This week’s Cyber-crime guide covers Social Engineering and Phishing scams.
“Phishing” tactics are usually the first port of call for hackers attempting to access your business’s I.T. systems.
In the past two years, there has been an increase in fraudulent emails being sent to employees working remotely, leaving them in a much more vulnerable position.
These hackers take advantage of the fact that those working from home may be more distracted and likely to click or respond quickly to requests without checking with their colleagues.
Even though many businesses claim to educate their staff on cybercrime, this still does not prevent human error.
In fact, the “Terranova Security 2020 Gone Phishing Tournament Report” found that:
- 20% of employees are likely to click on a phishing email.
- 67.5% will then continue to enter their credentials on a phishing website.
More worrying is that Google has registered 2,145,013 of these phishing websites as of 17th January 2021!
Mistakes, complacency, whatever you want to call it: this is exactly what phishing relies on to obtain the information criminals need to exploit individuals and businesses. Phishing is essentially a means of entering an I.T. system in order to commit large-scale damage.
This article will give a brief overview of how phishing works and the risks it poses to unprotected businesses.
What is Social Engineering?
Social Engineering is a term used to describe the manipulative tactics criminals use to persuade a targeted individual or group to perform an action or reveal information that will assist them in committing a crime. This can be done in person or using technology; it relies heavily on impulsive behaviour and on the target’s tendency to comply with an authority figure.
By tapping into fear and curiosity the criminal will usually be successful in getting the target to divulge the required information.
Phishing is just one example of cyber-based social engineering. Due to the lack of face-to-face social interaction and the scope of online accounts, it is easier for criminals to exploit large groups by devising malicious campaigns.
In fact, 6,400,000,00 phishing emails are sent a day!
While we are familiar with some “catfishing” stories and have probably received some laughable emails requesting our bank details, we should never underestimate the professional planning and effort that goes into producing an effective Phishing email.
Think about the complexity of developing the malware that is used during an attack and the psychological aspect of ensuring that the email, text, or call triggers the desired response from the target.
The Stages of a Phishing Attack:
- Research: the attacker will identify a target; this could be an individual, a business, or a specific group. They will collect as much information about the target as possible from websites, social media, and any other platforms they can access remotely.
In the case of a large business, they will attempt to learn about the organisational structure, i.e. its departments and employees.
Smaller businesses may not require the same level of investigation, which makes them easier to attack; they can also serve as a practice run for future, more lucrative endeavours.
- Planning: After collecting the information the attackers will consider their tactics and select the mode that is most likely to reap rewards.
- Execution: For example, in a Phishing email scam the criminal might choose to target an entry level employee or office junior who is more likely to follow instructions.
The Phisher will create a convincing email with all the hallmarks of a genuine email i.e. signatures, logos etc. accompanied by fraudulent invoices as supporting documents.
They will then send an email from a “senior” member of staff that is urgent in tone and requires immediate action on the recipient’s part, such as transferring money to pay an outstanding invoice to a specific account.
The office junior will automatically feel compelled to comply with the request and may not think to question the credibility of the email. This can result in sums of money being sent to the criminal’s bank account.
This type of Phishing email is also referred to as a BEC scam (Business Email Compromise).
More advanced Phishing emails will feature an attachment containing malware/spyware which, once clicked on, will begin to install itself.
The software will enable the hacker to access the I.T. system and monitor the business: its accounts and transactions, its suppliers and the behaviour of its staff.
This will help the cyber-criminal devise a more elaborate plan using convincing material!
Understanding Phishing Techniques
- Link manipulation: Phishing emails rely on the recipient opening the email and impulsively clicking on its content. The link will either direct them to a fraudulent website or inject a malicious script into their browser, which gives the criminal access to the website and the credentials stored on it.
- Use of Subdomains: If you look at a website link or email address, the organisation’s main domain name should be positioned at the end.
Phishing emails reorder the link so that the shuffled order is easily overlooked.
Authentic address: support@itsupport4U.ie
Phishing address: itsupport4U@support.ie (note that the subdomain is positioned at the end)
- Hidden URLs
Sometimes the malicious link will be hidden under plain text e.g., “CLICK HERE” or “SUBSCRIBE”.
Advanced Phishing emails may use “time-bombing”: the URL looks legitimate at first but is changed to redirect to a fake website once the email has been successfully delivered to the recipient.
Text-based image obfuscation is another technique used to disguise URLs. The email consists of a single image hosted by the phishing site; it appears to be a standard text email when really it is just one large clickable link.
- Misspelled URLs, Website Forgery
Cyber-criminals will also purchase domain names that are similar to popular trusted sites in a bid that those mindlessly scrolling on their phones or tablets might enter their details on the fake website without realising they’ve clicked into a forged website.
The Phishing site might have a slight variation in the spelling, or an alternative character is used so that the differences go unnoticed.
e.g. www.itsupp0rt4U.ie
Once the individual enters the site, they will proceed to fill in their details and unwittingly give away their personal information and login passwords.
Website forgery can also be carried out using “cross-site scripting”, which is when a hacker injects a malicious script into a link. The target clicks on it and lands on a legitimate site.
However, while the browser loads the website the injected script runs simultaneously and sends the data that is being accessed on the website back to the hacker.
Pharming is an advanced form of this technique by which the DNS server is compromised, and traffic is redirected to an alternative site controlled by the cyber-criminal.
- Clone Phishing
As well as BEC, businesses are at risk of “Clone Phishing”. This is a technique used when a Phisher (i.e. the hacker) already has access to an individual’s work email.
Typically, the employee has previously fallen for a phishing scam, clicked on a malicious link and entered their credentials into a fraudulent webpage/website.
Once they have obtained the passwords, the Phisher can work silently in the background to set about causing harm.
Clone Phishing involves taking a legitimate email from the employee’s inbox and producing a replica of it. The difference is that the links and attachments are replaced with malicious files and links, and the payment details point to a different bank account.
Usually, the cloned email will be sent as an “updated” version from the senior member of staff that will be acted upon by the employee.
- Spear-Phishing & Whaling are terms used to describe phishing campaigns that are targeted at specific individuals within an organisation.
Spear-Phishing targets employees who may have control over I.T. systems, or accountants and finance staff. Time and effort are put into studying the target’s online behaviour and role in the company before they are sent a fraudulent email.
Spear-phishing emails have an average open rate of 70%, and 50% of recipients go on to click the link!
Whaling refers to targeting the CEOs/Directors/Financial controllers of large organisations or businesses and convincing them to make substantial payments to a third-party account. This is usually achieved when the Phisher poses as a representative of Revenue or spoofs an email from a business partner.
- Evil Twin Wi-Fi: a technique used to gain access to an individual’s wireless communications. It is like Phishing in that a fraudulent Wi-Fi access point is set up in a public space and victims are lured into connecting to it.
Once connected the cyber-criminal can intercept passwords and other information being communicated over the connection.
Think of how useful this tactic could be to a Phisher who picks a busy lunchtime spot near a business they have been targeting!
- Pop-ups/Email Alerts: A popular Phishing scam (that can be sent to the masses) is an email from a trusted institution, brand, or service. It notifies the recipient that they either need to update their profile due to suspicious behaviour or that they need to pay an outstanding fee/Invoice on the account.
A link will be provided to perform the request, which inevitably leads to the theft of bank details or personal information.
An alternative version of this scam involves pop-ups that will appear alerting the potential victim that their online session is about to time out and they must resubmit their login details.
Most Impersonated brands used in Phishing Scams
- Vishing: Scam that is committed over the phone. The caller will claim to be from a financial institution or from a governmental department e.g., Revenue/Social Welfare and convince the individual to reveal personal information such as PPSN and bank details.
- Smishing: a scam performed by text message. It works like vishing, except that a link is included in the text to lure the victim to a website where they will submit their details or make a payment.
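The “Use of Subdomains”, “Hidden URLs” and “Misspelled URLs” techniques above can all be caught with a simple check on where a link really leads. The following is an added example (not code from the original article or from I.T. Support4U) that takes the article’s own itsupport4U.ie examples and classifies each address or link; the trusted domain, the homoglyph mapping and the sample email body are constructed for illustration, and the registered-domain logic is deliberately simplified.

```python
import re
from urllib.parse import urlsplit

# Domain the organisation really uses; itsupport4U.ie is the article's own example.
TRUSTED_DOMAIN = "itsupport4u.ie"
# Digit-for-letter swaps seen in forged domains (constructed, not exhaustive;
# the trusted domain itself must not contain any of these digits).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host_of(link: str) -> str:
    """Host of a URL, or the domain part of a plain e-mail address."""
    link = link.strip()
    if "@" in link and "://" not in link:        # plain e-mail address
        return link.rsplit("@", 1)[1].lower()
    if "://" not in link:                         # bare host such as www.x.ie
        link = "http://" + link
    return (urlsplit(link).hostname or "").lower()

def registered_domain(host: str) -> str:
    """Simplified: last two labels. A real tool would use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])

def classify(link: str) -> str:
    """Returns trusted / brand-misplaced / lookalike / unrelated."""
    reg = registered_domain(host_of(link))
    if reg == TRUSTED_DOMAIN:
        return "trusted"
    # Brand present but not as the registered domain: the article's reordered
    # address (itsupport4U@support.ie) or brand-as-subdomain (itsupport4u.ie.evil.example).
    if TRUSTED_DOMAIN.split(".")[0] in link.lower():
        return "brand-misplaced"
    # Matches the trusted domain once swapped digits are undone (itsupp0rt4U.ie).
    if reg.translate(HOMOGLYPHS) == TRUSTED_DOMAIN:
        return "lookalike"
    return "unrelated"

def suspicious_anchors(html: str) -> list:
    """(visible text, href, verdict) for each link that does not lead to the trusted domain."""
    found = []
    for href, text in ANCHOR_RE.findall(html):
        verdict = classify(href)
        if verdict != "trusted":
            found.append((re.sub(r"<[^>]+>", "", text).strip(), href, verdict))
    return found

# Constructed sample body: "CLICK HERE" hides a forged domain behind plain text.
SAMPLE_HTML = ('<p>Your invoice is overdue. <a href="http://www.itsupp0rt4U.ie/pay">CLICK HERE</a>'
               ' or <a href="https://portal.itsupport4u.ie/invoices">view invoices</a></p>')
```

Run `suspicious_anchors(SAMPLE_HTML)` to see the hidden “CLICK HERE” link flagged as a lookalike while the genuine portal link passes.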
Effects of successful Phishing Attacks on Businesses
Research conducted by ProofPoint found the main consequences experienced by businesses as a result of successful Phishing attacks were the following:
- 60% reported data loss
- 52% reported compromised passwords/account credentials
- 47% reported ransomware infections
- 29% reported malware infections
Protect your Business from Online threats
This is very troubling for businesses and staff: the financial cost of rectifying a situation involving data breaches and malware infections can be detrimental to the survival of a business in the aftermath of an attack.
In a period of steadily increasing cases of cyber-security breaches, it’s time that SMEs start to invest in protecting themselves from being left exposed to online hackers.
These individuals and gangs are professional and highly skilled in developing ever more sophisticated methods to exploit their targets. Businesses need to take action to safeguard their data and finances instead of procrastinating.
This can be achieved by ensuring that employees’ devices are protected with enterprise-grade anti-virus and endpoint security and that all files are secure and have an up-to-date backup.
While many SMEs may have felt under pressure over the past year in terms of budget, protecting all the data which your business collects, stores and works with on a daily basis is critical.
We want to highlight that this kind of security should be deemed as essential as insurance, so that if an unexpected incident did occur, your business has the means to recover quickly and get back to work as soon as possible.
I.T Support4U offers flexible and affordable software packages that can provide that necessary layer of security. Once a business signs up for our package they will also have access to our I.T support services.
If you have any queries or concerns about your current I.T system or if you are a Start-up needing assistance, we can provide the help that you need to build up a secure and smooth running I.T. structure from scratch.