Phishing is a form of confidence scam that uses social engineering to harvest personal information by gaining the trust of unsuspecting victims. Hackers can use this information for identity theft, or espionage, ultimately granting the instigator access to data or funds. Of course, none of this is new. What is new and alarming is the fast pace at which phishing attacks are evolving to infiltrate organizations without detection.
Phishing exploits the weakest link
Modern security systems are becoming more difficult to hack. For that reason, cybercriminals have shifted their attention to the user, which is typically the weakest link in the security chain. Brute-forcing passwords takes time, and countermeasures are usually in place to lock accounts after a number of failed attempts. On the other hand, you can convince the user to simply give you their credentials. You just need to persuade them that you are entitled to them. This often involves prompting the user into urgent action before they have time to think about the scenario.
Historically, phishing emails were synonymous with poor phrasing and language. Nowadays, individuals tend to have access to fewer funds and less valuable data than companies. This means, the sophistication of phishing and social engineering has adapted to be more convincing. As companies have implemented email filters to prevent scam emails ever reaching the user, phishing has moved primarily to mobile platforms.
Spear phishing and whaling attacks are on the rise
Sometimes, the attacker uses splices of information from multiple users to build a picture of the company. They then create targeted attacks aimed towards specific high-level users. Spear-phishing is an example of a targeted attack against an individual that relies on information gleaned from partner companies or colleagues to make the con seem more convincing. Whaling is a variation of the above where the attack targets C-Level staff at the company. The principle is largely the same: seem convincing and authoritative, and use urgency to prompt unthinking user action.
Phishing attacks have gone mobile
Mobile devices often operate beyond the LAN perimeter while having access to corporate resources. Messaging apps now offer end-to-end encryption, which prevents enterprise software detecting phishing links until the user clicks on them. Mobile devices don’t offer link previews, so the only way to find out where a link leads is to tap on it. At this point, the user will be presented with a screen that resembles the one they expected to see. All that is missing at this point is a sense of urgency to get the user to share credentials.
The Phishing email
Two-factor authentication makes passwords useless on their own, but enterprising scammers have found a way around it. Imagine a scenario where you receive an email telling you that your credentials have been compromised, and must immediately log into Office 365 to reset your password. The link at the end of the email looks legitimate, and when you tap it, you land on a page that looks like the Office 365 login page.
The URL in your browser also looks legitimate (but in fact may be a longer URL that the browser automatically truncates due to screen size). So, in order to protect your data, you supply your username and password. The phishing site forwards this data to the real site. This triggers Authenticator, or a text message with a PIN. You see the screen which tells you that you need to enter the PIN to proceed, and you duly do. At this point, you have divulged all the necessary information for a 3rd party to compromise your account, while thinking that you were protecting yourself.
Protect yourself and your business
Spotting a phishing attack is not always simple, but there are several steps you can take to minimize the chances of a successful attack:
- Be suspicious of urgent emails with current hot topics. Due to the current pandemic, there are many variations of scams where users are told that somebody that they have been in contact with has tested positive for COVID-19, and that they urgently need to click on a link for their own safety. These topics will change with world events, but the end goal is always the same.
- Question anybody or anything that asks for your credentials. If you have followed a link to reset a password, ask yourself if you could have gotten there directly. For example, most companies will send you a common email to tell you that your credit card has been declined. If this is plausible, then go directly to the website of the service directly and log in there. Never follow the link provided in a 3rd-party email.
- Try to apply common sense. You haven’t won any competitions or lotteries that you haven’t entered. Even if you had, did you supply your email address when you bought the ticket? Why does the message tell you that you only have 24 hours to reply?
- If you provided information to a link that you suspect was a scam, report it immediately to your security team. Reset any passwords that might have been compromised using legitimate links. If you have other accounts that use the same password, change those as well.
Asavie provides the leading protection against phishing by automatically blocking access to malicious or unknown sites. Even if a user clicks on a fraudulent link, the landing page is automatically blocked. We offer secure network-level protection so that users can work remotely and securely. Learn more.