30 Mar – Email Phishing Attacks: How to Protect Against Them
The ins and outs of Email Phishing Attacks.
Phishing attacks are a type of social engineering attack in which malicious actors masquerade as trusted persons or entities to dupe one or more victims into carrying out an action, such as opening an email attachment, sending sensitive data or transferring funds to the attacker’s account or wallet.
The attackers’ aim is usually to steal sensitive information (crucial business data), to obtain login credentials, to steal funds or to acquire credit card numbers.
What is an email phishing attack?
Phishing is carried out using various channels and mediums, namely, emails, instant text messages and calls. In all cases these attacks can have devastating results, such as unauthorised access to company data, unauthorised purchases, stealing of funds and in some cases of identities. In this blog post, our focus will be on email phishing attacks.
In simple terms, email phishing is an online scam in which cyber criminals impersonate legitimate organisations or individuals via email in order to carry out a malicious action. The email usually contains a link, an attachment or a set of instructions that, when followed, carries out the scam. The main types of email phishing attacks are categorised as deceptive phishing, spear phishing, CEO fraud and malware-based phishing.
Phishing is also a common tactic for gaining an initial foothold inside an organisation as part of an advanced persistent threat (APT). In such cases, attackers compromise employees in order to bypass security barriers, distribute malware and gain privileged access to the organisation’s applications and the data inside them.
The stages of a phishing attack
Email phishing attacks commonly follow a three-stage approach: bait, hook and catch. The first stage is reconnaissance, where the attackers gather details about the target. They usually go into considerable detail to make the phishing email as realistic as possible, analysing social media accounts and online behaviour and working out which services the target uses and whom they do business with.
All these details are harvested to tailor the message(s) in the emails and convince the recipient that they are genuine and legitimate. After this initial phase, the attacker ‘lays out the hook’. The goal here is to get the target to perform an action. The most common actions are transferring funds or clicking a link that takes the victim to a fake website, for example to ‘reset’ login credentials. Following the preparatory analysis and the messaging phase, the malicious actors carry out the catch, that is, the attack itself.
The catch is the moment the ‘prey’ falls for the carefully crafted bait, and what happens next depends on the nature of the scam. Today such attacks are highly sophisticated, and attackers go to great lengths to prepare emails that are difficult to recognise as malicious.
How to defend your enterprise from Email Phishing Attacks
There are a number of ways to protect your organisation, your people, your data and your digital assets. Below are the main best practices.
Cyber Security Awareness Training
Cyber risks, attacks and trends are constantly becoming more advanced. In addition, there is no single way to get attacked, which makes them even more difficult to counteract. The risk is always there, which is why cyber awareness training is absolutely essential. There simply is no technical solution able to stop email phishing attacks entirely; even AI-driven solutions are not enough on their own.
Your entire workforce needs to be aware of the signs of phishing emails. When in doubt, always escalate. CISOs need to communicate the procedures and protocols for handling suspicious emails when they are received. Cyber awareness training courses help mitigate the threat of phishing emails.
Multi-Factor Authentication (MFA)
MFA is crucial to protect your email accounts against phishing. Multi-factor authentication adds a layer of security, a second line of defence. If an email password is stolen, the additional factor stops the attacker from accessing the account, because a further step in the authentication process is required. The most common factors include personal identification numbers (PIN codes), a token that is generated or held on a smartcard, and something that ‘you are’, such as a biometric check in the form of a fingerprint.
Phishing Simulations
Simulate email phishing attacks and test your own employees. This tests your organisation’s awareness of and preparedness for phishing emails. These exercises emulate phishing attempts in a real-world context and help organisations measure employee performance against realistic email phishing scenarios. They are normally carried out without employees knowing about the drill.
It is recommended that such simulations be run hand in hand with awareness training. As with most things in life, employees are more likely to remember falling for a simulated phishing email than the salient take-aways from a training course. Simulations can be seen as the practical side of theory-based training.
Run a simulated email phishing exercise today and test your employees. Get in touch with us to learn more.