0161 726 5997 Info@FoxSecurity.co.uk

What is phishing?

It’s a effort to glean sensitive information from a target, often for a malicious reason, such as to enable fraud or unauthorised systems access.  Usually the information that is sought contains passwords, or credit card details.  It’s carried out most often via email, where the malicious sender conceals their true identity and pretends to be a trustworthy individual .  It’s not limited to email though, and some other avenues of attack include websites or telephone calls.

The most common approach is to imitate a popular website, bank or IT administrator, and to either directly request the information, or to infect the recipients computer using either an email attachment which contains malware, or to direct them to a fake website which looks like an exact replica of the real thing.  When they enter their username and password into this spoof site, the details are immediately passed to the criminal, who can then use them to access the real website.

Password Reuse

If people use the same password on multiple websites, then the impact is greatly increased as the hacker may now be able to reuse these credentials across other internet sites.

How common is it?

It’s very common.  Much of it may be filtered out by your email’s junk mail service, but it’s highly likely that a certain percentage still manages to get through.  And this is just for home users.  In the corporate world, where higher values are at stake, there is much greater reason for hackers to try to compromise in this way.  The payoffs could be significant for a successful phishing expedition.

Why is it being done?

As technology progresses, it’s becoming more and more difficult to break through company defences from the outside.  Phishing allows much of this defence to be circumvented – rather than trying to force their way in, once they’ve successfully phished a victim it’s more like having a secret tunnel dug for them from the inside of the target to the outside world.  The tunnel may take a long time to be discovered, and even the victim may never know that they’ve been successfully targeted.  Once an attacker has an advantage like this, they can traverse through the network at their leisure, and further exploit any internal weaknesses to get what they’re after.

What is the impact?

The impact can be catastrophic.  This example shows a company who lost more than 46 million dollars through such an attack.  And they won’t be the last, simply because it’s so successful.  People want to help, and when a phishing email approaches a person asking for their help it’s much more likely to succeed.  The other approach is to use an element or urgency – claiming an account may be shut down if the user doesn’t verify their password immediately.  Again, the attack is pulling emotional strings to gain control over the victim.

What is Whale phishing?

This is an attempt to phish a big catch – such as a company’s CEO or Chief Financial Officer, as the possible gains can be so much greater.  If they manage to dupe a staff member at this level, they could possibly gain access to much larger sums, and this could lead to a much greater loss for the victim company.

How can it be prevented?

There are a number of clues to look out for, and these include:

  • Email address anomalies
    • Imagine you work from widgets.com.  The attacker may set up an email address from a similar-looking domain, such as w1dget.com, and send you an email pretending to be from your IT department, asking for your password so they can “fix your account”.
  • Requests  for information
    • Sometimes, the information requested might not seem suspicious, but when the hacker pieces it together with some other data gained through deception, it might add up to something significant.
  • Requests for assistance
    • They might contact your IT department claiming to be the CEO who needs his password resetting.  Once they have the newly reset password, they can log into the account.
  • Urgency
    • Sometimes they will try to deceive by adding an urgent tone to the communications – such as claiming your account will be disabled, or money will be lost if you don’t carry out X within a certain time period.
  • Seniority
    • By claiming to be from a senior position within your company, or as an auditor, they might be able to bully a staff member into an action that they would otherwise question.
  • Check links in emails
    • Hover your mouse button over any links you are urged to click on.  It will show the real address that the link takes you to.

In Summary

Always check the points above before taking any action send to you from an unknown source.  It could save not just your bacon, but prevent the entire company from being at risk.