What is a Phishing Attack: Examples & Action Plans
In this article CyberLab CEO Gavin Wood covers:
- The types of Phishing
- How a shift to a hybrid workplace has impacted attacks
- What can be done to help halt this rise
Email: businesses depend on it, and whether you love it or hate it, it’s here to stay. Even with the seemingly unstoppable rise of Teams/Zoom (other collaboration tools are available), email remains the primary business communication tool in most organisations. Cybercriminals are fully aware of this and use email as a gateway into a business. This is known as Phishing.
Today, I will deep dive into what Phishing is and how you can ensure you and your business are better protected.
What is Phishing?
Phishing is a type of social engineering attack in which an attacker sends a fraudulent email to a victim with the aim of triggering a response, such as revealing sensitive information, triggering a malicious payload such as ransomware, or even voluntarily transferring funds to the attacker’s account.
There are several types of Phishing:
Bulk Phishing: Bulk sending emails that are not personalised or targeted. A spray and pray approach.
Spear Phishing: Directly targeting a person or business through personalisation of the email message and content, with the aim of increasing the effectiveness of the attack. The attacker may be looking for the credentials of someone with poorly configured privileges, such as domain admin.
Whaling: Spear Phishing through targeting the senior/executive team or other high-value targets within a business.
CEO Fraud: The opposite of Whaling. A Spear Phishing email is sent to someone in the business purporting to come from the CEO, with the aim of getting that person to do as asked.
How a shift to a hybrid workplace has impacted attacks
So why has the shift to hybrid working been the focus for cybercriminals?
One of the main factors is the global COVID pandemic, which forced businesses to adopt new ways of working very quickly. This rapid transition to new technologies led to many businesses not fully assessing the impact, especially on IT security. For example, has your new hybrid working model been through the same level of security sign-off as your previous office-centric approach? Have you tested this new setup with an independent third party to verify your security assumptions? These scenarios and security stages were evidently missed, in large part due to the speed of transition.
Secondly, cyber attackers are capitalising on people. No matter what technical controls are in place, the human element cannot be underestimated. According to Tessian, 43% of people admitted to making a mistake at work that had security repercussions. Phishing works because people can be hacked. Attackers take advantage of our natural psychological tendencies to trick us into behaviours that allow them to succeed.
The new hybrid working approach is a factor in this. Remote working, for all its advantages, can bring new stressful elements, such as household distractions like childcare. Being “always available” can make us more vulnerable to clicking that email. Tessian reported that 57% of their survey respondents feel more distracted when working from home.
So what can be done to help halt the rise of Phishing?
I don’t think anything we can do will stop criminals; it’s just too easy and profitable for them to stop. The main way to combat attacks is to have a strong set of technical controls in place to remove the possibilities of a Phishing email reaching a person’s inbox.
Adopting a layered approach to security helps ensure you’re protected. Filter mail using a trusted provider before it even hits your infrastructure, and have appropriate filtering rules in place for your mail processing system. Also ensure that DKIM, SPF, and DMARC are configured and working correctly.
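As an added example (not code from the article or from CyberLab), the script below checks the SPF and DMARC settings the paragraph above refers to for the weak configurations that let spoofed mail through. It works on records you have already fetched (for example with `dig TXT example.com` and `dig TXT _dmarc.example.com`); the record strings embedded in it are constructed samples for a hypothetical example.com, not real domains' records. DKIM is left out because validating a DKIM key needs the live selector record and a signed message.

```python
"""
Offline checker for SPF and DMARC TXT records.

Added example, not code from the original article or from CyberLab. It assumes
the records were fetched beforehand; the strings below are constructed samples
for a hypothetical example.com domain.
"""
import re

# Constructed sample records: a weak pair beside a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.mail.example +all"
STRONG_SPF = "v=spf1 include:_spf.mail.example -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                "rua=mailto:dmarc-reports@example.com")


def parse_spf(record: str) -> dict:
    """Split an SPF record into its mechanisms and the qualifier on 'all'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms = terms[1:]
    qualifier = None
    for term in mechanisms:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            qualifier = m.group(1) or "+"  # RFC 7208: a missing qualifier means "+"
    return {"mechanisms": mechanisms, "all_qualifier": qualifier}


def parse_dmarc(record: str) -> dict:
    """Parse the 'tag=value' pairs of a DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_record: str, dmarc_record: str) -> list:
    """Return a list of findings; an empty list means nothing weak was spotted."""
    findings = []
    spf = parse_spf(spf_record)
    qualifier = spf["all_qualifier"]
    if qualifier is None:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are treated as neutral")
    elif qualifier in ("+", "?"):
        # '+all' passes every host; '?all' is neutral. Neither stops spoofing.
        findings.append(f"SPF: '{qualifier}all' lets any host pass, use '-all' or '~all'")
    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "").lower()
    if policy == "none":
        # p=none only generates reports; receivers take no action on failures.
        findings.append("DMARC: p=none monitors only, move to quarantine or reject")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or unknown policy {policy!r}")
    if "rua" not in dmarc:
        findings.append("DMARC: no rua address, so aggregate reports will not arrive")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["no findings"])
```

Run against the weak pair it reports the `+all` and `p=none` settings; against the hardened pair it reports nothing. A DMARC policy of `none` is the usual first step when rolling DMARC out, but it is also the state many organisations stop at, so the check treats it as a finding rather than a pass.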
Ultimately, use an industry leader in endpoint technologies that can block any threats that do make it through! Test your defences and use a trusted provider to assess your security.
Finally, and most importantly, educate your people. If Phishing works because it takes advantage of our behaviour, train your people to be aware and know what action to take if they suspect they are being Phished.