"Why try to hack your technology when it's easier to just trick a person?"
That's what most attackers are already thinking. And, if you read Part 1, it's probably no surprise to hear that phishing and social engineering attacks are very common and continue to be a successful initial attack vector.
In this three-part series, we're talking about ways to level up your defenses and teach you what you didn’t know you needed to know about phishing emails and similar types of cyber-attacks that are designed to trick your users.
We won’t get deeply technical, but across these three articles, we will dive deep into why it’s still a major concern today, how phishing attacks work, and how to protect yourself.
This week, let’s take a closer look at how phishing attacks work so we know what to watch for and to better understand what’s at stake.
Typically, they are going to ask you to do something like click a link, respond with sensitive information, or open a file. They may even ask you to send money, gift cards, or pay an invoice.
In some cases, the link you interact with may lead to a credential-harvesting site that looks like a trusted login page solely designed to pass your username and password along to the attacker.
"By the way, if someone steals your credentials and you have Multi-Factor Authentication (MFA), it may not be enough to stop an attack. MFA Bypass is 100% possible, so while it’s harder to use stolen credentials when MFA is in place, there are ways to get around that. (There is never a silver bullet in cybersecurity that will be the end-all solution, it takes layers of security!)"
Phishing could also involve links that go to a malicious site, open a file, or take you to a trusted file share service but with malicious contents.
However it plays out, interacting with a phishing email could result in access to one of your accounts, capturing of sensitive information, getting malware or ransomware, and secondary attacks like an email compromise.
It’s one of the easiest ways in because emails can be sent at scale, and it only takes one unlucky user having a bad day to end up a victim.
Phishing attacks use a number of techniques to get us to click or respond. A single message can combine one or several of the following:
They may have disguised themselves by making their email look like something or someone you would trust.
For example, instead of “amazon.com”, they might use “arnazon.com”, relying on the lower-case letters “r” and “n” looking like an “m”. They can also substitute characters from other alphabets, such as the Greek letter alpha in place of the Latin “a”, so that “usbank.com” becomes “usbαnk.com”.
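The two lookalike tricks above can be caught mechanically before a person has to squint at them. The following is an added example, not code from the original article: it reduces a sender domain to a "skeleton" (lookalike characters and letter pairs collapsed to the Latin letter they imitate) and compares that against a constructed allow list of trusted domains, and separately flags labels that mix scripts. The trusted domains and the confusables table are assumptions for the example; a real filter would use the full Unicode confusables list.

```python
import unicodedata
from typing import Optional

# Trusted domains to protect (constructed for this example).
TRUSTED = {"amazon.com", "usbank.com"}

# Single characters from other scripts that render like Latin letters.
# Small constructed table; production code would use the full Unicode
# confusables data. Headers carry IDNA/punycode ("xn--..."), so decode
# each label to Unicode before calling these helpers.
CONFUSABLES = {
    "α": "a", "а": "a",                       # Greek alpha, Cyrillic a
    "е": "e", "о": "o", "р": "p", "с": "c",   # Cyrillic e, o, p, c
}
# Letter pairs that look like one Latin letter in many fonts.
SEQUENCES = {"rn": "m", "vv": "w"}


def skeleton(domain: str) -> str:
    """Collapse lookalike characters so an impostor maps onto its target."""
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    d = "".join(CONFUSABLES.get(ch, ch) for ch in d)
    for seq, rep in SEQUENCES.items():
        d = d.replace(seq, rep)
    return d


def uses_mixed_script(label: str) -> bool:
    """True if the letters of one label come from more than one script.

    Catches "usbαnk" (Latin + Greek) but not "arnazon", which is all
    Latin; that case needs the skeleton comparison instead.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            # Character names begin with the script: "GREEK SMALL LETTER ALPHA"
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return len(scripts) > 1


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one impersonates, or None."""
    domain = domain.strip().lower()
    if domain in TRUSTED:
        return None  # exact match: the genuine domain
    sk = skeleton(domain)
    for trusted in TRUSTED:
        if sk == skeleton(trusted):
            return trusted
    return None
```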
And, if you haven’t set up common email security configurations like SPF, DKIM, and DMARC, it can be almost impossible for a person to tell on their own that someone is “spoofing” (impersonating) your email domain so that their message looks like it came from your email address.
We’ll define these and explain their role in security in Part 3.
Usually, they are going to play on emotions. They don’t want you to think for too long about things, so there’s usually a sense of urgency around their messaging, sometimes threatening consequences like getting locked out of your account, losing money, etc.
It must be effective because, according to Verizon’s 2024 Data Breach Investigations Report, phishing attacks happen fast!
Verizon found that the median time to click on a malicious link after the email is opened is 21 seconds, and then it takes only another 28 seconds to enter the data. That means the median time for users to fall for phishing emails is less than 60 seconds!
They are hoping to catch you off guard or at a time when you’re too busy and distracted to worry about what you’re doing. Some messages may just be flat-out confusing, hoping you’ll bite because you aren’t sure what’s going on.
They also have ways to tell when employees are new or when they can expect you to be busy, so they try to catch you at a time when a lack of clarity works in their favor. We all know the new employee who is eager to impress their new CEO with how quickly they can get those iTunes gift cards!
We also see this play out when a link takes the user to a “Credential Harvesting Site”: a page that mimics a login screen we recognize and is designed to capture your username and password.
The unsuspecting user just thinks: “That’s odd, I thought I was already signed in, I’ll just do it again”. And they may likely never know what just happened.
Another aspect of phishing is that it commonly plays on our curious nature, much like other forms of clickbait.
Maybe we can’t help but see what the spreadsheet labeled “Executive Payroll” has in it…
They may also use other information they already know about you from other attacks or data breaches.
Sometimes, an attacker may show a password or something to “prove” that they are a reliable and trusted person when that information may be out there for anyone to find.
We also see this happen when someone in the chain is compromised, and the attacker sends an invoice you were expecting or asks you to change a bank account number for an upcoming transaction.
Depending on what information can be gathered in their reconnaissance phase, an attacker may use combinations of the above techniques to craft the perfectly timed email.
A great example is when there is a Business Email Compromise of a third party, and the attacker is able to jump in with a timely message asking to make a change to a deposit or sends an invoice.
Their visibility into the other party’s email allows them to know just what to do and when to do it. And, because they time it carefully, things seem to go as anticipated on your end.
Days, weeks, or months later, you may find that the money you sent was never received. Well, not by the person you had hoped received it!
Our next article will dig deeper into this, but the answer is a combination of security practices and, most importantly, security awareness training paired with phishing simulations. The simulations let users test their ability to identify suspicious messages and help you spot gaps in training, as well as the employees who need more help.