Phishing – How to Recognise it and Avoid it?
- Posted by Gareth Keenan
- Categories Cyber Security
- Date 08/11/2023
Phishing is a social engineering attack or scam in which a malicious actor tries to trick an end-user into sharing confidential information such as login details, network information or payment card information. Usually, phishing emails are made to look as though they come from a legitimate organisation, email provider or bank by imitating the branding, design and communication style and patterns of that organisation.
The simplicity of phishing, the lack of expertise needed to pull it off, and the high availability of the required tools have made phishing the fastest growing form of cyber-attack, with some reports suggesting that a third of data breaches originate from a successful phishing attempt.
Evolution of phishing
When phishing was first used by malicious actors, it was as a social engineering activity using a shotgun approach, targeting a large group of users. Since then, it has become much more sophisticated, and attackers will target particular groups or individuals rather than sending out a mass spam email. These attacks are known as spear phishing when specific individuals are targeted, or whale phishing when the targets are executives, executive management, or other high net worth individuals.
Forms of delivery
Cyber criminals will vary their attack vector depending on the type of attack and the individual and information they are targeting. They will most frequently use:
- Email
- Instant messaging (including SMS)
- Telephone
Email and instant messaging, in particular, are the most prevalent attack vectors as they are free, can target an unlimited number of individuals at once, and do not require significant technical knowledge or infrastructure. One of the first phishing attacks to be discovered was an email which appeared to originate from the World Health Organisation (WHO), containing a link which directed users to a fake WHO website designed to steal user credentials.
SMS message attacks tend to be less successful, and usually require more resources than email-based attacks. Compared to other common methods of attack, there is a lower probability of an SMS-based phishing attack being successful, but they do sometimes receive a response.
Telephone calls are a less frequently used vehicle for phishing attacks as they are easier to trace back to the attacker and are more complex than an email or message-based attack. However, ‘vishing’ attacks do still occur and may be used in conjunction with another vector.
Vulnerabilities exploited by phishing
Phishing is dangerous (and so often successful) precisely because it is simple and relies on basic psychology and human behaviour rather than complex technology. It preys on individuals’ desire to help and cooperate, as well as natural human fear and greed.
Identifying phishing emails
Your organisation’s email provider and technical controls will (hopefully) have filtered or flagged spam emails before they reach users’ inboxes, but malicious emails may occasionally still get through. It is important that your organisation regularly provides phishing awareness training, which encourages staff and other users to question why they have received a particular email, whether they were expecting it, what will happen if they don’t comply, and whether there is anyone they can reach out to for help.
Ultimately, users of your systems will always be a step behind attackers: while they have been caught off guard by a phishing attempt, the cyber-criminal has taken the time and effort to plan the attack and will, therefore, be better prepared. Users should always be vigilant and keep firmly in mind that, if something seems too good to be true, it probably is. It is their responsibility to report suspicious communications they receive in line with organisational policy; however, ensuring they are able to recognise a suspicious communication in the first place is down to your organisation, which must educate them.
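The human checks above can be backed by a mechanical check on the message itself. As an added example that is not URM's code or part of the original post, the Python below flags two classic tells in a constructed message modelled on the WHO-themed lure described earlier: a display name claiming an organisation whose genuine domain (assumed known to the defender) differs from the sender's, and link text naming one site while the href points to another. Every domain in the sample is made up.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample modelled on the WHO-themed lure described above; every domain is made up.
SAMPLE = """\
From: "World Health Organisation" <alerts@who-int-update.example>
Subject: Urgent safety guidance
Content-Type: text/html

<p>Please review the guidance at
<a href="http://who.int.login-verify.example/auth">https://www.who.int/guidance</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None

def registered_domain(host):
    """Crude registrable domain (last two labels): enough for a triage tell, not a PSL lookup."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def phishing_tells(raw, claimed_domains):
    """Return tells for a raw message; claimed_domains maps brand name -> genuine domain."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg["From"]))
    sender_dom = registered_domain(addr.rsplit("@", 1)[-1])
    tells = [f"display name claims {brand!r} but sender domain is {sender_dom}"
             for brand, genuine in claimed_domains.items()
             if brand.lower() in name.lower() and sender_dom != genuine]
    body = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for text, href in collector.links:  # link text that names one site but resolves to another
        shown = urlparse(text).hostname if "://" in text else None
        target = registered_domain(urlparse(href).hostname or "")
        if shown and registered_domain(shown) != target:
            tells.append(f"link text shows {shown} but points to {target}")
    return tells
```

Run `phishing_tells(SAMPLE, {"World Health Organisation": "who.int"})` to see both tells reported; a genuine message from who.int with matching links returns an empty list.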
To help you do this, URM has produced a video with advice and guidance on how to differentiate a phishing email from a genuine one.
Is your organisation susceptible to phishing?
The safest and most effective way to establish how susceptible your staff and users are to phishing attempts, and identify areas where they may need further awareness training, is by simulating a targeted social engineering attack. Alongside our other penetration testing services, URM can offer social engineering pen testing, using our expertly designed methodology which imitates genuine phishing attempts. Following the simulated attack, we will use our tracking software to report back on how many users potentially exposed your organisation to malicious software or a data breach.