
Understanding the art of phishing

(Image credit: wk1003mike / Shutterstock)

Using cyber-attacks to steal sensitive information from businesses is nothing new. In fact, building and updating defences against data breaches is a standard requirement for IT departments around the world. However, as the methods of cyber criminals grow more sophisticated and persistent, the number of businesses being targeted is on the rise, with three-quarters of organisations hit by phishing attacks in 2017.

This form of data theft can be financially disastrous for businesses and their customers. Research by Accenture found that a successful cyber-attack costs businesses an average of $2.4 million and takes around 50 days to resolve. In an environment where regulation such as GDPR is intent upon strengthening the protection of personal data, it is therefore vital that businesses protect against these threats.

What is phishing?

One of the biggest challenges facing businesses in their fight against cyber threats is the breadth of phishing scams used. But if there is one common denominator that binds all phishing attacks, it is the lengths that scammers will go to disguise their true intentions.

One of the most common forms of phishing is sending emails that purport to be from a reputable site. It may be one of the oldest methods, dating back to the 1990s, but the fact that it remains one of the most widespread phishing tactics is testament to how effective it can be.

The goal is to trick the recipient into believing the email is genuine, with the intention of getting the target to either download malware, which breaches the system, or worryingly, hand over personal information - often a username or password the scammer can then use to access other data.

While improvements in antivirus technology and filtering have helped to combat the threat of malicious attachments, the same cannot be said for the email message itself: a convincing pretext and a link carry no malware for a scanner to catch. Phishers can easily identify their targets, often through information published online and on social networking sites, and send emails that appear to come from co-workers, suppliers, clients and other trusted sources.

The growing popularity of this form of ‘spear phishing’ is alarming for businesses, as the only obstacle standing between phishers and the information they want is generally the employee. No matter how advanced a company’s security measures are, they remain vulnerable if their human defences are not adequately aware of the risks.

However, businesses must not be fooled into thinking that phishing tactics are reserved for online channels only. Phone calls from unknown contacts asking for company details are another method used by criminals and should raise red flags. The intention of this type of phishing is to get beneath the skin of the business, build a picture of how it operates and learn what processes are in place. With that knowledge, scammers are better able to infiltrate a company's systems and access vital information.

Even something as simple as a company website can prove to be a source of useful information for phishers. Access to certain details about the business can allow them to better impersonate potential colleagues and business contacts, making it easier to dupe their intended victims.

Yet, regardless of what form it takes, the end result of phishing is always the same: phishers use the details they collect to reach confidential data, which can compromise a business's entire system and threaten its reputation.

Two sides to the technology coin

As with everything related to IT, innovation is the name of the game. The speed and ease of modern day technology brings with it many benefits to businesses, including stronger defences and more sophisticated software. Unfortunately, scammers are equally quick to leverage developments in technology to drive their criminal activities, making their attacks even harder for businesses to detect.

An example of this is steganography – hiding one thing, such as a file or an image, inside another perfectly innocent-looking file – an old technique which is still in use. This 'hiding in plain sight' is hugely problematic for businesses, as the carrier file looks and behaves exactly like a legitimate one, which makes spotting it extremely difficult.

In today’s digital world, where employees think nothing of circulating internal emails, photos or memes, steganography can be relatively simple for scammers to use and create an opening in what may otherwise be a robust defence system. In short, providing the perfect backdoor into the business.
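To make the 'hiding in plain sight' point concrete, here is an added example (not code from the original article) of the simplest form of steganography: writing a secret into the least-significant bit of each byte of a cover file. The cover bytes are a constructed stand-in for raw pixel data; the payload is a constructed string. Every cover byte changes by at most one, which is why the carrier is indistinguishable to the eye and to a scanner that only looks at file type or headers.

```python
"""Added example: least-significant-bit (LSB) steganography over a constructed
cover file. Not code from the original article."""
from typing import Iterable


def _bits(data: bytes) -> Iterable[int]:
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, secret: bytes) -> bytes:
    """Hide `secret` in the LSB of successive cover bytes.

    A 4-byte big-endian length header is written first so the extractor
    knows where the payload ends.
    """
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        out[i] = (out[i] & 0xFE) | bit   # clear LSB, then set it to the payload bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the hidden payload written by `embed`."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        result = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[start_bit + b * 8 + k] & 1)
            result.append(value)
        return bytes(result)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_byte_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte difference between two equal-length buffers."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed cover: 4096 bytes standing in for a raw RGB pixel buffer.
COVER = bytes((i * 37) % 256 for i in range(4096))
# Constructed payload; in a real attack this would be a script or a config blob.
SECRET = b"hidden payload"

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print("recovered:", extract(stego))
    print("largest change to any cover byte:", max_byte_delta(COVER, stego))
```

The file size does not change and no byte moves by more than one, so the only way to catch this kind of carrier is statistical analysis of the bit planes or a policy that re-encodes inbound images, which is exactly why the article's point about it being hard to spot holds.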

Phishing tactics have also adapted to meet the changing dynamics of businesses. An increase in remote working prompted the emergence of a technique known colloquially as 'Evil Twins.' Scammers set up fake wireless networks that mimic the legitimate public networks found in communal spaces such as cafes, airports and hotels. Whenever an employee connects to the false network, fraudsters have the opportunity to steal passwords and other useful data.

The additional issue facing businesses with 'Evil Twins' is that users will have no idea their data has been exposed until it is too late. To the employee on the false network, everything appears normal: the twin simply forwards traffic to the real internet, while the fraudster sits in the middle and can read anything sent unencrypted, see which sites are visited and present fake login pages. Properly verified HTTPS connections still protect their contents, which is why these attacks often lean on a spoofed captive-portal login page or on users clicking through certificate warnings.
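As an added example (not part of the original article), the check below flags evil-twin candidates in a set of Wi-Fi scan results. The scan records and the allow-list of known access points are constructed for illustration; real input would come from the platform's scanner. The test data deliberately includes a legitimate multi-access-point network, since two beacons sharing an SSID is normal and should not on its own raise an alarm.

```python
"""Added example: flag 'evil twin' candidates in Wi-Fi scan results.
Not code from the original article; all data below is constructed."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed scan records standing in for one beacon each: network name (SSID),
# access point hardware address (BSSID), security type and signal strength.
SCAN = [
    {"ssid": "Cafe_Guest",  "bssid": "a4:2b:8c:11:22:33", "security": "WPA2", "signal_dbm": -62},
    {"ssid": "Cafe_Guest",  "bssid": "de:ad:be:ef:00:01", "security": "OPEN", "signal_dbm": -38},
    {"ssid": "Hotel_Lobby", "bssid": "00:11:22:33:44:55", "security": "WPA2", "signal_dbm": -70},
    {"ssid": "Hotel_Lobby", "bssid": "00:11:22:33:44:56", "security": "WPA2", "signal_dbm": -72},
]

# Assumed allow-list: BSSIDs previously seen (and trusted) for a given SSID.
KNOWN_APS: Dict[str, Set[str]] = {
    "Cafe_Guest": {"a4:2b:8c:11:22:33"},
}

Finding = Tuple[str, str, List[str]]   # (ssid, bssid, reasons)


def find_evil_twins(records: List[dict],
                    known: Optional[Dict[str, Set[str]]] = None) -> List[Finding]:
    """Return access points that look like impostors of a network in the same scan.

    Two heuristics are applied per SSID:
      * an OPEN beacon advertising the same name as an encrypted one, which is how
        a twin lures clients that have the real network saved;
      * a BSSID that is not in the allow-list for a name we have an allow-list for.
    A name carried by several encrypted access points with no allow-list entry is
    treated as an ordinary multi-AP deployment and is not flagged.
    """
    known = known or {}
    by_ssid: Dict[str, List[dict]] = defaultdict(list)
    for rec in records:
        by_ssid[rec["ssid"]].append(rec)

    findings: List[Finding] = []
    for ssid, aps in by_ssid.items():
        securities = {ap["security"] for ap in aps}
        for ap in aps:
            reasons = []
            if len(securities) > 1 and ap["security"] == "OPEN":
                reasons.append("open network shares its SSID with an encrypted one")
            if ssid in known and ap["bssid"] not in known[ssid]:
                reasons.append("BSSID not in the allow-list for this SSID")
            if reasons:
                findings.append((ssid, ap["bssid"], reasons))
    return findings


if __name__ == "__main__":
    for ssid, bssid, reasons in find_evil_twins(SCAN, KNOWN_APS):
        print(f"{ssid} via {bssid}: " + "; ".join(reasons))
```

The strongest-signal beacon in the sample is the open impostor, which is typical: a twin placed close to its victims wins the client's preference without the user seeing anything odd. For laptops that leave the office, the practical controls are the ones the article goes on to describe (avoid public networks, or route everything through a VPN whose certificate is pinned), because a client cannot reliably tell two beacons apart by name alone.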

High-value targets

One of the biggest mistakes a business can make is believing phishing attacks will only affect frontline staff. A surge in 'whale-phishing' shows that cyber-attacks are a company-wide issue and should be dealt with as such. Whaling, whereby scammers target senior, prominent members of staff, has become a go-to tactic for accessing sensitive data. In much the same way spear phishing works, scammers will often spoof or compromise the email addresses of figures in authority.

What makes these attacks difficult to detect, and thus a concern for businesses, is their highly personalised nature. Cyber criminals will invest a lot of time and effort into identifying key targets and constructing a convincing attack. Often, scammers will hope that senior figures, who are typically older or, in the case of board members, based outside the company, will be less familiar with cyber threats.

Attempting to infiltrate the top level within a business is a bold move, but it can have a surprisingly high pay off. If successful, it can provide scammers with direct access to valuable information. This does not necessarily have to be about data; targeting influential individuals may provide information on future business plans or acquisitions that could be used for insider trading.

Not surprisingly, many companies from a wide range of sectors have fallen victim to this tactic. Toy maker Mattel was tricked into wiring $3 million to a fraudster's account in a 2015 CEO fraud scam (the money was later recovered), while tech firm Ubiquiti disclosed that it suffered a $46.7 million hit as a result of a similar scam.

Education is key

The prevalence of phishing attacks begs the question – what can businesses do to protect themselves against potential threats? While the different tactics used by phishers can make for sobering reading, what is clear is that employees have become the frontline of cyber security. Reducing their vulnerability to attack is critical – and this requires education.

Unfortunately, with the majority of people now understanding what phishing means, employees can often feel overconfident in their ability to identify an actual phishing attack.

For example, most employees recognise that numerous spelling mistakes, strange formatting or an aggressive tone could suggest a phishing attack.

However, they may still be fooled by a false sender name, as they may instinctively react when they see the name of a particular sender, without investigating further. Equally, requests by phishers may appear innocent, from requesting an update on certain activity or requesting confirmation of details.

Businesses need to make sure they educate their staff, from senior members all the way down to junior levels, about the effects of phishing and how to spot an attack. This includes regular training and testing of employees on the more typical characteristics of phishing attacks. It needs to be second nature to double-check the domain name of the sender, question unsolicited requests and attachments, and recognise false hyperlinks.
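The checks the two paragraphs above ask staff to perform by eye (is the sender really who the display name says, does the link go where its text claims) can also be automated as a first pass before a message reaches an inbox. The script below is an added example, not code from the original article. The sample message, the organisation's domain `example-corp.com` and the look-alike sender domain are all constructed; the digit-for-letter substitution table is a deliberately small illustration of how a look-alike domain can be normalised for comparison.

```python
"""Added example: header and link checks for a suspected phishing email.
Not code from the original article; the sample message is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example-corp.com"   # assumed: the organisation's own mail domain

# Constructed sample modelled on the tactics the article describes: a trusted
# display name, a look-alike sender domain, a Reply-To pointing elsewhere, and
# a link whose visible text does not match its real destination.
SAMPLE = """\
From: "Jane Smith (CEO)" <jane.smith@examp1e-corp.com>
Reply-To: ceo.urgent@mail-relay.example
To: finance@example-corp.com
Subject: Quick favour
Content-Type: text/html; charset=utf-8

<p>Please confirm the supplier details at
<a href="http://example-corp.com.login-verify.example/">https://intranet.example-corp.com/confirm</a></p>
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Minimal digit-for-letter swaps (0->o, 1->l, 3->e, 5->s) used to spot look-alikes.
HOMOGLYPHS = str.maketrans("0135", "oles")


def registered_domain(host: str) -> str:
    """Last two labels of a hostname; sufficient for the .com/.example names used here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def domain_of(address_header: str) -> str:
    """Domain part of the address in a From/Reply-To header, ignoring the display name."""
    return parseaddr(address_header)[1].rpartition("@")[2].lower()


def looks_like(candidate: str, target: str) -> bool:
    """True when `candidate` is not `target` but matches it after homoglyph normalisation."""
    return candidate != target and candidate.translate(HOMOGLYPHS) == target


def check_message(raw: str, org_domain: str = ORG_DOMAIN) -> list:
    """Return human-readable findings for the three checks the article recommends."""
    msg = message_from_string(raw)
    findings = []

    from_domain = domain_of(msg.get("From", ""))
    if looks_like(from_domain, org_domain):
        findings.append(f"lookalike-sender: {from_domain} resembles {org_domain}")

    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to-mismatch: replies go to {reply_domain}, not {from_domain}")

    body = msg.get_payload()
    for href, text in LINK_RE.findall(body):
        shown = text.strip()
        if shown.startswith(("http://", "https://")):
            shown_host = urlparse(shown).hostname or ""
            real_host = urlparse(href).hostname or ""
            if registered_domain(shown_host) != registered_domain(real_host):
                findings.append(f"link-mismatch: text shows {shown_host} but points to {real_host}")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

None of these checks needs the message to contain malware, which is the gap in attachment-only filtering described earlier; equally, none of them is conclusive on its own (a legitimate newsletter may set a Reply-To on another domain), so the output is best treated as a warning banner for the recipient rather than a reason to drop the mail silently.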

When it comes to the more challenging phishing tactics used, businesses should implement a clear set of criteria for staff to follow. This includes understanding the importance of avoiding public networks, keeping an eye on the sender of internal emails, and checking whether certain data may be shared at all. This type of double-checking needs to be ingrained in every member of staff to be truly effective.

On top of this, it is key that management buy in to all the defence practices in place. They are not exempt from responsibility for the security of the business, so it is important that efforts to tackle the issue are company-wide. Not only should senior management be educated on how to identify and respond to potential phishing attacks, they also need to show engagement with these practices to ensure the wider business follows suit.

The role of IT is no longer confined to one specific department, especially when it comes to tackling cyber threats. Ensuring all employees are trained, tested regularly, use good cyber security behaviours and report any suspicions is crucial if businesses want to succeed in repelling phishing attacks.

Robert Rutherford, CEO, QuoStar

Robert Rutherford is chief executive officer of QuoStar, a consultancy specialising in business technology. Founded in 2005, it offers business improvement and technical consulting, outsourcing and cloud services.