Phishing refers to any attempt to obtain sensitive information such as usernames, passwords, or banking details, often for malicious reasons, by impersonating a trustworthy entity in an electronic communication. Phishing is an example of a social engineering technique used to mislead users and exploit weaknesses in network security. Various attempts have been made to control the increase in reported phishing cases, including legislation, employee and general user training, public education, and standardized network security protocols.
Phishing is typically carried out by direct digital communication. An attack will often direct users to enter sensitive information at a fake website whose look and feel match the legitimate site. Correspondence claiming to come from social media, auction or retail sites, financial institutions, or network and IT administrators is used to trap users. Phishing emails may even contain links that deliver malware, further damaging a victim’s system.
In addition to standard phishing techniques, specific types of phishing can be used to accomplish various objectives.
- Spear phishing: An email-spoofing attack that targets a specific organization or individual, seeking unauthorized access to sensitive information. Attackers usually gather personal information about the intended target to increase their chance of success.
- Clone phishing: An authentic, previously delivered email has its content and recipient address copied and reverse engineered to produce an identical or cloned email. Any real attachments or links in the original are replaced with malicious ones, and the clone is sent from a spoofed address so the victim accepts it as genuine.
- Whaling: A phishing attack crafted to target an upper manager based on the person's role in the company. The content of a whaling attack email is often written as a legal subpoena, customer complaint, or executive issue. Whaling scam emails are designed to masquerade as a critical business email, sent from a legitimate business authority.
Common Features of Phishing Emails
When dealing with web security, it's important to be able to recognize the most common aspects of a phishing attack. Phishing attacks usually succeed only because a user acts on them, so teaching users to avoid the major pitfalls helps businesses avoid cyber security threats.
- Dramatic Statements: Lucrative offers and eye-catching or attention-grabbing statements are designed to attract people’s attention immediately. For instance, many claim that a target won a phone, a lottery, or some other lavish prize.
- Urgency: A common tactic among cybercriminals is to ask the victim to act quickly before an opportunity ends. Most reliable organizations give ample time before they terminate an account and they never informally ask their users to update personal details over the Internet.
- Hyperlinks: A link may not be all it appears to be. Hovering over a link shows the actual URL, and it could be totally unrelated to the link text. Sometimes it might appear to be a safe website, but with slightly altered spelling – for example, with the number “1” replacing a lowercase “L”.
- Attachments: Unexpected attachments in emails should be treated with suspicion. They often carry payloads such as ransomware or other malware.
- Unusual Sender: Low-level spam is often sent by unknown or suspicious-sounding senders. When receiving an email from someone unknown who seems to be acting suspiciously, exercise restraint before responding, if you respond at all.
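The sender and hyperlink checks above can be automated at the mail gateway or in a triage script. The following is an added example, not code from this page or from Barracuda: it parses one RFC 822 message and reports the indicators listed above, namely a display name that claims a trusted brand while the address domain differs, a sender or link domain whose look-alike spelling folds back to a trusted domain (the digit "1" for a lowercase "l", "0" for "o"), link text that shows one site while the href points to another, and urgency phrases in the subject or body. The allowlist `TRUSTED_DOMAINS`, the urgency phrase list, and both sample messages are constructed for the example; the registered-domain helper takes the last two labels of a hostname and ignores multi-label public suffixes such as `.co.uk`.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of brands this organisation's users legitimately hear from (assumption).
TRUSTED_DOMAINS = {"example-bank.com"}

# Character swaps that fold look-alike spellings back to the real name
# (digit 1 for lowercase l, 0 for o, 3 for e, 5 for s; "rn" for m is handled separately).
LOOKALIKE = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Phrases that press the reader to act quickly (constructed list, extend as needed).
URGENCY_PHRASES = ("within 24 hours", "account will be closed", "act now", "immediately")

# Visible link text that is itself a URL or bare domain, e.g. "https://www.example-bank.com/secure".
URL_TEXT = re.compile(r"^(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?$", re.I)


def registered_domain(host):
    """'login.example-bank.com' -> 'example-bank.com'. Simplification: ignores suffixes like .co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def looks_like(domain):
    """Return the trusted domain that a look-alike spelling imitates, or None if it is genuine."""
    folded = domain.lower().translate(LOOKALIKE).replace("rn", "m")
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted and domain.lower() != trusted:
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze(raw_message):
    """Return a list of human-readable findings for one RFC 822 message (empty list = nothing flagged)."""
    msg = email.message_from_string(raw_message)
    findings = []

    # Unusual sender: brand name in the display name but a different address domain,
    # or an address domain that is a look-alike spelling of a trusted one.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.rpartition("@")[2])
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in name.lower() and sender_domain != trusted:
            findings.append(f"display name '{name}' claims {brand!r} but address domain is {sender_domain}")
    imitated = looks_like(sender_domain)
    if imitated:
        findings.append(f"sender domain {sender_domain} is a look-alike of {imitated}")

    # Gather the HTML body; walk() also covers multipart messages.
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_payload(decode=True).decode("utf-8", "replace")

    # Hyperlinks: href host is a look-alike, or the visible text shows a different site than the href.
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        target = registered_domain(host)
        imitated = looks_like(target)
        if imitated:
            findings.append(f"link {href} uses look-alike domain imitating {imitated}")
        shown = URL_TEXT.match(text)
        if shown and registered_domain(shown.group(1)) != target:
            findings.append(f"link text shows {shown.group(1)} but points to {host}")

    # Urgency: pressure phrases in the subject line or body.
    haystack = (msg.get("Subject", "") + " " + html).lower()
    hits = [phrase for phrase in URGENCY_PHRASES if phrase in haystack]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample: a phishing message using a look-alike domain and mismatched link text.
SAMPLE = """\
From: "Example Bank Security" <alerts@examp1e-bank.com>
To: user@example.org
Subject: Urgent: verify your account within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. Confirm your details now or your account will be closed.</p>
<p><a href="http://login.examp1e-bank.com/verify">https://www.example-bank.com/secure</a></p>
<p><a href="https://www.example-bank.com/help">Help centre</a></p>
</body></html>
"""

# Constructed sample: a legitimate notification that should produce no findings.
CLEAN_SAMPLE = """\
From: "Example Bank" <alerts@example-bank.com>
To: user@example.org
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available in online banking.</p>
<p><a href="https://www.example-bank.com/statements">Sign in</a></p></body></html>
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print("FLAG:", finding)
    print("clean message findings:", analyze(CLEAN_SAMPLE))
```

Run against `SAMPLE`, the script reports five findings (the display name, the look-alike sender domain, the look-alike link domain, the link text that disagrees with its href, and the urgency phrases) and none for `CLEAN_SAMPLE`. In production the allowlist would come from the organisation's own brand and partner list, and the registered-domain logic should use a public suffix list rather than the two-label shortcut.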
Avoiding Phishing Attacks
- Social Responses: Training people to recognize phishing attempts, and deal with them. Education can be effective, especially where training emphasizes conceptual knowledge.
- Browser Alerts: Maintain a list of known phishing sites and check websites against the list. One such service is the Safe Browsing service provided by Google Chrome.
- Eliminating Phishing Mail: Specialized spam filters reduce the number of phishing emails that reach their addressees' inboxes, or provide post-delivery remediation by analyzing and removing phishing messages after delivery through integration at the email provider level.
- Monitoring and Takedown: Round-the-clock services to monitor, analyze and assist in shutting down phishing websites.
- Transaction Verification and Signing: Using a mobile phone (smartphone) or alternate email address as a backup channel for authentication and authorization of sensitive interactions (like financial transactions).
Phishing is one of the largest threats to enterprises today. A successful phishing attack not only costs money but can also open a company up to much greater security and data breaches. That is why training and education are so important: they can greatly reduce the rate of successful phishing attacks.
- Blog: Four big spear phishing attacks you may have forgotten
- Blog: Phishing vs. Spear Phishing: What You Need to Know
- Blog: Is spear phishing the new ransomware?
- Whitepaper: Best Practices for Protecting Against Phishing, Ransomware and Email Fraud
How Barracuda Can Help
Barracuda Email Protection is a comprehensive, easy-to-use email security solution that delivers gateway defense, API-based impersonation and phishing protection, incident response, data protection, compliance and user awareness training. Its capabilities can prevent phishing attacks:
Barracuda Email Gateway Defense quickly filters and sanitizes every email before it is delivered to your mail server to protect you from email-borne threats. Using virus scanning, spam scoring, real-time intent analysis, URL link protection, reputation checks, and other techniques, Barracuda provides you with the best possible level of protection.
Barracuda Impersonation Protection protects against business email compromise, account takeover, spear phishing, and other cyber fraud. It combines artificial intelligence and deep integration with Microsoft Office 365 into a comprehensive cloud-based solution.
Impersonation Protection’s unique API-based architecture lets the AI engine study historical email and learn users’ unique communication patterns. It blocks phishing attacks that harvest credentials and lead to account takeover, and enables real-time remediation.
Barracuda Security Awareness Training is an email security awareness and phishing simulation solution designed to protect your organization against targeted phishing attacks. Security Awareness Training trains employees to understand the latest social engineering phishing techniques, recognize subtle phishing clues, and prevent email fraud, data loss, and brand damage. Security Awareness Training transforms employees from a potential email security risk to a powerful line of defense against damaging phishing attacks.
Barracuda Incident Response automates incident response and provides remediation options to address issues faster and more efficiently. Admins can send alerts to impacted users and quarantine malicious email directly from their inboxes with a couple of clicks. Discovery and threat insights provided by the Incident Response platform help to identify anomalies in delivered email, providing more proactive ways to detect email threats.
Do you have more questions about phishing? Contact us today!