Working in the Cyber Security sector there are many topics I discuss with people when talking about the work I do, and admittedly a lot of it sounds like complete jargon. One topic that immediately hits home with everyone I speak to is phishing awareness – the elephant in the room, the issue that keeps coming up again and again.
Around 3.4 billion phishing emails are sent every day across the world, and nearly 1.5 million phishing sites are created every month, to be used in phishing attacks. There is such a huge market here for criminals to exploit, so the threat must be taken seriously, no matter what size organisation you are, both from a professional and personal account perspective. If you haven’t already checked out our blog on general cyber security hygiene, you can do so here. Need some advice protecting yourself or your organisation against phishing attacks, or have you already been the victim of one? Get in touch today at email@example.com to talk to our helpful team about how we can help you moving forward.
Wait a second it is ‘fishing’ with a ‘ph’…
If you hadn’t already guessed the terminology around phishing comes from the fishing industry itself, as the attacks that cyber threat actors carry out mirror similar processes conducted by fisherman around the world. On a side note, for those wanting to learn more about the impact of humans on marine species, check out the latest documentary on Netflix which has got parties on both sides of the discussion riled up. – Seaspiracy.
Let’s break down the 4 most common types of phishing attacks.
Wait, where did this come from again?
The domain is often the first giveaway of a phishing email, as a poor choice of domain from the attacker can be an immediate red flag – I often receive emails from “PayPal”, but a quick glance at the sender domain reveals a personal Gmail account – no dice.
There are three main methods of deception to be wary of when it comes to the domain;
Dude, have they not heard of spell check?
This is probably the first giveaway for me on 50% of the phishing emails I receive. As discussed early in the types of phishing attacks, those generic bulk phishing emails that you receive – think PayPal, eBay, Amazon, DPD, are put together to be quick and effective and often done within a custom program or tool that the attacker is using to send out bulk emails. One of the major issues attackers find here is that in a legitimate email platform, such as Microsoft Outlook or Gmail, there will be a spelling and grammar checking tool working in the background to clean up silly mistakes, but this will typically not be the case in their custom tools – leading to silly errors that come across as an unpolished email – therefore unlikely to have come from a professional company.
The other key factor here is the look and feel of the email. Admittedly you may not have received many emails from a company before, so it may be hard to determine if the email format is legitimate or not, but there are usually giveaways here, such as bad grammar, pixelated logos and images, inconsistent font, and colour schemes.
But I need to action this straight away it looks important!
As an attacker your greatest weapon is the sense of urgency – as rushing leads to mistakes and checks being missed. A careful, calm, and patient target is likely to take their time reading through your email, performing their checks, and identifying anything suspicious or not quite right about it. Which is why phishing emails almost always contain a sense of urgency.
Your account has been locked, your credit card has been used fraudulently, you need to reset this password, you need to update your details now or your account will be deleted. These are some of the most common phrases seen in phishing emails because they immediately cause a sense of panic, which can lead to mistakes. Unless you are expecting an email or a phone call about something, this is the first time you have heard about an issue, treat the email as phishing until you finalise your checks. Take the time to digest the situation and understand what the next course of action should be, even if the email suggests otherwise.
Wait a second, where are you trying to send me?
This is the bread and butter of a phishing email – it’s where the malicious content is and so the target of the whole process. The attacker wants their victim to panic, rush through the email and believe they need to take immediate action, and the quickest way to do so is to review an attached document, or click on the link to launch the website. Bam – this is where the malicious attack will take place.
Lets start with links first. You have received an email from “PayPal Security”, telling you that there has been fraudulent activity on your account, and you need to take action by clicking the link below, which appears to be “security.paypal.com”. All seems to check out so far right? Hovering over a link in an email or document however will reveal the true target of the link – and if this is different to what it says this is a major red flag to be wary of. Instead of the domain it should be going to, it’s taking you to “definitelynotascam.com”.
Next lets deal with attachments. Links are the most common form of phishing and as such are the area that users are most wary of, so criminals will continually seek out new ways to conduct these attacks. Attachments are a powerful way to add a sense of urgency without having to have a suspicious link in there – and you will often see these used on internal seeming emails, for example the spear phishing and whaling attacks we discussed earlier. “Hey boss, can you quickly review this document for me before I send it out to the client?” is one common method seen. Be sure to disable macros on your system, as these are commonly used within documents to store the malicious attack. To be safe, do not open an attachment you are not expecting. If possible, send a message (instant message or text message) to verify that the person is the genuine sender and the document was meant for your eyes.
I guess this is just my lucky day.
Whilst phishing attacks focus on the element of urgency, some go down the line of intending to scare the victim – “You must do this now or this will happen!” Whilst fear and intimidation is one common tactic, another is to get a victim’s guard down by making them a fantastic offer that they have to action straight away!
Prize winnings, tax rebates, insurance claims are common tactics from scammers in this area, enticing the victim to ignore their safety measures and chase the reward. So, the best advice here is to be mindful of what you have actually applied for and remember that no company will give you anything for free out of the blue.
Let me just check this first.
This is probably the most effective way to inspect and handle a phishing email, and is my go to method of choice. For example, if I receive an email from Facebook instructing me to update my password, even if I am highly confident that the email is legitimate, I won’t click through the link in the email to launch Facebook – I will open a new tab in my browser and login myself.
Whilst following through links in emails is appealing from an efficiency perspective, taking those extra few seconds to action the request yourself provides that peace of mind that you haven’t been phished. Whenever you receive a ‘high alert’ or ‘urgent’ email from a particular website, if you login to your account manually you should also be greeted with the same notification – if you don’t, this is a potential sign that this email was not legitimate.
Wait there’s another one!
Consent phishing is a growing area of concern across the industry, primarily because of the expansion of federated identity. Through federated identity, a user can sign up for an account with a new website, for example Canva without actually having to create an account on Canva – they authenticate through a third party, such as Google, Facebook or Amazon. This provides the benefit of less accounts to manage for the user but it also emphasises why this attack vector has grown.
Now if an attacker is able to compromise a Federated Account, this could potentially grant access to more than just one account’s worth of access, with all the other linked logins tied to that account potentially vulnerable. Which is why there has been an increasing spike in phishing attacks attempting to harvest user logins for commonly used accounts for Federation, like Microsoft, Amazon, Facebook, and Google.
Consent phishing goes a step further, using pop ups to request extensive permissions on an application after sign in. The most common examples tend to involve Facebook, Microsoft, and Google accounts for good reason – this is where sensitive data is likely to be found, either in emails, messages, or documents.
When you link a third-party application to another provider, for example Facebook, a pop-up window requests you to approve a set of permissions that this third-party app can take on your behalf using your Facebook account. Attackers play on the fact that people are inherently busy and do not take time to read the small print, indicating what permissions you are agreeing to.
“Send messages as you”, “Read your mail”, “Read your contacts”, “Have full access to your files” are just some examples of permissions you should be extremely careful with! By agreeing to this, you are providing this third-party app with access rights, typically through API access tokens to read and potential write to this information. An important lesson here is to always know what you are agreeing to!
Phishing is such a challenging area to crack down on, with so many different techniques and variants available to attackers. The challenge for email providers, such as Microsoft and Google to identify suspicious emails is that if they use far too robust algorithms for identifying phishing content, there is likely to be a level of false positives, meaning that genuine emails can be missed by users, ending up in their junk / spam box. Whilst this article is not an exhaustive list of all the different ways to spot a phishing email, it should provide a useful guide in how you can take matters into your own hands and improve your protection against this form of attack. No one wants to be part of another statistic.
Interested in wanting to build a secure website, mobile application, or a visual identity for your organisation? Then get in touch today at firstname.lastname@example.org for a free, tailored quote to your requirements. We hope you enjoyed this week’s blog, stay tuned for next week’s edition!