Long-logo-c

Hooks, Lies and Thinkers: A deep dive into phishing attacks and how to avoid them. 

Hooks, Lies and Thinkers: A deep dive into phishing attacks and how to avoid them.  

People say “You’d have to be an idiot to fall for that…” when referring to phishing attacks, and that they exclusively target people with lower intelligence, therefore we should not be worried about them. However, the State of the Phish report shows that in 2021, 83% of organisations suffered from a successful phishing attack, in which an employee was coerced into performing a risky action through deception, usually via email. These actions can very quickly lead to further attacks, such as ransomware or credential theft, eventually leading to a data breach.   

Since it is Cyber Awareness month, our IT Support Technician Connor Curran has decided to delve into the most common threat businesses face in the modern era: Phishing. Most of the claims made about those who are deceived by attacks are very misleading and do not consider the real reasons why these attacks are successful, especially in organisations. It is important that businesses realise the correct methods of teaching their employees to be resilient to these attacks. 

Deep Dive into Phishing
At the base level, phishing can be defined as: “Sending messages to people using false pretences to induce an action, such as clicking a link or providing personal information.”  Every other type of phishing attack builds on this, usually with targeting or deployment methods. Some attacks may target specific individuals (Spear Phishing), or other attacks may be conducted via SMS texting (Smishing), but they all use the same principles to successfully engineer the situation, two of the main ones being: 

Impersonation
These attacks rely on familiarity, if we recognise the name or organisation in our inbox then we are more likely to believe them. Popular options for this include big corporations such as Google, but can also include specific individuals, sometimes impersonating our closest friends and family.  

Urgency
Phishing attacks prey on our innate naivety, if someone is in need urgently then it makes us more likely to help without thinking. If a message reads “This task needs completing immediately” then we presume there is time-pressure, causing distress and clouding our judgment.  

If you hear the bullet 
People think that spotting a phishing attempt is easy, just look for some spelling mistakes, odd formatting, pixelated logos, or suspicious email domains. These features usually indicate the audience of the attack, meaning that if you spot them, it was not meant for you. Actors contour their attacks to fit their specific target (or audience), meaning that if someone wants to target you, they will find a way. Spear Phishing attacks are typically more sophisticated because they are targeting specific people, making the signs of a phishing attack much less obvious. In these situations, it can be exceedingly difficult to know what to trust, so here’s a couple of things to consider when clicking your next email. 

Question the context
We always read our emails and trust that it is necessary information, but sometimes simply checking whether the content actually ‘makes sense’ can expose a phishing attempt. If your “Manager” sends you an email asking for your bank account details to process payroll, you should contact the HR department. 

Double checking
Most businesses use multiple forms of communication, meaning that if you receive an email from a colleague stating a ‘task’ or piece of ‘information needed’, and you weren’t expecting it, check that query with them via a trusted second communication method, or even better, talk to them directly. 

The importance of “Training”
Let’s talk about businesses, because many do not train their employees the right way. As we’ve discussed, the signs to spot an attack can sometimes be difficult to see, so training is vital to prevent the onslaught of phishing attacks. Typically, this training includes lectures and courses that employees must complete when they join the company, going through lots of cyber safety tips and things to look out for. This generally provides impressive results for staff, which businesses will test by sending out phishing scams as practice. This is usually a great method of keeping people on their toes and heightening awareness, but the results do not always provide a clear picture of their employees. 

Consistency over Complexity

The issue is that over time, more of these tests will happen and more people will fail them, despite completing their training with flying colours. There’s a correlation between the length of time an employee has been with the company, and the likelihood of them failing one of those tests. This is because the actual method of training is not important, the consistency of it is.    Employees who have been there for less time will have had the training recently, making them more aware of it. Those who are more experienced at the job will have been there longer and will have likely forgotten their training, leading to them failing the test. Some businesses might even use the results from these tests as justification for disciplinary actions, despite it not being the fault of the employee, but instead the employer. If the training is repeated on a yearly basis, then it is far more likely succeed as it gives employees a reminder of this valuable information, rather than relying on their memory. 

Breaking the Stigma

Stephen Le talks about the stigma in this article, how sophisticated scams are designed to catch out just about anyone, it’s a good read that I would recommend.    The stigma that surrounds phishing is so toxic that most people would rather not ask to check if an email they received is malicious, or worse, will not notify their employer if they fulfilled the emails requests. 

Training regimes that try to catch out employees rather than providing them with reliable knowledge on a regular basis are partly to blame, but so is the culture surrounding phishing. People are tricked by these attacks because they are misguided and ill-informed, not because they are incompetent. 

Businesses that can recognise this will produce a healthy environment for their work force, where they can feel empowered to ask the question “Is this a scam?” and in doing so can avoid a catastrophe. 

Connor Curran
 
IT Support Technician
Code Nation Connor.curran@wearecodenation.com