What is Phishing?
Phishing is a social engineering attack, most commonly delivered by email, that aims to trick users into performing actions that compromise their security, such as entering their credentials on an attacker-controlled page or opening a malicious attachment.
One of the most common forms is an email that appears to come from a legitimate source (such as a bank or another well-known business) and tries to trick the recipient into clicking a malicious link and entering their login details on a fake login page controlled by the attacker.
Phishing emails can also contain attachments that, when opened, install malware on the victim’s device. This malware can then be used to steal sensitive information, such as login credentials or financial information, or gain access to the target user’s internal network.
Types of Phishing Attacks
Phishing attacks take many forms, but the most commonly seen are generic emails sent in bulk to a large number of recipients. These messages are usually written to create a sense of urgency that pushes the recipient into taking immediate action, such as clicking a link or downloading an attachment.
Spear Phishing
Spear phishing is a targeted form of phishing that is directed at specific individuals. The attacker will often research their target to create an appropriately convincing email that appears to be from a trusted source (e.g., their IT team or management). This can include using the target’s name, job title, or other personal information to make the email seem more legitimate.
Whaling
Whaling is a subtype of spear phishing that targets high-profile individuals within an organisation, such as executives or senior management. Because the potential payoff is larger, the attacker may invest in more sophisticated tactics, such as a convincing fake login page or additional out-of-band social engineering (for example, a phone call that reinforces the email), to increase the chances of success.
Clone Phishing
Clone phishing reuses the branding and trust of a legitimate email (for example, a password reset message from a SaaS platform): the attacker copies the existing email format, replaces its links or attachments with malicious versions, and sends the clone to their targets hoping they will not notice the difference and will click the malicious link or open the attachment.
How to Recognise Phishing Emails
There are several signs that can help you identify a phishing email:
- Suspicious Sender: Check that the sender’s address really belongs to the organisation it claims to be from. Look for lookalike domains (a swapped letter, an extra word, a different top-level domain) and be cautious of emails from free email services (e.g., Gmail, Yahoo) that claim to be from a legitimate business. The display name can be set to anything, so read the actual address rather than the name.
- Reply-To Address: Check whether the Reply-To address matches the From address. A different Reply-To, particularly on another domain, can mean the From address is spoofed and the attacker wants replies routed to a mailbox they control. Some legitimate bulk mail also uses a separate Reply-To, so treat this as one indicator among several.
- Urgent or Alarming Messages: Be wary of emails that create a sense of urgency or pressure you to take immediate action.
- Spelling and Grammar Errors: Many phishing emails contain spelling and grammar mistakes, which can be a sign that the email is not legitimate. A well-written email is not proof that it is safe, however; targeted attacks are often carefully proofread.
- Suspicious Links or Attachments: Hover over links to see the real URL before clicking, and compare it with the text shown; the visible text can say one thing while the link goes somewhere else entirely. Be cautious of attachments, especially from unknown senders or with unexpected file types (e.g., .exe, .zip, .dmg).
- Requests for Sensitive Information: Legitimate organisations should never ask for sensitive information (e.g., passwords, credit card numbers) via email; treat any such request as suspicious.
- Unusual Requests: Be cautious of emails that ask you to perform unusual actions, such as transferring money or providing personal information.
- Generic Greetings: Phishing emails sent en masse often use generic greetings such as “Dear Customer” instead of addressing you by name, although more targeted attacks will usually get your name right.
- Email Headers: Check the email headers, in particular the Authentication-Results header added by the receiving mail server, to see whether the message failed SPF, DKIM or DMARC checks. Organisations should publish SPF, DKIM and DMARC records for their own domains, with an enforcing DMARC policy, to make it harder for attackers to spoof their addresses.
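The indicators in the list above can be checked mechanically on a raw message. The following is an added example written for this article, not code from the original page: it parses a constructed sample email (made-up domains and people, with the Authentication-Results header a receiving mail server would add) and reports a From/Reply-To domain mismatch, any SPF, DKIM or DMARC result other than pass, link text that disagrees with the link target, urgency language, and risky attachment types. The registered-domain helper keeps only the last two labels of a hostname and makes no use of a public suffix list, so it is a simplification.

```python
"""Triage a raw email for the phishing indicators listed above.
Added example, not code from the original article; SAMPLE_EMAIL is a
constructed message with made-up domains and people."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_EMAIL = """\
From: Example Bank Security <alerts@examplebank.com>
Reply-To: support@examplebank-verify.net
To: victim@company.example
Subject: URGENT: your account will be suspended in 24 hours
Authentication-Results: mx.company.example;
 spf=softfail smtp.mailfrom=examplebank.com;
 dkim=none;
 dmarc=fail header.from=examplebank.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Immediate action required. Please verify your details now:</p>
<a href="http://examplebank.com.login-verify.net/session">https://www.examplebank.com/login</a>
--b1
Content-Type: application/zip; name="Statement.zip"
Content-Disposition: attachment; filename="Statement.zip"

UEsDBAoAAAAAAA==
--b1--
"""
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".zip", ".dmg"}
URGENCY_WORDS = ("urgent", "immediate", "suspend", "24 hours", "verify")

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None

def registered_domain(host):
    """Rough registered domain: the last two labels (no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def address_domain(header_value):
    """Domain of the first address in a From/Reply-To header, or ''."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def host_in_text(text):
    """Hostname inside link text, if the text looks like a URL or domain."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else ""

def triage(raw_message):
    """Return a list of (indicator, detail) tuples found in the message."""
    msg = message_from_string(raw_message, policy=default)
    findings = []
    from_domain = address_domain(msg["From"])
    reply_domain = address_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"From {from_domain}, Reply-To {reply_domain}"))
    # Any SPF/DKIM/DMARC result other than "pass" (fail, softfail, none) is a finding.
    auth = str(msg.get("Authentication-Results", ""))
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", auth, re.I):
        if result.lower() != "pass":
            findings.append(("auth-failure", f"{mech.lower()}={result.lower()}"))
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if body is not None and body.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(text)
        for href, label in collector.links:
            target = registered_domain(urlparse(href).hostname or "")
            shown = host_in_text(label)
            if shown and registered_domain(shown) != target:
                findings.append(("link-text-mismatch", f"shows {shown}, goes to {target}"))
            elif target and target != registered_domain(from_domain):
                findings.append(("link-offdomain", f"{href} is not under {from_domain}"))
    haystack = (str(msg["Subject"] or "") + " " + re.sub(r"<[^>]+>", " ", text)).lower()
    hits = [word for word in URGENCY_WORDS if word in haystack]
    if hits:
        findings.append(("urgency-language", ", ".join(hits)))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if "." in name and "." + name.rsplit(".", 1)[1].lower() in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", name))
    return findings
```

Running `triage(SAMPLE_EMAIL)` returns one finding per indicator category (three for the authentication results, since SPF, DKIM and DMARC all failed to pass). None of these checks is conclusive on its own; a legitimate newsletter can trip the Reply-To and urgency checks, which is why the result is a list of indicators for a human or a scoring rule to weigh rather than a verdict.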
How to Protect Yourself from Phishing Attacks
To protect yourself from phishing attacks, it is important to be vigilant and cautious when receiving emails, especially those that contain links or attachments. Here are some tips to help you stay safe:
- Verify the Sender: If you receive an email from a sender you do not recognise, or if the email seems suspicious, do not click on any links or download any attachments. Instead, contact the organisation directly using a phone number or email address that you know to be legitimate.
- Use Multi-Factor Authentication (MFA): Enable MFA on your accounts wherever it is available. This greatly increases the security of your accounts, as an attacker who obtains your password still needs the additional factor (e.g., a code generated by your authenticator application) to log in. Be aware that a one-time code typed into a web page can still be captured and relayed by a phishing site that proxies the real login page, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys where they are offered.
- Keep Software Up to Date: Ensure that your operating system, web browser, and any other software you use are kept up to date with the latest security patches. This can help protect you from vulnerabilities that attackers may exploit.
- Use Anti-Malware Software: Install and regularly update anti-malware software on your devices to help detect and prevent malware infections.
- Report Suspicious Emails: If you receive a suspicious email, report it to your IT department or email provider. This can help them take action to protect other users from similar attacks.
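The recognition list earlier on this page notes that organisations should publish SPF, DKIM and DMARC records for their domains. The following added example (not from the original article) checks an SPF record and a DMARC record for the settings that make them ineffective, showing a weak and a corrected version of each. The record strings are constructed stand-ins for the TXT records of example.com and _dmarc.example.com; no DNS lookup is made. DKIM is left out because its check is a signature verification on the message rather than a policy string.

```python
"""Flag weak settings in published SPF and DMARC TXT records.
Added example, not from the original article; the record strings below are
constructed stand-ins for real DNS TXT records, so nothing is queried."""
import re

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 DNS-lookup terms is a permerror

# Constructed records: a weak pair and a corrected pair.
WEAK_SPF = "v=spf1 include:_spf.mailer.example mx ptr +all"
STRONG_SPF = "v=spf1 include:_spf.mailer.example mx -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"

def check_spf(record):
    """Return warnings for an SPF TXT record string (empty list if none)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    warnings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # bare mechanism means "+"
        mech = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", mech, maxsplit=1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in ("include", "a", "mx", "ptr", "exists", "redirect"):
            lookups += 1   # these terms each cost a DNS lookup at evaluation time
            if name == "ptr":
                warnings.append("ptr mechanism is deprecated (RFC 7208) and unreliable")
    if lookups > SPF_LOOKUP_LIMIT:
        warnings.append(f"{lookups} DNS-lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}")
    if all_qualifier is None:
        warnings.append("no 'all' term: unmatched senders get a neutral result")
    elif all_qualifier == "+":
        warnings.append("'+all' lets any host on the internet pass SPF")
    elif all_qualifier == "?":
        warnings.append("'?all' is neutral: spoofed mail is not penalised")
    return warnings

def check_dmarc(record):
    """Return warnings for a DMARC TXT record string (empty list if none)."""
    tags = {}
    for item in record.split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    warnings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        warnings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        warnings.append(f"missing or unknown policy 'p={policy}'")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        warnings.append("sp=none leaves subdomains unprotected")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        warnings.append(f"pct={pct}: policy is applied to only part of failing mail")
    if "rua" not in tags:
        warnings.append("no rua= address: you receive no aggregate reports")
    return warnings
```

`check_spf(WEAK_SPF)` reports the deprecated ptr mechanism and the `+all` that lets any host pass, while `check_spf(STRONG_SPF)` returns nothing; `check_dmarc(WEAK_DMARC)` reports the monitoring-only policy and the missing reporting address. A DMARC record at `p=none` is the usual first step of a rollout, but until it is moved to `quarantine` or `reject` it does nothing to stop a spoofed message reaching the inbox.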
What to Do if You Fall Victim to a Phishing Attack
If you believe you have fallen victim to a phishing attack, it is important to take immediate action to minimise the potential damage. Here are some steps you should take:
- Report the Incident: Report the phishing attack to your IT department, email provider, or the organisation that was impersonated in the email. This can help them take action to protect other users from similar attacks.
- Change Your Passwords: If you entered your login credentials, change the password for the affected account immediately. If you reused that password elsewhere, change it on those accounts too, and use a unique password for each account or service from now on.
- Sign Out of All Sessions: If you provided your login credentials, sign out of all active sessions on the affected account (most services offer this in their security settings) so the attacker cannot keep using a session they have already opened; changing the password alone does not always end existing sessions.
- Enable Multi-Factor Authentication (MFA): If you have not already done so, enable MFA on your accounts to provide an additional layer of security.
- Monitor Your Accounts: Keep an eye on your accounts for any suspicious activity, such as unauthorised transactions or changes to your account information.
- Run a Malware Scan: If you downloaded an attachment or clicked on a link in the phishing email, run a full malware scan on your device to check for any infections.
Email Phishing Simulation and Security Awareness Training
One of the most effective ways to protect your organisation from phishing attacks is to conduct regular phishing simulations and provide security awareness training to your employees.
Phishing simulations can involve technical assessments, where ethical hackers will attempt to bypass technical security controls that are put in place to prevent phishing attacks, or they can involve sending simulated phishing emails to employees to test their ability to recognise and respond to phishing attempts.
Security awareness training can help educate employees on how to recognise and respond to phishing attacks, as well as other types of cyber threats. This can include training on how to identify suspicious emails, how to create strong passwords, and how to use multi-factor authentication.
Contact our team today to learn more about our phishing simulation services. Educate your employees and improve your organisation's security posture.