The pandemic drove many organizations to shift to remote work. This dissolved the traditional network perimeter and expanded the threat landscape. Cybercriminals took advantage of organizations’ weak spots and stepped up their game, sending deceptive communication that appeared to originate from a trusted source. Such phishing attacks were easy to carry out, and unprepared employees fell victim to them.
Why are Cyberthieves Finding it Easy to Plan and Execute Cyberattacks?
Phishing attacks rely on deception to steal confidential information from users. Usually, they are tricked into sharing personal information. The blind TRUST in the source of information and users acting on the information without a second thought helps scamsters and attackers. They steal critical information that can further be used to impersonate and commit cybercrimes. They take advantage of information such as the user’s address, phone numbers, identification numbers, one-time passwords (OTPs), credit card details, and login credentials such as user ID and password.
Implementing Phishing Attacks
E-mail is not the only way to deceive an individual. A variety of ways are used to steal information or deceive individuals into sharing information, including sending voice or text messages, duplicating websites or hotspots, hacking websites to redirect users to fake websites, and embedding macros into legitimate documents.
On smartphones and personal devices
Cybercrime and phishing attacks are becoming increasingly sophisticated. Attackers can deliver malware through advertisements placed on popular web pages (malvertising), luring readers into clicking valid-looking hyperlinks within such advertisements.
Despite mass awareness campaigns on cybersecurity, many people still do not hesitate to accept social media friend requests from strangers. Similarly, the fear of losing access to an account on a favorite or important platform can drive users to click a “password reset” link immediately, before verifying where the link actually leads.
At public places
Free Wi-Fi hotspots too can be irresistible. Quite a few unsuspecting users hop right onto a fake Wi-Fi hotspot set up by an attacker at their favorite coffee shop. Once a device is on the attacker’s network, its unencrypted traffic can be read or altered, the user can be redirected to fake login pages, and malicious downloads can be pushed, all without the user’s knowledge.
At the workplace
It is extremely important to promote a culture of cybersecurity across the organization. When such a culture is missing, it is not unusual for employees to accidentally open an attachment that appears genuine. Many employees will click links that look similar to real, popular website URLs in an e-mail that does not look suspicious. Few would question e-mails or messages that appear to come from the desks of the organization’s senior managers asking them to update information, transfer money, or install applications.
Attackers even hide macro malware in Microsoft Office files. An e-mail attachment or ZIP file that mentions phrases such as invoice, urgent, legal document, or password expiry can be hard to ignore. Unfortunately, attackers use a sense of urgency and the emotion of fear to entice or scare people into opening harmful attachments. In a hurry, users tend to be less careful and become victims.
Attackers also harass users with e-mail bombs, flooding a mailbox with a huge number of messages. Such floods are usually timed to bury critical e-mails, such as a notification of a new login, a password change or a purchase, that would reveal a breach in progress. Logic bombs, harmful code deliberately embedded in otherwise legitimate software, are also becoming common. A logic bomb triggers on a pre-determined condition such as a date, an event or a user action, and is usually planted in widely used, trusted applications or in applications used only on specific occasions.
Identifying Phishing E-mails
A blank e-mail from an unknown sender or domain can be the first sign of a coming business e-mail compromise (BEC) attack. If the message is delivered without bouncing (or draws an automatic reply), the attacker has confirmed that your e-mail address is live and can target it in the next stage. In a BEC attack, criminals gain access to a business e-mail account, assume the owner’s identity, and use it to defraud the organization, its employees, clients, or vendors.
The most common topics used for phishing are password update or change, shipment, verification e-mails, account activation or deactivation, credit card updates, requests for document sharing, tax communication, investment or money-making offers, receipt of funds, and technical support. Be doubly sure before acting on such communication, and report it to the security team or the concerned person so that others are warned.
Wouldn’t an organization you interact with for your official or personal transactions address you by your name? That can be a good indicator of a phishing e-mail. Such e-mails generally address their targets with generic salutations such as dear member, dear customer, or dear account holder. Stay alert when you are greeted differently even by known senders, for example by your full name instead of your first name, or with your name spelled incorrectly.
Grammatical errors and spelling mistakes in the sender’s name, domain, or e-mail content are also indicators of phishing. Always verify the domain in the sender’s address: check whether it is the organization’s official domain or a lookalike (a swapped letter, an added word, or a different top-level domain), and whether a familiar display name hides an unfamiliar address. When an e-mail requests confidential information or pushes you toward an impulsive action, pause and validate its authenticity.
If links in an e-mail point to a different domain or to unfamiliar pages, it could be a phishing attack. Hover over a link (or long-press it on a phone) to see the real destination before clicking, since the visible text of a link can differ from the address it actually opens. Stay vigilant even when you receive e-mails with unsolicited, unwanted, or irrelevant attachments.
Phishing E-mail Identified! What Next?
When you believe you have spotted a phishing e-mail, first validate the sender and the sender’s domain, and check whether the Reply-To address differs from the visible sender. Look for a demand for money, a request to share credentials such as your password, or a request for confidential information. Validate the hyperlinks within the e-mail and the domains they actually lead to. Ensure any attachments are relevant to the content of the e-mail.
It is wise to reach out to the real sender via other channels of communication before you transfer money or share any confidential information. At work, reach out to your immediate supervisor or your IT support team so they can help you verify the authenticity of the sender and the e-mail.
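The checks listed in the two sections above (sender and Reply-To domains, links whose visible text does not match their destination, generic salutations, urgency and credential-request wording, risky attachment types) are mechanical enough to automate in a mail gateway or a helpdesk triage tool. The script below is an added example written for this page, not code from the author or from Happiest Minds; the message it parses is constructed, every domain in it (the .example names) is hypothetical, and the word lists and the two-label domain comparison are simplifications chosen for illustration.

```python
"""Heuristic triage of one e-mail for the phishing indicators discussed above.
Added example for this page; the sample message is constructed and every
domain in it (.example) is hypothetical."""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: lookalike sender, mismatched Reply-To, a link whose
# visible text is not where it goes, and a macro-enabled attachment.
SAMPLE_EML = """\
From: "PayBank Security" <alerts@paybank-secure.example>
Reply-To: recovery@mail-verify.example
To: employee@corp.example
Subject: URGENT: your account will be deactivated in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>We could not verify your password. Please visit
<a href="http://login.mail-verify.example/reset">https://www.paybank.example/reset</a>
within 24 hours or your account will be suspended.</p></body></html>
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""
GENERIC_SALUTATIONS = ("dear customer", "dear member", "dear account holder", "dear user")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "deactivat")
CREDENTIAL_WORDS = ("password", "verify your", "login", "one-time", "otp", "credit card")
RISKY_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".zip", ".js", ".vbs", ".hta", ".iso", ".lnk")

def registered_domain(host):
    """Crude eTLD+1 (last two labels); real code should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def address_domain(header):
    """Domain of the first address in a From/Reply-To header, "" if absent."""
    m = re.search(r"@([\w.-]+)", str(header) if header else "")
    return m.group(1).lower() if m else ""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw):
    """Return a list of (rule, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = address_domain(msg["From"])
    reply_domain = address_domain(msg["Reply-To"])
    # Replies silently routed to a domain other than the visible sender's.
    if reply_domain and registered_domain(reply_domain) != registered_domain(from_domain):
        findings.append(("reply-to-mismatch", f"{from_domain} -> {reply_domain}"))
    html = ""
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(RISKY_EXTENSIONS):  # macro/dropper carriers
            findings.append(("risky-attachment", name))
        elif part.get_content_type() == "text/html":
            html = part.get_content()
    # Links whose visible text names one site but whose href goes to another.
    collector = LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:
        href_host = urlparse(href).hostname or ""
        shown_host = (urlparse(shown).hostname or "") if "://" in shown else ""
        if shown_host and registered_domain(shown_host) != registered_domain(href_host):
            findings.append(("masked-link", f"shows {shown_host}, goes to {href_host}"))
    # Generic salutation, urgency and credential requests in the wording itself.
    text = re.sub(r"<[^>]+>", " ", html).lower()
    subject = str(msg["Subject"] or "").lower()
    salutation = next((s for s in GENERIC_SALUTATIONS if s in text), None)
    if salutation:
        findings.append(("generic-salutation", salutation))
    urgency = [w for w in URGENCY_WORDS if w in text or w in subject]
    if urgency:
        findings.append(("urgency", ", ".join(urgency)))
    creds = [w for w in CREDENTIAL_WORDS if w in text]
    if creds:
        findings.append(("credential-request", ", ".join(creds)))
    return findings
```

Running `triage(SAMPLE_EML)` returns six findings, one per indicator in the sample. A message from a colleague with a plain internal link and no attachment returns none. The rules are deliberately simple: a word list will miss an attacker who avoids the listed phrases, and comparing only the last two labels of a host name misclassifies domains such as co.uk, so treat the output as a prioritisation aid for the helpdesk, not as a verdict.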
Phishing attacks work because they rely on three factors: trust, urgency, and the apparent authority or familiarity of the sender. Most people assume that e-mails reaching their inbox are legitimate, and attackers impersonate people in positions of authority or known contacts to make the message seem more genuine. The content of phishing e-mails is also written to make people act on impulse.
Multi-factor authentication, secure organizational practices, and awareness campaigns are helping reduce the risk of phishing attacks. Note, however, that one-time codes can themselves be phished by a fake site that relays them in real time, so phishing-resistant methods such as hardware security keys offer stronger protection. Ultimately, it is the responsibility of every individual to stay alert and contribute toward reducing the impact of phishing attacks.
(This article has been written by Sajith S Kumar, Senior VP & CIO, Happiest Minds Technologies)