The threat of phishing
As organizations aim to protect their assets, infrastructure, and personnel from harm, it is critical for security teams to be aware of specific attack methods employed by threat actors. This includes phishing—a commonly-used attack method that’s leveraged against a wide range of public and private entities.
In fact, phishing often precedes further offensives. The access that phishing grants a threat actor can be used as an entrance to your organization’s private systems and networks, giving them a foothold from which to move laterally and take possession of confidential data.
Protecting your organization from a phishing attack requires both team- and individual-driven efforts, since it is often employees who are targeted in order to give threat actors the access they need to exploit your data. In this blog, we’ll explain how to best keep your assets and infrastructure secure by understanding:
- What phishing is, types of phishing attacks, and how they work
- Warning signs of a phishing scheme
- Preventive countermeasures, including the role of education and threat intelligence
What is phishing?
Phishing refers to an attack method that uses social engineering techniques to acquire personal information, such as login usernames and passwords. Threat actors use social engineering techniques, like phishing attacks, to manipulate a system or individual into improperly granting them permissions or benefits, or divulging protected information outright.
Examples of phishing attacks include:
- Sending out fraudulent emails impersonating organizations or administrators and asking for victim credentials.
- Creating a fraudulent website impersonating a target website that then harvests a victim’s login information.
In contrast to certain other attack methodologies that go after an organization’s systems in ways that are more directly overseen by its security team, phishing attacks will target individual employees throughout the company. This can make them more difficult for security teams to prevent, especially if employees are not properly educated on how to spot a phishing attack and report it.
Types of phishing attacks
Spear phishing
Spear phishing refers to a targeted phishing campaign in which a threat actor sends a personalized email to a specified person, business, or organization. The email generally impersonates a trusted source, such as an executive, and contains either malware-infected documents or links to malicious websites.
Phishing vs. spear phishing
The biggest distinction between phishing and spear phishing is that phishing attacks are typically more generic, whereas spear phishing is targeted at a specific person or entity.
Both phishing and spear phishing rely heavily on social engineering to attack a potential victim. They both rely upon an individual’s tendency to trust what they are reading to trick them into clicking a malicious link, downloading a malicious file, or navigating to an authentic-looking website where threat actors may harvest sensitive data or credentials.
Whaling (CEO fraud)
Whaling, also known as “CEO fraud,” refers to an attack on a high-value target, such as a corporate executive. The term “whaling” is a play on phishing and spear phishing. A whaling attack consists of a spear phishing email sent to a high-value target; the attacker often poses as a potential business partner or a company employee, and asks the recipient to wire money to a mule account to finalize an urgent business transaction. To dupe employees, these emails often use legitimate-looking graphics and domain names.
Vishing (voice phishing)
Vishing, a portmanteau of “voice” + “phishing”, refers to a phishing attack that’s done via voice. The caller usually claims to be someone from the government, tax department, law enforcement, or the victim’s bank. The scam is often framed as if the victim is in trouble with one of the aforementioned entities, and the caller will pressure the victim into sharing private information by threatening them with being arrested or having their bank account closed if they do not comply.
Vishing may also take the form of voicemails, which urge the recipient to call back immediately in order to prevent further action against them.
Smishing (SMS phishing)
Smishing, a combination of SMS + phishing, refers to a phishing attack that’s done via text message. As with traditional phishing, victims receive a text whose message directs them to click on a malicious link.
Phishing threat landscape
Popular and relatively non-technical
Phishing advertisements and services are one of the most popular offerings within illicit communities. Phishing is popular among actors because it requires little to no technical acumen and relies on the exploitation of the human element of an organization’s threat landscape. Because of the low bar of technical entry, phishing and spear phishing are commonly employed by a range of threat actors, from low-level cybercriminals to advanced state-sponsored threat groups.
Customized and non-customized attacks
Phishing attacks may look like a shipment tracking notification, a newsletter, a promotional email, or some other type of message that often does not appear to be customized or specifically addressed to the recipient. Threat actors have also been known to leverage significant events, such as natural disasters or global news events, to lend a theme to a phishing campaign and make it more likely that an unwitting user will respond to the content.
On the other hand, spear phishing campaigns will typically leverage details an attacker knows about the recipient, including personally identifiable information or employer details. This data can be sourced from database breaches as well as from publicly available information about the individual that can be located via open source searches or social media, including content about an employee or organization that is made publicly available by the organization (such as job titles, contact information, or organizational charts). Threat actors will make heavy use of any publicly disclosed or open source content to specifically craft the content of the message so that it is more believable or appears to be authentic.
Similarly, threat actors may use spear phishing techniques to trick employees into providing network access, either by giving up usernames and passwords or by helping to bypass two-factor authentication (2FA), using specifically crafted email messages that appear to legitimately come from within the user’s organization. Information leveraged in these types of attacks may also come from data disclosed across illicit communities or sourced via open-source research. Once inside the network, threat actors can move laterally and gain access to higher-privileged accounts, allowing for more control of the system and likely more data to steal, which can create significant security incidents for a targeted organization.
Protection from phishing and spear phishing attacks
The primary way that users can protect themselves from spear phishing attacks is to never click on any link associated with an unsolicited email. Threat actors have gotten very clever at making both phishing and spear phishing campaigns appear to be legitimate emails. This may include weaving an organization’s real contact or website information into a phishing message to lend the appearance of legitimacy. Users should always be wary of unsolicited messages, particularly those that require the user to click on a link or download content.
Additionally, checking web domains to ensure they are legitimate is a common cybersecurity practice to avoid phishing attacks, particularly if a site is asking a user to enter login credentials or any other type of sensitive information. Threat actors may use legitimate domains as a landing page before redirecting users to a malicious web page, so verifying that a site is legitimate before entering sensitive information is paramount.
Individuals should seek to limit the amount of personal information publicly available about themselves. Threat actors will seek out this information in spear phishing attacks to create highly customized messages that will appear believable to the victim and trick a user into providing sensitive information that they may not otherwise provide. Threat actors continue to devise increasingly sophisticated spear phishing campaigns that can trick even the most savvy of users. Taking an extra moment to scrutinize a message that appears to contain an out-of-the-ordinary or unsolicited request is one of the most critical ways to defeat these types of attacks.
Best practices to mitigate phishing attacks
There are several steps your organization can take to make it easier to prevent a successful phishing attack.
- Educate employees on the signs of a phishing attack and instill the message that they should avoid clicking on links in emails that they were not expecting, that do not come from a secure domain or from a domain matching the organization the sender claims to represent, or that ask the recipient to share private information.
- Install anti-phishing add-ons to company devices and browsers, which can alert employees when an email looks suspicious or comes from a known phishing site.
- Enforce password rotation to require employees to change passwords after a given time period.
- Install firewalls to shield your devices from attempted attacks and prevent threat actors from successfully infiltrating your network.
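As an added illustration of the domain and content checks in the list above (example code written for this post, not Flashpoint’s), the following Python flags an email whose display name claims the organization while its sender domain, link hosts, or lack of TLS say otherwise, and notes requests for private information. The trusted domains and organization name tokens are assumed placeholders, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Assumed organization domains and name tokens (placeholder values, not from the post)
TRUSTED_DOMAINS = {"example.com"}
ORG_NAME_TOKENS = {"example", "examplecorp"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Phrases that signal a request for private information
REQUEST_RE = re.compile(r"\b(password|username|login|credentials|verify your account)\b", re.I)
# Constructed sample: the display name claims the organization, but the sending domain,
# the link and the request for a password all point elsewhere
SUSPICIOUS_EMAIL = """\
From: "Example Corp IT Support" <helpdesk@examp1e-corp-login.com>
To: employee@example.com
Subject: Urgent: verify your account

Your password expires today. Sign in at http://examp1e-corp-login.com/verify
to keep your access.
"""

def registrable_domain(host: str) -> str:
    """Last two labels of a host name; adequate for the constructed samples."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_email(raw: str) -> list[str]:
    """Return the phishing indicators found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = registrable_domain(address.partition("@")[2])
    body = "\n".join(part.get_payload() for part in msg.walk()
                     if part.get_content_type() == "text/plain")
    findings = []
    # 1. Display name invokes the organization but the mail came from another domain
    name_tokens = set(re.findall(r"[a-z0-9]+", display_name.lower()))
    if name_tokens & ORG_NAME_TOKENS and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"sender impersonation: '{display_name}' sent from {from_domain}")
    # 2. Every link must point at a trusted domain and use TLS
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if registrable_domain(host) not in TRUSTED_DOMAINS:
            findings.append(f"link to untrusted domain: {host}")
        if parsed.scheme != "https":
            findings.append(f"link without TLS: {url}")
    # 3. The body asks for private information
    if REQUEST_RE.search(body):
        findings.append("message asks for private information")
    return findings
```

A real deployment would replace the two-label domain heuristic with a public-suffix list and the keyword regex with a tuned classifier, but the structure of the checks is the same.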
The importance of threat intelligence
It is critical for your organization to have a strong threat intelligence program that alerts your security team to suspicious online activity or social media chatter that may hint at an imminent phishing attack.
This intelligence gives your teams an unfiltered look into conversations threat actors are having online about how to create effective phishing campaigns, circumvent anti-phishing software, or solicit scam pages to steal your data. With this awareness, your organization’s security personnel can implement better defensive measures that keep them a step ahead of the threat actors targeting them.
Monitoring online chatter about phishing also alerts your team to circumstances that may invite an increased number of attacks. Threat actors will often capitalize on major news events, as was observed during the height of the COVID pandemic with COVID-related scams, or with fake charities that crop up in the wake of tragedies like natural disasters or terrorist attacks.
Educate and communicate
Good threat intelligence also bolsters a company’s ability to educate its employees, providing real-life examples and the most current information to ensure individuals have a strong understanding of the threat landscape they are facing.
This data also allows you to communicate internally, based on intelligence found in illicit communities, about risks you may encounter or steps other teams should take, making your actions more timely and effective.
Get Flashpoint on your side
Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.