The Threat of Phishing
Organizations aim to protect their assets, infrastructure, and personnel from harm, so security teams need to understand the specific attack methods threat actors employ. Phishing is one of the most common of these methods, and it is used against public and private entities of every size.
Phishing is frequently the opening move in a larger intrusion. A successful lure gives the attacker an initial foothold in the organization's systems and networks, from which they can move laterally and reach confidential data.
Protecting your organization from phishing requires both team- and individual-driven efforts. In this blog, we explain how to keep your assets and infrastructure secure by understanding:
- What phishing is, types of phishing attacks, and how they work
- Warning signs of a phishing scheme
- Preventive countermeasures, including the role of education and threat intelligence
What is Phishing?
Phishing is an attack method that uses social engineering to acquire sensitive information such as login usernames and passwords. Social engineering manipulates an individual (or, through that individual, a system) into granting the attacker permissions or benefits they should not have, or into divulging protected information outright.
Examples of phishing attacks include:
- Sending out fraudulent emails impersonating organizations or administrators and asking for victim credentials.
- Creating a fraudulent website impersonating a target website that then harvests a victim’s login information.
Phishing targets individual employees throughout the company rather than the controls maintained by the organization's security team. That makes it harder to prevent with technology alone, especially when employees are not equipped to recognize a phishing attempt and report it.
Types of Phishing Attacks
Spear Phishing
Spear phishing is a targeted campaign: the threat actor sends a personalized email to a specific person, business, or organization. The email generally impersonates a trusted source, such as an executive, and carries either malware-laden attachments or links to malicious websites.
Phishing vs. Spear Phishing
The biggest difference is that phishing is typically generic, while spear phishing is aimed at a specific person or entity. Both rely heavily on social engineering: the victim must trust the message enough to click a malicious link, open a malicious attachment, or follow a link to a spoofed website where the attacker harvests credentials or other sensitive data.
Whaling
Whaling, also known as "CEO fraud," is a spear-phishing attack on a high-value target such as a corporate executive; the term is a play on phishing and spear phishing. The attacker poses as a potential business partner or a company employee and asks the recipient to wire money to a mule account. These emails often use legitimate-looking graphics and lookalike domain names to trick targets.
Vishing
Vishing ("voice" + "phishing") is phishing conducted over the phone. The caller usually claims to be from the government, the tax department, law enforcement, or the victim's bank.
The scam is usually framed as if the victim is in trouble with that organization. Posing as its representative, the attacker pressures the victim into sharing private information and threatens arrest or closure of the victim's bank account if they do not comply.
Vishing may also arrive as a voicemail urging the recipient to call back immediately to prevent further action against them.
Smishing (SMS phishing)
Smishing (SMS + phishing) is phishing conducted via text message: the victim receives a text that directs them to click a malicious link.
Phishing Threat Landscape
Popular and Relatively Non-technical
Phishing advertisements and services are among the most popular offerings in illicit communities. Phishing is popular because it requires little to no technical knowledge; it exploits the human element of an organization's attack surface. Because the bar to entry is so low, it is employed by the full range of threat actors, from low-level cybercriminals to advanced persistent threat groups.
Customized and Non-customized Attacks
Generic phishing may look like a shipment tracking notification, a newsletter, a promotional email, or some other routine message, and it is often not customized or specifically addressed to the recipient. Threat actors also theme campaigns around significant events such as natural disasters or global news, which makes an unsuspecting user more likely to respond.
Spear phishing campaigns, on the other hand, typically use details the attacker already knows about the recipient, such as personally identifiable information or employer details. These come from data breaches, open sources, social media, or material the company itself publishes, such as job titles, contact information, and organizational charts. Threat actors make heavy use of whatever they can source to craft content that appears believable and authentic.
Threat actors use the same techniques to obtain network access: they trick employees into giving up usernames and passwords, and they craft messages that appear to come from inside the user's own organization. An internal-looking message lowers the recipient's guard, and it is also a common way to coax a user into handing over a one-time 2FA code along with the password, defeating two-factor authentication that relies on codes the user can type. Once inside the network, the attacker moves laterally to higher-privileged accounts, gaining more control over systems and access to more data, which can turn a single phished login into a significant security incident.
Protection from Phishing Attacks
The primary way users can protect themselves from spear phishing is to never click a link in an unsolicited email. Threat actors are adept at making campaigns look legitimate; they may weave an organization's real contact or website information into a phishing message to lend it credibility. Users should be wary of all unsolicited messages, particularly those that ask them to click a link or download content.
Checking that a web domain is legitimate before interacting with it is a basic practice for avoiding phishing, and it matters most when a site asks for login credentials or other sensitive information. Threat actors may use a legitimate domain as a landing page and then redirect the user to a malicious page, so the check must be made on the page where the credentials are actually entered, not only on the link that was clicked.
Individuals should also limit the amount of personal information publicly available about themselves, because threat actors mine it for spear phishing: the more a message reflects details the victim recognizes, the more believable it is, and the more likely the victim is to hand over information they would not otherwise provide. Campaigns continue to grow more sophisticated and can fool even savvy users. Taking an extra moment to scrutinize any message that contains an unusual or unsolicited request is one of the most effective ways to defeat these attacks.
Best Practices to Mitigate Phishing Attacks
There are several steps your organization can take to make it easier to prevent a successful phishing attack.
- Educate employees on the signs of a phishing attack: links in messages they were not expecting, a sender or link domain that does not match the organization the sender claims to represent, and requests to share private information. Remind them that HTTPS and a padlock icon only mean the connection is encrypted; attackers routinely obtain valid certificates for lookalike domains of their own.
- Install anti-phishing add-ons on company devices and browsers, which can warn employees when an email looks suspicious or a link leads to a known phishing site.
- Require multi-factor authentication on every account and enforce periodic password rotation; note that rotation alone offers little protection against phishing, since a phished password is typically used within minutes of capture.
- Deploy email and web filtering alongside firewalls to block known phishing domains and malicious attachments before they reach users; a network firewall alone does not inspect message content.
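The domain checks recommended above (verifying the site before entering credentials, and spotting link domains that do not match the claimed sender) can be automated for mail triage. The following is an added example written for this post, not a Flashpoint tool, and it assumes nothing about any specific product. It flags the link tricks most often seen in phishing: a familiar brand name that is only a subdomain of an unrelated registrable domain, credentials (userinfo) placed before the host, raw IP addresses, punycode labels that may hide a homograph, and a legitimate domain whose query string carries a second URL to redirect to. The domain names in the sample calls (bank.example, attacker.test, evil.test) are placeholders, and the registrable-domain logic is a deliberately simplified stand-in for a Public Suffix List lookup.

```python
"""Link triage helper for suspicious messages (added example, not original page code)."""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Assumption: a real tool would consult the Public Suffix List. This small set of
# two-level suffixes is enough to show why "last two labels" is not sufficient.
_TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname the owner actually registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def nested_url(url: str):
    """Return a full URL hidden in a query parameter (the open-redirect pattern), or None."""
    for values in parse_qs(urlsplit(url).query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return value
    return None


def check_link(url: str, claimed_domain: str) -> list[str]:
    """Return human-readable findings; an empty list means no red flags were seen."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases the host for us
    claimed = claimed_domain.lower()

    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    if parts.username is not None:
        # https://bank.example@evil.test/ connects to evil.test, not bank.example
        findings.append("userinfo before host hides the real destination")
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a hostname")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode label: possible homograph of a familiar name")

    reg = registrable_domain(host) if host else ""
    if reg != claimed:
        if claimed in host:
            # e.g. login.bank.example.attacker.test: the brand is only a subdomain
            findings.append(f"{claimed!r} appears in the host but the registrable domain is {reg!r}")
        else:
            findings.append(f"registrable domain {reg!r} does not match claimed sender {claimed!r}")

    inner = nested_url(url)
    if inner is not None:
        inner_reg = registrable_domain(urlsplit(inner).hostname or "")
        if inner_reg != reg:
            # The clicked link is genuine; the page it forwards to is not
            findings.append(f"legitimate domain redirects to {inner_reg!r} via a query parameter")
    return findings


if __name__ == "__main__":
    # Constructed sample links; every domain here is a placeholder.
    samples = [
        "https://login.bank.example/account",
        "https://bank.example.attacker.test/login",
        "https://bank.example@evil.test/",
        "https://bank.example/redirect?to=https://evil.test/login",
        "http://203.0.113.5/login",
    ]
    for link in samples:
        print(link, "->", check_link(link, "bank.example") or "no findings")
```

In practice the "claimed" domain comes from the sender's display name or the brand the message impersonates, and a clean result only means none of these tricks were used; it does not prove the site is genuine, which is why the page a user lands on should be checked again before credentials go in.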
The Importance of Threat Intelligence
It is critical for your organization to have a strong threat intelligence program that alerts your security team to suspicious online activity or social media chatter that may hint at an imminent attack.
Stay Aware
This intelligence gives your teams an unfiltered look at the conversations threat actors are having online: how to build effective phishing campaigns, circumvent anti-phishing software, or buy scam pages built to steal your data. With this awareness, your security personnel can implement better defensive measures and stay a step ahead of the actors targeting them.
Monitoring chatter about phishing also alerts your team to circumstances that invite more attacks. Threat actors often exploit major news events: this was observed during the height of the COVID-19 pandemic with COVID-themed scams, and with the fake charities that crop up after natural disasters or terrorist attacks.
Educate and Communicate
Good threat intelligence also strengthens a company's ability to educate its employees by providing real-life examples and the most current information, so individuals understand the threat landscape they face.
The same data lets you communicate risks internally and tell other teams what steps to take based on intelligence gathered from illicit communities, making your response more timely and effective.
Get Flashpoint on Your Side
Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.
Frequently Asked Questions (FAQ)
Q: What is phishing, and how does it relate to social engineering?
A: Phishing is a common attack method that uses social engineering to manipulate individuals into giving up private information, such as passwords, or clicking malicious links.
Q: What are the most common types of phishing attacks beyond generic email phishing?
A: Spear phishing (targeted at a specific person or entity), whaling (spear phishing aimed at high-value executives), vishing (conducted by phone), and smishing (conducted via text message, or SMS).
Q: What is the most effective defense against phishing attacks?
A: The most effective defense is a combination of employee education (to instill wariness about unsolicited messages and links) and technical controls (anti-phishing add-ons, email and web filtering, and multi-factor authentication) that stop malicious content from reaching the user or limit the damage when a credential is phished.