Phishing attacks are one of the biggest attack vectors used against companies in the 21st century. A phishing attack is a type of social engineering in which an attacker sends a fraudulent message designed to trick a human victim into revealing sensitive information or into downloading malicious software onto the victim’s infrastructure. Phishing attacks are responsible for approximately 32% of data breaches. The reason they are so effective is that they take advantage of the human element of a company. Technical controls do what they are configured to do with minimal error, and once configured properly there is little room for manipulation. End users, however, are far less predictable and often lack cybersecurity knowledge beyond what their job requires, which makes them ideal targets. User awareness training is therefore an important defense against phishing: employees who can recognize phishing emails are less likely to give up their information or deploy malware. The training needs to focus on helping users identify the elements of a phishing attack. This article goes over some of the main ways to recognize phishing emails:
A generic greeting
Often, phishing emails are part of a larger campaign, meaning the same message is sent to hundreds or even thousands of recipients. As a result, these emails usually lack details such as the employee’s first and last name, job title, and company. One of the first hints that an email, text message, or phone call isn’t legitimate is that it addresses the recipient vaguely and gives no specifics about the request. Someone sending a genuine direct message should know the recipient’s name, company, and even title. If an email refers to the recipient with generic terms such as “him/her” or “the company,” that may signify that the email is part of a phishing campaign.
A sense of urgency
Another common tactic is to instill a sense of urgency so that users feel they must act right away. By creating this rush, attackers hope to push potential victims into making a mistake without thinking. A common example is an email claiming there is an issue with your bank account and that you must call a certain number within 24 hours or risk losing your entire account balance. In general, any email that sets a strict deadline to avoid some negative consequence should be viewed with suspicion.
Suspicious links
A huge giveaway for a phishing email is a suspicious link. If an email asks you to click a link, check that the URL corresponds to the website the email is referencing. For example, if the request is to log into a personal Netflix account, make sure the hyperlink leads to Netflix.com or, better yet, open a new tab and navigate to Netflix manually. This ensures you reach the genuine website and not a replica built by an attacker. A common social engineering tactic is to create replicas of popular websites and trick people into navigating to them and attempting to log in. Once that happens, the credentials are sent to the attackers, who can then log in to the victim’s real account.
(Image source: Malware Traffic Analysis)
Suspicious attachments
Phishing attacks that aim to install malware carry some kind of attachment. The malware can be any file type, but the most common are Excel spreadsheets, Word documents, and images. Excel and Word documents can contain scripts called macros, which can be set to execute automatically once someone downloads the file and enables macros. Similarly, attackers can craft files that look like JPEG or PNG images and attach them to emails; when someone downloads one of these picture-like files and opens it, the file executes. Teach employees to refrain from opening attachments from unknown senders, which limits the chance of accidentally downloading malware. When unsure whether an email contains malicious attachments, both the attachment and any URLs can be uploaded to virustotal.com, which scans files and URLs and reports whether they show signs of being malicious.
(Image source: Mailguard)
Misspelled or public domains
Most organizations have their own domains and are unlikely to send email from public providers such as “@gmail.com” or “@hotmail.com.” If the domain name after the @ corresponds to the company the sender claims to represent, the email passes this check. The two parts of an address to be cautious of are the display name and the local part, the part in front of the @ symbol. When sending an email, the sender can choose any display name, which may have nothing to do with the email address. Likewise, the local part can be anything the sender wants, which can mislead people. The part to pay attention to is the domain name after the @ symbol. Lastly, make sure the domain name is spelled correctly: a misspelled domain name is a signal that the sender is trying to mislead you.
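As an added example (not code from the original article), the following Python script applies the link, attachment and sender checks from the three sections above to a raw email: it separates the display name and local part from the domain after the @, flags public webmail and lookalike domains, warns when a link's visible text names a different host than its real target, and flags macro-capable or executable attachments such as a double-extension "image". The sample message, the webmail and extension lists, and the 0.8 similarity threshold are constructed for this example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse
WEBMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}  # constructed list
RISKY_EXT = {".doc", ".xls", ".docm", ".xlsm", ".exe", ".scr", ".js", ".vbs", ".hta", ".lnk"}
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample message: sender, link target and attachment name are made up.
SAMPLE = b"""From: "Netflix Support" <billing@netfl1x.com>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

Verify now: <a href="http://203.0.113.5/login">https://www.netflix.com/account</a>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.jpg.exe"

AAAA
--b1--
"""

def triage(raw: bytes, expected_domain: str) -> list:
    """Return human-readable findings for one raw email, applying the article's checks."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    # Sender: display name and local part are chosen freely; only the domain after @ counts.
    display, addr = parseaddr(msg["From"] or "")
    domain = addr.rpartition("@")[2].lower()
    if domain in WEBMAIL:
        findings.append(f"public webmail domain: {domain}")
    elif domain != expected_domain:
        if SequenceMatcher(None, domain, expected_domain).ratio() > 0.8:
            findings.append(f"lookalike domain: {domain} vs {expected_domain}")
        if expected_domain.split(".")[0] in display.lower():
            findings.append(f"display name '{display}' does not match domain {domain}")
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if fname and "." + fname.rpartition(".")[2] in RISKY_EXT:
            # "invoice.jpg.exe": the real type is the last extension, not the one the eye reads
            findings.append(f"risky attachment: {fname}")
        elif part.get_content_type() == "text/html":
            for href, text in ANCHOR.findall(part.get_content()):
                shown = re.sub(r"<[^>]+>", "", text).strip()
                if "://" in shown and urlparse(shown).hostname != urlparse(href).hostname:
                    findings.append(f"link text shows {shown} but points to {href}")
    return findings
```

The domain comparison only tells you what the From header claims; a forged header with the correct domain is caught by SPF, DKIM and DMARC enforcement at the mail gateway, not by this script.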
(Image source: welivesecurity)
The email is poorly written
The last sign of a phishing attack is poor grammar and spelling. The predominant theory for why this is the case is that it’s part of a filtering system: the cybercriminals want to target the most gullible people, which may mean people who aren’t well versed in the English language or aren’t very security-conscious. The idea is that people who are less likely to pick up on the warning signs in the email are also less likely to pick up on the scammer’s tactics later on. While this theory isn’t confirmed, it’s been well noted that a poorly written email tends to be a sign that it doesn’t come from a legitimate company.
Phishing attacks are one of the most popular forms of cyberattack for gaining initial access to a company. Teaching employees how to recognize these threats is an important step in reducing the likelihood that a company will be compromised this way. Fortunately, most phishing emails show the same signs, and proper training increases employees’ ability to recognize them whenever they are targeted. If a company has the resources, it is beneficial for its cybersecurity professionals to run their own red teaming exercises: create a mock phishing campaign and see whether employees follow their user awareness training. This helps track employee performance before and after the training and identifies which types of phishing emails they struggle with the most. These metrics are useful in determining what type of training is most needed going forward.