Inside Out Security Blog » Data Security » The Complete Guide to Phishing Attacks

Phishing attacks have been a plight on individuals and organizations since the invention of email. As of late, these attacks have become more sophisticated and challenging to detect. Phishing attacks are one of the most common methods hackers use to infiltrate victims’ accounts and networks. According to Symantec, one in 2,000 emails are phishing attacks, which means there are 135 million attacks every day [1].

While phishing attacks are already a frequent occurrence, we tend to see a significant increase during times of crisis. Scammers take advantage of the chaos and confusion caused by these momentous events. Many people expect to receive emails from official sources such as expert organizations, insurance companies, government entities, etc., leaving ample opportunity for scammers to sneak their “real enough” emails into the fray. These seemingly innocuous emails intend to reroute users to fraudulent sites, attempting to dupe users into entering sensitive information.

What is Phishing?

Simply put, phishing is a tactic where scammers send out fraudulent emails and try to trick recipients into either clicking on a malicious link or download an infected attachment to steal their personal information. These emails can appear to come from organizations, like retailers and banks, or from individuals and teams within your organization, like H.R., your boss, or even the CEO.

If your employees don’t know the signs of a phishing scam, your entire organization is at risk. According to Verizon, the average time it took for the first victim of a large-scale phishing campaign to click on a malicious email was 16 minutes. It took twice as long — 33 minutes — for a user to report the phishing campaign to IT [2].

Given that 91% percent of cybercrimes are initiated via a successful phishing email campaign[3], these 17 minutes could spell disaster for your company.

Phishing Attack Methods

As mentioned above, most (if not all) phishing scams begin with an email made to look like it was sent from a legitimate source, but the attack and infiltration methods can differ from there. Some of these techniques can be as simple as tricking someone into clicking on a link to enter sensitive information or as complicated as running an executable file that spoofs a legitimate process that secretly gains access to your computer and network to run malicious software in the background.

Phishing scams will commonly utilize multiple methods of deception within a single attack. Typically these scams use link manipulation and website forgery in conjunction to make their scam as convincing as possible. When you receive a phishing email, one of the first things you’ll see is a seemingly legitimate URL to a commonly used and trusted website like Facebook, Amazon, YouTube, etc. with a message baiting you to click on the link. These messages will prompt users to enter sensitive information by claiming there is an issue with their account or order that needs to be resolved, and this is where website forgery comes into play.

While the link might look like a real “amazon.com” link, small typos or inconsistencies with the domain often reveals its true nature. These fraudulent domains are often referred to as typosquat domains. These malicious sites are designed to look as similar as possible to the real webpage, tricking unassuming victims into entering their credentials for the hacker to steal and use on the real site.

Hackers will often also attach a legitimate-looking file or include a link that, when clicked, will secretly download malicious software that will embed itself into the victim’s systems. These attacks will often inject malware that disguises itself as a legitimate executable that will run in the background, moving laterally through the user network to steal sensitive information like bank accounts, social security numbers, user credentials, and more. Sometimes the malware includes ransomware that will worm its way through the victim’s network, encrypting and exfiltrating sensitive data to hold for ransom.

Types of Phishing Attacks

The most common method of attack used by phishing scammers is to cast a wide net. They’ll send generic emails from commonly used sites out to as many people as possible in hopes of fooling a few into falling for their tricks. While this method is effective, it’s not the only way that phishers snag a catch. Some scammers will use more precise methods like spear phishing, clone phishing, and whaling to get the job done.

Spear Phishing and Whaling

Like general phishing attacks, spear-phishing and whaling use emails from trusted sources to trick their victims. Rather than casting a broad net, however, spear phishing targets specific individuals or impersonates a trusted person to steal credentials or information.

Like spear phishing, whaling creates campaigns around a specific target but with a bigger fish in mind. Rather than target a broad group like a department or team, these attackers channel their inner Captain Ahab by aiming their spear at high-level targets like executives or influencers with hopes to spear their white whale. Whale hunters seek to impersonate senior management like CEOs, CFOs, the head of HR, etc., to convince members of an organization to reveal sensitive information that would be of value to the attackers. For a whaling excursion to be successful, the attackers must perform more in-depth research than usual, with the hope of impersonating their whale accurately. Attackers are looking to use the whale’s authority to convince employees or other whales not to look into or question their requests.

Anecdotally, I have personally been targeted by a whale attack at a previous company where a scammer posed as my CEO, asking for my phone number so they could call me to ask for a favor. Luckily the email had plenty of tell-tale signs of fraud. The most obvious being the CEO’s office was only 10 feet from my desk, so he could have easily walked over if he needed me!

Clone Phishing

Clone phishing attacks are less creative than spear and whale fishing, but still highly effective. This attack style has all of the core tenants of a phishing scam. However, the difference here is that rather than posing as a user or organization with a specific request, attackers copy a legitimate email that has previously been sent by a trusted organization [4]. The hackers then employ link manipulation to replace the real link included in the original email to redirect the victim to a fraudulent site to deceive users into entering the credentials they would use on the actual site.

Email Scam Examples

It is common for scammers to spoof official-looking emails from retailers like Amazon or Walmart, claiming that you need to enter your credentials or payment information to ensure they can complete your order. Links embedded in the email will take you to a genuine-looking landing page to enter your sensitive information.

With more people shopping online than ever before due to the pandemic and the evolving digital retail landscape, scammers will be working overtime this year. During the holiday season, these types of scams increase exponentially due to all of the gift-buying happening. Many people have so many purchases that they don’t think twice about there being a problem with their orders.

An example of a phishing scam that has seen an uptick during the 2020 holiday season is a spoofed email from Amazon informing customers that they need to login to update their payment and shipping information to complete their order [5].

(Source)

From personal experience, I get constant emails from Amazon about shipping, arrival dates, confirmations, etc. If I didn’t know what to look for in these attacks, I would easily fall for the scam.

 The Anatomy of a Phishing Email

We’ve broken out the most common components of a phishing email. Check out our full infographic to test your knowledge.

Subject line

Phishing campaigns typically aim to create a sense of urgency using intense language and scare tactics, starting with the email’s subject line.

“From” field

The email will appear to come from a legitimate entity within a recognized company, such as customer support. However, upon closer look, you can see that both the sender’s name and email address is a spoof on a known brand, not a real vendor.

“To” field

Phishing emails are often impersonal, addressing the recipient as a “user” or “customer.”

Body copy

As with the subject line, the body copy of a phishing email typically employs urgent language to encourage the reader to act without thinking. Phishing emails are also often riddled with both grammar and punctuation mistakes.

Malicious link

A suspicious link is one of the main giveaways of a phishing email. These links are often shortened (through bit.ly or a similar service) or are formatted to look like a legitimate link that corresponds with the company and message of the fake email.

Scare tactics

In addition to urgent language, phishing emails often employ scare tactics in hopes that readers will click malicious links out of alarm or confusion

Email sign-off

As with the email’s greeting, the sign-off is often impersonal — typically a generic customer service title, rather than a person’s name and corresponding contact information.

Footer

A phishing email’s footer often includes tell-tale signs of a fake, including an incorrect copyright date or a location that doesn’t correspond with that of the company.

Malicious landing page

If you click on a phishing link, you’ll often be taken to a malicious landing page

How to Prevent Attacks

The best defense against phishing campaigns is knowledge. Attackers create phishing scams to look as convincing as possible, but they often have tell-tale signs revealing the farce. Requiring regular data security and social engineering training is an excellent prevention method that helps your organization learn the signs of malicious emails.

Here are some things to check anytime you receive an email asking you to click a link, download a file, or share your credentials, even if it appears to be coming from a trusted source:

• Double-check the name and domain the email is from
  • • Most legitimate emails won’t come from @gmail.com, @live.com, etc. They’ll usually be from private domains
• Check for obvious spelling errors in the subject and body
• The “to” and “from” lines are generic
• Do not share credentials—legitimate senders will never ask for them
• Do not open any attachments or download any suspicious links
• Report suspicious emails to whoever handles your IT security

If you even suspect that you received a phishing email, do not click it or any attachments. Instead, flag it and report it to the proper authorities. That may be to your organization’s IT department, the company that the email is being spoofed, or your email domain provider like Google, Microsoft, etc.

Don’t Take the Bait

Knowledge is power when it comes to protecting against phishing attacks. These scammers rely entirely on you falling for their ruse for their scam to be successful. Even if you believe you are an expert in spotting phishing scams, you can’t let your guard down; danger lurks behind every link. Phishing scams and emails will continue to get more sophisticated and challenging to detect as time goes on. As long as our everyday life continues to be digitalized, hackers will always be there to exploit innocent people for financial gain. The best way to stay safe and keep on top of everything is to continue to educate yourself on the most current forms of phishing scams.