It may surprise people to learn that hacking isn’t always entirely technical. One of the most effective ways for a threat actor to deliver malware can be something as simple as sending the victim an email or text with either an attachment that has malicious code in it or a link that will take them to a site which will often either throw malicious code at them in a drive-by-download or ask them to enter login details.
This is phishing, a social engineering technique that hackers commonly employ for delivery of their exploits not only because it is highly effective but as it’s easy enough that anyone can really do it. Phishing emails can come from even non-technical criminal groups that have just bought off-the-shelf ransomware, since sending an email with a link or attachment is quite straightforward.
Phishing is, at its core, all about tricking a person into doing something which subsequently allows the hacker to get into systems and install malware like ransomware or get sensitive information they may sell on the dark web or use to gain access to systems later.
With cybercrime exploding in 2021, especially in regards to ransomware, and phishing techniques becoming exponentially more advanced, businesses need to keep up to avoid suffering a devastating cybercrime.
What are some different kinds of phishing?
There are a number of different, creative techniques that hackers use in phishing, and they vary in effort. This effort is measured by how much reconnaissance the hacker has done on the target and how much work they have put into crafting an authentic-seeming email that will trick the user.
Can phishing only be done by email? While email phishing is a common delivery method, malicious actors can often also utilise other attack vectors such as:
- Messages on social media or forums.
- Smishing, where the phishing is done through text messages on phones.
- Vishing, where threat actors call you and demand sensitive information like card or account details, or ask you to transfer money, under the guise of a trusted entity like a fraud investigator.
- Search Engine phishing, also known as SEO poisoning, where malicious actors embed links into compromised sites, upping their SEO rankings and tricking users to go to their scam websites.
Anything that sends you a message and tries to convince you to click on a link or attachment or part with sensitive information in any way can be a phishing attack vector.
It can even be as creative as creating and using social media profiles to impersonate employers and trick people into giving out personal information.
The complexity of phishing can range from:
- Generic phishing with mass recipients, typically requiring the least amount of effort with the content being rather impersonal.
- Spear Phishing, which is more focused, with a specific audience in mind, and typically harder to spot. The threat actor has done their research and is now masquerading as a trusted entity like HR, for example telling an employee to click on a link to update their employee details.
- Whaling, one of the most extreme forms, is where a specific, high-profile individual, often a CEO or CFO, is researched to create an effective lure for them to fall victim to.
All of them, at their core, are about manipulating individuals into performing an action that will have malicious consequences by disguising it as something more legitimate, tricking users into believing they’re doing something in their best interests.
People can often be tricked by not realising how much information actually exists about them online, either from data breaches and the dark web or the number of things they’ve innocently posted on social media over the years.
What are signs of phishing?
Most security is designed on the logic of keeping threats out. Once your network is compromised, malicious software can spread across your machines and network. Technology can be made effectively useless without human processes to support it, use it and react to problems properly.
One of the most common means of phishing is email. So, what’s the trick to determining if it’s a legitimate email staring back at you or one sent from a threat actor masquerading as a trusted entity?
In regards to emails, the signs to look out for can include:
- Generic greetings like ‘Dear Customer’ instead of personal names or usernames that most companies prefer.
- Spelling and grammar mistakes can be very common.
- Attachments may be executable file types such as .exe, .com, .jar, .msi, .bat, .scr and more.
- The message may be either too-good-to-be-true or threatening, creating a sense of urgency.
- Most email clients will show you the actual email address when you hover your mouse over the sender's display name; if the address doesn’t match the display name, it’s likely a scam.
- A fake address.
- If you hover over the link and the actual URL doesn’t match the link text.
Phishing conducted via social media messengers or via texts follows similar patterns. Always examine the sender, the content and any links or attachments before clicking.
Why phishing training is important
Hackers use a multitude of techniques and tactics to ensnare their victims. They will:
- Modify the display name presented in an email application so it appears to be from someone you trust.
- Register a site or email with a similar address to the real one aside from some slight variation in spelling. Such as calling a site ‘goolge.com’ in the hopes users will mistake it for google.com.
- Use URL shorteners to make their URL look closer to that of a more legitimate site’s.
Companies need to make sure that their staff are well-trained to spot the signs of phishing. While it may seem like all solutions to cybersecurity have to be a technical function, most technical systems can be made useless by an insider opening the door and letting malware like ransomware onto a corporate system.
Cybercrimes are on the rise, with phishing among the top three crimes reported by victims in 2020. The problem isn’t going away, so companies and their employees need to have policies and procedures in place that follow cybersecurity best practices and make sure to keep their employees continuously up-to-date with the latest techniques and tactics malicious actors employ.
There are a number of things you can do to safeguard yourself against phishing attempts. Most of the time it requires you to be a bit more analytical than just trusting an email just because on first glance it may appear innocuous.
You need to:
- Check if the tone of the message matches who the threat actor is impersonating. If possible, phone the trusted sender directly to confirm they did in fact send it if you’re suspicious.
- Consider if the message could be using information that could have been taken from social media, company sites or even a data breach your company may have previously suffered. Threat actors weaponise this information to make their phishing more effective.
- Avoid sending personal, sensitive information over email or messenger. Even if it is from a trusted entity, their account could be hacked.
- Be wary and don’t click links before you check what the actual URL destination is. You can do this by hovering the mouse over it.
- If an email or message is asking you to change your password, your account details or financial information, go to the website directly by typing the URL into a new browser window instead of clicking on the link provided.
- Analyse attachments before you open them. Are the files something you were expecting? Do you trust the sender?
Often in cybersecurity, the small mistake of not being a little more observant is what catches people out, so companies need to train their staff to always be vigilant and follow cybersecurity best practices.
If you suspect you have fallen victim to a phishing attack, report it immediately, as time is the commodity malicious actors exploit to devastating effect. The more time hackers have, the more damage they can do.
How to tell if a website is legit or not?
Before you input any sensitive information, such as credentials or financial information, on a website, there are steps you can take to determine whether the webpage you’re on, which may ‘appear’ to belong to a legitimate company, is fake or not.
- Check the address bar to see if it’s http or https. Https means your data is encrypted in transit and is used by any legitimate, secure site asking for credentials or financial details, while http means your data is sent unencrypted, which is insecure. Note that https only tells you the connection is encrypted, not that the site is genuine, so check the domain name as well.
- Https can be indicated by a lock symbol in the toolbar or green text in the website address, although browsers can differ.
- Check if the website address matches what you know exactly. If there’s a slight difference, don’t trust it, as threat actors often make their scam website’s URL very similar to a legitimate one’s to trick users.
- You can use a URL de-shortener to see the full domain name if the link has been shortened.
- Consider if the webpage looks oddly old-fashioned. For example, if you go onto Facebook and it suddenly seems almost like an older version with cruder CSS and HTML, then don’t trust it. Instead, retype the address.
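Pulling together the email signs listed earlier and the URL checks above, here is an added example (my own code, not Securiwiser's) that runs those checks over a constructed sample message. It assumes a set of trusted domains (example.com here); the lookalike test uses difflib's similarity ratio with a demo threshold of 0.85, and a subdomain of a trusted domain is not treated as a lookalike.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

RISKY_EXT = (".exe", ".com", ".jar", ".msi", ".bat", ".scr")
ANCHOR = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host(url):
    return (urlparse(url.strip()).hostname or "").lower()

def lookalike(domain, trusted):  # near-miss of a trusted name ('goolge.com', 'examp1e.com'); 0.85 is a demo threshold
    ok = any(domain == t or domain.endswith("." + t) for t in trusted)  # exact match or subdomain is fine
    return not ok and any(SequenceMatcher(None, domain, t).ratio() >= 0.85 for t in trusted)

def phishing_indicators(raw, trusted):  # returns the checklist signs that fire on one raw email
    msg, flags = message_from_string(raw), []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if lookalike(domain, trusted):
        flags.append(f"lookalike sender domain: {domain}")
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(RISKY_EXT):
            flags.append(f"executable attachment: {part.get_filename()}")
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(errors="replace")
        if re.search(r"dear (customer|user)", body, re.I):
            flags.append("generic greeting")
        for href, text in ANCHOR.findall(body):  # the 'hover over the link' check, automated
            if urlparse(href).scheme == "http":
                flags.append(f"unencrypted http link: {href}")
            if lookalike(host(href), trusted):
                flags.append(f"lookalike link domain: {host(href)}")
            if text.strip().startswith("http") and host(text) != host(href):
                flags.append(f"link text {text.strip()} hides {href}")
    return flags
# Constructed sample message: lookalike sender, generic greeting, disguised http link, double-extension attachment
SAMPLE = """From: Example HR <hr@examp1e.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear Customer, update now: <a href="http://examp1e.com/login">https://hr.example.com/update</a></p>
--b1
Content-Disposition: attachment; filename="form.pdf.exe"

--b1--
"""
```

Running `phishing_indicators(SAMPLE, {"example.com"})` returns six indicators for the sample, one per sign it was built to carry.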
How can I find out what information exists about me online?
The internet is a vast, vast ocean of data and often it can feel like it’s impossible to know how much these malicious actors and people in general could know about you, your employees and your company.
Securiwiser is a security monitoring tool which can check for exposure and data breaches relating to your email addresses and associated email addresses, discover how much information exists about you, your company and your employees on both the regular and the dark web that could be weaponised for phishing attacks, and much more.