Companies leveraging the remote working model deal with widespread device management challenges. Employees use multiple devices, including both personal and company-owned devices. This mixing of personal and work devices creates a significant attack surface for phishing attacks to propagate and wreak havoc, leading to an increase in phishing attacks. According to a recent IBM report, phishing has emerged as the top threat vector in recent times and is quickly becoming a scourge of the modern, post-pandemic workforce.

Let us dive deep into the treacherous world of phishing, get a thorough idea of how it works and what its goal is, glimpse through some common examples that can harm your organization and how Unitrends Unified BCDR deploys multiple layers of defense to combat phishing.

What is phishing?

Phishing is a type of cybercrime where a fraudulent email or other communication is made to appear coming from legitimate sources and lure victims into sharing their sensitive data. This includes personally identifiable information (PII), banking and credit card details, and passwords. Sometimes, targeted victims are also manipulated to download malware onto their systems. Successful phishing attacks lead to identity theft, data breaches, ransomware attacks, credit card fraud and huge financial losses.

What is the goal of phishing?

Phishing involves the art of deception and aims to lure targets into acting in a way that benefits the bad actors. This involves sending money, handing over a password, downloading malware or giving the bad actors sensitive data.

The cybercriminals masquerade as an individual or an organization the victim trusts (coworker, boss, an organization the victim deals with). They obtain information from the dark web and other sources to sound authentic, not to attract suspicion. Phishing messages are often crafted to create a sense of urgency, forcing the victim to act rashly. Hackers widely use such tactics since it’s easier and less expensive to trick people than to hack a system or network.

What type of attack is phishing?

Around 90% of all cyberattacks involve some form of social engineering. Phishing is the most prevalent form of social engineering. Here, human error and fear are exploited via malicious emails, attachments and links to collect credentials, spread malware or commit other nefarious acts. Attackers involved in such incidents are very opportunistic and crafty. They engineer their modus operandi in ever-evolving ways to bypass security implementations. That’s why the malicious emails involved in phishing campaigns look legitimate and are harder to detect.

When did phishing originate?

Phishing hasn’t been around forever. Although the method originated on America Online (AOL) sometime around 1995, it wasn’t a widely known threat until the early 2000s when early attacks against banks, payment systems and consumers emerged. Phishing by nation-state actors became prevalent in the years following. During this time, specialized software emerged on a global scale that could handle phishing payments. Organized crime gangs were quick to implement this software into phishing campaigns. The inception of Bitcoin and other cryptocurrencies in late 2008 was a game-changer since it allowed transactions leveraging the software to be secure and anonymous. By the 2010s, phishing was widespread and became the major threat we see today.

Why is it called phishing?

Phishing scams involve using spoofed emails or websites as lures to entice victims into sharing sensitive information voluntarily. As scammers are essentially fishing for information, the name “phishing” is used to describe the process.

There’s another good reason for using “ph” instead of “f” in the term’s spelling. Some of the earliest hackers were called phreaks as they were involved in an old type of telephone fraud called phreaking. Since the phreaks and hackers were closely linked, the “ph” spelling was used to denote the phishing scams involving these underground groups.

How does phishing work?

Billions of records containing information about people and organizations are available in the dark web markets and data dumps. Phishing scammers get specific data about their targets from these platforms, and based on the extracted information, they create powerful, tempting lures. One wrong move from the organization or its employees enables the scammers to enter an organization’s network and get hold of credentials.

The scary part — you don’t even need tech skills to run a phishing operation. Everything from plug-and-play “phishing kits” to outsourcing the operation to freelance operators is available for a price.

What do phishing emails try to get you to do?

There are two ways by which phishing emails carry out their dirty work. A phishing email might sometimes contain malicious attachments, which, when downloaded, install malware into the victim’s network. In other cases, the email can include a link to a website through which cybercriminals can steal credentials or trick victims into downloading malware.

Generally, most phishing attacks try to get one of the following things to happen:

Click a link

Convincing emails are sent to the victims, which lure them to click on the link attached. This triggers malicious downloads that gives cybercriminals access to the victims’ data and systems.

Go to a website

Even if the phishing email doesn’t contain any link, the CTA present can redirect victims to a malicious website designed to steal desired data like passwords. These compromised passwords provide a gateway for cybercriminals to the victims’ devices or business networks to steal information or deploy malware.

Download an attachment

Phishing emails can contain attachments that can trigger malicious downloads or deliver unwanted programs. Since these emails seem to come from legitimate and trusted sources, the victims don’t suspect foul play and fall prey to the carefully laid trap.

Provide confidential information

Cybercriminals can also use an embedded form within a malicious website to access information. This form asks users to enter their credentials, which can launch an account takeover (ATO) attack.

Communicate directly

Hackers can sometimes impersonate trusted colleagues, business executives or regular correspondents to trick victims into revealing sensitive information. They can carry out conversation hijacking and throw themselves into an already existing conversation.

Perform an action

Perpetrators can, at times, pose as an authority figure, like an executive at a victim’s company or a government official and ask the victims to provide access to a system or send money. A sense of urgency is created in such instances where ample time is not given to the victims to check the sender’s authenticity.

What are some indicators of phishing?

Successful phishing emails are difficult to distinguish from real ones. They cover their track well, even including corporate logos and other collected identifying data.

However, there are a few telltale signs to look out for:

Conveyed urgency and threats

A common tactic is invoking a sense of fear or urgency, asking the victims to act fast. Sometimes, scammers will tell the victims that their accounts will be suspended unless personal details are updated immediately. Reliable organizations would give ample time before terminating an account and never ask patrons to update their details over the internet.

Unusual sender and requests

When there’s no clear idea about the sender’s origin, it’s better to consider a bit before sharing any information or clicking any links in the email. This is also applicable to messages including a request to verify personal information.

Poor spelling and grammar

Another red flag involving phishing emails is the rampant use of spelling and grammatical errors. It’s always ideal to look for such errors when scrutinizing a fishy email.

Suspicious links and attachments

Phishing websites are designed to look like the real ones, but the URL will have some spelling errors. Hovering the cursor will show the URL preview, giving an idea about the site that will open upon clicking. It’s always better to check the authenticity of an email before clicking on the links or attached files. The only file format safe to click on is a .txt file.  

Clunky formatting and style

Another obvious indicator of a phishing email is an unusually formatted subject line. The subject line here would contain a word or phrase that doesn’t sound right. The message would seem unprofessional, having weird punctuation and capitalization. It might also include unfamiliar things like unusual colors, formats or fonts.

Too good to be true

A huge red flag is an offer that seems too good to be true. Cybercriminals use lucrative offers and eye-catching statements to lure victims. Offers of free iPhones, iPads or a trip to an exotic location cannot be given away for free — any mail claiming to offer something like that is bound to be fraudulent.

What are the different types of phishing?

Phishing consists of various layers of attacks, and cybercriminals continuously hone their skills in making the campaigns more sophisticated and harder to detect. As a result, new types of phishing scams are coming up. Here are some of the common forms of phishing found these days:

Email phishing

The most common phishing attack is when scammers create an email that looks to come from a trusted, legitimate source and sent in bulk to victims. The goal here is to dupe the users into clicking on these spam emails and get their personal information like bank details, credit card numbers, passwords or even deploy malware into their systems. The compromised information is used to steal money from the victims’ accounts.

Spear phishing

These are directed at specific individuals or companies. Prior research on the victim (victim’s name, position in the company and so on) is carried out before launching an attack. The attacker then sends malicious emails to the victim and entices him/her to share confidential data. These emails too are made to look like coming from trustworthy sources.

Whale phishing

A type of spear phishing that explicitly targets senior executives within an organization. The attack here often aims to steal a large sum of money. Emails invoking a sense of urgency are sent to the executives, so they don’t have time to think and fall prey to phishing.

Smishing

Also known as SMS phishing, it’s basically phishing using mobile or smartphone text messages. Like email phishing, SMS texts are sent to victims containing links to malicious websites or entice the victim to call a number. The victim is invited to share their personal information, with which the attacker carries out nefarious acts.

Vishing

Voice phishing or vishing is another form of phishing that occurs over voice-based media, including voice-over IP (VoIP). Attackers often use ID spoofing to make their call appear to come from a legitimate source or local phone numbers. These calls typically scare the victims with warnings of credit card issues, overdue payments or problems with the IRS. If responded to such calls, users could end up providing sensitive data or even give remote control of their computers to the scammers on the other side of the call.

Angler phishing

This is also termed social media phishing and involves attackers employing social media platforms to phish people. Scammers use social media platforms’ own messaging capabilities (Facebook Messenger, LinkedIn messaging or InMail, etc.) to carry out their plan of getting sensitive information. They also send phishing emails that appear to come from social networking sites, asking recipients to update login credentials or payment information.

Business email compromise (BEC)

It’s a spear phishing attack designed to trick employees into sending large amounts of money or valuable assets to the attackers. These emails appear to be sent from the highest-ranking members of the organization or high-level associates of the business (attorneys, key business partners or large vendors) and contain enough details to appear genuine.

Clone phishing

Here, the attackers copy emails previously sent from trusted sources and alter the information by adding a link redirecting to a malicious website. This technique is used by attackers who have gained control of another victim’s system. Using the control of this one system within an organization, emails would now be sent to other employees known to the victim.

Pop-up phishing

It involves fraudulent messages that pop up for users surfing the web. In many cases, cybercriminals infect legitimate websites with malicious code so that these pop-up messages, often alluring ones, appear when people visit them. When clicked, they prompt visitors to download tools to fix the issue. In this way, visitors are tricked into sharing payment details or giving access to their computers.

How can phishing be prevented?

Although phishing is the most prevalent type of cyberattack out there, it can be defeated. Proper tools and precautions can help ward off phishing attacks before they hit employees’ inboxes.

Some of the most common security measures are discussed below:

Security awareness training

Employees are the first line of defense against any cyberthreats. As phishing scams exploit human emotions, there’s a need for continuous security awareness training. Employees must be trained to recognize phishing attacks to avoid clicking on malicious links. An affordable one-stop security and compliance training make the training module engaging and convenient for users.

Traditional email security solutions

There might be security issues when emails are constantly filled with phishing attacks. Then the onus is on the organization and its in-house IT security team to check the issue and enhance the layer of security.

Secure email gateway

Security layers like firewalls should regularly be updated and the latest patches must be installed. Organizations should continually monitor the status of all software and equipment.

Anti-phishing software

Organizations can use multiple tools to manage and mitigate phishing threats, like antivirus, antimalware and anti-phishing software. Choosing an automated, affordable and simple anti-phishing software can help organizations stop phishing emails in their tracks.

Backup and recovery

Phishing attacks can strike anytime. So, it’s always better to have data backed up as it minimizes the damage in the event of a phishing attack. Backup and recovery — a significant part of an organization’s business continuity strategy — is the ultimate defense that helps an organization recover from a cybersecurity incident and continue its operation in no time.

Protect your data from phishing with Unitrends

Organizations are opting for a defense-in-depth (layered defense) approach to combat today’s advanced phishing attacks. So, multiple layers of comprehensive security are needed to safeguard data from attacks.

Spanning Backup — our cloud-native protection for SaaS applications — is a key player in combating phishing threats with three layers of protection. Automated phishing defense deploys patented AI technology to defend company inboxes from threats like spear phishing, BEC, ATO, identity spoofing, malware and ransomware. Integrated dark web monitoring provides alerts on compromised or stolen credentials directly from the Spanning UI. Spanning’s advanced search capabilities can easily and seamlessly restore lost, corrupted or deleted data.

To get data protection no matter where it resides — on-premises, on remote endpoints, or within the cloud and SaaS applications — Unitrends Unified BCDR is the ideal solution. It comes with security integrations coupled with backup and recovery capabilities to help organizations minimize the possibilities of data loss. Request a demo today to see how Unitrends can provide best-in-class phishing defense.

About Adam Marget

Adam is a Technical Specialist on the Unitrends marketing team supporting digital and in-market events. Over the last 4 years with Unitrends, he has been delighted at the opportunity to work with customers, prospects, and partners alike to help solve challenges around data protection and business continuity. Adam joined Unitrends in 2016, bringing with him experience working with variety of manufacturers’ technology from edge to core as a coworker from national IT solutions provider CDW.