The Evolution of Phishing: Understanding Modern Threats
Chapter 1: The Persistent Threat of Phishing
Despite our growing awareness, phishing remains one of the most effective attack techniques in use today. Most people will no longer fall for a lottery-win scam, but phishing tactics have advanced considerably since the first attacks in 1995.
According to Valimail, an email security firm, roughly three billion spoofed emails are sent every day, nearly 1% of all email traffic. The financial damage is severe: the 2020 Official Annual Cybercrime Report by Cybersecurity Ventures projects global cybercrime losses rising from $3 trillion in 2015 to $6 trillion by 2021.
What Exactly is Phishing?
The term "phishing" is derived from "fishing," symbolizing the act of luring victims into revealing sensitive information. RFC 4949 (Internet Security Glossary, Version 2) defines phishing as:
A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a web site, in which the perpetrator masquerades as a legitimate business or reputable person.
For instance, phishing emails often feature enticing subject lines like "Win a New iPhone!" or "Important Security Alert." They may include legitimate-looking company logos and contact details to appear credible. Another common strategy is to disguise the email as a personal message from a known acquaintance, making it more likely for the recipient to engage. Ultimately, the goal is to "hook" the victim, similar to traditional fishing, where only a small number of individuals need to bite the bait.
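The indicators described above (a familiar display name on a foreign address, a lookalike domain, urgency in the subject line, a link whose visible text differs from its real target) and the spoofing statistic earlier in the article can all be checked mechanically. The script below is an added example, not code from the original article or from Valimail; it triages a raw email with the Python standard library against a constructed address book and two constructed sample messages. The domains, names and thresholds are hypothetical, and the homoglyph table covers only a few digit-for-letter substitutions.

```python
"""Heuristic phishing triage for a raw RFC 822 message (added example, not from the article)."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: impersonates a known contact on a lookalike domain, fails
# SPF/DMARC, uses an urgent subject and hides the real link target behind a trusted-looking URL.
SAMPLE_PHISH = """\
From: "Alice Example" <alice@examp1e.com>
To: bob@example.com
Subject: URGENT: verify your account immediately
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account will be suspended. <a href="http://login.examp1e.com/verify">https://www.example-bank.com/login</a></p>
</body></html>
"""

# Constructed sample: the same contact on her real domain, authenticated, no lure.
SAMPLE_LEGIT = """\
From: "Alice Example" <alice@example.com>
To: bob@example.com
Subject: Lunch on Thursday?
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset=utf-8

Still on for Thursday?
"""

# Hypothetical address book: lower-cased display name -> domain that person really uses.
KNOWN_CONTACTS = {"alice example": "example.com"}
# Hypothetical domains the organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}
# Words typical of phishing lures in subject lines.
URGENCY_WORDS = {"urgent", "immediately", "suspended", "verify", "password", "win"}
# Digit/symbol substitutions attackers use to build lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(domain: str) -> str:
    """Fold common substitutions so examp1e.com compares equal to example.com."""
    return domain.lower().translate(HOMOGLYPHS)


def registered_domain(host: str) -> str:
    """Crude 'last two labels' registrable domain; good enough for this example."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw: str) -> list[str]:
    """Return a list of human-readable phishing indicators found in the message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""

    # 1. Display-name impersonation: a known contact's name, but mail from another domain.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and sender_domain != expected:
        findings.append(f"display name '{name}' is known on {expected} but mail is from {sender_domain}")

    # 2. Lookalike domain: not trusted as-is, but equal to a trusted domain after homoglyph folding.
    if sender_domain not in TRUSTED_DOMAINS and normalise(sender_domain) in TRUSTED_DOMAINS:
        findings.append(f"sender domain {sender_domain} looks like {normalise(sender_domain)}")

    # 3. Authentication results: SPF/DKIM/DMARC verdicts other than pass/none indicate spoofing.
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() not in ("pass", "none"):
            findings.append(f"{mech}={m.group(1)}")

    # 4. Urgency or lure words in the subject line.
    subject_words = set(re.findall(r"[a-z]+", str(msg.get("Subject", "")).lower()))
    hits = sorted(subject_words & URGENCY_WORDS)
    if hits:
        findings.append("lure words in subject: " + ", ".join(hits))

    # 5. Link text that shows one domain while the href points to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, anchor in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', text, flags=re.I | re.S):
        href_host = urlparse(href).hostname or ""
        shown = re.search(r"https?://([^/\s<]+)", anchor)
        if shown and registered_domain(shown.group(1)) != registered_domain(href_host):
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(sample) or ["no indicators"])
```

None of these checks is conclusive on its own: a legitimate newsletter can use urgent wording, and a misconfigured sender can fail SPF. The value of the script is that the constructed phish trips all five categories at once while the genuine message trips none, which is the kind of signal a mail gateway or SOC playbook would score rather than act on individually.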
What Contributes to the Success of Phishing?
While many individuals can identify phishing attempts, scammers are continually refining their tactics to exploit our vulnerabilities. Unfortunately, by the time we recognize a phishing scheme, it may already be too late for some.
1. Human Vulnerability in Cybersecurity
Social engineering plays a pivotal role in phishing attacks, manipulating psychological tendencies to gain access to sensitive information or financial resources. Phishing emails are a common method hackers use to execute social engineering.
NIST SP 800-63-3, Digital Identity Guidelines, defines social engineering as:
The act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust.
A psychological weakness cannot be patched with a software update or blocked by a firewall, and that lack of a technical fix is what makes phishing such an attractive avenue for cybercriminals.
2. Remote Work and BYOD Challenges
The ongoing COVID-19 pandemic has normalized remote work and the use of personal devices for professional tasks (BYOD). This shift can expose corporate networks to threats if cybercriminals compromise an employee's personal device.
Remote workers also have less direct contact with IT security teams, so a suspicious email is more easily overlooked and less likely to be reported than it would be in the office.
3. Lower Barriers to Entry for Cybercriminals
The proliferation of user-friendly hacking tools has lowered the entry threshold for aspiring cybercriminals. Phishing kits are widely available and affordable, enabling amateurs to engage in cybercrime.
The accessibility of these tools, together with the rise of ransomware-as-a-service (RaaS), where ready-made ransomware is rented to affiliates who commonly deliver it through phishing, has led to a surge in attacks from less experienced perpetrators.
Special Types of Phishing
To enhance awareness, let's explore several emerging forms of phishing.
Advanced Malware Phishing
Proofpoint researchers identified a new variant of the Buer malware loader delivered in emails disguised as DHL shipping notifications. The campaign targeted over 200 organizations across various sectors. The phishing email led to a malicious Word or Excel document whose macros installed the loader. Notably, this variant was rewritten in Rust: a loader rebuilt in a new language differs enough in its binary and behaviour that detections tuned for the original C version can miss it.
Spear Phishing
Unlike conventional phishing that targets a broad audience, spear phishing focuses on specific individuals or organizations, crafting emails tailored to the victim. This targeted approach often involves documents with malware or links aimed at stealing sensitive information or compromising payment systems.
QRishing
Combining "QR Codes" and "Phishing," QRishing exploits the growing use of QR codes, especially during the pandemic. Attackers may send fake emails urging recipients to scan a QR code to access services, which actually leads to malware-laden websites.
Kaspersky reported an incident in which clients of several Dutch banks received a fraudulent email asking them to "unlock" mobile banking by scanning a QR code, which led them to a malicious site.
Smishing
Smishing, a blend of "phishing" and "SMS," involves phishing attempts sent via text messages. The rise in online shopping during the pandemic has made smishing more prevalent, with common themes including missed deliveries and urgent notifications.
Vishing
Vishing, or voice phishing, involves scammers using phone calls to extract personal information. Attackers often impersonate government officials or bank representatives, employing fear tactics to coerce victims into compliance.
Final Thoughts: How to Defend Against Phishing
It is crucial to understand that while phishing can never be entirely eliminated, companies can implement various anti-phishing measures. Staying informed about contemporary phishing tactics is essential for developing effective security policies.
Education plays a vital role; employees must understand the risks of opening unexpected emails or clicking unknown links. Comprehensive training programs should illustrate the characteristics of legitimate and fraudulent emails, so that users can verify authenticity themselves rather than rely on appearance alone.
To gauge the effectiveness of this training, organizations can conduct phishing simulations to assess employee readiness in handling real attacks.
In the unfortunate event of a successful phishing attempt, take the following steps:
- Notify your IT department immediately.
- Change the passwords of the affected accounts and enable multi-factor authentication where it is available.
- Avoid using the same password across multiple accounts.
- Monitor the affected accounts closely for 30 days.
For further insights, NIST has developed the Phish Scale, a method for rating how difficult a phishing email is to detect and for analysing why users fall for it.
Thank you for your attention. Stay vigilant and may cybersecurity be with you! 🖖
This video deconstructs sophisticated phishing attack techniques, providing insights into how these attacks are executed and how to defend against them.
In this video, the presenter demonstrates how easy it is to carry out phishing attacks and shares valuable tips for improving your security awareness.