Cyber criminals are getting creative with their ways and organizations have to lookout for new ways to prevent phishing attacks. You do need to stay abreast of cyber news, so you can spot newer ways hackers are targeting businesses. But if there was a way you could understand the primary methods hackers use to plan phishing attacks, wouldn’t that make it easier for us all to come up with ways to prevent phishing?
Some ethical hackers from a cybersecurity company have recently published an article carefully curated after studying hundreds of phishing attacks. In the article, they lay down the different ways hackers plan out their intrusions. It is very helpful to understand a phisher’s mindset from someone who’s paid to behave like a hacker. Towards the end of this blog, we also give you some potent steps to take to prevent phishing.
How phishing emails are crafted
Choosing a target
There are two kinds of phishing attacks. In one, the hacker(s) create a generic phishing email and send it out to a bunch of potential victims. This is a ‘whoever bites’ approach and does not have a high success rate. The second method is spear phishing. In spear phishing, cyber criminals target specific people or a group of people with their phishing emails. Spear phishing yields more output than bulk phishing.
Once a target or an entire branch of targets (for e.g., the CA/CS branch during audit season) is fixed, the phisher moves on to the further steps.
Choosing an emotional press-point
As we’ve discussed in our series on social engineering (blog post to be linked), cyber crimes are more strongly based on the mentality of the victims than we might like to think.
Phishers spend a lot of time researching their victims, and understanding what bait they are most likely to respond to. A CEO is more likely to react to an email that causes a panic. Workplace emergencies or an input for a key decision are typically ruses that will work with such individuals. On the other hand, juniors are more likely to engage in email forward chains and entertainment mails from their peers. A hilarious video from a colleague will be a good bait for such employees.
There are some basic tendencies that have been so hardcoded into our psyche that we forget all reasoning and act on them. Some of our emotional responses are towards:
1. Fear
“Your account has been frozen! Resubmit your credentials to unfreeze it.”
2. Hope
“Fill out the form for a chance to win some cash!”
3. Curiosity
“Russia finds a vaccine for Covid-19. Click the link to know more.”
4. Satisfying a current need
“Unhappy with your current job? There’s an opening at our company that pays double!” Or, “Dieting tips for weight loss…” if you’re currently stressed about your fitness.
If you’re a chosen victim, you can assume hackers have mined extensive data on you. They know you inside out and know to extend a phishing bait you’ll bite.
Crafting the phishing email
Email is the entry point for most of the phishing attacks. An experienced hacker will spend a lot of time in crafting the perfect email that will cause you to shutdown the logic centers of your brain and act impulsively, emotionally. There could be phishing links in hyperlinked text, attached documents, or even the Unsubscribe link. The email is designed such that you will treat it like any other email and not think twice about it. This makes it that much harder to prevent phishing.
Delivering the scam email
Here, a hacker has two choices. Either he buys a free Gmail / other mailing service inbox or he spoofs an existing domain (for e.g., f0rbes newsletter instead of forbes newsletter). The delivery is also not random. It is well timed, and meticulously hidden behind harmless, valid sending addresses. This is where Business Email Compromise (BEC) comes into picture.
A complete guide on understanding and preventing Business Email Compromise.
Now, all the hacker has to do is to wait for you to engage with the email.
How do I prevent phishing in my organization?
There are certain steps you need to take in order to prevent phishing effectively.
Establish a company-wide security outlook
Not every business is techno-savvy. In fact, some organizations believe because they are smaller in size, or don’t belong to the technology domain, they cannot be targeted for phishing. Nothing could be further from the truth. Anyone and everyone can become a phishing target. It is important that your employees are cyber-aware, and are in tune with the latest happenings in the online security world. We encourage you to hold corporate seminars on cybersecurity, and imbibe a security consciousness in each one of your employees.
Develop response protocols
Sometimes, cyber-attacks are reversible and/or recoverable. But because you’ve never thought about how you’ll react if you fell victim to phishing, you tend to clamber madly, without a clear idea of what to do. Instead, get involved in corporate security training, and establish clear Standard Operating Procedures on ways to proceed in the event of cyber fraud. Some of the simple steps you can take is a company-wide password change policy or the enabling of multi-factor authentication (MFA).
Some companies also hire Rapid Response Teams who kick into gear as soon as email scam is detected. Such teams also provide ethical hacking services, whereby a security specialist tries hacking into your system to uncover the flaws.
Partner up with a security service provider
Not everyone has the resources to have an entire team at their disposal. However, some cybersecurity companies like Logix provide email security tools AND constant 24X7 support. It’s as good as having a supporting partner that handholds you through the process of achieving maximum online security.
Our email security services block all major email borne threats. If you are looking for ways to prevent phishing, consider taking a look at our Email ATP solutions.
Frequently Asked Questions
What are some easy ways to spot and prevent phishing?
Phishing emails are generally poorly worded and filled with spelling mistakes. Also, if you receive a random email with a generic greeting (Dear Sir), it may be a bulk phishing attempt. A good way to spot phishing links is to hover over the links in the email to know the actual destination URL. Similarly look for the actual email addresses behind the sender’s display name.
Can I prevent phishing in my organization on my own?
Yes, by being extremely vigilant and up-to-date with current cyber security, you can ward off most phishing attempts. However, as we discuss in the section “Choosing an emotional press-point”, phishing emails are designed to defeat common sense and alertness to trigger an emotional response. That’s why we suggest businesses to procure third party email security services.
Can phishing attack damage be reversed?
In rare cases, by having sound response strategies in place and approaching the right authorities at the right time, phishing losses have been reversed. However, these are unlikely scenarios and need rapid action in order to work.