What is Phishing and how does it work?

Phishing attacks, which rely on deception, have long been employed by "threat actors" with malicious intent. These tactics are used to steal credentials, session cookies and personal information, and to distribute malware.

The main goal behind these malicious activities is often to extort funds from unsuspecting individuals, companies, or organisations. It is crucial to be aware of these threats and stay vigilant to protect ourselves and our sensitive data.

What is a phishing attack in cyber security?

In the realm of cyber security, a phishing attack is a deceitful scheme in which malicious "threat actors" impersonate trustworthy entities. Their objective? To acquire sensitive information, such as passwords, credit card numbers and other financial details, from unsuspecting individuals.

In more sophisticated types of phishing attacks, threat actors employ a multitude of techniques, such as phone calls, suspicious emails, malicious websites, text messages, and other methods, to illicitly acquire confidential information for their benefit.

Phishing campaigns have been evolving with ever-increasing sophistication. These deceptive tactics now encompass the use of legitimate services or websites, accompanied by the tailoring of phishing links, to specifically target individuals or organisations.

How do hackers do phishing?

Recognising and avoiding phishing scams has become increasingly challenging due to the myriad of attack types employed by diverse threat actors, all aiming to access confidential data. Listing every tactic used by cybercriminals is impossible, but the following examples offer valuable insights.

Business Email Compromise (BEC)

Business Email Compromise (BEC) is a sophisticated scam that specifically targets individuals and businesses involved in fund transfers. It is just one phishing method among many. Shockingly, in the past year alone, the occurrences of BEC attacks have skyrocketed to an astonishing 156,000 daily attacks.

Domain impersonation is commonly used in these attacks: a phishing email requesting payment appears to come from a legitimate domain or from a genuine third party, so it seems authentic to the recipient.
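As an added example (not from the original post), a lightweight defender-side check for lookalike sender domains of the kind used in BEC payment requests: it folds common character substitutions and flags domains within one edit of a trusted domain. The trusted domains and sample addresses are constructed for illustration.

```python
# Trusted domains and homoglyph table are constructed assumptions for this example.
TRUSTED_DOMAINS = {"example.com", "partner-supplier.co.uk"}

# Character sequences commonly swapped in impersonation domains -> what they imitate.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalise(domain):
    """Lower-case the domain and fold look-alike sequences to their real letters."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return 'trusted', 'lookalike' or 'external' for the sender's domain.

    A domain is a lookalike if, after homoglyph folding, it equals a trusted
    domain or sits within `max_distance` edits of one (e.g. a dropped letter).
    """
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    norm = normalise(domain)
    for t in trusted:
        if norm == normalise(t) or levenshtein(norm, t) <= max_distance:
            return "lookalike"
    return "external"
```

A "lookalike" verdict is a signal for quarantine or a warning banner, not proof of fraud; the tolerance and the homoglyph table should be tuned to the organisation's own domains.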

Internal phishing campaigns often employ 'legitimate senders' to deceive recipients into mistaking the payment requests as genuine.

Mass spam mailing is also used as a form of denial of service: an overwhelmed inbox frustrates users, so they often miss legitimate warnings.

With the rise of BEC attacks, it's crucial that we stay ahead of the curve. These attacks are becoming more prevalent, advanced, and widespread, demanding effective detection and prevention methods. 

To combat this evolving threat landscape, we are constantly upskilling ourselves, both as individuals and as an organisation, to serve our customers better. Just as threat actors are honing their skills to carry out more sophisticated attacks, we too must enhance our knowledge and defences.

Password Bots

One-time password (OTP) bots are often deployed by cybercriminals to gain access to accounts and perform account takeovers.

Multi-Factor Authentication (MFA) adds an extra layer of security, but cybercriminals can still find ways to bypass it. While robocalls are a common method used by OTP bots, email phishing for authentication codes is also employed.

OTP bots manipulate users into disclosing authentication codes by deceiving them into sharing the OTP received through SMS, authentication apps, or email. The cybercriminal loads the victim's phone number into the OTP bot, which subsequently contacts the victim, posing as a legitimate service provider. 

By claiming suspicious activity on the victim's account, the bot persuades the victim to provide the OTP for "security verification". Once the victim enters the one-time password, it is transmitted back to the cybercriminal, granting them unauthorised access to the victim's account.

Due to the short-term lifespan of one-time authentication passwords, cybercriminals must promptly seize the opportunity once victims enter their login credentials and OTP on the phishing webpage. Acting swiftly is paramount for the perpetrators to exploit this window of vulnerability.

MFA Fatigue Attacks

As the significance of Multi-Factor Authentication (MFA) continues to grow, especially in password-less sign-ins, malicious actors have evolved their tactics. They attempt to bypass security measures by sending MFA or password-less sign-in prompts to potential targets. 

Their goal is to deceive individuals into unintentionally approving requests through a phenomenon known as MFA fatigue or MFA bombing. Once the victim falls prey to this scheme, the attacker gains unrestricted access to the customer's account and can alter the MFA settings, granting them the ability to sign in whenever they please. Instances of cyber security attacks against MFA authentication and password-less sign-in are increasing rapidly.

Approximately 6,000 MFA fatigue attempts were observed per day by the end of June 2023.

Hence, we highly recommend customers, companies and organisations to meticulously evaluate and authenticate MFA/password-less sign-in prompts before granting their approval.
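To show what MFA fatigue looks like from the defender's side, here is an added example (not from the original post) that runs simple detection logic over a constructed sign-in log: it flags a user who receives a burst of push prompts in a short window, notes whether one was finally approved, and whether an MFA method was added shortly afterwards, the persistence step described above. The log format, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log (not real data): timestamp,user,event,result.
# 'alice' gets a burst of push prompts, finally approves one, and a new MFA
# method is then registered on her account; 'bob' sees normal, spaced prompts.
SAMPLE_LOG = """\
2023-06-20T08:00:05Z,alice,mfa_push,denied
2023-06-20T08:00:40Z,alice,mfa_push,timeout
2023-06-20T08:01:10Z,alice,mfa_push,denied
2023-06-20T08:01:55Z,alice,mfa_push,timeout
2023-06-20T08:02:30Z,alice,mfa_push,approved
2023-06-20T08:04:00Z,alice,mfa_method_added,success
2023-06-20T09:15:00Z,bob,mfa_push,approved
2023-06-20T13:30:00Z,bob,mfa_push,denied
2023-06-20T17:45:00Z,bob,mfa_push,approved
"""

def parse_log(text):
    """Parse the CSV-style log into sorted (timestamp, user, event, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, event, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return sorted(events)

def detect_mfa_fatigue(events, window=timedelta(minutes=5), min_prompts=4):
    """Flag users with >= min_prompts push prompts inside `window`; report whether
    a prompt was approved and whether an MFA method was added soon afterwards."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        pushes = [e for e in evs if e[2] == "mfa_push"]
        for i, first in enumerate(pushes):
            burst = [p for p in pushes[i:] if p[0] - first[0] <= window]
            if len(burst) < min_prompts:
                continue
            end = burst[-1][0]  # time of the last prompt in the burst
            findings[user] = {
                "prompts": len(burst),
                "approved": any(p[3] == "approved" for p in burst),
                "mfa_changed": any(e[2] == "mfa_method_added" and end <= e[0] <= end + window for e in evs),
            }
            break  # one finding per user is enough for triage
    return findings
```

An "approved" burst followed by an MFA change is the case to treat as a likely compromise: revoke sessions, remove the new method and contact the user out of band.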

Action you can take:

Despite these risks, MFA remains an effective security measure. Here are some guidelines to enhance your security while using MFA:

  1. Use authenticator apps like Microsoft Authenticator instead of relying solely on text message codes. 
  2. Never share your security codes with anyone.
  3. Create strong and unique passwords using password generators and use a password manager.
  4. Avoid reusing passwords across multiple accounts.
  5. Educate yourself and your employees about common social engineering tactics to recognise and avoid interactions with OTP bots.

Can a phishing attack harm your computer or mobile?

In addition to the reputational harm that can result from a security breach, especially in financial institutions or healthcare organisations (high-profile examples of which we have seen recently), a phishing attack can also wreak havoc on your computer, mobile device, or network.

For instance, if attackers manage to install malware successfully, they will have open access and can collect confidential information such as usernames, passwords, and financial data, at will. They can also use your network, system or devices to launch further malicious attacks against others.

How to prevent phishing attacks

As malicious tactics continuously evolve, it's crucial to recognise that technical systems alone cannot entirely eradicate social engineering attacks.

Human behaviour remains a vulnerable aspect that attackers exploit.

While security awareness training programs are designed to educate users about identifying and responding to social engineering attacks, it is important to note that users' susceptibility to phishing is not solely a result of their lack of knowledge.

Unfortunately, users have not consistently shown the ability to modify their behavioural risk tendencies to a sufficient degree, which hinders their improvement against the ever-evolving threat landscape. 

A specific vulnerability lies in users' susceptibility to drive-by URL attacks.

These attacks require only a single click, leading victims to websites that either gather telemetry or lure them into downstream attacks. Although drive-by URL attacks may have a lesser impact, many organisations use them as a metric to gauge their employees' susceptibility to clicking on malicious links.

Addressing the challenge of phishing attacks requires a holistic approach that combines technical solutions with ongoing education and awareness. By continuously enhancing knowledge, reinforcing best practices, and promoting a security-conscious mindset, individuals and organisations can better protect themselves against these evolving threats.

Tailored Approaches Required

Centrality, along with the security awareness and training industry, is embracing objective behavioural measures and contextual experiences that prioritise changing behaviour, rather than just delivering information. This approach involves tailoring strategies to individual users. 

We strongly believe this approach has immense potential for reducing behavioural risks posed by modern social engineering attacks. Companies and organisations must adopt a new perspective and actively involve their users in countering attacks. 

It is crucial for organisations to conduct innovative experiments with user engagement strategies to ensure effectiveness in thwarting attacks. This is something, as a Microsoft Solutions Partner with a specialist certification in Security, we can help you with.

To effectively combat the issue of phishing, it is crucial to acknowledge the individuality of each user and their unique behavioural tendencies. We recognise the importance of tailoring the learning experience based on personalised factors such as job function, security posture, and past actions.

For instance, we use phish simulations meticulously customised to reflect each user's performance, taking into account insights gathered from previous simulations. By providing personalised learning experiences that align with each individual's specific behaviour and profile, organisations can make a substantial impact in significantly reducing susceptibility to phishing attempts.

Choosing inaction, and reporting

The reporting of phishing attempts is absolutely crucial to prevent cyberattacks.

Users play a vital role in helping security teams identify and block malicious emails, websites, and other threats. When employees receive a suspicious email, whether it appears to come from a trusted or an untrusted source, they should be encouraged to report it rather than click on a link.

Only 11.3 percent of users who receive phishing emails actually report them, despite the fact that 89 percent refrain from clicking on suspicious links or opening attachments.

To address this challenge, administrators can implement effective awareness campaigns, provide comprehensive teaching guides, and even offer incentives to foster a culture of reporting and vigilance against phishing campaigns. 

Employees must also be equipped with the skills to recognise and respond to evolving phishing techniques. 

It's essential to prioritise enhancing organisational resilience, for instance, by implementing robust Zero Trust strategies that effectively isolate and contain the potential impacts of phishing attempts. Working with Centrality as your trusted cybersecurity partner, together we can strengthen our defences against cyber threats and safeguard our digital ecosystems.

For more information

Visit our cybersecurity web page to discover more about cybersecurity services available from Centrality, or get in touch to speak to one of our security experts.