You can shut down phishing attacks
Most of us know what a phishing attack is. However, I think it’s worthwhile to define the term and all of the different attacks that fall under the umbrella of phishing. It is by far the number one attack vector. Despite billions of dollars of investment in cybersecurity technology, phishing will continue to be successful because these attacks take advantage of human flaws. The attack is often disguised as a legitimate company or personal message. The more aspects of the message that mimic the actual company, the more likely an attacker will be successful.
Phishing attacks often arrive as disguised e-mail
Phishing scams do far more damage to organisations than most non-security folks realise. This attack vector has several variations that hackers use to spread malware and ransomware and to steal users’ login credentials. Phishing attacks also lead to the theft of intellectual property and personal information, including social security numbers and bank account details. Phishing and fake e-mail are designed to lure the victim into performing an act based on rogue instructions from hackers and cybercriminals.
Types of phishing attacks
Spear-phishing attacks — E-mail phishing campaigns that specifically target an individual within an organisation. Spear-phishing e-mails are often sent to employees’ personal and corporate e-mail accounts.
Smishing — Attackers trick users into accessing malicious sites from their smartphones using SMS messages. Attackers send a text message to a targeted victim with a malicious link that promises discounts, rewards, or free prizes.
Vishing — Attackers use voice-changing software to leave a message telling targeted victims that they must call a number, where they are then scammed. Voice changers are also used when speaking with targeted victims to disguise an attacker’s accent or gender so that they can pose as someone they are not.
Whaling attacks — Targeted e-mail campaigns aimed at executives or persons in a leadership role within the organisation.
Social engineering attacks — The hacker uses publicly accessible information to lure the victim into e-mail conversations.
Barrel phishing — This method uses two different e-mail messages. The first is friendly and non-intrusive. The second tends to be harsher and more direct, attempting to intimidate the victim into carrying out the hacker’s instructions.
Prevention and containment of phishing attacks
There are preventive strategies organisations should put in place to reduce the impact of a phishing attack and of the malware and ransomware attacks that follow it.
Security awareness training — Many organisations question the cost and overall effectiveness of security awareness training. However, awareness is critical to educating users on what to do if they suspect a malicious e-mail has arrived mixed in with legitimate e-mail. Many clients install a plug-in in the e-mail client that lets users move the e-mail in question to a quarantine inbox with a click.
Simulation training — Simulated attacks are also an excellent way to help users see the difference between a phishing e-mail and an ordinary scam message.
SecOps for a day — Many organisations have placed non-SecOps personnel in security operations for a day. This cross-training event, sitting side by side with security professionals, gives end users a real-world glimpse of the security issues that hit the organisation when a user clicks on a malicious link.
Adding SecOps resources to job descriptions — Many CISOs have asked HR to place the term “SecOps resource” in every job description. The goal is for everyone in the organisation to be part of the SecOps security team. CISOs are creating a broader culture that defines cybersecurity as everyone’s responsibility, not just that of the SecOps and incident response teams.
Deployment of cloud-based e-mail security platforms — Enabling cloud-based e-mail security solutions, including inbound and outbound data loss prevention, e-mail encryption, antivirus, and anti-malware, prevents many phishing e-mails from reaching end users.
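As an added example (not code from this article or from Hitachi Systems Security), the following Python sketch shows the kind of inbound checks an e-mail security gateway or a quarantine plug-in can run on each message before it reaches the user: a display name that borrows a trusted brand while the address domain is untrusted, an envelope sender (Return-Path) that disagrees with the From: domain, and link text that shows one domain while the href points at another, which is exactly how a message "mimics the actual company". The trusted-domain list, the brand word and both sample messages are constructed; the `.invalid` domains are reserved names that never resolve.

```python
"""Toy inbound-mail phishing triage (added example; sample data is constructed)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains this organisation treats as its own, and the brand word
# a spoofer would drop into a display name to look like them.
TRUSTED_DOMAINS = {"example.com"}
BRAND_WORDS = ("example",)


def registrable(host):
    """Crude eTLD+1: 'login.example.com' -> 'example.com' (two-label TLDs are ignored here)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message):
    """Return a list of human-readable indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = registrable(from_addr.rpartition("@")[2]) if "@" in from_addr else ""

    # 1. Display name mentions a trusted brand, but the address domain is not trusted.
    for brand in BRAND_WORDS:
        if brand in display_name.lower() and from_domain not in TRUSTED_DOMAINS:
            findings.append(f"display name mentions '{brand}' but sender domain is {from_domain}")

    # 2. Envelope sender (Return-Path) domain differs from the From: domain.
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    if "@" in return_path:
        rp_domain = registrable(return_path.rpartition("@")[2])
        if rp_domain != from_domain:
            findings.append(f"Return-Path domain {rp_domdomain_fix(rp_domain)} != From domain {from_domain}")

    # 3. Anchor text that looks like a domain or URL while the href goes elsewhere.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if "." not in text or any(c.isspace() for c in text):
                continue  # plain words like "Verify now" carry no domain to compare
            href_host = registrable(urlparse(href).hostname or "")
            text_host = registrable(urlparse(text if "://" in text else "http://" + text).hostname or "")
            if text_host and href_host and text_host != href_host:
                findings.append(f"link text '{text}' points to {href_host}")
    return findings


def rp_domdomain_fix(domain):
    """Identity helper kept for readability of the f-string above."""
    return domain


# Constructed sample: brand in display name, look-alike sender, mismatched link.
SAMPLE_PHISH = """From: "Example Support" <support@examp1e-login.invalid>
Return-Path: <bounce@bounce-mailer.invalid>
To: alice@example.com
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account has been locked. Verify at
<a href="http://examp1e-login.invalid/verify">https://login.example.com/verify</a></p></body></html>
"""

# Constructed sample: consistent sender, envelope and link.
SAMPLE_LEGIT = """From: "Example IT" <it@example.com>
Return-Path: <it@example.com>
To: alice@example.com
Subject: Password expiry reminder
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Reset at <a href="https://login.example.com/reset">login.example.com</a></p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(raw))
```

A real gateway would add authentication results (SPF, DKIM, DMARC), attachment scanning and reputation lookups on the link hosts; the point of the sketch is that header consistency and link-text agreement alone already separate the two constructed messages, and that a finding list rather than a boolean gives the quarantine plug-in something to show the user.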
Contributed by Robert Bond, on behalf of Hitachi Systems Security