While technical security measures continue to improve, phishing remains one of the cheapest and easiest ways for cyber criminals to gain access to sensitive information.
Simply by clicking a link, victims can endanger their company’s security and put themselves at risk of identity theft.
They might also compromise their personal information, login credentials such as usernames and passwords, and financial information, including credit card numbers.
This page provides an overview of phishing and explains how security awareness training can help you avoid falling victim.
What is phishing?
Phishing is a type of social engineering attack in which cyber criminals trick victims into handing over sensitive information or installing malware.
More often than not they do this via malicious emails that appear to be from trusted senders, but sometimes use other means, which are explained below.
How does phishing work?
Most phishing campaigns employ one of two basic methods:
Malicious email attachments, which usually have enticing names, such as ‘INVOICE’, install malware on victims’
machines when opened.
Links to malicious websites
Malicious links point to websites that are often clones of legitimate ones, which download malware or whose login pages contain credential-harvesting scripts.
Types of phishing website
There are many types of malicious website, including:
Pharming/DNS cache poisoning
Pharming attacks redirect a website’s traffic to a malicious site that impersonates it by exploiting vulnerabilities in the system that matches domain names (the URL you type into your browser address bar) with IP addresses (the string of numbers assigned to each device connected to a network).
These spoof websites’ URLs look genuine, but are subtly different from the ones they impersonate.
They aim to take advantage of typing mistakes when users enter URLs into their browser address bar.
For instance, they might:
- Misspell the legitimate URL;
- Use letters that are next to each other on the keyboard, such as ‘n’ in place of ‘m’;
- Swap two letters round; or
- Add an extra letter.
Clickjacking/UI (user interface) redressing/iframe overlay
Attackers use multiple transparent layers to place malicious clickable content over legitimate buttons. For example, an online shopper might think they are clicking a button to make a purchase, but will instead download malware.
Tabnabbing and reverse tabnabbing
In these attacks, unattended browser tabs are rewritten with malicious sites. Unsuspecting users who return to the tab may not notice that the page is not legitimate.
Targeted phishing attacks
Most phishing emails are sent at random to large numbers of recipients and rely on the sheer weight of numbers for success. (The more emails are sent, the more likely they are to find a victim who will open them.)
However, there are also many types of attack – known as spear phishing – that target specific organisations or individuals. As with broader phishing campaigns, emails might contain malicious links or attachments.
A copy of a legitimate email that has previously been delivered, but sent from a spoof address that closely resembles the email address of the original sender. The only difference between it and the original email is that links and/or attachments will have been replaced with malicious ones. Recipients are more likely to fall for this sort of attack as they recognise the contents of the email.
A type of spear phishing that targets high-profile individuals, such as board members or members of the finance team. These attacks require additional effort on the part of the attacker, but the rewards are potentially greater: CEOs and other C-suite executives have more information and greater levels of access than junior employees. Moreover, a senior staff member’s compromised account can be used to carry out BEC attacks.
BEC (business email compromise)
These emails often take the form of ‘urgent’ requests purporting to be from senior staff, such as the CEO or CFO. They use social engineering tactics to fool more junior staff members into wiring money to the wrong recipient or disclosing confidential business information.
How to identify phishing emails
According to Proofpoint's 2019 State of the Phish Report, 83% of information security professionals experienced attacks in 2018, up from 76% in 2017.
Even if your organisation has strong technical security measures, some phishing emails will inevitably get through.
It is therefore critical for all employees to be able to recognise them. Things to look out for include:
- Public email domains
- Misspelled domain names
- Bad grammar and spelling
- Suspicious attachments/links
- Sense of urgency
View our phishing infographic for more information
How we can help you mitigate the threat of phishing
IT Governance is a leading provider of IT governance, risk management and compliance solutions. Browse our range of staff awareness e-learning courses and phishing solutions: