The threat of phishing
As organizations aim to protect their assets, infrastructure, and personnel from harm, it is critical for security teams to be aware of the specific attack methods employed by threat actors. This includes phishing—a commonly used attack method that's leveraged against a wide range of public and private entities.
In fact, phishing often precedes further offensives. It gives malicious actors an initial foothold in your organization's systems and networks, from which they can move laterally and take possession of confidential data.
Protecting your organization from a phishing attack requires both team- and individual-driven efforts. In this blog, we’ll explain how to best keep your assets and infrastructure secure by understanding:
- What phishing is, types of phishing attacks, and how they work
- Warning signs of a phishing scheme
- Preventive countermeasures, including the role of education and threat intelligence
What is phishing?
Phishing refers to an attack method that uses social engineering techniques to acquire personal information, such as login usernames and passwords. Threat actors use social engineering techniques to manipulate a system or individual into improperly granting them permissions or benefits, or divulging protected information outright.
Examples of phishing attacks include:
- Sending out fraudulent emails impersonating organizations or administrators and asking for victim credentials.
- Creating a fraudulent website impersonating a target website that then harvests a victim’s login information.
Phishing attacks target individual employees throughout the company, in direct contrast to other attack methodologies that go up against organizational security teams. This makes phishing harder for security teams to prevent, especially if employees are not equipped to identify phishing attacks and report them.
Types of phishing attacks
Spear phishing
Spear phishing refers to a targeted campaign in which a threat actor sends a personalized email to a specified person, business, or organization. The email generally impersonates a trusted source, such as an executive, and contains either malware-infected documents or links to malicious websites.
Phishing vs. spear phishing
The biggest distinction between phishing and spear phishing is that phishing attacks are typically more generic. Spear phishing is targeted at a specific person or entity.
Both rely heavily on social engineering to attack a potential victim. They depend on the individual trusting the message, which tricks them into clicking a malicious link or downloading a malicious file, or navigates them to a spoofed website where threat actors harvest sensitive data or credentials.
Whaling
Whaling, also known as "CEO fraud," refers to an attack on a high-value target, such as a corporate executive. The term "whaling" is a play on phishing and spear phishing. Whaling consists of a spear-phishing email that is sent to a high-value target. The attacker poses as a potential business partner or a company employee and asks the recipient to wire money to a mule account. These emails often use legitimate-looking graphics and domain names to dupe targets.
Vishing (voice phishing)
Vishing, a portmanteau of "voice" + "phishing", is an attack that's carried out over the phone. The caller usually claims to be someone from the government, tax department, law enforcement, or the victim's bank.
The scam is often framed as if the victim is in trouble with one of the aforementioned entities. The attacker pretends to be a representative of that organization and pressures the victim into sharing private information. The caller may also threaten victims, claiming that they will either arrest them or close their bank account.
A vishing attempt may also arrive as a voicemail urging the recipient to call back immediately in order to prevent further action against them.
Smishing (SMS phishing)
Smishing, a combination of SMS + phishing, refers to a phishing attack that’s done via text message. Victims receive a text with a message that directs them to click on a malicious link.
Phishing threat landscape
Popular and relatively non-technical
Phishing advertisements and services are among the most popular offerings within illicit communities. Phishing is popular among actors because it requires little to no technical acumen; it relies on exploiting the human element of an organization's threat landscape. Because of the low technical bar to entry, phishing is commonly employed by a wide range of threat actors, from low-level cybercriminals to advanced persistent threat groups.
Customized and non-customized attacks
Phishing attacks may look like a shipment tracking notification, a newsletter, a promotional email, or some other type of message. Often, they do not appear to be customized or specifically addressed to the recipient. Threat actors have also been known to leverage significant events, such as natural disasters or global news events, to lend a theme to a campaign, making it more likely that an unwitting user will respond.
On the other hand, spear phishing campaigns will typically leverage details an attacker knows about the recipient, including personally identifiable information or employer details. This can be from data breaches or publicly available information via open source or social media. This includes information posted by the company itself such as job titles, contact information, or organizational charts. Threat actors will make heavy use of any sourced content to specifically craft seemingly believable and authentic content.
Similarly, threat actors may use these techniques to trick employees into providing network access by giving up usernames and passwords, or into helping bypass two-factor authentication (2FA), by crafting email messages that appear to come legitimately from within the user's organization. Once inside the network, threat actors can move laterally and gain access to higher-privileged accounts. This gives them more control of the system and likely more data to steal, which can create significant security incidents for a targeted organization.
Protection from phishing attacks
The primary way that users can protect themselves from spear phishing attacks is to never click on any link associated with an unsolicited email. Threat actors are very clever at making campaigns appear to be legitimate emails. This may include weaving an organization’s real contact or website information into a phishing message to lend the appearance of legitimacy. Users should always be wary of unsolicited messages, particularly those that require the user to click on a link or download content.
Additionally, checking web domains to ensure they are legitimate is a common cybersecurity practice to avoid phishing attacks, particularly if a site is asking a user to enter login credentials or any other type of sensitive information. Threat actors may use legitimate domains as a landing page before redirecting users to a malicious web page, so verifying that a site is legitimate before entering sensitive information is paramount.
Individuals should seek to limit the amount of personal information publicly available about themselves. Threat actors seek out this information for spear phishing attacks to create highly customized messages that appear believable to the victim and trick a user into providing sensitive information they would not otherwise provide. Threat actors continue to devise increasingly sophisticated campaigns that can trick even the most savvy of users. Taking an extra moment to scrutinize a message that contains an out-of-the-ordinary or unsolicited request is one of the most critical ways to defeat these types of attacks.
Best practices to mitigate phishing attacks
There are several steps your organization can take to make it easier to prevent a successful phishing attack.
- Educate employees on the signs of a phishing attack, and instill the message that they should avoid clicking links in emails that they are not expecting, that lack a secure domain or use a domain that does not match the organization the sender claims to represent, or that ask the recipient to share private information.
- Install anti-phishing add-ons to company devices and browsers, which can alert employees when an email looks suspicious or comes from a known phishing site.
- Enforce password rotation to require employees to change passwords after a given time period.
- Install firewalls to shield your devices from attempted attacks and prevent threat actors from successfully infiltrating your network.
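The domain checks described above (verifying that a link's real destination belongs to the organization it claims to, and that the link is served over HTTPS) can be turned into a small triage script that security teams or mail-filter rules can run over a suspicious message before anyone clicks. The following Python is an added illustration, not Flashpoint code and not a product feature: it extracts the links from a constructed sample email, compares each destination against a constructed set of trusted domains, and flags the warning signs the post lists (non-HTTPS links, a trusted name embedded in an untrusted host, link text that shows one domain while the href points to another, and a sender address whose domain does not match the display name). The trusted-domain set, the sample From header and the sample HTML body are all constructed for the example, and the registrable-domain helper is deliberately simplistic.

```python
"""Heuristic link and sender checks for a suspected phishing email (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed: the registrable domains this organization legitimately uses.
TRUSTED_DOMAINS = {"example.com"}
CREDENTIAL_WORDS = re.compile(r"\b(password|verify your account|login|sign in)\b", re.I)


@dataclass
class Finding:
    href: str
    text: str
    reasons: List[str] = field(default_factory=list)


class _LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _host_in_text(text: str) -> Optional[str]:
    """If the anchor text itself looks like a URL or domain, return the host it shows."""
    m = re.match(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]|$)", text.strip(), re.I)
    return m.group(1).lower() if m else None


def check_link(href: str, text: str) -> Finding:
    """Apply the domain-verification heuristics to a single link."""
    finding = Finding(href, text)
    url = urlparse(href)
    host = url.hostname or ""
    if url.scheme != "https":
        finding.reasons.append("not https")
    if "@" in url.netloc:  # https://trusted.example@evil.test: the part before '@' is userinfo
        finding.reasons.append("userinfo before '@' hides the real host")
    if _is_ip(host):
        finding.reasons.append("bare IP address instead of a domain")
    elif host and registrable_domain(host) not in TRUSTED_DOMAINS:
        finding.reasons.append(f"destination domain {registrable_domain(host)} is not trusted")
        if any(t in host for t in TRUSTED_DOMAINS):  # e.g. example.com.secure-login.net
            finding.reasons.append("trusted name embedded in an untrusted host")
    shown = _host_in_text(text)
    if shown and host and registrable_domain(shown) != registrable_domain(host):
        finding.reasons.append(f"link text shows {shown} but destination is {host}")
    return finding


def check_sender(from_header: str) -> List[str]:
    """Flag a From header whose address domain does not match the organization it claims."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons: List[str] = []
    if registrable_domain(domain) not in TRUSTED_DOMAINS:
        reasons.append(f"sender domain {domain} is not trusted")
        if any(t.split(".")[0] in name.lower() for t in TRUSTED_DOMAINS):
            reasons.append("display name references the trusted organization")
    return reasons


def analyze_email(from_header: str, html_body: str) -> dict:
    """Run all checks and return only the links that tripped at least one heuristic."""
    extractor = _LinkExtractor()
    extractor.feed(html_body)
    findings = [check_link(h, t) for h, t in extractor.links]
    plain = re.sub(r"<[^>]+>", " ", html_body)
    return {
        "sender_reasons": check_sender(from_header),
        "suspicious_links": [f for f in findings if f.reasons],
        "requests_credentials": bool(CREDENTIAL_WORDS.search(plain)),
    }


# Constructed sample message: lookalike sender, one deceptive link, one legitimate link.
SAMPLE_FROM = "Example IT Support <it-support@example-com-helpdesk.net>"
SAMPLE_HTML = """
<p>Your password expires today. <a href="http://example.com.secure-login.net/reset">https://www.example.com/reset</a>
to keep access.</p>
<p>Questions? See <a href="https://www.example.com/help">our help center</a>.</p>
"""

if __name__ == "__main__":
    result = analyze_email(SAMPLE_FROM, SAMPLE_HTML)
    for reason in result["sender_reasons"]:
        print("sender:", reason)
    for f in result["suspicious_links"]:
        print(f.href, "->", "; ".join(f.reasons))
    print("asks for credentials:", result["requests_credentials"])
```

Only the first link is reported: its scheme is HTTP, its registrable domain is secure-login.net rather than example.com, it embeds the trusted name as a subdomain label, and its visible text advertises www.example.com. The second link resolves to the trusted domain and is left alone, which is the behaviour a filter needs if it is not to drown analysts in false positives.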
The importance of threat intelligence
It is critical for your organization to have a strong threat intelligence program that alerts your security team to suspicious online activity or social media chatter that may hint at an imminent attack.
This intelligence gives your teams an unfiltered look into the conversations threat actors are having online about how to create effective phishing campaigns, circumvent anti-phishing software, or solicit scam pages to steal your data. With this awareness, your organization's security personnel can implement better defensive measures that keep them a step ahead of the threat actors targeting them.
Monitoring online chatter about phishing also alerts your team to circumstances that may invite an increased number of attacks. Threat actors often capitalize on major news events, as was observed during the height of the COVID pandemic with COVID-related scams, or with the fake charities that crop up in the wake of tragedies like natural disasters or terrorist attacks.
Educate and communicate
Good threat intelligence also bolsters a company’s ability to educate its employees, providing real-life examples and the most current information to ensure individuals have a strong understanding of the threat landscape they are facing.
This data lets you communicate internally, based on intelligence found in illicit communities, about the risks you may encounter and the steps other teams should take, making your response more timely and effective.
Get Flashpoint on your side
Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.