Phishing

What is phishing?

Phishing is a type of social engineering, which mostly works via scam emails. It’s a way hackers try to manipulate victims to lead them to a specific reaction, like typing in a password or opening a malicious document. The cyber-criminals try to bypass the email security companies have via appealing to specific employees in a personal way. Phishing is not malware, it’s a scam tactic, that elite hackers have in their toolbox to gain information or spread malware in order to breach the security of companies without an extended amount of effort. How exactly does this technique work? How can you protect yourself?

The basic knowledge of phishing

First, you should know what Social Engineering is. Social Engineering is in general, applied social sciences, but better known as social manipulation or scamming. For Social Engineering the offender uses psychological knowledge to manipulate the victim to do what they want them to do. One technique is to pretend to be a colleague of the victim, an example would be a colleague from the system administration department sending out a scam email disguised as email from system administration department head. The victim is a way more willing to do, what the hacker wants the victim to do with his computer if he thinks that the attacker is a colleague. Another method is to prepare a scam email, which looks like an email from a company you trust, like PayPal. The hacker uses this scam email to lead the victim into the trap to gain access to their PayPal account.

Phishing is a scam email attack from cyber-criminals using the techniques discussed above. In general, there are two types of phishing attacks. First the easier method, the cyber-criminal doesn’t need much information about the victim. He sends out as many phishing emails as possible, to as many recipients as possible. Underlining the idea, that in a mass of people, someone will react in the way they want them to react. The chance getting higher and higher the more emails sent out. The other variation of phishing emails is called spear phishing. Spear phishing emails are much more personalized than a normal phishing email. The hacker tries to attack one particular victim and manipulates them with emails to give over the data wanted. One variation of this based on a two-step approach is called Barrel Phishing.

How does Phishing work?

Types of Phishing Attacks

How to spot phishing Mails (+ Examples)

How can you differentiate between the real email? Which is very important to get, and those emails which are just phishing emails? There are a few warning signs which help to recognize phishing emails, and differentiate them to the real emails:

• Consider the subject line: Would a reputable brand threaten you in the subject line of an email? Probably not. If the subject line seems threatening or dramatic, it could be a phishing scam.
• Check the sender’s address: Does the sender’s email domain match that of the brand? Are there extra characters in the email address or extensions like .co or .company that shouldn’t be there? Scrutinize the sender’s address, and look for signs of email spoofing before clicking any links.
• Look for personalization: Any business sending you correspondence should know your first name. If you are addressed by anything other than your name, such as Dear User or simply Hello, then you should consider the email suspicious.
• Hover over links: Hover over links in the email to ensure it leads where it should. Often, phishing links will be long and complex with an excess of special characters. If it’s not clear where they link leads, do not click on it.
• Check the brand’s website: If you’re unsure about a link, type the brand’s website directly in your browser instead of clicking. Or use a free service like IsItPhishing.AI to scan the URL for phishing.

With these simple tricks you often can identify phishing emails. It is important to train yourself to question every email, especially those you didn’t expect, with the question “could this be a phishing email?”

To strengthen your resilience against phishing attacks, here are a few examples of phishing emails and the common warning signs to look out for:

Missing personal salutation

The sender

Email header

Deceptive attachments

Security alerts

Invoice phishing scams

Shared-file attacks

Voicemail phishing

Update payment alerts

Dubious links

Fake form fields

On those scam websites, there is another possibility to get access to your sensible data. Do you have problems with remembering long numbers? So glad that you can save your credit card information to Google, so you never have to type in the number anymore? But watch out! There is a big risk with auto fill forms Google, Safari and all the other services offers you.

The hackers can place a form on a website outside of the visible area, where you ask for the credit card information. So, the cybercriminal leads you to their fake website, and there you are asked to type in your name. Google proposes to you to use his auto fill form. What you don’t see is the credit card form, which automatically also gets filled. Don’t save your credit card details to an auto fill tool.

Language

If you are an American, you have your money in a US bank. Now you get an email, which seems to be from your bank, but is written in Spanish. Now ask yourself, why would they write you a Spanish email, even if they know you are speak English? You are right, there is a high risk. This is a scam attack and you should not react. Additionally you should be skeptic if you even get an email with important data from your bank, because normally they would send it via direct email or in your bank account inbox.

Sextortion

Sextortion scams are designed to trick victims into believing a hacker is in possession of compromising information, such as webcam video of the victim watching online pornography. These scams often target consumers of sites. The victim is instructed to pay the hacker in Bitcoin to avoid the information being leaked to the public and their acquaintances. 

Corporate phishing attacks

Phishing was once considered a consumer problem when it first emerged in the mid-1990s and hackers impersonated AOL employees to exploit users of the Internet service. But as attackers grew more sophisticated, they began targeting businesses, including cloud service providers, financial institutions, and other large corporations relied upon by organizations.

By 2013, phishing became the primary vehicle for delivering ransomware, an effective threat for seizing critical data and holding organizations hostage in exchange for a fee. 

Private information

Cyber-criminals try to steal your personal data. They are looking to get passwords, PIN’s and TAN’s. A bank never would ask you for such data in an email. If there is a question for this data, you can be sure you have received a phishing email. This is also a reason banks send all important things via postal … or in the inboxes of their own banking apps/internet-portales.

Grammatical and orthographic deficiency

Also, you should look out if there are misspellings or grammatical errors in sentences. Often phishing emails are originally written in another language, and then simply translated with an online translator. Because of this there are often many mistakes in phishing emails.

---

impact of Phishing attacks on businesses

Phishing attacks are often evaluated primarily in financial terms. In the United States, for example, business email compromise (BEC) accounts for more than $1.8 billion in annual losses, with phishing adding tens of millions more, according to FBI data. While a median BEC loss of around $30,000 may not immediately threaten a company’s survival, many small and medium-sized businesses (SMEs), particularly in Europe, report that a serious cyber security incident could put them out of business.

However, the impact of phishing extends well beyond direct financial loss. Organisations may also face operational downtime, exposure of sensitive data, reputational damage and loss of customers. While these consequences are significant, they do not capture the full scope of risk.

Increased likelihood of future attacks

Phishing is often the first step in more sophisticated, multi-stage operations. Organised criminal groups — responsible for the majority of breaches — often use broad phishing campaigns to gather credentials or internal intelligence. This information can be used for targeted spear phishing, large-scale BEC fraud, malware deployment or lateral movement within a network. Even if an initial phishing attempt is detected, attackers may retain harvested data that can be used to strengthen future attacks. In this way, a single incident can significantly increase long-term exposure.

Elevated legal and regulatory risk

Victims of phishing may face legal consequences, especially if an attack results in regulatory violations or harm to third parties. For instance, paying a ransomware demand could violate sanctions regulations if funds are transferred to prohibited entities. Managed service providers (MSPs) and other IT partners may also face litigation from clients alleging insufficient safeguards. Similarly, organisations that experience data breaches involving personal or health information are exposed to lawsuits and regulatory scrutiny, particularly if security controls or employee training are deemed inadequate.

Expanded risk across the business ecosystem

No organisation operates in isolation. A compromised company can become an entry point for attacks on customers, vendors or partners. MSPs are especially attractive targets because they connect to multiple client environments, but any organisation with supply chain relationships can be exploited as a launchpad for broader campaigns. In this sense, phishing can transform a single organisation into a conduit for systemic risk across its network.

How to protect against phishing?

To protect against phishing, it’s best to trust in professional IT security solutions.

Implement email authentication

Email spoofing is a foundational strategy of phishing scams. Email authentication protocols exist to limit the ability for hackers to impersonate senders. Email authentication protocols, including Sender Policy Framework (SPF), Domain-Keys Identified Mail (DKIM), and Domain-based Message Reporting and Conformance (DMARC)—act as an important layer of security. Detailed recommendations for implementing SPF, DKIM, and DMARC can be found from NIST, and there are numerous resources and vendors available to assist with adopting DMARC.

Adopt an email and web browsing policy

In addition to user awareness training, an email and web browsing policy addresses the human element of your overall security posture. These policies define the safe and responsible use of email and the Internet within your organization, establishing rules and guidelines for handling sensitive information and adhering to security protocols. You can start by using a respected institution’s template and customize it to suit your organization’s unique needs. Ensure that the policy is easily accessible and incorporated into employee training.

Embrace user awareness training

Human error remains the top contributing factor to data breaches, according to Verizon’s Data Breach Investigations Report. User awareness training helps limit the potential for human error by teaching users to identify and properly handle the latest phishing threats and techniques. The best training results come from programs that provide simulation-based instruction electronically, automatically, and on-demand as users need it. Programs should also contextualize training according to the unique role of each user, considering that phishing threats can vary depending on the profession and seniority of a targeted victim. This contrasts with traditional training programs, which use generic simulation scripts, follow a pre-determined schedule, and require direct facilitation by an administrator.

At the same time, user awareness training programs should teach users to report suspicious emails. This gives admins the opportunity to investigate and remediate potential threats.

Enable Multifactor Authentication (MFA)

Multifactor Authentication (MFA) fortifies your security by requiring users to authenticate their identity through multiple means that each offer a level of security. Institutions like CISA recommend all organizations adopt MFA, especially small-to-midsized businesses. Best practice is to adopt a FIDO or PKI-based MFA, which offers phishing-resistant protection. If these options are not feasible, the next-best alternatives are app-based, SMS, or voice MFA.

Adopt and enforce strong password policies

Compromised accounts are often exploited in phishing or Business Email Compromise (BEC) attacks. Strong password policies can mitigate the risk of users creating weak passwords or reusing them across applications. To create a robust password policy, require users to set long and unique passwords, as length is more important than complexity, according to the National Institute of Standards and Technologies (NIST). Limit the number of incorrect password attempts allowed and develop and enforce a list of unacceptable passwords that includes dictionary terms, specific names, and breached credentials.

Adopt a third-party, integrated email security solution

Integrated email security solutions are highly recommended for countering modern email threats. According to the Gartner Market Guide for Email Security, businesses should supplement the native features of their email platforms with this technology, replacing traditional solutions like secure email gateways (SEGs). SEGs operate outside an organization’s internal network and rely on technologies that base detection on past attacks, rather than those that have yet to find a victim. Integrated solutions solve these deficiencies. They exist within the internal network and provide protection for external and internal attacks. Many also leverage AI-powered algorithms to detect and neutralize threats that have yet to emerge. The best solutions provide advanced capabilities for threat prevention, detection, and response.

How can I prevent phishing?

Phishing isn’t malware, it is a scam tool hackers use to trick the security of the victim via personal appeal. Because of this there is no possibility to remove phishing attacks. If a hacker has your email address, he always can use it to send you phishing emails. You only can prevent to get more phishing emails.

To prevent phishing the first thing you can do is to sensitize yourself and/or your employees, to look even more precisely on emails which forces you to give out personalized data. If you did this, you and/or your employees could recognize all phishing attacks. To sensitize you can use all recognizing techniques I showed you above. To test your knowledge, google invented a quiz: https://phishingquiz.withgoogle.com/ That should minimize the danger, but anyways there remains a risk, if you don’t trust in a professional IT-Security solution.

How Advanced Threat Protection is working

Hornetsecurity ATP checks every incoming email for malicious content. To check them ATP puts all incoming files, URL and so on into a sandbox. In the sandbox ATP is running the content in virtual operating systems. Then ATP looks for effects in the systems and other anomalies. If everything is normal, then the recipient gets the email normally. When ATP detect malicious content it will block it and the recipient gets a security alert.

How to improve IT security with Security Awareness

Employees are on the first line when attackers try to exploit technical or human vulnerabilities. By training your employees companies reduce the risk of becoming a victim of cyberattacks. The Security Awareness Service from Hornetsecurity offers automated Security Awareness Training and phishing simulations.