Contrary to popular belief, complex attacks aren’t always better or more successful. With regards to cybersecurity, one of the most successful attack vectors is a simple phishing email. Last year, alone 67pc of data breaches were caused by phishing scams, writes Steven Hope, CEO and co-founder of password and multi-factor authentication company Authlogics.
In such cases, hackers typically use malicious links or attachments to steal personal information or account data. Unfortunately, gone are the days when these were easy to spot and avoid. Attackers are becoming increasingly sophisticated, cleverly constructing emails to contain specific and relevant information to their victims, improving their likelihood of success. Once they manage to gain access to an account, they can gain a foothold in an organisation’s network and wreak immense havoc by launching larger attacks.
How does a malicious email lead to a full-blown cyber-attack?
Criminals rely on deception and a sense of urgency to trick victims into clicking malicious links or downloading attachments embedded with malware. There are several methods that threat actors use to trick their victims into a false feeling of security by impersonating well-known brands or even employees/employers. Depending on the type of technique used, the hackers can achieve different goals.
Phishing link:
This is often the method used to get individuals to handover sensitive information such as usernames, passwords, even banking information. Acquiring these are the first step an attacker can use to infiltrate a system to launch larger attacks. These links can come in all types of forms such as tailored messages from the victim’s ‘bank’. Threat-actors tend to send these to millions of victims to increase the chance that someone will bite and follow the link to then input their sensitive information on the attacker’s carefully constructed website. A recent example of this is the uptick of fake DHL emails circulating around holidays such as Black Friday and Christmas, as these are associated with an increase in online shopping and package deliveries. As a matter of fact, DHL emails became the most spoofed by threat actors, with emails and associated fake websites becoming increasingly convincing. Victims received an email alleging to be from DHL customer services; those who followed the link were taken to a nearly identical DHL website to share their delivery information and PayPal details in order to lift a temporary suspension of their account. And this is only one example of many.
Malicious attachments:
Another tactic hackers use are malicious attachments with embedded malware. Once opened, the victims infect their own computers with harmful software, which can spread throughout the entire network and allow hackers to steal sensitive information, conduct espionage or launch ransomware attacks.
What to look for to identify a phishing attack:
While threat actors are becoming more sophisticated in their approach to phishing, there are normally a few tell-tale signs that differentiate a phishing email from a normal one.
One of the most obvious indicators of a phishing scam is bad grammar. For this reason, it’s vital to read through all email thoroughly, to spot any abnormalities in punctuation or spelling. Another thing to look out for is inconsistencies in the sender email. If the email claims to be from PayPal or Apple but the sender email doesn’t have the correct domain, it’s highly likely a scam. Individuals should always email brands directly if they receive an email and aren’t sure of its validity. This also applies to the links in emails. These days it is possible to hover over emails before clicking on them. If the landing page doesn’t look quite right, it’s best to move the email to junk.
Lastly, victims must pay attention to email layouts. Threat-actors have improved their ability to spoof a brand’s email design, however there are typically still irregularities in a scam email. The securest way forward is to always proceed with caution; if something seems off, don’t trust the email before doing some research or contacting the sender directly.
Preventing phishing attacks:
The success of these attacks is concerning yet unsurprising. These days many individuals display major parts of their lives on social media. As such, there has been an increase in social engineering, a tactic that threat actors use to curate the perfect email for their victims. They use the easily available information their victims post online to make their scams sound more convincing, improving their chances of success. Once a victim enters their account information into a spoofed website, threat-actors can potentially use this to deduce a user’s password habits; this way they will gain access to several of the victim’s accounts. Many users still follow bad password practices and re-use the same or similar passwords across multiple sites, making it easy for hackers to socially engineer their way into victim accounts to steal data or launch larger attacks. As a result, users should make sure to not only be vague about personal information online but to not use birthdays, pet names, family names or other personal information to secure important (or any of their) accounts.
In tandem with good password practices, users should deploy multi-factor authentication in order to provide a stronger barrier of security to their personal information. This will not only protect their accounts from a breach, but it will prevent a threat-actor from launching a successful phishing attack, even if the victim gives up their password.
Ultimately, no company or individual is safe from falling victim to a phishing attack. Threat-actor sophistication is growing and as these types of scams are becoming harder to spot, more people will find themselves being tricked. The best way forward is to protect accounts with secure passwords and multi-factor authentication and to know what to look out for when checking emails.
Companies can provide cybersecurity training that involves simulated phishing links, which if clicked won’t cause any harm but will teach employees to think twice about what links to click or what files to download. Human error is the weakest link when it comes to cybersecurity. Also, from a company’s perspective, the investment in identifying compromised credentials and preventing poor password practices is extremely valuable for protecting employees logons and a company’s infrastructure overall. Accessibility to an enterprise-grade password breach database is a great stepping stone to enhancing authentication methods. That being said, if individuals are taught about the consequences and the methods to prevent a phishing scam, their own and their company’s accounts and networks will be better protected. Typically, threat-actors will be deterred if they don’t believe they have an easy way in.
