Myhrtoolkit CTO, Kit Barker explains what phishing is and what businesses can do to help protect against the effects of phishing scams.
What is phishing?
If you’ve used email for any time at all, you’ve probably heard of – and unfortunately experienced – phishing. Phishing is the name given to any fraudulent attempt to obtain sensitive information such as usernames and passwords by impersonating a legitimate source.
As we’ll discuss later, there are many types of phishing, but in general the term phishing usually relates to bulk, automated attempts to obtain information via emails. These emails are not targeted at any individual or organisation; they are sent to a wide range of email addresses from a variety of email databases available online.
Attacks of this type will impersonate the most common software platforms or services such as major banks, productivity software, and other online services.
There are plenty more phish in the sea…
There are many varieties of phishing attacks, not just the bulk attacks described above. The main types of phishing attacks are:
Whereas bulk phishing is a blanket, automated attack at a wide range of targets, spear phishing is a targeted attack aimed at an individual or organisation. A competent attacker can gather a lot of information about employees, systems in use, and recent events at your organisation. With this information, spear phishing attacks can be very difficult to spot.
Also called “whaling”. This is where “whales” or C-level employees are targeted. Most whale phishing is targeted and so also a spear phishing attack. As well as being difficult to spot, these attacks are also particularly dangerous due to the seniority of the people targeted.
Voice-phishing is a phishing attack over the phone. Just like email, these attacks can be bulk and automated or personal and targeted. Bulk attacks take the form of automated messages and can be simple to spot – as most organisations don’t send automated messages to people, any such message is suspicious. However, targeted and personal vishing attacks can be very convincing.
This is a phishing attack over SMS or other messaging protocol. These can be easy to miss for a few reasons: “from” names are easy to spoof and people are less aware of the risks from message-based attacks.
How does phishing impact businesses?
The answer to this question entirely depends on the type of attack, the person affected, and the security in place on the system or network. In the worst-case scenario, this could result in an attacker gaining access to everything you can access, and that’s bad in anyone’s book!
That said, all breaches should be treated as serious and urgent. You may believe you don’t have sufficient access to cause any real damage, but a common tactic is for attackers to use compromised accounts as a staging post to launch further attacks. If your email account is compromised, then everyone in your contact list is at a greatly increased risk. These people trust you and are much more likely to follow links or open attachments contained in your emails. With your account breached, attackers can send real email that really comes from your account. It’s not a spoof and, if done well, is extremely hard to spot.
How to stop phishing attacks
Just like ogres and onions, security is all about layers. Any robust protection should include multiple levels and a plan for what happens when they fail. This is often referred to as “assume breach”.
1. Stopping attacks reaching users
This first layer often utilises technology to identify and intercept messages before they reach your inbox. Being technical in nature, these measures are likely to be installed and configured by your IT support but include tools such as email filters, DMARC and SPF.
2. Train users how to spot phishing attacks
Trained users are an absolutely essential part of any organisations’ security. Showing users how to spot the attacks that get through your first layer of security is crucial.
Some of the key things to be aware of in phishing attacks include:
Out of context messages or unexpected senders
You should always ask yourself: is it normal for this person to email me about this? If the answer is no, further checks are required.
Requiring urgent action or a sense of urgency
A frequent tactic of attackers is to invoke a sense of urgency. If you feel pressured to act quickly, the message needs extra care.
Know what services your organisation use, and what alert messages look like
This will make it easier to spot when something fishy. For example, knowing that your email is provided by Google, and that all quarantine or account expiration messages go to your administrator, means that you instantly know that any such message you receive is fake.
Be on the lookout for suspicious URLs
Emails often show links with different text to that of the actual URL. Hovering over the link will reveal the real URL. However, it is also common for genuine emails to have tracking links which lead initially to a website other than that suggested. Sharing links from the likes of Dropbox or SharePoint are also often convoluted – even genuine links can look suspicious.
If you’re unsure whether a message is genuine or not:
- Verify using a different channel. For vishing attacks, this can be hanging up and calling the phone number on the company’s website. For emails with sharing links, this could include opening a known safe website and checking the “shared with me” section. Or even calling the person who sent the email, using a trusted number – not the one in any email.
- Ask for help. If you’re unsure, raise the question with whoever is responsible for IT or information security in your organisation.
- If you’re still unsure, assume it’s fake and delete it.
3. Create a culture of security awareness
The culture of your organisation is critical to maintaining an effective defence against any cyber-attack. As mentioned above, users need to be trained how to spot attacks, but it is just as important that they feel safe to report mistakes.
If we “assume breach”, we will expect some attacks will get through and have plans in place to deal with this. When this happens, speed is of the essence. Users need to know what to do, who to contact, and most of all know that they are not going to be punished for failing to spot an attack.
Users who fear being punished are unlikely to own up to mistakes. This is worst scenario for everyone.
If you would like to know more about creating a security culture, then as it happens, I’m giving a webinar on just this topic in April! Head over to our webinars page to sign up for this or any of our other webinars.
Written by Kit Barker
Kit is myhrtoolkit's Chief Technology Officer and a company director for myhrtoolkit who leads the technical team in developing the system. On our blog he shares specialist knowledge and tips around data security and company culture.