3 phishing techniques you and your employees need to know about
Phishing is one of the most severe cybersecurity threats facing Australian businesses today. According to the 2019 Australian Threat Report, phishing attacks were responsible for more data breaches than any other exploit, malware strain or cybercriminal technique. All told, more than a quarter of all data breaches in Australia (27%) are caused by phishing.
This approach remains effective because it targets the weakest links in any organisation: employees who lack training and education around cybersecurity best practices. Workers who are unaware of the threat posed by phishing are far less likely to spot a red flag when they see one. Teaching staff to recognise common phishing strategies and exercise restraint when opening and responding to emails should be a top priority for all businesses.
To help get you started, review these three phishing techniques with your employees.
1. Impersonating a trusted brand or company
Cybercriminals have become more sophisticated over the years, using advanced techniques to exploit vulnerabilities and crack defences, and phishing is no exception. Many phishing emails impersonate legitimate organisations, including business partners, vendors and major brands.
Malicious actors may go to great lengths to create a veneer of legitimacy, adding official logos, links to brand websites and real contact information to phishing emails. A quick glance won't immediately raise any red flags because everything seems to be legitimate.
Take a closer look, however, and you'll find signs of foul play at work. Some common signals to keep an eye out for include:
- A generic greeting or one that uses the recipient's email address rather than his or her first name.
- Poor grammar and spelling.
- A sender email address padded with extra characters or numbers so that it resembles, but does not match, the genuine domain.
- Embedded links that point to plain HTTP pages rather than HTTPS, meaning the connection has no SSL/TLS protection.
Another point to keep in mind is that brands almost never include downloadable attachments in emails sent to their customers. A business partner or vendor might, but those emails are harder to fake, given their specificity.
Employees should be suspicious of any email they receive that asks for login credentials, or urgently asks them to sign into an account to resolve a matter they're not already aware of. A little scepticism is always a good thing in the fight against cybercrime.
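The red flags listed above can be turned into a simple, mechanical triage check that a security team can run over incoming mail before a human reviews it. The following Python script is an added example for this article, not a tool from Biztech or any product named on the page. It parses a message with the standard library `email` module and reports the signals the text describes: a generic greeting, a sender domain that imitates a trusted brand with extra characters, links that use plain HTTP instead of HTTPS, the presence of attachments, and wording that asks the recipient to log in or verify an account. The trusted-domain list and both messages are constructed for illustration; grammar and spelling quality is deliberately left to the human reviewer, since a dictionary-based check would be unreliable on short messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed list of domains this organisation considers genuine (assumption).
TRUSTED_DOMAINS = {"acme-bank.example", "example.com"}

# Greeting aimed at "customer"/"user" or at the recipient's email address
# instead of a first name (signal 1 in the article).
GREETING_RE = re.compile(
    r"^\s*(dear|hello|hi)\s+(customer|user|member|client|valued customer|[^\s@]+@\S+)\b",
    re.I | re.M,
)
# Wording that asks for a login or account verification.
CRED_RE = re.compile(r"\b(log ?in|sign ?in|password|verify your account|credentials)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed phishing-style sample (not a real message).
SAMPLE_PHISH = """\
From: "Acme Bank Support" <support@acme-bank-secure123.example>
To: staff@example.com
Subject: Urgent: verify your account
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear customer,

We have detect unusual activty. Please login here to verify your account:
http://acme-bank-secure123.example/login

--b1
Content-Type: application/octet-stream; name="statement.exe"
Content-Disposition: attachment; filename="statement.exe"

AAAA
--b1--
"""

# Constructed benign sample from a colleague on the trusted domain.
SAMPLE_BENIGN = """\
From: "Jane Smith" <jane.smith@example.com>
To: staff@example.com
Subject: Team lunch on Friday
Content-Type: text/plain

Hi Alex,

Are you free for lunch on Friday? Menu: https://example.com/menu
"""


def body_text(msg):
    """Concatenate all text/plain parts that are not attachments."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(parts)


def attachments(msg):
    """Filenames of every attached part (brands almost never send these)."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def insecure_links(text):
    """Links that use plain HTTP rather than HTTPS."""
    return [u for u in URL_RE.findall(text) if urlparse(u).scheme == "http"]


def lookalike_sender(from_header, trusted):
    """Return the sender domain if it imitates a trusted brand but is not that domain.

    The heuristic strips digits and punctuation and checks whether a trusted
    brand label (e.g. 'acmebank') survives inside the padded domain.
    """
    _, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if not domain or domain in trusted:
        return None
    letters = re.sub(r"[^a-z]", "", domain)
    for t in trusted:
        brand = re.sub(r"[^a-z]", "", t.split(".")[0])
        if brand and brand in letters:
            return domain
    return None


def analyse(raw_message, trusted=TRUSTED_DOMAINS):
    """Map each triggered red flag to the evidence behind it; empty dict means clean."""
    msg = message_from_string(raw_message)
    text = body_text(msg)
    signals = {}
    if GREETING_RE.search(text):
        signals["generic_greeting"] = True
    bad_domain = lookalike_sender(msg.get("From", ""), trusted)
    if bad_domain:
        signals["lookalike_sender"] = bad_domain
    links = insecure_links(text)
    if links:
        signals["insecure_links"] = links
    files = attachments(msg)
    if files:
        signals["attachments"] = files
    if CRED_RE.search(text):
        signals["credential_request"] = True
    return signals


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, analyse(raw))
```

Running the script reports all five signals for the constructed phishing message and none for the colleague's lunch invitation. Each signal on its own is weak (plenty of genuine newsletters open with "Dear customer"), which is why the function returns the evidence rather than a verdict: the number of flags that fire together is what should decide whether a message is quarantined or passed to a reviewer.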
2. Tricking targets through spear phishing
Some phishing emails are easy to spot because they don't include any details related to the recipient. Everything about them is generic and vague, so targets are less likely to fall for them.
Spear phishing, however, is a far more targeted approach, using social engineering and publicly available personal information to make phishing emails seem legitimate. Many of the tell-tale signs listed earlier are not present in spear phishing emails. Instead, cybercriminals include details like the target's name, company, position and more to craft a seemingly innocuous correspondence.
With so many social media sites like Facebook and LinkedIn disclosing personal information, it's fairly easy for malicious actors to gather publicly available details about a specific person. They may even reference other co-workers or friends that their targets are connected to over social media.
All of this work makes it more difficult for employees to spot spear phishing emails and discern legitimate communications from cyberattacks. More rigorous and in-depth training can help teach cybersecurity hygiene and create more awareness among your staff.
As with any phishing attempt, your best course of action is to scrutinise any email that asks for login credentials, attaches downloadable or executable content or embeds links to third-party sites. If you can train employees to stop and analyse emails before clicking on links, downloading attachments or filling in login fields, you will greatly reduce the threat that spear phishing poses to your business.
3. Intimidating through authority
Cybercriminals love to create a sense of urgency in phishing emails to trick people into disregarding any doubts or reservations they might have so that they just click on a link or log into an account. Pretending to be a person or organisation with authority is an effective way to get targets to stop thinking logically and respond emotionally.
For instance, perpetrators may impersonate a law enforcement agency or government entity, even threatening legal repercussions if the victim doesn't comply with their requests. Cybercriminals can leverage the same tactics they would use to impersonate any business or company to create emails that appear to have originated from police departments and other legal authorities.
Spear phishing adds an extra wrinkle to these types of impersonation efforts by sending malicious emails to employees from their boss's address. Employees may be hesitant to disregard or disobey a request that comes directly from their supervisors, which makes these techniques very dangerous.
Make sure your staff members know to follow up on a separate channel if they receive an email from a supervisor that seems suspicious or makes an unusual request. Again, a healthy dose of scepticism is your best friend here.
As cybercriminals become more sophisticated and employ new techniques, it's important to routinely assess your business's data security readiness. Biztech's computer security services can help any organisation identify shortcomings in its security posture and make the necessary adjustments.
Our email threat analysis tools provide an extra layer of protection, detecting malicious and suspicious correspondences, and removing them before they land in your employees' inboxes. To find out more about how Biztech supports better security hygiene and defends against the latest threats, contact our team today.