The Complete Guide to Phishing Scams
We've all heard of them by now, but do your end-users really know how to spot a phishing scam? Here, we look at the different types of attacks and employee phishing awareness training.
In short, phishing is an online scam where a cyber criminal (usually impersonating a trusted company) sends an email to someone, encouraging them to provide sensitive information. The objective often involves having the victim click a link within the email - which then directs the user to a fraudulent website waiting to harvest their information.
Although phishing emails are far from being the new kid on the block in terms of cyber threats, the latest phishing statistics are showing no signs of ageing.
"Only 3% of users report phishing email to their management"
Many of these scams are emailed in a “spray and pray” approach, with generic email templates sent out in their masses. This attempt to lure victims onto a hook is where the term “phishing” was coined, due to its similarity to, well… fishing.
But don’t be fooled, not all of these scams are as generic as this. Social engineering and pretexting techniques offer far more personalised attacks - with prior research on a victim used to add extra layers of familiarity and trust in the eyes of an unsuspecting target.
You might still be wondering why phishing scams have been so successful for cyber criminals. I mean, what sort of information could they really obtain to do any damage? The answer is - a hefty chunk. Credit card numbers, account numbers and account passwords are just a drop of the data up for grabs in the old phishing pond.
As you'll find out in the next chapter, scammers aren't short on techniques. Unfortunately, this means they're also not short on designs and templates for their phishing emails, making life difficult for the average employee with low security-awareness knowledge. Take a look at our blog dedicated to the most common examples of a phishing email to gain an insight into what you should expect to see when being scammed. For now though, here's arguably the most common type of phishing email - 'the fake invoice scam'.
In typical phishing style, this simple yet sophisticated fake invoice request encourages an employee to "view your bill". As you've most probably guessed by now, there's no bill waiting - just fraudulent activity.
There's plenty of warning signs an end-user can look out for when they suspect an email isn't all it's cracked up to be, which you're about to find out in Chapter Two.
So, you're now familiar with phishing, but what about terms like whaling, smishing and vishing? These are just a few of the more modern types of phishing scams that are slowly creeping up on their original counterpart (and making in-house awareness training even more difficult).
Here are six of the most common types of phishing scams and the red flags that you and your employees should be looking out for:
Let’s start with the hugely simple (yet hugely effective) old-school phishing technique. This scam relies heavily on a “spray-and-pray” approach, where fraudulent emails are sent in their masses to a large number of recipients.
These emails often impersonate a known or trusted company or individual, with the aim of tricking an end user into parting ways with personal information - whether that be login credentials or banking information. Attacks can also encourage an unsuspecting user to download a harmful email attachment or a file from a fake website - opening the door to a damaging malware infection.
All of this is made possible by what’s known as ‘email spoofing’, where email headers and subject lines are forged to make the email look as legitimate as possible. It’s certainly worth reading up more on the ins and outs of an email phishing scam, as these emails can target absolutely anyone.
Rather than chucking out a huge level of bait and seeing who comes back to bite, a spear phishing attack often targets high-value employees and businesses. Although the phishing net is much smaller here, the handful of organisations and victims on offer can create some lucrative returns.
The success rate is also much higher with this technique, as the cyber criminals will spend a lot of time studying their victim and scraping personal details from social media accounts or company pages. These details can then be referenced during an attack to create legitimacy - whether it be an upcoming work event or an upcoming merger.
In a technique not too dissimilar to spear phishing, attackers can commit a lot of research into their victims before carrying out BEC scams and CEO fraud. The difference here is that the criminal will often impersonate a financial officer or CEO, in order to con victims into completing monetary transfers into unauthorised accounts.
In this increasingly common phishing scam, attackers compromise the email account of a high-level exec or financial officer via an already successful spear phishing attack or a previous infection. The criminal then patiently spies on the account’s email activity, while gathering valuable information on the processes and procedures of the business.
When equipped with enough information to effectively impersonate the executive, the attacker will send an email - usually containing urgency or high importance - and requests that the victim transfer funds to a specified account. It’s a riskier scam, yet still a lucrative favourite in the world of cyber crime.
Another scam involving the bigger fish of the organisation, a whaling attack targets only an organisation’s top executives. The term whaling reflects exactly this - with a cyber criminal not wanting to waste time on smaller fish and, instead, targeting the ‘whales’ of the company due to the value of information they hold.
Prior research is also important for the criminal here, with social engineering techniques being deployed in order to obtain information that can later be used in the phishing email.
Smishing, otherwise known as ‘SMS phishing’, is one of the newer kids on the block. Although more modern, this attack still operates in the same way as a traditional scam, where fraudulent messages are received with the aim of persuading you to give up your personal information.
The scary thing with Smishing attacks is that employee awareness around any type of mobile scam is dismally low. The recent WhatsApp message scam has unfortunately proved that point, with many customers falling for fake supermarket vouchers that came from contacts already stored on their phone.
We’ve all had a number of dodgy unsolicited calls in the past, making our trust levels extremely low when companies or people we’ve never heard start to dial our number. But vishing (a combination of “voice” and “phishing”) can be very persuasive in the art of impersonation.
‘Vishers’ often pretend to call from a company you’re familiar with, such as your bank, whilst relying on urgency and fear to pressure you into making an impulsive decision. Expect to hear lines such as “we’ve just been notified that your account has been compromised” when getting these types of calls.
Whilst phishing emails can be convincing, there are a few red flags to help you determine the legitimacy of the email. The most obvious red flag is "If something seems too good to be true, then it probably is". This phrase applies to all of the phishing attacks you may encounter.
In this section of the guide we will discuss the 6 red flags to look out for when identifying phishing emails.
The link in an email is one of the most common factors when determining the legitimacy of the phishing email.
To tell if the link is legitimate hover over it with your mouse and see what pops up.
Straight away you can determine whether the link is authentic or not from the link itself. Phishing links often look dodgy. There are usually random characters and numbers strung together, or a misspelling of a legitimate company name. Here are a few examples of phishing links:
This factor is probably the most common occurrence in phishing emails. It's usually the first thing you spot. Fraudsters are known to make spelling and grammar mistakes. If you do spot a mistake, it is likely to be a phishing email.
Some phishing emails use bargaining tactics to entice victims into giving away their details. Some very common methods are offering freebies, telling the target they have won a competition, or exchanging their credentials for a "free download". These types of phishing scams are targeted at pretty much everyone.
Any emails that are offering rewards, vacations and cash prizes are probably phishing emails. As I've mentioned previously, "if it sounds too good to be true, it probably is". Remember, you have no idea who sent that email and there isn't always a way of verifying who the sender is. These types of deals and freebie phishing attempts encourage their targets to act quickly, because there is usually a time limit on the offer.
Pretty much any phishing email you receive will want some form of data from you. No company, not even your bank will request access to your accounts or financial information over email. Even if they say they are legitimate, don't trust them.
A common situation that many employees encounter is a CEO or a senior staff member asking for information that they should already possess or know. For example, finance details, payroll accounts, business and customer data.
Another common situation is the scammer appearing as your bank and informing you your online account has been accessed without authorisation or you need to update your account credentials, therefore getting you to give away your details.
Some phishing emails will even try to threaten you into giving away your data.
If you or your employees receive an email unexpectedly that is requesting data or money, or other actions in such a short space of time then it is wise to ignore the email.
Some common threatening tactics used by phishers are:
These threatening phrases are becoming more common than ever. Never hesitate to call your bank or financial institution just to confirm the legitimacy of an email or call.
For scammers to appear as legitimate sources they will sometimes use letters that appear similar, such as 'rn' instead of 'm'. Always pay close attention to the sender's information and the overall look and feel of the emails you receive.
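The two checks above (hovering over a link to compare what it shows with where it goes, and spotting lookalike spellings such as 'rn' for 'm') can be automated on the defender's side. The example below is added here and is not usecure's code; the trusted-domain list, the confusable table beyond the 'rn'/'m' swap, and the sample invoice email are all constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Hypothetical organisation's trusted domains, and the confusable swaps to undo
# ('rn' for 'm' is from the guide; the others are common equivalents).
TRUSTED_DOMAINS = {"example-bank.com", "microsoft.com", "usecure.io"}
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

def normalise(domain):
    """Undo confusable substitutions so a lookalike collapses onto the real name."""
    d = domain.lower().strip(".")
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def _edit_distance(a, b):
    """Levenshtein distance, to catch misspellings such as 'exmple-bank'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _label(domain):
    # Registrable name ('example-bank' from 'login.example-bank.com'); assumes a one-part TLD.
    parts = normalise(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None  # the real domain or one of its subdomains
    label = _label(domain)
    for trusted in TRUSTED_DOMAINS:
        t_label = _label(trusted)
        if label == t_label or t_label in label:  # micros0ft, example-bank-secure
            return trusted
        if len(t_label) >= 5 and _edit_distance(label, t_label) <= 2:  # exmple-bank
            return trusted
    return None

def _host(text):
    # Host named by a URL or bare domain, with any leading 'www.' dropped.
    host = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def suspicious_links(html):
    """The 'hover over the link' check, automated: flag anchors whose visible text names
    one host but whose href goes elsewhere, and hrefs that land on a lookalike domain."""
    findings = []
    for href, inner in re.findall(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', html, re.S | re.I):
        real, shown = _host(href), _host(re.sub(r"<[^>]+>", "", inner).strip())
        if "." in shown and shown != real:
            findings.append((href, "shows %s but points to %s" % (shown, real)))
        elif lookalike_of(real):
            findings.append((href, "%s imitates %s" % (real, lookalike_of(real))))
    return findings
# Constructed sample of a fake-invoice email body (the third link is genuine).
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready: <a href="http://exarnple-bank.com/bill">view your bill</a></p>
<p>Sign in at <a href="http://micros0ft.com/login">www.microsoft.com</a></p>
<p>Help: <a href="https://example-bank.com/help">https://example-bank.com/help</a></p>
"""
```

Running `suspicious_links(SAMPLE_EMAIL_HTML)` flags the first two anchors (a lookalike of example-bank.com and a displayed/actual host mismatch) and leaves the genuine help link alone.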
Different types of employees can be targeted by different techniques. So, let's take a look at some of the positions that are most likely to be lured into the bait of a phisher, and how you can protect them from the hook.
High ranking officials, such as CEOs and CFOs, are extremely attractive targets. Their access to sensitive information and authority to sign off on high-value transfers give cyber criminals a host of incentives. Phishing emails that target executives typically take the form of sensitive information requests from a legitimate-looking source. By spoofing the email so that a credible sender appears, the attacker can make requests to executives that are far less likely to be denied.
*Tip* Raising phishing awareness for your Execs:
Make additional authentication or verification steps a requirement for any sensitive requests (such as wire transfers). Also, encourage executives to limit both what they are sharing and who they are connecting with on social media.
With their ability to multitask, an administrative assistant's behind-the-scenes work contributes to the business considerably. From scheduling to screening phone calls, they often have access to company and individual executive accounts. Their role on the front line and their privileged relationships make them an attractive target for attackers. They are seen as a more accessible target who might just give up the keys to the kingdom a little more easily than harder-to-reach areas of the business.
Phishing emails targeting these assistants often come as a request from another executive, usually asking to review an attachment or to send across financial information. If the phishing attempt is successful, then eavesdropping software can be installed, meaning that the assistant's privileged information can be leaked.
*Tip* Raising phishing awareness for your Admin Assistants:
Provide them with a clear procedure for dealing with phishing emails and make sure that there is a good spam filter set up. If the admin assistants come across a non-legitimate looking email, they should feel actively encouraged to report it to IT support and know exactly how to do so.
Business development managers, account managers, and internal salespeople constantly interact with prospective and existing clients, whether in person, over the phone, or via email. They’re eager for emails from potential customers and want to be as responsive as possible. An attacker can easily locate their name, phone number, and email address online, and the chances of the message being opened are high.
Stealing credentials from these salespeople can provide access to customer lists, pricing sheets, and confidential deal information. Stealing their information will also allow for a new phishing attack catered towards members of the finance and accounts teams (here's a finance phishing scam to give you a clearer look).
*Tip* Raising phishing awareness for your sales team:
Consider email-alternative methods with your purchasing department for how to transfer invoices. Ensure that your sales team are encouraged to double-check any linked text they receive in emails. Also, discourage them from opening attachments from unknown sources.
HR professionals are usually some of the most highly connected people in any business. They regularly communicate with existing and potential employees - and phishers certainly take advantage of this. That's why cyber criminals often pose as potential employees by sending malicious payloads disguised as resumes, or will even impersonate a high-level exec and ask for information regarding personnel. Tax season especially is full of phishing attempts on HR, with employee tax information being a big target.
*Tip* Raising phishing awareness for your HR department:
By investing in benefits software and employee portals, you can reduce the number of confidential documents that employees send via email. Your HR department should also be reminded that requests from an employee asking for sensitive information should be verified either face-to-face or over the phone.
"A single phishing attack costs a business an average of $1.6 million"
The inconvenient truth is that anyone in your organisation can be targeted by a phishing attack. Cyber-security awareness programmes, mock phishing exercises, and security measures need to be addressed with everyone in the business, no matter what position or level they may be at. The more that employees are involved in security efforts, the stronger your security level will be.
Of course, time and money are two factors that need to be taken into account, but so too do the huge disruption and financial loss of a data breach.
*Tip* Raising phishing awareness for your workforce:
Training for all levels of the business is vital here, regardless of whether it's the boardroom or the help desk. Third-party security awareness training platforms can significantly help you educate all of your users without falling short in other areas.
Also, utilising spam filtering solutions along with additional endpoint security will help cover the gaps in antivirus protection. Having security policies for responding to phishing emails and a company backup strategy can also mitigate the damage of attacks.
So, how can you start protecting your employees from such a widespread and increasingly sophisticated threat? Well, a security awareness training programme is the obvious starting point for creating a cyber-secure culture. But, whereas covering the simple ways to avoid a phishing scam and other key threats is vital, gathering metrics on their progress is also fundamental to assessing whether or not your training programme is actually working.
So how do you determine whether progress is really being made and that your business is growing in its resilience to phishing scams? We say... PHISH YOUR EMPLOYEES!
Now, we’re not suggesting that you scam your finance team for financial gain... we mean the opposite. Educate your users on real-world attacks to test just how effective their cyber education has really been. Here, we've compiled a small list that highlights the benefits of simulating a phishing attack on your users.
"92% of malware is delivered via email"
Phishing your users will firstly allow you to see who has clicked on the 'malicious' links, and who has acted appropriately. This can give you an excellent insight into just how exposed your workforce is. Not only is this useful for seeing where the weaker links are, but it is also extremely efficient for discovering which departments are more susceptible to a breach than others.
Many businesses are guilty of only raising awareness within the perceived "higher risk" departments. However, all users have company-sensitive information and should all receive the same level of education and awareness. It is important, however, to follow the ‘engage, not enrage’ methodology when conducting this simulation, and give employees individual feedback, rather than in a name-and-shame manner.
Take a look at one of our recent phishing campaigns on behalf of a client, where we found the phishing template, technique and time that harvested the most credentials from the company's employees.
The more exposed your workforce becomes to these types of emails and their signs, the more likely they are to detect the red flags. There is also the opportunity of shocking the more complacent staff members into realising just how vulnerable they are to social engineering. As mentioned before, it can be difficult for an end user to envisage just how important they are in the security chain -- so targeting them with a mock phishing test can be an effective wake-up call.
Some individuals also believe that they are able to spot the obvious signs of such emails, such as domain names and the odd language and requests involved in them, but social engineering can increase the user's trust immensely. If they can already spot a phishing email, then great. If not, then at least the risks are mitigated before being targeted by a real phisher.
Once your employees have been exposed to these phishing emails and what they look like, you can educate your employees on how to avoid them, report them, and how to spot the other common signs and types of phishing attacks.
Avoid irregular, one-off training. Keeping the training consistent, whilst also avoiding learning fatigue, is crucial. Make sure you are able to measure how effective this training has been, and where there is room for improvement.
"45% of all emails are spam"
When thinking of launching your own manual phishing campaign, the words “do not try this at home” can rightfully flash up in the eyes of security professionals. That’s because, for starters, the time and effort you will put into getting this up and running (with domains, web pages, reporting etc.) mean you're likely to start off at a loss. The easiest way is to just choose a partner to work with (and there are some really good phishing services out there).
A partner experienced in this area will be able to steer you away from some of the gotchas and make sure that you get the maximum value from the exercise.
A well-structured simulated phishing programme should sit alongside your security awareness programme, and tie into any compliance/auditory/regulatory requirements you have. Be warned, launching a programme without sufficient planning can be incredibly counter-productive for the business, and even put the employees at risk. But the initial benefits of an awareness campaign can be hugely valuable, with the ability to:
This is a fiery subject under the “best practices” of phishing tests. From our point-of-view, usecure always endorses an open and up-front approach to running simulations with your staff. Why? Because you need them to buy into your full security awareness programme!
If you don't inform them, you run the risk of making them feel that you are trying to 'catch them out' - which is certainly not the objective here. Our recommendation would be to put out a notice sponsored by the board highlighting:
- "This is what we are doing"
- "This is why we are doing it"
- "This is how it will benefit the business"
- "This is how it will benefit you"
- "This is what the business expects of you"
- "This is what you should expect from the business"
One of the biggest challenges with simulated phishing is ensuring the validity of results. If one employee spots your simulation and informs others, it could ruin your well-crafted efforts. A couple of ways that you could avoid this would be to:
- Mix up the type of attack you are doing (use different templates and spear phishing approaches);
- Target small representative samples of your workforce;
- Spread the simulation out with logical time between each;
*Remember, this is part of your security awareness programme and is an ongoing initiative.*
This might sound like an obvious one, but it’s SO crucial that it had to go in. Recording your results will allow you to analyse them over time, understand where your risk areas are, and give you easy-to-spot trends in the data. The workforce is a moving target, which makes it hard to quantify, so the more information you have, the better understanding you will have moving forward.