PHISHING: WHY IT HAPPENS, AND HOW CAN IT BE AVOIDED?
Phishing is the fraudulent practice of baiting a person into giving up information. It is most commonly done by email, but it can also be done with SMS messages, voice phishing over the phone, WhatsApp messages, Slack, social media, etc. For the rest of this document we will use email as the example of a phishing attack.
There are many types of phishing bait, depending on the “fish” the phisher wants to catch. Below are some examples of phishing bait:
Love bait -> Catches people looking for love or a romance.
Bank bait -> Catches people by pretending to be their bank and asking for information.
You’re the winner bait -> You have won, and all you need to do is register to get the prize.
Pleading bait -> Someone is in trouble and needs your help.
Big Boss bait -> The bait looks to be from your boss.
Post/package bait -> You have a package waiting for you, all you need to do is confirm your address or pay a postage fee.
Virus warning bait -> Your machine is infected but clicking the link can help you remove it.
Whale bait -> Aimed at “big phish”: high-level people like the CEO, COO, CISO or CFO, or rich or famous people, often by offering services.
Social media bait -> Tricks people with social media accounts into giving up their login credentials.
Validation bait -> You need to validate your account.
What all these phishing techniques have in common is that they either want you to give up information or to download files that will give the phisher access. Often you are taken to a spoofed web page that asks for login credentials, or you click a link and a file is downloaded automatically in the background. Falling for a phishing bait can compromise your machine, network, social media accounts, bank access, credit card, etc. The next thing you know (or may never know), your machine is part of a botnet controlled by a cyber criminal and ready to be used in a future DDoS attack.
The attack can be aimed at you as a private person or as an employee of a corporation.
Although there are many phishing techniques, we can mainly group them into two categories: phishing and spear phishing.
In a phishing attempt the phisher is trying their luck. The bait is sent on a grand scale to many recipients in the hope that some will fall for it. In regular phishing attempts the success rate is relatively low, but the sheer number of mails sent out still makes it an effective technique. Normally very few resources have been put into preparing the phishing. The whole technique relies on the fact that there are plenty of phish in the sea and someone will probably fall for it.
Recent years have seen the sophistication of phishing attacks increase, and it is now more common to see baits tied to something currently relevant. Examples of this are:
There are news articles about banks having problems. Later you get an SMS or an email pretending to be from your bank and asking you to confirm your bank account.
News articles state that millions of usernames and passwords were found in a giant database on the dark web. Later you get an email where you can check if your username and password are compromised. All you need to do is click the link and enter your username and password.
While phishing is throwing the bait out there and hoping somebody will bite, spear phishing has a specific target. In spear phishing the phisher has done research beforehand and already knows important things about the target. Information gathered during the research can include:
Name of colleagues, staff, managers, peers, friends, family etc.
Name and status of ongoing projects.
Internal information that normally nobody outside the organization would know.
Customary activities, like choosing which non-profit organization to donate money to for Christmas.
Regular activities like who reports to who and when.
Due to the insider information that the spear phisher often has, spear phishing can be very effective, and it is not uncommon that up to 30% will fall for this type of phishing. The reason for this is the trust that we normally operate with. If the mail appears to come from someone we know and contains internal information, we are much more likely to trust that the mail is legitimate.
Around 90% of all successful cyber attacks start with phishing. With these numbers it is no wonder that phishing is still very prevalent as a method for cyber-attacks.
Phishing is often used as an early part in the hacker’s plan. It is a lot easier to get a user to give up their credentials or credit card than to hack the systems to get this information. Crafting an email and sending it out can take you minutes and the gain can be several usernames and passwords. Hacking an encrypted system can take hours and be fruitless.
Why phishing? Because it works! Actually, it works really well.
Most scripts sent as attachments are filtered out by today's mail servers. That does not mean that all attachments are safe to open. Before opening any attachment in a mail, you should verify the sender and the origin of the mail: is the document something you expected from this sender, or does it come out of the blue? If you have an anti-virus solution, you can scan the document before opening it. You should be extra careful with file types such as executables, script files, Excel or Word macro files, PowerShell files and zip archives.
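As an added example that is not part of the article, the following Python helper applies the checks above (verify the sender and its origin, be suspicious of executable, script, macro, PowerShell and zip attachments) to a few constructed sample mails. The extension lists, the simplified header parsing and the reserved .example domains are my assumptions, not anything from the article.

```python
RISKY_EXTENSIONS = {"exe", "scr", "bat", "cmd", "js", "vbs", "ps1", "docm", "xlsm", "zip"}
DOCUMENT_LOOKALIKES = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg"}

def split_header(value: str) -> tuple[str, str]:
    """Split 'Display Name <addr>' into (name, addr); a bare address has no name."""
    if "<" in value and value.rstrip().endswith(">"):
        name, _, rest = value.rpartition("<")
        return name.strip().strip('"'), rest.rstrip()[:-1].strip()
    return "", value.strip()

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def attachment_flags(filename: str) -> list[str]:
    flags = []
    parts = filename.lower().split(".")
    if len(parts) > 1 and parts[-1] in RISKY_EXTENSIONS:
        flags.append(f"risky attachment type .{parts[-1]}")
    # "label.pdf.exe": a document-looking name placed in front of the real extension
    if len(parts) > 2 and parts[-2] in DOCUMENT_LOOKALIKES:
        flags.append(f"attachment disguised as .{parts[-2]}")
    return flags

def sender_flags(from_header: str, reply_to: str = "") -> list[str]:
    flags = []
    name, addr = split_header(from_header)
    # Display name that is itself an address from a different domain than the real sender
    if "@" in name and domain_of(name) != domain_of(addr):
        flags.append("display name shows a different address than the real sender")
    if reply_to and domain_of(split_header(reply_to)[1]) != domain_of(addr):
        flags.append("Reply-To goes to a different domain than From")
    return flags

def triage(mail: dict) -> list[str]:
    """All red flags for one mail given as a plain dict (from, reply_to, attachments)."""
    flags = sender_flags(mail.get("from", ""), mail.get("reply_to", ""))
    for filename in mail.get("attachments", []):
        flags.extend(attachment_flags(filename))
    return flags

# Constructed samples; the domains are reserved .example names, not real senders.
SAMPLE_MAILS = [
    {"from": "ceo@corp.example <urgent.request@mail.example>",
     "reply_to": "urgent.request@mail.example", "attachments": ["Q3_figures.xlsm"]},
    {"from": "Parcel Service <notify@parcel.example>", "attachments": ["label.pdf.exe"]},
    {"from": "Alice <alice@corp.example>", "attachments": ["minutes.docx"]},
]
if __name__ == "__main__":
    for mail in SAMPLE_MAILS:
        print(mail["from"], "->", triage(mail) or ["no red flags"])
```

A real mail gateway checks far more (SPF, DKIM, DMARC, sandboxing), but these string checks are exactly the ones a recipient can do by eye before opening anything.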
What do you do if you think you have a phishing mail in your inbox?
Look for red flags that can confirm the phish.
Don’t press any links or open any attachments.
NEVER EVER give away your username and password.
If you are sure it is a phishing mail, take a screenshot from your mailbox and NOTIFY IT IMMEDIATELY.
If asked by the CISO, send the mail as an attachment to the CISO for further investigation to see whether it was a random phishing attack.
Phishing is very common, and most people will experience some sort of phishing at one point or another. The best thing you can do to avoid becoming a victim is to learn how to recognize the red flags that give away a phishing attempt.