What is a Phishing Attack?

A phishing attack is a social-engineering attack in which the attacker sends a fraudulent but genuine-looking message, most often an email, to trick recipients into carrying out a harmful instruction: clicking a link, opening an attachment, disclosing sensitive information, or transferring money.

How Do Phishing Attacks Work?

Target Research and Content Crafting

The crux of a phishing attack is getting the recipient to believe the message. To do this, attackers craft email content that is relevant or interesting to the recipient and consistent with the tone, language, and style of the organization or person being impersonated. A careful attacker spends considerable time on research. For mass phishing campaigns, attackers often impersonate well-known brands such as DHL, Amazon, and Google; LinkedIn was reported to be the most impersonated brand in phishing attacks in Q1 2022. For specific organizations, attackers carry out in-depth research and then harvest employees' email addresses from the company's website or social media profiles to address their phishing emails.

Once the victim is tricked, the attacker can proceed to the next stage of achieving their objectives.

Objective 1: Information Theft

Some phishing emails are designed to steal personal information. These emails pretend to come from trusted sources such as well-known enterprises and government departments and supply a pretext for the recipient to hand over personal data. The scammers can sell this information or use it for their own gain, for example by applying for credit cards in the victim's name, claiming a tax refund, or filing insurance claims.

Objective 2: Financial Fraud

Some phishing emails instruct recipients to transfer funds to an account. These emails often purport to come from a trusted sender, such as a boss or a well-known organization, and present a situation that requires immediate attention to create a sense of urgency. Victims may be left too anxious to check the credibility of the email and end up making the transfer. In a 2022 public service announcement, the FBI's IC3 reported that business email compromise (BEC) scams cost organizations around the world $43 billion between June 2016 and December 2021.

Objective 3: Network Intrusion

A phishing attack can be used to breach enterprise networks in pursuit of bigger objectives, such as ransomware deployment and data theft. Phishing is one of the most common ways threat actors gain initial access to enterprise networks; according to the Cisco 2021 Cybersecurity Threat Trends report, 90% of data breaches involve phishing. Phishing emails achieve network infiltration in two main ways.

  • Phishing links: Most phishing emails contain a link that takes the recipient to a web page controlled by the attacker. The page may serve malware directly (a drive-by download), or it may be a fake login portal for a commonly used business service. Attackers use these phishing sites to record whatever the victim types and so steal their username and password, which lets the attacker gain network access by logging in as a trusted user. According to Statista, 611,877 phishing sites were detected worldwide in Q1 2021, up from 165,722 in Q1 2020.
  • Phishing attachments: Some phishing emails carry malicious attachments. These may be disguised with innocuous file names, including double extensions such as invoice.pdf.exe, or they may be legitimate file types such as Word and Excel documents that have been tampered with. For example, attackers embed VBA macros in Office files that, once the recipient enables macros, run commands and connect to the internet. Such a macro often acts only as a loader that downloads and executes a second-stage malware payload. Other common phishing attachments include .exe, .zip, .rar, .pdf, and .iso files.
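Both mechanisms in the list above leave static traces that a mail gateway or an analyst can check before anyone clicks. The script below is an added example written for this article, not code from the original page or from Sangfor: it parses a raw message, flags anchors whose visible text names a different host than the real href, and inspects attachments for double extensions, risky extensions, and a VBA project inside an Office (OOXML) zip container. The message, the look-alike domain login-example.com.evil.test, and the macro-enabled workbook shell are all constructed for the demonstration.

```python
"""Content triage for a suspicious email: look-alike links and risky attachments."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".exe", ".zip", ".rar", ".iso")     # container/executable types named above
DOUBLE_EXTENSION = re.compile(r"\.(pdf|docx?|xlsx?)\.[a-z0-9]{2,4}$")  # e.g. invoice.pdf.exe
DOMAINISH = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # legacy binary .doc/.xls container


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_mismatches(html):
    """Anchors whose visible text names one host while the href goes to another."""
    collector = _AnchorCollector()
    collector.feed(html)
    hits = []
    for href, text in collector.anchors:
        shown = DOMAINISH.match(text)
        real_host = urlparse(href).hostname
        if shown and real_host and shown.group(1).lower() != real_host.lower():
            hits.append((text, href))
    return hits


def attachment_findings(filename, data):
    """Cheap static checks on one attachment: name tricks and macro containers."""
    findings = []
    lower = filename.lower()
    if lower.endswith(RISKY_EXTENSIONS):
        findings.append("risky extension")
    if DOUBLE_EXTENSION.search(lower):
        findings.append("double extension")
    if data.startswith(b"PK"):                           # OOXML (.docx/.xlsm/...) is a zip
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    findings.append("vba macro project")
        except zipfile.BadZipFile:
            findings.append("corrupt zip container")
    elif data.startswith(OLE_MAGIC):                     # confirming macros needs an OLE parser
        findings.append("legacy OLE container")
    return findings


def triage(raw):
    """Walk a raw RFC 5322 message and report link and attachment findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {"links": [], "attachments": {}}
    for part in msg.walk():
        name = part.get_filename()
        if name:
            report["attachments"][name] = attachment_findings(name, part.get_payload(decode=True))
        elif part.get_content_type() == "text/html":
            report["links"].extend(link_mismatches(part.get_content()))
    return report


def build_sample():
    """Constructed sample message (not a real phish): look-alike link plus two attachments."""
    workbook = io.BytesIO()
    with zipfile.ZipFile(workbook, "w") as z:            # minimal macro-enabled workbook shell
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/vbaProject.bin", b"\x00" * 16)    # placeholder bytes, not real VBA
    msg = EmailMessage()
    msg["From"] = "IT Support <it@example.com>"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_alternative('<p>Sign in at <a href="http://login-example.com.evil.test/">'
                        'https://login.example.com</a></p>', subtype="html")
    msg.add_attachment(workbook.getvalue(), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="invoice.xlsm")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="statement.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

Running the script on the constructed sample reports the link whose text says login.example.com but whose href goes to the attacker's host, the macro project inside invoice.xlsm, and both name tricks on statement.pdf.exe. The checks are deliberately static and cheap; a production pipeline would add URL reputation lookups and a real VBA extractor (for example olevba from the oletools project) for legacy OLE documents, where the presence of macros cannot be confirmed from the container signature alone.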

After loading their malicious files and tools onto the victim's machine, attackers can use more sophisticated techniques to escalate the attack.


Types of Phishing Attacks

Phishing attacks can be carried out in a number of different ways.

Phishing Campaign

In a phishing campaign, attackers send emails to thousands or even millions of users. The messages are relevant or of interest to a broad audience, for example a notice of suspicious activity on the recipient's account with a request to change the password. These attacks aim to steal credentials or other confidential information such as phone numbers, account numbers, social security numbers, and credit card details.

Spear Phishing Attack

Spear phishing is a targeted form of phishing attack against specific individuals, organizations, or industries. Attackers typically conduct in-depth research on their targets to craft phishing messages that are highly realistic and relevant. According to Symantec's Internet Security Threat Report 2019, 65% of known attack groups used spear phishing as their primary infection vector.

Internal Spear Phishing Attack

An internal spear phishing attack occurs when an internal user's email account is compromised and then used to send spear phishing emails to contacts within the organization or to third parties. Because the mail comes from a genuinely trusted account, it passes sender authentication and reputation checks, which greatly improves the chances that links and attachments are opened. Internal spear phishing is used for lateral movement inside a network rather than for the initial breach.

Whale Phishing Attack

Whale phishing is a type of spear phishing attack targeting high-ranking individuals such as a CEO, the big phish, or whale, so to speak. Attackers may also pose as the CEO to issue fraudulent instructions to subordinates, which is known as CEO fraud. The authority of such an individual makes it very likely that recipients comply with the email's instructions. According to data published by Statista, the global volume of reported CEO fraud incidents increased from 9,708 in 2017 to 17,607 in 2020. The FBI's 2021 IC3 report found that BEC was responsible for $2.4 billion in losses to U.S. companies in 2021.

Social Media Phishing Attack

As the name suggests, a social media phishing attack is conducted on platforms like Facebook, Twitter, and LinkedIn. It can take various forms. Attackers may simply post phishing lures that entice users to click a link, or they may set up fake accounts to befriend users. They then gather personal information that helps them guess credentials and security answers, or use the established trust to send malicious files.

Real-Life Examples of Phishing Attacks

COVID-19 Phishing Campaigns (Mass Phishing Campaign)

In the early days of the COVID-19 pandemic, the FBI observed a rise in fraud schemes related to the pandemic. Over the following two years, scammers took advantage of it to launch COVID-themed phishing campaigns. Common topics include financial relief, vaccines and cures, and case updates. Emails impersonated the Centers for Disease Control and Prevention (CDC) to appear highly trustworthy. Recipients were induced to give up sensitive information or to click malicious links that download malware, leading to malware or ransomware infection.


Image of COVID-themed phishing email that posed as the CDC, courtesy of BBC

Ireland Health Service Executive Ransomware Attack (Spear Phishing)

In May 2021, a ransomware attack hit Ireland's Health Service Executive (HSE), with the attacker demanding a ransom of $20M. HSE has published a post-incident review of the attack. The breach began when an internal user opened a malicious Excel file attached to a spear phishing email. The attacker then operated inside HSE's network for eight weeks before deploying the ransomware on May 14, 2021. The attack encrypted 80% of HSE's systems and led to severe disruptions in healthcare services across Ireland. Roughly 700 GB of personal data belonging to thousands of Irish citizens was stolen.

Financial Times Cyber-Attack (Internal Spear Phishing)

In May 2013, the Financial Times (FT) came under a spear phishing attack by the Syrian Electronic Army (SEA). The attackers gained access to an FT employee's corporate email account, which gave them the email addresses of every member of FT staff. SEA used the trusted account to send phishing emails containing a link that appeared to lead to a CNN web page. When FT discovered the phishing attempts, its IT department emailed employees to warn them of the threat. SEA turned this to its advantage by mimicking the warning emails to trick even more users.


Image of spear phishing email that mimicked the IT department’s warning message, courtesy of FT Labs

FACC Phishing Attack (Whale Phishing/CEO Fraud)

In January 2016, Austrian aerospace parts maker FACC lost around €50 million in one of the largest CEO fraud scams on record. The attacker posed as the company's CEO and sent a phishing email to an employee in the finance department asking for funds to be transferred for one of the company's acquisition projects. The employee obliged, and the money was transferred to an account under the attacker's control. The company later fired both the CEO and the CFO for failing to live up to their duties.

Attack on Security Researchers (Social Media Phishing)

On January 25, 2021, the Google Threat Analysis Group (TAG) reported a series of attacks targeting security researchers. The attackers set up a research blog to pose as security researchers and created multiple Twitter accounts that amplified the blog with write-ups, analyses, and videos of exploits. They befriended real security researchers, gained their trust, and then proposed to collaborate on vulnerability research. Victims were sent a Visual Studio project that contained the attackers' custom malware as a DLL, which was executed through Visual Studio build events when the project was built. The DLL provided command and control (C2), and the attack led to the theft of valuable research.


Images of Twitter profiles of attackers posing as security researchers, courtesy of Microsoft TAG

Why Phishing Attacks are So Successful

Phishing attacks are one of the most favored attack vectors (network entry points) of attackers. This is due in part to their high success rate. So why are phishing attacks so successful? It essentially boils down to two fundamental reasons.

  • Weak Email Security: Phishing attacks succeed largely because phishing emails are not always blocked before they reach the mailbox. This comes down to weak email filtering, made worse by email spoofing, in which the attacker forges the sender's address in the From header. Sender authentication (SPF, DKIM, and DMARC) only stops this when the impersonated domain publishes those records and the receiving mail server enforces them; look-alike domains and deceptive display names pass through regardless. The breadth of business email communication also makes strict settings impractical, such as accepting mail only from known contacts or blocking whole classes of attachments. Even so, employees may still fall victim to internal spear phishing sent from a genuinely trusted account. As long as a phishing email lands in the mailbox, there is a chance of deceiving the recipient.
  • The Human Element: Phishing belongs to the category of cyber-attacks known as social engineering, which relies on human interaction to trick people into specific actions. Humans are widely considered the weakest link in a computer network. Many employees have little or no knowledge of network security, which comes down to a lack of cyber security training to raise awareness and teach best practices. Even employees with a good degree of security awareness cannot be vigilant at all times; sometimes you are simply in a rush or too tired to inspect every email. Attackers are acutely aware of this and exploit it in full.

Protect Against Phishing with Sangfor Security Solutions

Sangfor NGAF (NGFW)

Sangfor NGAF is the world’s first AI-enabled next generation firewall (NGFW). While traditional firewalls rely on signatures to block threats, next-gen firewalls integrate a range of advanced capabilities.

In the case of phishing attacks, Sangfor NGAF connects with Threat Intelligence (TI), a component of Neural-X, to inspect the reputation of IPs, URLs, and files in real-time. If a phishing victim is lured into clicking a link, Sangfor NGAF sends the URL to Neural-X TI for analysis. Connection to the URL is blocked if it is deemed malicious.

Sangfor NGAF also benefits from the integration of Sangfor Engine Zero, a world-class AI-powered malware detection engine. Engine Zero has been trained against tens of millions of malware samples to improve its detection accuracy and efficiency. It detects not only known malware but also unknown malware by learning to recognize the characteristics of malicious files. Phishing attachments are thoroughly scanned for signs of maliciousness, such as irregular code that indicates tampering, and such files are blocked from being accessed or downloaded by Sangfor NGAF to prevent malware infection. With Sangfor NGAF deployed, 99% of malware is prevented from breaching the network.

Sangfor Endpoint Secure (EDR)

Sangfor Endpoint Secure is an endpoint detection and response (EDR) solution that goes beyond traditional endpoint security software like antivirus. Endpoint Secure stands ready to clean up malicious files that managed to sneak past the firewall and download onto the endpoint.

As with NGAF, Endpoint Secure is integrated with Engine Zero and performs AI-powered malware analysis on files loaded onto endpoints. Endpoint Secure has the added ability to detect malicious files by their behavior rather than solely by static features. For example, malicious files downloaded from phishing links or attachments usually connect to the internet to download additional files, run automated commands, or create new files on the endpoint. Engine Zero's detection recognizes these malware-like behaviors, and the offending files are blocked from running and quarantined.

Endpoint Secure is not only able to put a stop to malicious files but also correlates with NGAF to kill the chain of infection in one click. For example, Endpoint Secure can work with NGAF to identify and quarantine the malicious process that is making C2 communication.

Sangfor Cyber Command (NDR)

While NGAF and Endpoint Secure are great at detecting malware and threats, we understand that nothing is 100% foolproof. Sangfor Cyber Command provides a crucial layer of protection for a multi-layered defense against phishing and other cyber-attacks.

Sangfor Cyber Command is a network detection and response (NDR) solution that analyses real-time network traffic to detect hidden threats. To do this, Cyber Command uses machine learning to build and learn baselines of normal network activity. AI-powered behavioral analytics analyses real-time network traffic and compares results with these baselines to detect anomalies.

The idea is that the breach of one device is usually of little use to an attacker on its own. To achieve bigger objectives, attackers need to move inside the network and establish communication with their own infrastructure, and these activities show up in network traffic. Because malicious operations differ from normal network behavior, an NDR solution can detect them as anomalies and unearth the threat. Cyber Command further correlates with NGAF and Endpoint Secure to map the kill chain and instructs them to take remedial action, such as isolating compromised hosts.

When used in conjunction, Sangfor’s cutting-edge security solutions deliver a holistic multi-layered protection system against all types of advanced cyber threats.

