Phishing is a social engineering technique that is becoming an increasingly common threat. It is currently considered the number one vector for malware infections. The following article describes some key aspects of phishing, as well as practical advice on spotting phishing messages.
In This Article
- What Is Phishing and How Does It Work?
- Who Is a Target?
- Common Phishing Themes and Indicators
- Practical Advice
- Additional Resources
What Is Phishing and How Does It Work?
Phishing is a technique in which an attacker attempts to “fish” for confidential information. The end goal is to steal sensitive data, infect devices, or simply cause disruption to an organization. By sending phishing emails or messages, attackers hope to obtain sensitive information from the victim (such as credentials to log into a system) or to infect devices with malware, which can perform malicious actions such as giving the attacker remote access to the device. Naturally, this can lead to the disclosure of confidential information and, thus, to data breaches.
Phishing is most often carried out via email, but SMS and phone-call phishing are also common practice. These techniques are sometimes referred to as smishing and vishing, respectively.
Phishing attacks can be carried out in various ways, so there are different red flags to look out for. An attacker may pretend to be from a certain department within the victim’s organization and ask them to reply to the email with the information they’re looking to obtain. Phishing can also be achieved indirectly - for example, by getting the victim to navigate to a legitimate-looking website (often a copy of a real and well-known website) where the victim attempts to log in, which ultimately discloses the victim’s login credentials to the attacker.
As for malware infections originating from phishing emails, attackers can easily achieve this by getting the victim to click on a malicious link or to download a malware-laden attachment sent within the email. The link or attachment is often disguised as something else and presented as urgent.
Who Is a Target?
Mass phishing emails tend to target everyone at an organization, or at several organizations, indiscriminately – these emails are vague enough that their content could apply to most people. Because they are quite general, the attacker’s rate of success is likely lower; however, this is balanced by the fact that the email is sent to hundreds or even thousands of people at once.
In order to make their attempts more believable and increase their chances of being successful, attackers may resort to “spear-phishing”. This is targeted phishing, meaning that the attack is conducted in a way that targets a specific organization, department, or group of people, by tailoring the contents of the email or message so that they are more relevant and believable. This often means that they address the victim by name and might impersonate services used by that individual or the organization they work for.
Different people may be targeted for different reasons. The higher the level of access someone has within an organization, the higher the risk posed by their account being compromised. An attacker may prefer to target these people in order to get higher privileges more quickly, but they are certainly not the only target. Phishing attacks targeting high-ranking people are sometimes called “whale-phishing” or “whaling”.
Attackers also often target non-technical staff, as they assume there is a lower level of awareness of phishing attacks within such departments. Employees who have a lot of information available on online platforms, such as LinkedIn, may also be at a higher risk of being targeted. For example, an attacker may find a victim's personal email address and send the phishing email to both the personal and the company email address, potentially making the request appear more legitimate to the victim. Employees should be conscious of what information about them is available online that could be used in a phishing attempt.
In short, everyone can be a target.
Common Phishing Themes and Indicators
The subject lines of phishing emails will often use topics that people are likely to care about, such as promises of money prizes or alerts stating that something is wrong with the victim’s account. These subject lines often include information that serves as bait and attempts to exploit our natural human curiosity, making the target more likely to open the email.
Attackers may also try to trick victims by pretending to be someone of authority or a trusted party, such as their direct manager, the CEO of the company, a co-worker, the local authorities, or the tax/revenue office.
It is important to always double-check the sender email address. In more extreme phishing attempts, the attacker may gain unauthorized access to a legitimate email address from within the organization and use it to send their phishing emails to the rest of the organization. This, of course, greatly increases the chance of success for the attacker. Although this is uncommon, it is important for organizations to be aware that it is a possibility and for staff to remain vigilant. These emails will usually seem out-of-context or unlikely to come from that person. We recommend reporting any email containing phishing indicators, even if it comes - or appears to come - from within the victim’s organization.
Some other indicators include:
- There is a sense of urgency and authority in the content of the email.
- The sender is trying to make you download an attachment or click on a link with a degree of urgency.
- When you hover over the link with your mouse, you can see that the true destination of that link is different. Note: This usually appears at the bottom left corner of your screen when hovering over a link in an email. For example, the email might read “www.alertlogic.com” but when hovering over the link you see that the true destination is “www.alerltogic.com.”
- The email contains poor spelling and grammar, although this is not guaranteed: phishing messages can also be very well worded.
- The email starts with a generic greeting that doesn’t address the recipient by name, such as “Hi” or “Dear customer.”
- There is a suspicious subject line that sounds like bait. Example: “You’ve just won $1,000,000!”.
- The sender email address is a misspelled version of a known domain or is a completely unknown domain irrelevant to your organization.
Practical Advice
Tip #1: Don’t rush – think before you click any links or download any attachments. Try to verify whether the communication is genuine without replying to the email.
Tip #2: Check the real link underneath a button or text on the body of the email by hovering over it with your cursor.
Tip #3: Notice whether the link starts with http or https. Most major legitimate websites use the secure protocol “https”. Although phishing websites using https have also been observed in the past couple of years, a link that starts with http is another possible indicator of phishing.
Tip #4: Be wary of shortened links. Attackers have begun using shortened links to hide their destination, so even when you hover over the text all you see is a short link that doesn't show the actual domain you will be sent to. Shortened links may look like https://bitly.com/2DZE9E, https://ow.ly/o6G7, or https://goo.gl/M2dd5. Finding out where these links are sending you is complex without clicking on them, so our best advice is to look for other indicators like the sender's email address and greeting. If the message doesn’t appear to be legitimate overall, don't reply to the email and don't attempt to click on the shortened link.
Tip #5: If you do recognize the sender, consider calling them to ask whether they really sent you an email. If you receive an email from an institution, such as your bank, whose legitimacy you are unsure of, you can always contact the institution on a trusted email address or phone number.
Tip #6: If you suspect you have received a phishing email or message, report it within your organization so other employees can be alerted.
Tip #7: Question everything. Attackers will attempt to trick you by acting as high-profile colleagues. Ask yourself whether this email is unexpected or out of the ordinary for this person, or simply ask the person whether they sent you an email.
Tip #8: Always check the domain name in the email. Attackers can craft domain names that appear legitimate, but if a domain looks like ‘alertlogic.com.fakedomain.com’ - with the trusted name placed at the beginning as a sub-domain of a different parent domain - it is fake and crafted by an attacker to trick victims. A real sub-domain URL will look like ‘info.alertlogic.com’, with the sub-domain preceding the parent domain; it is the rightmost part of the host name that determines who actually owns it.
Tip #9: Always check the spelling and grammar of an email. If an email has poor spelling and grammar, it is possible that something is amiss.
Tip #10: No matter how convincing an email may look, there is no reason for personal information to be requested within an email. A reputable company should never need to ask someone for their password, and a bank does not need you to send your account number to them – they already know it.
Tip #11: Phishers will eventually attempt to scam victims out of their money, for example by asking them to cover expenses, taxes, etc. Should this happen, it is likely a scam - no reputable company will do this.
Tip #12: One of the main ways an attacker will attempt to trick victims into acting on a malicious email is by crafting the email to look like it has come from someone in the user’s company or from a company the user has connections to. The best way to spot these emails is to know your contacts. As you go about your daily life, you will receive numerous emails from various sources – some are expected, and some are not. Take extra care with unexpected emails, as these can be malicious in intent. If the email is unexpected or is from a person/company you have no ties to, delete the email. If an email from a known contact seems out of the ordinary, question it.
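The link checks described under the indicators and in Tips #2, #3, #4 and #8 (visible text versus real destination, plain http, URL shorteners, and a trusted name used as a sub-domain of another domain) can be automated. The following Python example is added here and is not code from the original article; the allow-list of known domains, the shortener list, and the two-label "registered domain" rule are assumptions made for the example.

```python
from urllib.parse import urlparse

# Constructed allow-list and shortener list for this example; a real deployment
# would load the organisation's own domains and a maintained shortener list.
KNOWN_DOMAINS = {"alertlogic.com"}
SHORTENERS = {"bitly.com", "bit.ly", "ow.ly", "goo.gl", "t.co", "tinyurl.com"}

def hostname(url):
    """Lower-cased host of a URL; a bare domain such as 'www.alertlogic.com' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").strip(".")

def registered_domain(host):
    """Last two labels: 'alertlogic.com.fakedomain.com' -> 'fakedomain.com' (Tip #8).
    Simplification: multi-label public suffixes such as co.uk are not handled."""
    return ".".join(host.split(".")[-2:])

def levenshtein(a, b):
    """Edit distance, used to spot typo-squats such as alerltogic.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def link_indicators(display_text, href):
    """Return the indicators a link shows, given its visible text and its real destination."""
    flags = []
    host = hostname(href)
    reg = registered_domain(host)
    if urlparse(href).scheme == "http":            # Tip #3: plain http
        flags.append("plain_http")
    if reg in SHORTENERS:                          # Tip #4: destination hidden by a shortener
        flags.append("shortened_link")
    shown = hostname(display_text.strip()) if " " not in display_text.strip() else ""
    if "." in shown and registered_domain(shown) != reg:   # hover check: text and target differ
        flags.append("display_mismatch")
    if reg not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            if "." + known + "." in "." + host:    # Tip #8: trusted name used as a sub-domain label
                flags.append("known_domain_as_subdomain")
            elif levenshtein(reg, known) <= 2:     # look-alike of a trusted domain
                flags.append("lookalike_domain")
    return flags
```

For the hover example in the article, `link_indicators("www.alertlogic.com", "https://www.alerltogic.com/login")` reports both a display mismatch and a look-alike domain, while `info.alertlogic.com` produces no flags.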
Additional Resources
National Cyber Security Centre’s (NCSC) Recommendations for a Multi-layered Approach to Phishing Defence: https://www.ncsc.gov.uk/guidance/phishing
Centre for the Protection of National Infrastructure’s (CPNI) “Don’t Take the Bait” free resources: https://www.cpni.gov.uk/dont-take-bait
Google’s free Phishing Quiz: https://phishingquiz.withgoogle.com