To promote awareness in this CyberSecurity Awareness Month, we at Technoxi believe each employee, individual, and organization must work “Together” to keep cyber-attacks at bay.
In a world where every other organization suffers from a security incident, phishing attacks pose a security concern for organizations with an attack rate of more than 80%. This makes phishing one of the most effective avenues of attack for cybercriminals. One major factor is how sophisticated these attacks have become. Attackers now use techniques that trick employees into compromising sensitive data or downloading malicious attachments.
Let’s see what Phishing is
Imagine for a moment that we’re a fisherman. To make a living, we catch fish by putting food on a hook and offering it as bait; the fish takes the bait and becomes the fisherman’s victim.
Similarly, replace the fisherman with a bad actor, the fish with the end user, and the food with something that lures end users, such as “your bank account has been credited with the xxx amount. Claim now!”.
So a phishing attack is the act of sending an email to a victim with the malicious intent of obtaining sensitive information, getting them to download a malicious file, and so on.
Now, when this malicious file is opened on the end user’s system it starts acting on that system, for example encrypting all the files on it and asking the end user to pay a certain amount of ransom, or it may give the attacker complete control of the system.
Looking at the Threat Landscape
Nowadays, phishing attempts to trap end users, employees, or individuals have become common. Attackers always try to gather information about a specific employee of an organization in order to make them their victim with these phishing emails. Phishing attacks seem to be getting more frequent in 2022: in the first quarter of 2022, the Anti-Phishing Working Group observed 1,025,968 total phishing attacks, the first quarter ever to exceed one million and the worst on record.
More than 90% of all cyber-attacks begin with phishing. (Source: Deloitte)
We know what phishing attacks are, but let’s learn the mechanics of Phishing Attacks, how they work, and how the attacker hooks the victim.
Phishing attacks start with an attacker gathering information about an employee of an organization; they are trying to find a way into that organization. After gathering enough information about the employee, they craft an email that looks legitimate and convincing enough, containing a malicious link or executable unknown to the user, so that the user opens it. That employee will then either be taken to a website controlled by the attacker or download the malicious attachment, both of which lead to serious consequences, as explained below.
Real-World Phishing Attack Example 1
- Here, an attacker sends an email containing a malicious link, unknown to the end user.
- The end user clicks on the link and is redirected to a website controlled by the attacker that has login functionality and looks like a real website, such as your banking or ecommerce site. The end user enters credentials in the login area.
- Since the website is controlled by the attacker, the end user’s credentials are visible to the attacker as plain text.
- Now that bad actors have your username and password, they can obtain access to all the sites you generally visit, with malicious consequences.
Let’s talk about the impact of this attack — suppose a user uses PayPal for their transactions, and the attacker gets to know that the user uses PayPal. The attacker will then try to send a link that takes the user to a fake PayPal login page that the attacker created. The user logs in to that page, leaking the credentials. Then the attacker uses these credentials to log in to the victim’s PayPal account and starts transferring money to their own bank account. This incident makes the end user a party to financial fraud. Not only is there a monetary loss, but your private personal data may be stolen and used in other fraudulent activities.
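A defender-side check for the lure mechanics described above, as an added example that is not from the original post: it parses an HTML email body and flags links whose visible text points at one domain while the href goes elsewhere, or whose host contains a brand name (PayPal here) without being the brand’s real domain. The brand map, the two-label domain heuristic and the sample email are constructed assumptions, not data from the post.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
PROTECTED_BRANDS = {"paypal": "paypal.com"}  # constructed brand -> real domain map

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Naive registrable domain = last two labels (assumption: no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def find_suspicious_links(html_body):
    """Return (href, reason) pairs for links that look like credential-phishing lures."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        dom = registered_domain(host)
        # Lure 1: the visible text shows one site, the href goes somewhere else.
        shown = re.search(r"https?://([\w.-]+)", text)
        if shown and registered_domain(shown.group(1)) != dom:
            findings.append((href, "display/href domain mismatch"))
            continue
        # Lure 2: a brand name inside the host, but not the brand's real domain.
        for brand, real in PROTECTED_BRANDS.items():
            if brand in host and dom != real:
                findings.append((href, f"lookalike of {real}"))
                break
    return findings

# Constructed sample body in the style of the "problem with your account" lure.
SAMPLE_EMAIL = ('<p>Problem with your account, please <a href="http://paypal-secure-login'
                '.example.net/verify">click here</a>.</p><p>Or visit <a href="http://198.51.100.7/pp">'
                'https://www.paypal.com/signin</a> or <a href="https://www.paypal.com/help">help</a></p>')
```

Run over SAMPLE_EMAIL it reports the two lure links and leaves the genuine PayPal help link alone; a production filter would swap the two-label heuristic for a public-suffix list.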
Read more about The 5 Most Expensive Phishing Scams of all Time.
Real-World Phishing Attack Example 2
- An attacker sends an email containing a malicious attachment, without the end user’s knowledge.
- The end user opens the attachment by executing it on their workstation.
- Since the end user has no knowledge of what is inside the attachment, say ransomware, it starts encrypting all the files on the system when executed.
The impact — after encrypting all files, the end user is told to pay some amount (the amount can vary) before a deadline set by the attacker. If the user refuses to pay or doesn’t pay before the deadline, all of their encrypted files are deleted forever. Furthermore, if a hospital or any public service is attacked by ransomware, it can cripple crucial services.
Read more about Ransomware.
Common Examples of Phishing Emails
You can check the Spam folder in your Gmail or Outlook application, and you will see plenty of emails that are either scams or malicious.
Let’s look at a phishing email that uses the fake invoice technique. This scam tactic relies on creating a sense of urgency and fear in the end user to make them click on the mentioned link or open the attachment.
Here, the sender creates a sense of urgency and pressures the end user to view the bill by clicking on the link, and a PDF version of the bill is attached, which they are told to open.
Another common theme of phishing emails revolves around PayPal. With around 200 million users, PayPal is an incredibly lucrative target for cyber-criminals. These emails generally include the PayPal logo along with a body text. The scam tries to push its victims into panic mode, often with a “There’s a problem with your account, please click here to fix it” kind of message.
Recent Uber Hack
Everyone was talking about how Uber got hacked, right? But the fundamental starting point was a phishing attack, in which an employee leaked their ID and password, letting the attacker into the company’s environment. From there, the attacker gained access to other areas of the company as well. It is not certain whether the attacker gained access to sensitive user information such as credit card numbers, bank account information, trip history, etc.
The mistakes made by the employee that devastated the company were leaking the credentials and accepting the verification request (MFA) triggered by the attacker.
And this is not just about the Uber hack: whenever an employee leaks credentials, it can devastate the company, as it can let the attackers totally own the company’s systems and network, or lead to the kind of data breach we hear about in the news.
Educating End-Users about Phishing
There are some easy ways to play your part in cybersecurity while staying aware of phishing attacks:
- Don’t open any attachments. Never open any attachment unless you know it is legitimate. Confirm it with the real person before opening it.
- Limit sharing too much information. Never reveal information when working because that could reveal too much about you and your company.
- Never click on suspicious links. Maintain a healthy habit of never clicking on a suspicious link. If you don’t know if the link is suspicious or not, confirm it with the legitimate party.
- Phishing emails can appear legitimate. Attackers can masquerade as a senior employee, a manager, or a CEO to send emails to junior employees. Confirm identities before taking action.
- Enable MFA. Always ensure that Multi-Factor Authentication is enabled. MFA is an authentication method that grants a user access to something only after they have proved that “they are who they say they are”.
There’s a lesson to be learned there on how to really do cybersecurity awareness — it’s about ensuring that your employees are aware of the threats that are out there and that they’re being protected from them. Scaring people into being aware about cybersecurity issues for one month a year isn’t going to work — but providing guidance and advice all year round will improve cybersecurity for everyone.
Reference Sources:
- https://www.proofpoint.com/us/threat-reference/ransomware
- https://www.egress.com/blog/phishing/phishing-statistics-round-up
- https://blog.usecure.io/the-top-phishing-statistics-to-know-in-2022
- https://www.cm-alliance.com/cybersecurity-blog/how-will-a-ransomware-attack-affect-your-business
- https://www.digintrude.com/malwares-and-its-impact-on-business.html
- https://blog.usecure.io/the-most-common-examples-of-a-phishing-email
- https://www.cisco.com/c/en_in/products/security/advanced-malware-protection/what-is-malware.html
- https://www.it.ucsb.edu/news/cybersecurity-awareness-month-phishing
- https://www.wired.com/story/uber-hack-mfa-phishing/
- https://thenewstack.io/uber-hack-its-the-simple-things-that-kill-your-security/