What is a Phishing Attack?
A phishing attack is a cyber-attack where an attacker crafts a fraudulent yet genuine-looking email to deceive recipients into carrying out harmful instructions. This can be clicking on a link, opening an attachment, providing sensitive information, or transferring money.
How Do Phishing Attacks Work?
Target Research and Content Crafting
The crux of a phishing attack is getting the email recipient to believe the phishing message. To do this, attackers need to craft email content that is relevant or interesting to the recipient. Also, it must be consistent with the tone, language, and style of the organization or person they are pretending to be. A conscientious attacker will spend lots of time on research. For mass phishing campaigns, attackers often impersonate famous brands like DHL, Amazon, and Google. In fact, LinkedIn is reported to be the most impersonated brand in phishing attacks in Q1 2022. For specific organizations, attackers tend to do in-depth research. They then search for employees' email addresses on the company’s website or social media to send phishing emails.
Once the victim is tricked, the attacker can proceed to the next stage of achieving their objectives.
Objective 1: Information Theft
Some phishing emails are designed to steal personal information. These emails pretend to be from trusted sources such as well-known enterprises and government departments. They create an excuse to make the recipient provide their personal data. The scammers can sell this information or use it for their own gain. This includes applying for credit cards in the victim’s name, applying for a tax refund, and making insurance claims.
Objective 2: Financial Fraud
Some phishing emails instruct recipients to transfer funds to an account. These emails often purport to be from a trusted sender, such as a boss or a well-known organization. They present a situation that requires immediate attention to create a sense of urgency. Victims may be left too anxious to check the credibility of the email and end up making the transfer. In a new public service announcement, the FBI's IC3 reported that business email compromise (BEC) scams cost companies around the world $43 billion between June 2016 and December 2021.
Objective 3: Network Intrusion
A phishing attack can be used to breach enterprise networks to achieve bigger objectives, such as ransomware infection and data theft. In fact, phishing attacks are one of the most common ways threat actors gain initial access to enterprise networks. According to the Cisco 2021 Cybersecurity Threat Trends report, 90% of data breaches involve phishing. Phishing attacks achieve network infiltration in two main ways.
- Phishing links: Most phishing emails contain a link that takes the recipient to a web page controlled by the attacker. This web page may directly download malware onto the victim’s machine. The web page may be a fake login portal for a commonly used business service. Attackers can use these phishing sites to record the victim’s input data to steal their username and password. This allows the attacker to gain network access by logging in as a trusted user. Statista detected a total of 611,877 phishing sites worldwide in Q1 2021, up from 165,722 in Q1 2020.
- Phishing attachments: Some phishing emails are attached with malicious files. These files can be disguised using unsuspicious file names. They can also be legitimate file types like Word and Excel files that have been tampered with. For example, attackers can embed a macro function in Office files to run programs and connect to the internet when opened. The macro function can also act as a loader to download and execute another malware payload. Other common phishing attachments include .exe, .zip, .rar, .pdf, and .iso files.
After loading their malicious files and tools onto the victim's machine, attackers can use more sophisticated techniques to escalate the attack.
Types of Phishing Attacks
Phishing attacks can be carried out in a number of different ways.
- Phishing Campaign: In a phishing campaign, attackers send emails to thousands and millions of users. These messages are relevant or of interest to a broad audience. For example, emails that inform users of suspicious activity on their accounts and ask them to change their password. These phishing attacks aim to steal credentials or other confidential information. For example, phone numbers, account numbers, social security numbers, and credit card details.
- Spear Phishing Attack: Spear phishing is a targeted form of phishing attack against specific individuals, organizations, or industries. Attackers typically conduct in-depth research on their targets to craft phishing messages that are highly realistic and relevant. According to Symantec’s Internet Security Threat Report 2019, 65% of threat actors used spear phishing as the primary attack vector.
- Internal Spear Phishing Attack: Internal spear phishing attack occurs when an internal user’s email account is hacked. It is then used to send spear phishing emails to contacts within the organization or third parties. The use of a trusted email account to launch spear phishing greatly improves the chances that links and attachments are accessed. Internal spear phishing is used for lateral movement inside a network as opposed to an initial breach.
- Whale Phishing Attack: Whale phishing is a type of spear phishing attack where the targets are high-ranking individuals, such as a CEO – the big phish, or whale, so to speak. Attackers may also pose as the CEO to issue fraudulent instructions to subordinates, also known as CEO fraud. The authority of such an individual makes it very likely that recipients comply with the email’s instructions. According to newly released data by Statista, the global volume of CEO fraud increased from 9,708 in 2017 to 17,607 in 2020. FBI’s 2021 IC3 report found that BEC was responsible for $2.4 billion in losses to U.S. companies in 2021.
- Social Media Phishing Attack: As the name suggests, social media phishing attack is conducted on social media platforms like Facebook, Twitter, and LinkedIn. This type of phishing attack can take various forms. Attackers may simply post phishing scams that entice users to click on a link. They may also set up fake accounts to make acquaintances with users. Attackers then gather their personal information to guess their credentials and security answers or send them malicious files.
Real-Life Examples of Phishing Attacks
COVID-19 Phishing Campaigns (Mass Phishing Campaign)
In the early days of the COVID-19 pandemic, the FBI found a rise in fraud schemes related to the Pandemic. Over the past two years, scammers have taken advantage of the COVID-19 pandemic to launch COVID-themed phishing campaigns. Common topics include financial relief, vaccines and cures, and case updates. Emails have impersonated the Centers for Disease Control and Prevention (CDC) to appear highly trustworthy. Recipients are often made to give up sensitive information or click on malicious links that download malware. This can lead to malware or ransomware infection.
Image of COVID-themed phishing email that posed as the CDC, courtesy of BBC
Ireland Health Service Executive Ransomware Attack (Spear Phishing)
In May 2021, a ransomware attack hit Ireland’s Health Service Executive (HSE), with the attacker demanding a ransom of $20M. HSE has published a post-incident review of the attack. It was discovered that the breach occurred as a result of an internal user opening a malicious Excel file attached to a spear phishing email. The attacker operated inside HSE’s network for 8 weeks and deployed the ransomware on May 14, 2021. The attack encrypted 80% of HSE’s systems and led to severe disruptions in healthcare services across Ireland. Roughly 700GB’s worth of personal data of thousands of Irish citizens was stolen.
Financial Times Cyber-Attack (Internal Spear Phishing)
In May 2013, the Financial Times (FT) came under a spear-phishing attack by the Syrian Electronic Army (SEA). The hackers managed to gain access to an FT employee’s corporate email account. This came with the email addresses of every FT staff. SEA used the trusted account to send phishing emails containing a link that appears to connect to a CNN web page. When FT discovered the phishing attempts, its IT department sent emails to warn employees of the threat. SEA used this to their advantage by mimicking the warning emails to trick even more users.
Image of spear phishing email that mimicked the IT department’s warning message, courtesy of FT Labs
FACC Phishing Attack (Whale Phishing/CEO Fraud)
In January 2016, Austrian aerospace parts maker FACC lost €50 million in one of the largest CEO fraud scams. The attacker posed as the company’s CEO and sent a phishing email to an employee in the finance department. The email asked the employee to transfer funds for one of the company’s acquisition projects. The employee obliged, and the money was transferred to an account under the attacker’s control. The company fired the CEO and CFO for failing to live up to their duties.
Attack on Security Researchers (Social Media Phishing)
On January 25, 2021, the Google Threat Analysis Group (TAG) reported a series of attacks targeting security researchers. The attacker set up a research blog to pose as security researchers. They also set up multiple Twitter accounts to contribute to the blog with write-ups, analyses, and videos of exploits. The attacker made acquaintance with real security researchers and gained their trust. They then proposed to collaborate with the researchers on vulnerability research. Victims were sent a VS project that contained the attacker’s custom malware in the form of a DLL file. The DLL was used for command and control (C2), and the attack led to the theft of valuable research.
Images of Twitter profiles of attackers posing as security researchers, courtesy of Microsoft TAG
Why Phishing Attacks are So Successful
Phishing attacks are one of the most favored attack vectors (network entry points) of attackers. This is due in part to their high success rate. So why are phishing attacks so successful? It essentially boils down to two fundamental reasons.
- Weak Email Security: Phishing attacks are successful largely because phishing emails are not always blocked from reaching the mailbox. This is down to weak email filtering and made worse by a technique called email spoofing. This allows attackers to forge the sender’s address. The wide scope of business email communication means that it would be impractical to have strict email settings. For example, to only accept emails from contacts or block certain file attachments. Even so, employees may still fall victim to internal spear phishing sent from a trusted account. As long as phishing emails land in the mailbox, there is always a chance of deceiving the recipient.
- The Human Element: Phishing attacks belong to a category of cyber-attacks known as social engineering. Social engineering involves human interaction and tricking people into specific actions. Humans are considered the weak links in a computer network. Most employees have little to no knowledge of network security. This is down to a lack of cyber security training to raise security awareness and teach best practices. However, even if employees have a certain degree of security awareness, it is almost impossible to be vigilant at all times. Sometimes you are simply in a rush or too tired to inspect every email. Attackers are acutely aware of this and exploit it in full.
Best Practices to Avoid Falling for Phishing Attacks
Verify the email’s authenticity
Even though phishing emails can look highly authentic at first, there are various clues that may indicate that the email is fake on closer inspection.
- Email Header
- Check the actual email address of the sender and see whether it is consistent with the sender’s displayed name. Check very carefully since attackers try to make fake email addresses look genuine. A forged email address may contain irregular spelling, word order, and punctuation.
- Check whether the email was sent to any other addresses in the “cc” field. Untargeted phishing emails are sent to a large number of random addresses. Real emails about your personal affairs certainly will not be sent in this manner.
- Email Content
- Check whether the content of the email actually applies to you. For example, an email that warns you of a problem with a service that you do not actually use is definitely fake.
- Check the quality of the language. Some threat actors may not be native to the country that you are from, and therefore spelling and grammar mistakes might appear.
- Beware of emails that appear to be from trusted contacts that request you to do something unreasonable, such as transferring funds or giving up your personal information, login credentials, and credit card details. If you are not sure, contact the person through other means, such as telephone or a communication app to confirm.
- If there is a link in the email, do not click it but hover over it so that the URL appears in a bubble. Check whether the URL is consistent with context of the email, especially the domain (the part before the “.com” or equivalent). You should also do this for links that appear as URLs as they might in fact be text that is hyperlinked.
- Check whether the URL begins with https or http. The former with the “s” indicates that encryption is enabled, while it is not for the latter. The majority of trusted web addresses begin with https, so one that does not can potentially be dangerous.
- If there are any attachments in the email, hover over the attachment to check the full name of the file. Various things can indicate a threat, for example, file names that are not consistent with the email’s content and file names that are particularly long with spaces that obscure the end of the file name.
- Check the file extension (the part after the “.” at the end of a file) to see whether it is consistent with what it is meant to be, for example, an “.exe” file instead of what is meant to be a document.
Access your real account
Some phishing emails might warn you that a particular account of yours needs attention and provides you with a link to solve the issue. If you do indeed have such an account, the email could potentially be real. However, don’t click on the provided to solve the issue. Log in to your account through official channels and deal with the matter in this way, for example, to pay a bill (if there is one) or to change a password.
Reach out to the organization
For suspicious emails from organizations such as a company or a government agency, it’s recommended that you contact them directly through means other than replying to the email. Search on the internet for their official number or email address. This can be a little convenient and might delay attending to the affair, but it’s always better to be safe than sorry when it comes to cyber security.
Protect Against Phishing with Sangfor Security Solutions
Sangfor NGAF (NGFW)
Sangfor NGAF is the world’s first AI-enabled next generation firewall (NGFW). While traditional firewalls rely on signatures to block threats, next-gen firewalls integrate a range of advanced capabilities.
In the case of phishing attacks, Sangfor NGAF connects with Threat Intelligence (TI), a component of Neural-X, to inspect the reputation of IPs, URLs, and files in real-time. If a phishing victim is lured into clicking a link, Sangfor NGAF sends the URL to Neural-X TI for analysis. Connection to the URL is blocked if it is deemed malicious.
Sangfor NGAF also benefits from the integration of Sangfor Engine Zero, a world-class AI-powered malware detection engine. Engine Zero has been pitted against tens and millions of malware samples to train its malware detection accuracy and efficiency. Engine Zero not only detects known malware but also unknown malware by learning to recognize the characteristics of malware. Phishing attachments are thoroughly scanned to detect maliciousness, such as irregular code that indicates tampering. Such files are blocked from being accessed or downloaded by Sangfor NGAF to prevent malware infection. With Sangfor NGAF deployed, 99% of malware is prevented from breaching the network.
Sangfor Endpoint Secure (EDR)
Sangfor Endpoint Secure is an endpoint detection and response (EDR) solution that goes beyond traditional endpoint security software like antivirus. Endpoint Secure stands ready to clean up malicious files that managed to sneak past the firewall and download onto the endpoint.
As with NGAF, Endpoint Secure is integrated with Engine Zero and performs AI-powered malware analysis on files loaded onto endpoints. However, Endpoint Secure has the added ability to detect malicious files based on their behavior and not solely on features. For example, malicious files downloaded from phishing links or attachments usually connect to the internet to download additional files, run automated commands, or create new files on the endpoint. These malware-like behaviors can be detected by the intelligent detection of Engine Zero. The perpetrating files will be blocked from running and quarantined.
Endpoint Secure is not only able to put a stop to malicious files but also correlates with NGAF to kill the chain of infection in one click. For example, Endpoint Secure can work with NGAF to identify and quarantine the malicious process that is making C2 communication.
Sangfor Cyber Command (NDR)
While NGAF and Endpoint Secure are great at detecting malware and threats, we understand that nothing is 100% foolproof. Sangfor Cyber Command provides a crucial layer of protection for a multi-layered defense against phishing and other cyber-attacks.
Sangfor Cyber Command is a network detection and response (NDR) solution that analyses real-time network traffic to detect hidden threats. To do this, Cyber Command uses machine learning to build and learn baselines of normal network activity. AI-powered behavioral analytics analyses real-time network traffic and compares results with these baselines to detect anomalies.
The idea is that the breach of one device is usually no good to an attacker. To achieve bigger objectives, attackers need to move inside the network and establish communication with their own infrastructure. These activities show up in network traffic. Given that malicious operations are different to normal network behavior, NDR solutions can detect them as anomalies and unearth the threat. Cyber Command further correlates with NGAF and Endpoint Secure to map the kill chain and instructs them to take remedial action, such as isolate compromised hosts.
When used in conjunction, Sangfor’s cutting-edge security solutions deliver a holistic multi-layered protection system against all types of advanced cyber threats.
Frequently Asked Questions
A phishing attack is a cyber-attack where an attacker crafts a fraudulent yet genuine-looking email to manipulate recipients into carrying out harmful instructions. This can be clicking on a link, opening an attachment, providing sensitive information, or transferring money.
In a standard phishing attack, phishing emails are sent indiscriminately to thousands of email addresses. The content of phishing emails is more generic and may be relevant or of interest to a large audience. Spear phishing attacks are targeted against specific individuals, organizations, or industries. Attackers typically conduct in-depth research on their targets to craft phishing messages that are highly realistic and relevant.
Phishing attacks can be prevented by best practices, such as checking the sender's email address, hovering over any URLs to check them, and contacting the sender that the email purports to be from through other means to confirm the email's authenticity. To prevent phishing attacks on an organizational scale, companies should provide phishing awareness training to all their employees to ensure that they are all equipped to spot phishing emails. For additional security, companies can arrange phishing attack simulations to verify the effectiveness of the training.
It's difficult to be vigilant against phishing attacks at all times, and someone may accidentally click on a link or open an attachment in a phishing email. But even so, a successful compromise is not a certainty. Various security technologies are available to detect and respond to attacks. For example, next-generation firewalls can block attempts to download malware from known malicious IP addresses. Endpoint detection and response (EDR) solutions equipped with AI-powered malware detection can catch any malware that manages to bypass firewall detection. Network detection and response (NDR) solutions uncover attempts to spread through the network.
There are various signs that may indicate that you have experienced a phishing attack. For example, a link that was supposed to direct you to another website turned out to download something on the computer or a login page that failed to log you in after you entered your login credentials. If you suspect that you have experienced a phishing attack, you should contact the IT or security administrator of your organization immediately. Any attacks that are properly dealt with can potentially escalate into a serious attack, such as a large-scale data breach or ransomware attack.