Phishing attacks have become so common today that almost every day each of us gets phishing emails, which are either delivered directly to our inbox or filtered out and put in the spam folder. Phishing emails reach practically every internet user today; most of us have learned to recognize and ignore them. Yet there are still many who get duped and click on the link or download the file that comes with a phishing email, thus triggering a cyberattack. Indeed, most cyberattacks today start from a phishing email.
Phishing: An introduction
Phishing is almost like fishing; in both cases you need a bait, which lures the unsuspecting victim to bite on it. An unsuspecting fish that bites on a worm tied to a hook gets caught; fishing is as simple as that. An unsuspecting email user opens a mail, clicks on a link that comes with it or opens the accompanying attachment and gets hit by a cyberattack; phishing is as simple as that.
So, in a phishing attack, the bait is a compelling email, which appears to be a legitimate, genuine email. Once the victim opens the email and clicks on the link or opens the attachment, they are usually directed to a website that is controlled by the attacker and which delivers malware or harvests the credentials of the unsuspecting victim. It is the naivety or the gullibility of the victim that this social engineering attack seeks to exploit. Phishing attacks are primarily classified into two types: standard phishing attacks and spear phishing attacks.
Standard phishing attacks are executed with a scattered approach and target large numbers of individuals. It is one general bait, but a wide section of internet users is targeted. Such emails can be sent worldwide, to millions of internet users, and only a tiny fraction of them will click. But that is enough for the attacker(s) to gain a foothold and trigger the attack. Standard phishing attacks can also be targeted at users within an organization or a network.
Examples of standard phishing attacks are many. An email sent to users all over the world, promising offers or trying to lure them with tempting links/attachments, could get at least a few internet users to take the bait. Similarly, an email supposedly coming from the IT department of an organization and sent to all employees, containing a fake notification about some training module, is also a standard phishing attack. An employee or two, or maybe a handful of them, may take the bait; they may even be lured into entering their employee credentials, which are then stolen and exploited by the attacker.
Spear phishing attacks happen in a more targeted manner and with fewer individuals being targeted. The attacker spends more time and effort and plans a carefully manipulated email, which seeks to build trust with the targets and then get some of them to open the mail. Such attacks are mostly used to place malware on an internal network.
An example of a spear phishing attack is one in which the attacker spoofs an insider's email address and uses it to send the phishing emails to the employees of an organization. It could be about a sensitive internal project with a subject line that seems very genuine. The legitimate-looking email could make even the most tech-savvy professional trust it and click on the attached link/document. The attacker could thus gain access to the internal network of the organization and reach real sensitive information. Unlike the standard phishing attack, a spear phishing attack is more focused, and the compromise happens deeper within an organization or a network. The objective is mostly to obtain specific information or to gain access to an internal, critical network.
How phishing attacks impact organizations
Attackers use phishing attacks to sabotage organizational networks in many ways.
As we know, it is the human component that phishing attacks target. The attackers thereby manage to bypass even the security systems in place and gain a foothold in an organization's network and systems. They begin by gaining control of a victim's system, or the computer systems of a handful of victims who have fallen prey to the attack, and then gradually gain access to the whole network. All this happens while the organization remains unaware of it. By stealing user credentials, the hacker(s) can even get access to restricted systems or data. Such privileged access helps the hackers bypass most technical security controls and eventually escalate their access to other systems and data as well. Thus, they can even succeed in effecting a complete compromise of an organization's network and of the organization itself.
While phishing attacks targeting an organization could lead to the breach of customer and employee data, source code leaks, website defacement etc., they could also lead to the total sabotage of the enterprise network. And if it is a ransomware attack that the phishing email triggers, the organization might even end up losing access to all its systems and data.
So, remember: a single phishing email can be potent enough to cause a big organization to collapse.
Preventing phishing attacks
Preventing phishing attacks is very important; as mentioned earlier, most cybercriminals today resort to carrying out cyberattacks using phishing scams. Hence, for an organization and for an individual as well, it is very important that phishing attacks are prevented.
Let us begin with the organizational level. Spam filters and some kind of IDS (Intrusion Detection System) definitely help block illegitimate emails as far as an organization is concerned. But this is not enough. Since it is the human component that is targeted, utmost importance should be given to educating and training employees on how to avoid falling prey to phishing scams.
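To make the spam-filter point concrete, here is an added example (not code from the original article) of the kind of heuristic rules a mail gateway applies before a message reaches an employee. It parses a raw message with Python's standard `email` module and reports the indicators discussed above: a display name that borrows a trusted brand while the address domain is untrusted, a Reply-To that diverts replies elsewhere, a sender domain that imitates a trusted one, a link whose visible text shows one site while the href points to another, and an attachment with an executable extension. The `TRUSTED_DOMAINS` list, the two sample messages and the hostnames in them are all constructed for this example.

```python
"""Heuristic phishing-indicator checks over raw RFC 5322 messages.

Added example, not taken from the original article. TRUSTED_DOMAINS and the
sample messages below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: domains the (hypothetical) organization treats as its own.
TRUSTED_DOMAINS = {"example.com", "payroll-example.com"}

# File extensions that should never arrive as an attachment from outside.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".iso"}

# Matches <a href="...">visible text</a> in an HTML body.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _domain_of_address(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _domain_of_url(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _lookalike(domain: str, trusted: str) -> bool:
    """Cheap lookalike test: equal after swapping common confusables (rn/m,
    1/l, 0/o), or the trusted name reused as a label of another domain."""
    if domain == trusted:
        return False
    norm = domain.replace("rn", "m").replace("1", "l").replace("0", "o")
    if norm == trusted:
        return True
    if norm.endswith("." + trusted):      # real subdomain, not a lookalike
        return False
    base = trusted.split(".")[0]
    labels = norm.split(".")[:-1]          # drop the TLD
    return any(lbl == base or lbl.startswith(base + "-") for lbl in labels)


def phishing_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable indicators found in the message."""
    msg = message_from_string(raw_message)
    findings: list[str] = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of_address(from_addr)

    # 1. Display name invokes a trusted brand, but the address domain is not ours.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in from_name.lower():
                findings.append(
                    f"display name '{from_name}' does not match sender domain '{from_domain}'")
                break

    # 2. Reply-To routes answers to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain_of_address(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain '{reply_domain}' differs from From domain '{from_domain}'")

    # 3. Sender domain imitates one of our domains.
    for trusted in sorted(TRUSTED_DOMAINS):
        if _lookalike(from_domain, trusted):
            findings.append(f"sender domain '{from_domain}' imitates '{trusted}'")

    for part in msg.walk():
        # 4. Link text shows one host while the href goes to another.
        if part.get_content_type() == "text/html":
            charset = part.get_content_charset() or "utf-8"
            html = part.get_payload(decode=True).decode(charset, "replace")
            for href, text in ANCHOR_RE.findall(html):
                shown = _domain_of_url(text.strip()) if "://" in text else ""
                real = _domain_of_url(href)
                if shown and shown != real:
                    findings.append(f"link text shows '{shown}' but points to '{real}'")
        # 5. Attachment with an executable extension (double extension included).
        filename = (part.get_filename() or "").lower()
        if any(filename.endswith(ext) for ext in RISKY_EXTENSIONS):
            findings.append(f"attachment '{filename}' has a risky extension")

    return findings


# Constructed sample: a payroll-themed lure. No real hosts or files.
SAMPLE_PHISH = "\n".join([
    "From: Example Payroll <payroll@examp1e-security.net>",
    "Reply-To: collect@mail-drop.invalid",
    "To: staff@example.com",
    "Subject: Action required: verify your timesheet",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="B1"',
    "",
    "--B1",
    "Content-Type: text/html; charset=utf-8",
    "",
    '<p>Please confirm: <a href="http://login.mail-drop.invalid/x">'
    "https://example.com/payroll</a></p>",
    "--B1",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="timesheet.pdf.exe"',
    "",
    "(constructed placeholder body, not a real executable)",
    "--B1--",
])

# Constructed sample: an ordinary internal notice.
SAMPLE_BENIGN = "\n".join([
    "From: HR <hr@example.com>",
    "To: staff@example.com",
    "Subject: Training schedule",
    "Content-Type: text/plain",
    "",
    "The new schedule is on the intranet portal.",
])

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, phishing_indicators(sample))
```

Each rule is deliberately simple and each can be evaded on its own; in a real gateway such heuristics feed a score alongside sender authentication results and reputation data rather than deciding on their own. The lookalike test in particular only covers a few confusable substitutions and would be replaced by a proper edit-distance or homoglyph check in production.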
Similarly, properly configured domains and user accounts also help prevent penetration of the network by an outsider. Restricting user access to critical systems works as well.
There is no general formula that works as a solution for all organizations. Every organization should plan its security posture in accordance with its business needs.
As for individuals, they should always be careful with emails that come from unknown sources. Moreover, when they get an email from a known source that seems suspicious, the best thing is to contact the sender directly and confirm the genuineness of the email before opening it. Having antispam software is definitely good.
An effective antivirus tool is also necessary for dealing with all kinds of spam; this applies to individuals as well as organizations.
A very important point, which applies to overall security management, is having regularly updated backups. Do not forget that even the cleverest of people can be duped into opening a phishing email and, before they know it, become victims of a cyberattack. So, as part of their response and recovery strategies, they must definitely pay attention to having backups.