Dara Security

Phishing - Would you Click?

February 26, 2015

As part of our ongoing series on social engineering, this article highlights phishing, the most widely used social engineering tactic.  Like other social engineering schemes, phishing relies solely on an individual’s trust and/or gullibility to provide a criminal with open access to sensitive information.

How is Phishing Done?

Phishing occurs when a criminal sends a target individual a specially crafted email.   The ideal phishing email will appear as if it is from a trustworthy source, perhaps the individual’s bank or a reputable website or group. Phishing emails may look like a tracking confirmation notification from FedEx or an order status message from Amazon.  With a well-crafted phishing email, the target individual will see no harm in clicking on the message.  The sender hopes that the individual will click on the message which could either install malicious code onto the his computer or send him to a fake website where sensitive information will be requested and harvested by the criminal.  

Opening the phishing email, clicking on a link within the email, or opening an email attachment would install malware onto the target’s computer.  Once installed, malware can run undetected and is used by criminals to harvest data either immediately or continuously over time.  Oftentimes, malware is not removed until it is discovered, providing criminals a window of opportunity to collect quantities of data.  If the target individual’s computer is connected to a company network, then the malware can spread to other devices on the network.  The resulting widespread infection can yield the criminal a treasure trove of company information while crippling the company with severe financial consequences and a tarnished reputation, as shown by the many high profile breaches of 2014.

If a phishing email directs recipients to a fake website, they will arrive at the login page of a website that looks just like a site they commonly use, whether it’s an online banking site or their company remote access site.  Entering their login credentials is exactly what the attacker is hoping for, as this allows the criminal to collect this data and access the actual website, masquerading as the user.

As with most social engineering techniques, the basic phishing technique is subject to many variations:

  • Vishing, or Voice Phishing, occurs when a criminal gathers sensitive information from a target individual over the phone.
  • SMishing, or SMS Phishing, occurs when a criminal sends bogus text messages that include malicious links.
  • Spearphishing, so named for its targeted approach, occurs when a criminal collects data about the target individual and uses this personal information to craft a customized email that the target is sure to open.  
How to Recognize the Phishing Scheme

Phishing emails can be difficult to recognize as criminals have become very creative in producing convincingly genuine emails.  As criminals continue to develop more sophisticated phishing tactics, it has become increasingly important to refrain from clicking at every opportunity and to approach each email with a healthy dose of caution.

There are, however, a few signs that can distinguish a suspicious email from a legitimate one.

Spelling or grammar errors
Professional emails from legitimate parties are typically free of spelling and/or grammar errors.  However, phishing emails may contain errors, raising a red flag that the email should not be opened.

Hyperlinks
While they do not always necessitate suspicion, hyperlinks should be viewed with caution. The link text may be in a genuine domain, but clicking on it may not lead to the expected website. It is safer to mouse-hover over the link to reveal the destination URL, copy and paste the link into the URL bar of a browser, or figure out how to access that specific webpage from the expected website''s homepage.

Inconsistent Sender Information
The organization sending the email should have its name display correctly in the sender’s email address shown in the From line.  If the sender’s email address displays the organization name as Amaz0n instead of Amazon, then the email is not from Amazon and should be deleted.

Impersonal Salutation
Emails from organizations you have done business with will include your name in the first line.  Impersonal salutations like “Dear customer” are suspicious, and the email should be treated with caution.

How to Secure Your System Against Phishing

The strongest defense against phishing and any other social engineering scheme is to ingrain security awareness within the company culture.  Employees must be constantly engaged in discussions on the different forms of social engineering, especially phishing, if they are to recognize these schemes and take the appropriate defensive approach.  

Regular discussions could be supplemented with activities where employees use their knowledge in real-life scenarios.  Such was the case recently at Twitter, where upper management sent out a phishing email to employees to test their responses.  A pop-quiz like this would be a valuable lesson not only to those who would click on the email, but to all employees as ongoing discussions would no doubt be energized after such an exercise.

Dara Security is prepared to help secure your company information with our employee security training program.  We have extensive experience testing for social engineering attacks and training company employees on how to recognize and appropriately respond to phishing and other social engineering schemes.  By engaging with our team, you can be confident that your employees will have the tools to most effectively protect your company’s information.