Like your classic con man, an email phishing attack can wear any number of faces. No matter if you’re a small, mid-size or large company, phishing protection is increasingly critical as cybercriminals grow smarter and smarter.
While anti-phishing software like Cloudphish and other email security solutions will greatly reduce the risk of a phishing attack, phishing protection is a multi-pronged, team effort. It’s more important than ever that employees understand the nature of the particular threats, and what a phishing email may look like should it land in their inbox.
Let’s look at three of the major types of phishing attacks and the signs that should raise a red flag.
Employee Impersonation Attacks
Although many of these emails look crude or obvious on close inspection, 97% of people cannot correctly identify a phishing email. Email phishing attacks work by playing a numbers game: send a malicious email to a couple of thousand employees, and a handful of them falling for it is all it takes to land one big phish.
A hacker registers an email domain that closely resembles the one used by the target organization or a trusted third party, then uses it to win the trust of, and gain access through, an unsuspecting employee.
Consider a fictional company we'll call Made Films. It owns madefilms.com, and several thousand employees send and receive mail under that domain.
To achieve a passing resemblance, a clever hacker might use any of several homoglyphs: characters that, alone or in combination with another, closely resemble a character in the target company's domain.
For instance, at a glance the lowercase letters r and n together resemble a lowercase m: rnadefilms.com.
Lowercase c followed by lowercase l (or uppercase I) passes for a d: maclefilms.com. Other combinations include v + v for w and c + i for a.
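A practical way to catch this trick is to compare the sender's domain against your own after collapsing each homoglyph pair back to the letter it imitates, and, in the other direction, to enumerate every lookalike an attacker could build from your domain so it can be pre-registered or blocklisted. The script below is an added example written for this article, not code from the original page or from Cloudphish; the pair table is the one the article lists (rn, cl, vv, ci) and is meant to be extended, and the From: headers are constructed sample data. Domain names are case-insensitive, so the check lowercases first, which is why a capital I in place of l ends up handled by the same table.

```python
"""Lookalike-domain check for the homoglyph trick described above.

Added example, not code from the original page or from Cloudphish. The
sample sender domains below are constructed for the demonstration.
"""
import re

# Target company domain from the article's example.
TARGET_DOMAIN = "madefilms.com"

# Character sequences that imitate a single letter at a glance (the pairs the
# article lists). Extend the table with further confusables as needed.
HOMOGLYPH_PAIRS = {
    "rn": "m",
    "cl": "d",
    "vv": "w",
    "ci": "a",
}

# Reverse direction: which letters an attacker can expand into a pair.
EXPANSIONS = {single: pair for pair, single in HOMOGLYPH_PAIRS.items()}

# One left-to-right pass over the pairs, longest first; no overlap issues.
_PAIR_RE = re.compile("|".join(sorted(HOMOGLYPH_PAIRS, key=len, reverse=True)))


def normalize(domain: str) -> str:
    """Collapse each homoglyph pair to the letter it imitates.

    DNS names are case-insensitive, so lowercase first: a capital I used in
    place of l becomes i and is handled by the same table.
    """
    return _PAIR_RE.sub(lambda m: HOMOGLYPH_PAIRS[m.group(0)], domain.strip().lower())


def is_lookalike(sender_domain: str, target: str = TARGET_DOMAIN) -> bool:
    """True when sender_domain is not the target but reads as it once
    homoglyph pairs are collapsed."""
    sender = sender_domain.strip().lower()
    return sender != target.lower() and normalize(sender) == normalize(target)


def lookalike_variants(domain: str) -> set[str]:
    """Every domain obtainable from `domain` by expanding one or more letters
    into their homoglyph pair (the original itself is excluded)."""
    variants = {""}
    for ch in domain.lower():
        expanded = set()
        for prefix in variants:
            expanded.add(prefix + ch)
            if ch in EXPANSIONS:
                expanded.add(prefix + EXPANSIONS[ch])
        variants = expanded
    variants.discard(domain.lower())
    return variants


def sender_domain(address: str) -> str:
    """Domain part of a From: value ('Name <user@host>' or bare user@host)."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rpartition("@")[2].lower()


def flag_suspicious(from_headers: list[str], target: str = TARGET_DOMAIN) -> list[str]:
    """Return the From: values whose domain is a homoglyph lookalike of target."""
    return [h for h in from_headers if is_lookalike(sender_domain(h), target)]


if __name__ == "__main__":
    # Constructed sample From: headers for the demonstration.
    SAMPLE_FROM = [
        "Jane Doe <jane.doe@madefilms.com>",      # genuine
        "CEO <ceo@rnadefilms.com>",               # rn -> m
        "Payroll <payroll@maclefilms.com>",       # cl -> d
        "IT Helpdesk <helpdesk@madefilrns.com>",  # rn -> m, later in the name
        "Vendor <billing@example.net>",           # unrelated domain
    ]
    for hit in flag_suspicious(SAMPLE_FROM):
        print("SUSPICIOUS:", hit)
    print(len(lookalike_variants(TARGET_DOMAIN)), "lookalike domains to watch")
```

Two caveats worth keeping in mind. The normalization is deliberately aggressive (every "ci" becomes "a", every "cl" becomes "d"), so use it to compare incoming sender domains against your own domain, not as a general-purpose heuristic; a false positive can only occur when a legitimate domain collapses to exactly the same string as yours. And the enumeration applies to the whole name, including the TLD, because ".corn" standing in for ".com" is the same trick.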
Another effective phishing scheme exploits corporate psychology to abuse the trust of an unsuspecting employee.
When attempting CEO fraud, a phisher imitates a C-level member of an organization and makes a request of an employee that would not otherwise raise suspicion, such as a funds transfer or the disclosure of sensitive information.
CEO fraud relies less on the numbers game and more on using accurate company terminology and protocols against specific targets, often employees in the finance department. Impersonating a senior team member creates a sense of urgency and importance that can cause employees to overlook suspicious characteristics of the email.
Against CEO fraud, phishing protection means equipping all employees (especially the finance team) with threat-specific training and implementing robust, consistently enforced protocols, such as requiring verbal confirmation from the CEO before making a wire transfer. That confirmation must go through a phone number already on file, never one supplied in the email itself.
Similar to CEO fraud, a successful spear phishing campaign is built on sound, reliable intelligence rather than on the careless few ensnared by a widely cast net. Social engineering of this kind is used to craft a convincing forgery that may include personal details such as an email signature, company logo, and in-house terminology.
The information the attacker already holds about an employee, such as name, email address, and job description, is used to extract what the attacker does not have, such as a password.
The targeted, 'long game' nature of spear phishing is deviously effective. Still, a diligent, well-trained employee can protect themselves by spotting anomalies or deviations from their normal business communications, for example: why am I receiving a personal message instructing me to change my password when I'm already required to change it regularly?
Protect Your Organization
Educating your employees about the dangers of phishing is critical. But if you really want to prevent phishing attacks, there are many tools that can help. Learn more about how Cloudphish can help your employees eliminate the blind spots in your email security.