Phishing - Prevention, Detection & Mitigation

What is phishing?  

Phishing is a technique used by malicious actors to trick people into sharing sensitive information or clicking on malicious links/opening files containing malware. While the term phishing is most commonly associated with email-delivered messages and lures, these messages can also be sent via SMS, voice calls and, increasingly, social media.  

Attackers pretend to be well-known legitimate businesses or individuals known to the victims to craft messages that appear authentic and convincing.  

Phishing is one of the easiest ways for cybercriminals to launch attacks against organisations and individuals and gain initial access into enterprise networks.  

Notable phishing stats

• Phishing incidents in the US more than doubled in frequency from 2019 to 2020, up from 114,702 incidents in 2019, to 241,324 incidents in 2020. - US Federal Bureau of Investigation (FBI)
• In New Zealand, phishing and credential harvesting was the top incident category in 2020, with 3410 reports received by CERT NZ over the year (almost 10 each day) - up 76 percent over the previous year.  - CERT NZ Annual Incident Report, 2020 ‍
• In 2021, phishing was present in 36 percent of all reported data breaches - up from 25 percent in 2020.  - Verizon Data Breach Investigations Report, 2021 ‍
• Apple, PayPal, Amazon, Chase, Facebook, Google, Twitter, Netflix, Microsoft and Wells Fargo were the top ten brands impersonated by attackers in phishing campaigns in 2021.  - Jamf Phishing Trends Report, 2021  ‍
• Phishing messages are increasingly being delivered outside of emails. New distribution platforms popular with attackers are  SMS, WhatsApp, Messenger, Instagram and LinkedIn. - Jamf Phishing Trends Report, 2021

Attacker motives

Attackers can have one of many goals when they launch phishing campaigns. These include:

Data theft and credential harvesting

• Stealing sensitive data or account credentials that can be used for other attacks - This can be done by directing the user to a fake webpage that closely resembles a legitimate site and getting them to enter their login credentials or personal information in a form. Attackers can also use persuasive means to get victims to respond to the email with personal or financial information.  

Immediate financial gain

• Persuading the victim to make a direct financial transfer to an attacker’s account - Again, attackers may steal bank account information via a form that the victim fills in or use information they share in response to the email. They may even be convincing enough to get the victim to make a direct financial transfer.  

Initial access for a bigger attack

• Getting initial access to the victim’s device and using it to get a deeper foothold into the company’s network to carry out a bigger attack (example – ransomware) - Attackers do this by either getting users to click on malicious links or persuading them to download infected attachments that install malware on the device being used.  

Types of phishing

Email phishing

Phishing messages are typically sent via email, with the criminal impersonating a legitimate business or an individual known to the recipient. The most common type of phishing email is generic, i.e., the same email is sent to a large number of email addresses from a database in the hope that some of the recipients will click on the malicious links or attachments contained in it.  

Spear Phishing

Spear phishing is a targeted form of phishing in which the attacker conducts some preliminary research on specific groups or individuals before crafting carefully worded emails. These emails are meant to appear more convincing in their tone and content than the more generic phishing emails that are untargeted. Attackers may use information like an individual’s place of work, designation, personal contacts and the businesses they interact with to create a spear phishing email.  

Whaling

Whaling goes a step further than spear phishing to target higher management executives in large organisations. Attackers collect a considerable amount of personal information about targeted individuals from their social media accounts, media mentions, company profiles and any other information they can find, to plan the campaign and create a personalised message for maximum effectiveness. These emails are significantly different from generic phishing emails in their tone and content quality and often reference company information, transactions or tax returns. They may talk about the legal consequences of specific events or actions to create a sense of fear or urgency.  

Smishing and Vishing

Smishing and vishing are similar to phishing in their goals and wider tactics except that the message is sent via SMS in the case of smishing and delivered over a voice call in the case of vishing. In vishing calls, the attacker often claims to represent a bank, a technology or security company, or a government entity.  

Commonly used phishing lures  

• Account compromise warning  
• Illegitimate activity detected – threat and blackmail  
• Urgent message from your bank requiring immediate action  
• Urgent message from your organisation requiring immediate action  
• Alert from a government service urging immediate action
• Promise of a big reward or limited time offers  

Why you should have a phishing awareness program for employees  

A basic phishing awareness program for employees can go a long way towards preventing successful phishing attacks against your organisation. At the minimum, company teams must know how to spot a phishing email/SMS/or voice call and what to do if they suspect they have been targeted.  

• A training and awareness program – A simple training program that educates employees about phishing and how not to fall victim to an attack must be instituted.  
• Phishing simulation – Regular phishing simulation exercises and drills can help drive home the ease with which attackers sometimes get people to click on malicious links or open attachments containing malware. Employees are more alert to phishing attempts if they have been through some phishing simulation exercises and training.  
• Reporting mechanism – Easy mechanisms to report suspected phishing attempts must be put in place so employees know what to do if they think they’re seeing or have responded to a phishing email. They must know who to get in touch with and where to report such attempts, with as little effort as possible. Some email providers have plugins within email software that employees can click on to report phishing attempts.  

Creating a culture for employees to report phishing attempts without the fear of negative consequences (such as punitive action or blame assignment) is critical. No one - not even security professionals with years of phishing handling experience - can spot 100 percent of phishing attempts or remain vigilant 24/7. Organisations must, therefore, encourage everyone to report all suspected phishing emails, regardless of whether they opened or responded to the email or not.  

Phishing tell-tale signs  

Some tell-tale signs of a basic phishing email are:

• The use of generic greetings  
• Promises of rewards, prizes and discounts  
• A tone of urgency  
• A tone that creates fear or anxiety in the reader and urges immediate action to prevent reputational damage or financial loss  
• Multiple spelling and grammatical errors  
• Familiar but misspelled domain names  
• Unexpected attachments and links directing users to credential harvesting sites  

While these warning signs may help recipients spot more generic phishing attempts, we must reiterate here that cybercriminals also use much more targeted forms of phishing for greater effectiveness. Spear phishing attempts, or instance, greet recipients by name and include information specific to an organisation or the people or services the user interacts with on a regular basis. This makes the fraudulent emails harder to detect.  

Blocking phishing emails before they reach the user’s inbox  

A critical piece of phishing prevention that we haven’t talked about so far is what you can do to detect and block malicious emails before they reach the victim’s mailbox.  

• All incoming emails must be checked for spam, phishing and malware using filtering or blocking tools either on the email server (this is ideal) or on end user devices, or both.  
• For effective balance between filtering, which sends suspected emails to the junk folder, and blocking, which ensures that the email doesn’t get into the user’s inbox, your IT security team may need to finetune the rules used in the blocking service. These rules could be based on IP addresses, domain names, email address block/allow lists, attachment types or malware detection.  

Cloud email providers, too, usually have a filtering/blocking service built in. This needs to be switched on by default for all users.  

Managed Security Services to handle phishing attacks

In case you don't have the skills or capacity to manage email protection internally, you can engage a cyber security service provider like LinearStack to look after your organisation's email security at an affordable price point.

1. For ongoing email security management and support, along with overall security monitoring, threat detection and incident response, you could consider working with a Managed Detection and Response (MDR) provider.  
2. For help with potential incidents that you may face, you could sign up for a phishing incident response retainer service with a cyber security provider so you know the exact steps to take if you're hit by a phishing attack. Being prepared and knowing whom to contact when an attack hits is critical to efficient incident handling.  

Visit our website or contact us at 0800 008 795 to know more about how we can help you detect and respond to phishing attacks.