There are many, many ways that malicious attackers trick normal hard working people into handing over prized data, be it looking for financials, personal information or sensitive documents.

Just last week, I received an email purporting to come from a business partner, requesting that I pay our company’s contractor a specific amount of money IMMEDIATELY. Bank account details were provided.

My initial thought was that it was a legit email sent to me in error, but when I looked more closely, I could see that the sender email was forged. I happen to know personally know al

The contractors I work with, and I also happen to work in cybersecurity, so I am perhaps not the ideal victim for this type of attack.

This type of phishing scam is known as Business Email Compromise (BEC), and it was unsuccessful primarily because it was an opportunistic attack disguised as a targeted attack. The attackers had done poor research, making it much easier for me, the potential victim, to suss out scam.

Whatever phishing attack type is used – spear phishing, whaling, vishing, Business Email Compromise (BEC) or clone phishing – you can bet they will try to make use of social engineering tactics to dupe the victim.

Types of phishing attacks

Phishing: mass-mailing or non-targeting communication, sent in the hope that a small percentage of recipients fall for the ruse.

Spear phishing: A targeted phishing attack with specific potential victims in mind.

Clone phishing: Email is made to look virtually identical to a legitimate communication, to trick the recipient that it is real.

Vishing: Also known as voice phishing, vishing is where the caller might pretend to be a senior player demanding urgent information over the phone (such as login credentials)

Whaling: A targeted phishing attack that goes after a prime target, such as a CEO or top executive.

Phishing attack commonalities

Once potential targets are identified, successful attackers go into research mode to identify the path of least resistance for the greatest return. In other words, who are the choicest victims to make the shortlist. It is a bit like a robber casing a number of homes, deciding which one to burgle. They might be attracted to a particular home, but still be deterred by obvious security features (floodlights, burglar alarm, bolted doors, and windows, etc.). In this case, our burglar is likely to move to another house.

In phishing, you are looking for target victims that you can connect with and dupe into unwittingly parting with some sensitive information, be they sensitive files, money or login credentials.

Here is how this might work if you were identified as a potential target by a phishing group:

  1. Learn as much as they can about you By digging through all types of sites to learn key information about your friends, family, hobbies, habits, and job.
  2. Get into your inner circles. They may try and trick their way into your online circles, by posing to be an old colleague or friend for instance.
  3. Hack your accounts or those of trusted contacts Accounts without multi-factor authentication, or strong and unique login credentials are particularly vulnerable.  

Information gathered during this research phase helps attackers hone the scam strategy into something that feels authentic, urgent, and important.

The attackers then must choose their psychological tactics to trick the target – these might leverage fear (e.g., accusing the target of misconduct and threatening penalties), authority (e.g., where the sender pretends to have authority or seniority over the target) and/or shaming (e.g., threatening to expose a target for purported or sensitive activities).

Communication vectors include messaging apps, social networks, and email. They can also communicate in person or via phone, as in vishing. And, of course, the strategy could include a multi-vector approach to increase the credibility of the attacker’s story.

How to protect your users from phishing attacks

There are two key ways to protect your users from unwittingly letting an intruder inside your organization’s secret sanctum.

One – educate them. Teach them what to look out for, how to protect their accounts, what types of communications are suspicious, as well as how to report anything suspicious.

Two – build defenses. Have a solid security strategy in place to deter a potential attacker from even fingering you as a possible victim. This includes powerful business anti-spam, award-winning antivirus protection, and an enforceable email content policy.

More information available at https://www.gfi.com/products-and-solutions/email-and-messaging-solutions/gfi-mailessentials