specifically targeted, with attackers using company information to generate ever more convincing impressions on staff. As such, it is integral for organisations and individuals to have procedures and policies in place to protect against the vast risk that phishing poses.
Methods of phishing
Email and SMS phishing
This is the most common form of phishing, with typical targets for impersonation being that of the government, HMRC, banks and other financial services. Often, these emails are not tailored to any specific individual or company, instead being sent out in bulk, hoping to catch as many victims as possible in a single cast net.
SMS phishing is largely similar to email phishing - its medium instead being mobile phones. They operate by inciting victims to click malicious link, call or email the attacker (where they will then be encouraged to divulge private information).
Page and Search Engine hacking
Page hacking involves the use of legitimate website URLs to redirect victims to malicious websites.
Also known as ‘SEO poisoning’, search engine phishing involves hackers getting malicious websites to rank at the top of search engine results, therefore inciting more clicks. Once entered, victims entering the site means they often compromise sensitive data.
Voice phishing
Voice phishing is typically conducted via text-to-speech synthesiser, with calls to victims exposing an urgent threat (for example, illegal activity on their credit card) that will lead them through to a call with an attacker, who will prompt the giving of details to ‘solve’ the issue at stake.
Targeted phishing attacks
Spear fishing
Here, cyber criminals use specialist technology to obtain information about a particular organisation (through publicly available sources). Victims are often members of the organisation, and the malicious emails are typically engineered in such a way so as to make the victim think they are legitimate messages from within the organisation.
Whaling
With this type of phishing, cyber criminals undertake research about a company’s CEO or another senior leader. They then create a similar email address and impersonate that individual. An example of this could be an email from the CEO of a company to an employee asking them to review an attachment, which turns out to be corrupt.
Clone phishing
Similar to whaling is clone phishing. This is where a previously sent email that contained a link or attachment is taken by the cyber criminal and used to create a spoof email that’s almost identical to the original. The link or attachment is replaced with a malicious version. When the new is sent out, it appears to come from the original, legitimate sender.
Protecting against phishing attacks
Given the ever-sophisticated nature of phishing, individuals and organisations are encouraged to take a multi-layered approach to protection. The more resilient your defence, the better you are protected. A multi-layered system could comprise the following (non-exhaustive) measures:
Knowing and spotting the signs
Though modern technology makes it harder to detect phishing scams, there are still some signs one can look out for:
Shortened links (hyperlinks)
Very often, hovering over these short links shows you the real URL hiding behind it. It is also important to check for very subtle spelling areas e.g. ‘rn’ is often used to replace ‘m’ (‘bank of arnerica’).
Emails with little text and/or contain errors
Images are often used to hide malicious code, and therefore one should be ware of emails with lots of images and little text (unless otherwise anticipated). Alongside this, these emails are rarely 100% accurate, and even the email address itself may contain very subtle errors.
Unusual requests, often with a sense of immediate urgency
If an email appears to be from a legitimate individual within your organisation, be wary of unusual and immediate requests from people in other departments or senior positions that may seem totally out of the blue.
Employee training, coupled with a positive security culture
It is important to appreciate that phishing attacks very often target junior members of staff and rely, psychologically, on conditioned responses to matters of urgency and the requests of senior figures. Employees therefore need training to gain a greater understanding of the signs of phishing, coupled with a firm understanding of the company’s common practice (and therefore what kinds of calls, emails and requests for information are not to be expected). Maintaining a positive culture around this learning also ensures that employees are not discouraged from reporting phishing attacks).
Powerful system security and strict security policies
Domain Fraud Prevention
Setting up Domain Fraud Prevention (e.g. DMARC, SPF, DKIM) stops phishers using your domain to make their own links, emails or calls look legitimate. This also makes it more difficult to imitate company emails, which is hugely important from both a safety and reputation-based perspective.
Two-factor authentication (2FA)
This is perhaps the most effective method for preventing/protecting against phishing attacks, with the added level of verification forming a secure barrier to hackers even if first levels of protection are compromised.
Spam email filter/blocking service
Filtering emails enables the flagging/blocking of phishing emails before they reach you, or members of your organisation, therefore reducing the probably of an attack.
Strict password management policy
A very good protective measure is ensuring everyone frequently updates all their passwords.
Quick response to incidents
No amount of system security renders you or your organisation 100% safe - after all, some phishing attacks are simply down to human error. Therefore, it is just as important to have an incident response plan as it is to engage with preventative measures. An incident response plan should detail exactly what should happen once aware of a phishing attack, including:
-
The key person to report any incidents
-
What you should do with your devices if any attack has happened
-
Who is responsible for addressing the attack
