An Evolving Cyber Threat

4 Ways of Recognising Phishing Attacks in 2020 Many of us likely think ourselves wise enough not to be fooled by a social engineering attack, though in our technological age, the lengths to which hackers and criminals will go to gain our confidence, information, and money can be surprising.

As the 2020 global pandemic has forced many into remote work situations, with cyber criminals taking every opportunity to exploit the situation and many institutions warning the public about phishing emails, it is vital that users do not allow scammers the upper hand. Recognising phishing attacks is essential to ensure that your organisation stays secure.

Phishing Threat

With around 90% of organisations experiencing targeted phishing attacks, and 22% of all breaches involving a phishing element, combating information security attacks will always require users to understand the threat landscape and be on the lookout for suspicious communications.

Phishing, being the most common form of social engineering attack, often targets users at their weakest. Interjecting themselves into conversations at the critical point, directing you to expose sensitive information and compromise your organisation’s information security, hackers may spend a great deal of time discovering how you are best manipulated.

4 Easy Ways of Recognising Phishing Attacks

The low cost and relative ease with which large volumes can be sent makes phishing emails a global issue that looks unlikely to end any time soon.

Although there are many successful attacks every day, there are a few simple methods of successfully recognising phishing attacks to ensure you can avoid them.

  1. Subject

The appearance of authenticity is an attacker’s greatest weapon; an illusion that begins with the first thing a user sees. Frequently imploring urgency or supposed importance, attackers know and exploit the shortcuts to trust and interest.

Promises of prizes, refunds, invoices and ‘too good to be true’ deals are among the tricks, with many phishers also attempting to appear part of on an ongoing conversation (‘RE’, ‘Fwd’ and ‘Follow-up’.

  • Address

Next is the communications address. Again, attackers frequently seek to mimic trusted or known senders. From CEOs of a company to online marketplaces, attackers use variations of addresses to appear authentic.

For example, the substitution of Ls for 1s or the jumbling or reversal of letters. At a glance, an address such as support@email.hustix.io, may appear legitimate, but upon closer inspection can be detected as inauthentic.

  • Links and Attachments

The purpose of most phishing attacks is to steal confidential, or sensitive information, most commonly credentials. To do so, an attack typically needs you to click a link or attachment for this to work, which is why both these email elements need to be treated with suspicion.

Malicious attachments and links are frequently disguised, with file types obfuscated (e.g. FILENAME.PDF.exe) and links that appear to point to a different location than it appears.

By hovering over a link, the actual URL can be safely inspected. Likewise, any potentially dangerous file types (in particular .exe) should be scanned before opening or disregarded immediately.

  • Content

The content of an email also gives a user a strong indication of the authenticity of communication. With many phishing emails being spam from relatively unsophisticated overseas scammers, spelling mistakes are common.

As well as suspect spelling, users are also advised to judge the tone of an email before taking any action or following any links. For example, the use of titles (Miss, Mr, Mrs) may be normal in commercial communications, whereas informal language is typically absent and to be treated with reasonable suspicion.

Fighting Phishing

Whether it is opening an ‘interesting’ or ‘urgent’ attachment, following a disguised or suspicious link, or even following deceptive instructions, we must all look out for the signs of a phishing attack, Including inauthentic sender addresses, tonal inconsistencies, spelling mistakes, hidden URLs and suspicious attachments.  

Think about your potential weaknesses.

Think about how you may be being manipulated.

Think about who might be profiting from your behaviour.

All questions that are integral to creating an information secure culture.

Vishing (Voice Phishing) Case Study

In early 2019, artificial intelligence-based voice software was used to defraud a company out of almost £200,000. Perhaps the first in a new trend of ‘deep-fake fraud’, an executive of a UK-based energy company believed he was speaking on the phone to his overseas boss, when in fact what he was communicating with was not even human.

Complying with an urgent request, the executive made the whopping transfer to a ‘supplier’, all without suspecting anything was amiss. It was only by the third phone conversation and a second large transfer request, that the executive became suspicious. However by that time, it was too late.

Having mimicked an accent and intonation well enough to fool an employee into transferring thousands of pounds, it is disconcerting to think where this technology could lead. As both video and voice imitation software develops, organisations will increasingly need to think about how it is they protect themselves from social engineering attacks.

There are many ways in which people can become the victims of a social engineering attack. Some can be very subtle, whereas others less so. What they all have in common is the objective of manipulating you into helping a malicious actor get closer to their goal.

Along with the frequency, the cost of these kinds of attacks on organisations continues to grow year-on-year, making it more important than ever to ensure that your employees are recognising phishing attacks.

With methods and techniques becoming ever more sophisticated, neither individuals nor organisations can afford to take the chance of being ill-prepared when the phishing attack happens.

When faced with the alternative, it always pays to take those few extra moments to confirm who you are communicating with and that your actions are not compromising security.