Understanding Phishing Attacks – And Avoiding Them
Phishing is one of the attack techniques cybercriminals use most often because it has proven to be so effective. The basics of a phishing attack are pretty simple (which may be the reason they are so popular). Their focus is on using social engineering techniques that trick people into opening a malicious message or clicking on links that they shouldn’t.
While phishing attacks are quite prevalent, and awareness about these attacks is also increasing, they are still surprisingly effective. To understand why such attacks are so effective, it is important to know about the work that goes into creating phishing emails.
How do phishers create emails that convince even the most pragmatic people to fall for them?
Creating the perfect phish
Here are the steps that are the key to fashioning the perfect phishing email, one so convincing that recipients throw all caution to the wind and proceed to do the email’s bidding:
1. Choose your target
Not everyone falls for the same trick. Phishers realize this fact and therefore begin by getting a thorough understanding of their targets to craft the perfect phishing lure. If you are a phisher, you need to pick your audience with care and attention. It can be a broad audience – all employees in a particular organization, employees that belong to a particular department in an organization (e.g., finance department), users of a specific bank, and so on and so forth.
Phishers zero in on a specific target audience that they will then proceed to go after.
2. Bait the audience
A social engineering attack is a play on your emotions. It’s a potent messaging cocktail that entraps you by mixing emotional triggers to improve the chances of success. A trifecta of curiosity, hope, and necessity is used to trick the target into opening/clicking something that has the potential to wreak havoc in their lives.
- Curiosity: The need to know what happened next makes you want to click a link or open the email attachment.
- Hope: This emotional trigger is abused by phishers when they send out phishing emails related to job offers, prize wins, and more.
- Necessity: Here, the lure highlights the need for taking immediate action on an event, e.g., a cybersecurity lapse on your computer.
3. Creating the email
Emotional triggers are extremely effective, and phishers spend a lot of time weaving these triggers into a well-crafted email.
This is why people get tricked into taking action on a phishing email: the answer is email finesse.
Phishers focus on writing a phishing email that convinces the target to take the action they want them to take. The messaging is such that the reader takes action almost immediately upon reading the mail, without giving it a second thought. This is important because if targets take their time to think about or analyze that action, they probably won’t fall for a phishing email.
Typically, phishing emails guide you towards an inevitable call to action. This may not necessarily be obvious – for example, a phishing email lands in your inbox that contains information about a newly launched credit card, and it has the usual clickable links. The attacker also includes an ‘unsubscribe’ link at the bottom of the email, as a means to improve email credibility. Here’s the catch, though: clicking on the “unsubscribe” link will take you to the same place (malicious website) or trigger the same action (malicious payload download) as clicking any other link in the email.
In this particular case, you were given an illusion of choice, but in reality, you didn’t have a choice at all.
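The "illusion of choice" is something a mail filter or a curious recipient can test for. The following is an added example, not code from the original article: it parses an HTML message body and reports when an "unsubscribe" link leads to the same destination as the other links. The function names and the sample body are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class AnchorCollector(HTMLParser):
    """Collect (visible text, href) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append(("".join(self._text).strip(), self._href))
            self._href = None

def destination(href):
    """Reduce a link to host + path so per-link tracking parameters are ignored."""
    parts = urlsplit(href)
    return (parts.hostname or "").lower() + parts.path.rstrip("/")

def unsubscribe_collisions(html):
    """Report destinations that an 'unsubscribe' link shares with other links."""
    collector = AnchorCollector()
    collector.feed(html)
    by_dest = {}
    for text, href in collector.anchors:
        by_dest.setdefault(destination(href), []).append(text)
    findings = []
    for dest, labels in by_dest.items():
        others = [t for t in labels if "unsubscribe" not in t.lower()]
        if others and len(others) < len(labels):  # unsubscribe + something else
            findings.append({"destination": dest, "shared_with": others})
    return findings

# Constructed sample body; cards.example.net is a placeholder host.
SAMPLE_BODY = """
<a href="http://cards.example.net/apply?src=banner">Apply now</a>
<a href="http://cards.example.net/apply?src=terms">Terms and conditions</a>
<a href="http://cards.example.net/apply?src=footer">Unsubscribe</a>
"""
```

Calling `unsubscribe_collisions(SAMPLE_BODY)` returns one finding for `cards.example.net/apply`; a message whose unsubscribe link has its own destination returns an empty list.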
4. Sending the email
After all the “hard work” of crafting it is done, the email must be sent to the target. Attackers can create a new email account on a generic service like Gmail for this purpose, or purchase unregistered domain names that are similar to reputable domains. In the latter case, spellings are tweaked slightly, in a manner that is not obvious to recipients.
There are also advanced phishing attacks wherein attackers infiltrate email accounts that belong to a legitimate source and commandeer them to send a scam message. In cybersecurity terms, this is called Business Email Compromise (BEC); in such cases, it could be your business email address that is compromised and used to send phishing emails to your co-workers.
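Slightly tweaked sender domains can be caught mechanically by measuring how close an unfamiliar domain is to one you trust. The following is an added example, not code from the original article: the allow-list, the distance threshold of 2, and the sample headers are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: the domains your organisation really exchanges mail with.
TRUSTED = {"example.com"}

def edit_distance(a, b):
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED, max_distance=2):
    """Return (verdict, nearest trusted domain or None) for a From: header."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted", domain
    nearest = min(trusted, key=lambda t: edit_distance(domain, t))
    if domain and edit_distance(domain, nearest) <= max_distance:
        return "lookalike", nearest   # near miss of a trusted name
    return "unknown", None

# Constructed sample headers, not taken from real messages.
SAMPLES = [
    "Billing <billing@example.com>",
    "Billing <billing@examp1e.com>",    # digit 1 in place of the letter l
    "Billing <billing@exarnple.com>",   # "rn" in place of "m"
    "News <news@newsletter.example.net>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", classify_sender(header))
```

A message sent from a compromised legitimate mailbox, as in the BEC case, is classified as trusted because its domain is genuine, so this check complements scrutiny of the message content and does not replace it.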
On guard against phishing attacks
Phishing attacks are becoming more sophisticated, but this doesn’t mean you can’t spot them and protect yourself against such attacks. The key to stopping phishing attacks is knowing what to look for – the telltale signs that raise your suspicion that the email is a scam (your Spidey sense should start tingling).
Here are a few steps that can keep you safe from phishing risks:
- The zero trust approach: Don’t blindly trust emails reaching your inbox, even if they are from domains you recognize or people you know. Take a good look at the domain, and the mail copy. If the email asks you to download an attachment or click on a link, take action only when you are absolutely sure that it is the real deal.
- Build continuous awareness: Organizations that take their cybersecurity seriously have security awareness programs in place that educate employees through safe exposure. They use tools like Sophos Phish Threat to simulate phishing attacks, expose employees to attacks safely, and foster a strong security culture. This awareness is important when you are using your personal computers as well.
- Deploy an antivirus solution: Sophos Home is an advanced cybersecurity solution purpose-built for home computers. It uses the same award-winning security that keeps enterprise organizations safe. Its superior web protection blocks compromised websites, including phishing sites, to deliver a safer browsing, banking, and shopping experience. It also tracks virus behavior and leverages the extensive SophosLabs database to protect your PC from viruses, malware, trojans, worms, and other cyber threats, in real time.
The purpose of phishing is to trick you into making a wrong decision. In order to avoid phishing risks, you need to be aware of the kinds of phishing emails that can land in your inbox. Awareness is the first step towards risk prevention. Phishers exploit emotional triggers and also the perennial lack of time that we suffer from, which makes us take certain decisions in a hurry. Let’s not get sucked into making such uninformed decisions.