Aug 24, 2021   |   Tom Barton

The human attack vector: Phishing

Go back

What is phishing?

Phishing occurs when an attacker uses fraudulent communication masked as a reputable source to trick a user into performing a risky action. This attack can download malicious software or harvest sensitive data such as login information or personally identifiable information.

Cybercriminals can conduct phishing through various channels, text messaging, social media, but more often than not via email.

What is spear phishing?

Spear phishing attacks have one big differentiator from a standard phishing attack: the targeted and personalized nature of the activity. The attacks will target a specific victim and purportedly come from a known or legitimate source; this disguise will often result in the victim reacting in favor of the attacker. They are less likely to question the email’s authenticity.

Spear phishing often targets an organization and begins with extensive investigation and pretexting to understand who’s who within the business structure. The attacker will then try to gain access via sharing an infected file, or posing as a supplier requesting an invoice payment, or in some cases, impersonate the CEO or executive requesting an urgent transfer of funds.

Why is phishing so difficult to prevent?

Phishing is difficult to prevent as it preys on the human element of an organization and is most often initiated through email communications. The best line of defense is to train your employees to recognize the telltale signs of a malicious email. Employees are often not educated enough and will often fall for something that even a mild understanding could have prevented.

There are some key indicators that an email is a phishing attempt rather than a legitimate communication.

  • Emails requesting any kind of urgent response. Phishing emails will create a sense of urgency, especially if targeting employees lower down the org chart. Fear of reprisals and having to say yes to the boss can put your company's sensitive data at risk.
  • Spoofed links and envelopes. Hackers will attempt to disguise URLs, always hover over and never click to see if the URL is from a secure source. Some hackers may change the email address by a character or two or change the sender’s name to hide a malicious email address - always check to see who the email is from.
  • Emails requesting personal or company information to be sent or exported is often a red flag and worth checking before hitting the send button.

Ultimately if there are any concerns about the origin of an email, it’s best to call and check with the sender. This simple step will mitigate any risk of accidental loss of data or information.

How to prevent a spear-phishing attack?

Anti-spam goes some way to eliminating random phishing attacks. But this is not a single line of defense, especially when attacks become more sophisticated and targeted.

Gartner recommends three key steps:

  • Create and implement internal procedures for dealing with data and sensitive business information.
  • Adopt capabilities and technologies to detect suspected attacks
  • Upgrade your email gateway security and controls

Besides these elements, staff education remains essential to the protection of data and defense against phishing attacks.

What's the difference between spam and phishing?

Since the dawn of email, spam has been around - bulk junk mail from mass mailing lists that aim to fill up your inbox—companies gaining access to large email lists for individuals or organizations potentially interested in a product or service. Over time legislation, such as CAN-SPAM Act 2013 and the EU’s ePrivacy Directive, has put the brakes on, but Spam is still around to this very day.

While Spam is a nuisance, it’s normally fairly harmless, whereas phishing is directly trying to steal or compromise your sensitive business or personal information.

What's the difference between phishing and vishing?

Phishing and vishing have some distinct differences despite both being similar forms of cyber attacks. The main distinction is that phishing operates almost entirely via email, with attackers attempting to trick the individuals into clicking malicious links or responding with sensitive data via spoofed emails and impersonation. They are often praying on the human element and leveraging an organization's hierarchy.

Vishing attacks, however, take place via voice and verbal communication. This communication can come through phone calls and sometimes directly through desktops and laptops. Voicemails and messages are often used to prey on the target and generate a sense of urgency, masquerading as IT support or a supplier chasing an invoice in some cases.

One of the key defenses, as with most other phishing attacks, is education. Educated staff and employees aware of these forms of attacks will become vigilant and reduce the organization's risk.

See how Next DLP protects your employees and prevents data loss