Phishing is the fraudulent practice of baiting a human into giving up information. It is most common over e-mail, but the same technique is used with SMS messages, voice phishing (vishing) over the phone, WhatsApp messages, Slack, social media and so on. For the rest of this document we use e-mail as the example of a phishing attack.
There are many types of phishing bait, depending on which “fish” the phisher wants to catch. Below are a few examples of phishing bait:
What all these phishing techniques have in common is that they either want you to give up information or to download a file that gives the phisher access. Often you are taken to a spoofed web page that asks for login credentials, or you click a link and a file is downloaded automatically in the background. Falling for a phishing bait can compromise your machine, your network, your social media accounts, your bank access, your credit card and so on. The next thing you know (or may never know), your machine is part of a botnet controlled by a cyber criminal and ready to be used in a future DDoS attack.
The attack can be aimed at you as a private person or as an employee of a corporation.
Although there are many phishing techniques, they can broadly be grouped into two categories: phishing and spear phishing.
In a phishing attempt the phisher is trying their luck. The bait is sent at grand scale to many recipients in the hope that some will fall for it. In regular phishing attempts the success rate is relatively low, but the sheer number of mails sent out still makes it an effective technique. Normally very few resources have been put into preparing the phishing mail. The whole technique relies on the fact that there are plenty of fish in the sea and someone will probably bite.
Recent years have seen the sophistication of phishing attacks increase, and it is now more common to see baits tied to something relevant to the recipient. Examples include:
While phishing is throwing the bait out there and hoping somebody will bite, spear phishing has a specific target. In spear phishing the phisher has done research beforehand and already knows important things about the target. Information gathered during the research can include:
Because of the insider information the spear phisher often has, spear phishing can be very effective; it is not uncommon for up to 30% of recipients to fall for this type of phishing. The reason is the trust we normally operate with: if the mail appears to come from someone we know and contains internal information, we are much more likely to trust that it is legitimate.
Around 90% of all successful cyber attacks start with phishing. With numbers like these it is no wonder that phishing is still a very prevalent method of attack.
Phishing is often used as an early step in the attacker’s plan. It is a lot easier to get a user to give up their credentials or credit card than to break into the systems that hold this information. Crafting an e-mail and sending it out can take minutes, and the gain can be several usernames and passwords. Breaking into a properly secured system can take hours and may be fruitless.
Why phishing? Because it works! Actually, it works really well.
Most scripts sent as attachments are filtered out by today’s mail servers. That does not mean that every attachment that gets through is safe to open. Before opening any attachment, verify the sender and the origin of the mail: check that the visible From address matches the address the mail was actually sent from, and ask whether the document is something you expected from that sender or whether it came out of the blue. If you have an anti-virus solution you can scan the document before opening it, but a clean scan is not a guarantee; a freshly made malicious file may not be detected yet. Be extra careful with executable files (.exe), script files (.js, .vbs, .bat), macro-enabled Excel or Word files (.xlsm, .docm), PowerShell scripts (.ps1) and zip files, which can hide any of the above, and watch for double extensions such as invoice.pdf.exe, where only the last extension counts.
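The checks described above can be scripted. The following is an added example written for this page, not code from the original article: it parses a raw e-mail, compares the visible From domain with the envelope sender in Return-Path, reads the receiving server’s SPF/DKIM/DMARC verdict from Authentication-Results, and flags attachments whose file names carry risky or disguised double extensions. The sample message, its domains, the server name mx.example.com and the extension lists are constructed assumptions for illustration.

```python
"""Triage a suspicious e-mail before anyone opens its attachment.

Added example for this article (not the article's own code). The message
and all names in it are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from pathlib import PurePosixPath

# Extensions the article warns about, plus common variants of each class.
RISKY_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif",                               # executables
    ".js", ".jse", ".vbs", ".vbe", ".bat", ".cmd", ".wsf", ".hta",  # scripts
    ".ps1", ".psm1",                                              # PowerShell
    ".docm", ".xlsm", ".pptm",                                    # Office macros
    ".zip", ".7z", ".rar",                                        # archives
}
# Extensions people trust on sight; "report.pdf.exe" abuses one of these.
BENIGN_LOOKING = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}

# Constructed sample: visible From is example.com, envelope sender is example.net,
# DMARC fails, and the attachment hides an .exe behind ".pdf".
SAMPLE_RAW = b"""Return-Path: <bounce@example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.net; dkim=none; dmarc=fail header.from=example.com
From: "IT Helpdesk" <helpdesk@example.com>
To: alice@example.com
Subject: Action required: your mailbox is full
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="xyz"

--xyz
Content-Type: text/plain; charset="utf-8"

Your mailbox is almost full. Open the attached report to free up space.

--xyz
Content-Type: application/octet-stream; name="Mailbox_Report.pdf.exe"
Content-Disposition: attachment; filename="Mailbox_Report.pdf.exe"
Content-Transfer-Encoding: base64

bm90IHJlYWxseSBhIHByb2dyYW0=
--xyz--
"""


def parse(raw: bytes):
    return email.message_from_bytes(raw, policy=policy.default)


def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def check_sender(msg):
    """Compare the From domain with the envelope (Return-Path) domain.

    A mismatch is a red flag, not proof: newsletters and ticketing systems
    legitimately bounce through other domains, so treat it as a prompt to look
    closer rather than a verdict on its own."""
    from_dom = domain_of(str(msg.get("From", "")))
    rp_dom = domain_of(str(msg.get("Return-Path", "")))
    return from_dom, rp_dom, from_dom != rp_dom


def auth_verdicts(msg, authserv_id: str) -> dict:
    """Read spf/dkim/dmarc results stamped by OUR receiving server only.

    A sender can add a forged Authentication-Results header of their own, so
    headers whose authserv-id is not ours are ignored."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []) or []:
        text = str(hdr)
        stamped_by = text.split(";", 1)[0].split()[0]
        if stamped_by != authserv_id:
            continue
        for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", text):
            results[mech] = verdict
    return results


def classify_filename(name: str):
    """Return a reason string if the file name looks dangerous, else None."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in RISKY_EXTENSIONS:
        return None
    if len(suffixes) > 1 and suffixes[-2] in BENIGN_LOOKING:
        return "disguised double extension " + "".join(suffixes[-2:])
    return "risky extension " + suffixes[-1]


def risky_attachments(msg):
    found = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        reason = classify_filename(name)
        if reason:
            found.append((name, reason))
    return found


def triage(raw: bytes, authserv_id: str = "mx.example.com") -> list:
    """Run all checks and return human-readable findings (empty list = nothing odd)."""
    msg = parse(raw)
    findings = []
    from_dom, rp_dom, mismatch = check_sender(msg)
    if mismatch:
        findings.append(f"From domain {from_dom} differs from envelope sender {rp_dom}")
    verdicts = auth_verdicts(msg, authserv_id)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech, "missing") != "pass":
            findings.append(f"{mech} result: {verdicts.get(mech, 'missing')}")
    for name, reason in risky_attachments(msg):
        findings.append(f"attachment {name}: {reason}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_RAW):
        print("-", line)
```

Run against the constructed sample, `triage` reports the From/Return-Path mismatch, the missing DKIM signature, the DMARC failure and the disguised .pdf.exe attachment. The authserv-id check matters in practice: only the Authentication-Results header added by your own mail gateway says anything about the message, and the value to pass is whatever your gateway writes there.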
What do you do if you think you have a phishing mail in your inbox?
Phishing is very common, and most people will experience some sort of phishing at one point or another. The best thing you can do to avoid becoming a victim is to learn to recognize the red flags that give away a phishing attempt.
DON’T CLICK THAT BAIT!