Building Cyber Security Resilience Against Phishing

Phishing is a deceptive tactic used by cybercriminals to trick individuals into taking harmful actions.  These actions may include downloading malicious software, sharing confidential or sensitive information, or transferring money to the attacker under false pretences.  Phishing campaigns are generally crafted to imitate a legitimate business, bank or email provider, by replicating the branding, design and pattern of their communications.  Regardless of the intended outcome of a phishing attack, deceit will always be an element.

The method of delivering phishing differs depending on the target, type of attack and information targeted. The most common forms of delivery are:

• Email
• Instant messaging, including SMS (smishing)
• Telephone (vishing)
• QR codes (quishing).

Email and instant messaging remain the most prevalent forms of attack vectors.  They are free, exposure is nominal, and they require little technical knowledge to execute due to the availability of pre-determined phishing kits.  The number of targets that can be attacked at the same time is, theoretically, unlimited.

Using phones as an attack vector is becoming more common; whilst it once involved a degree of intricacy, vishing has become easier in recent years through the development of AI technology, which can be used to help execute such attacks.

QR codes are a relatively new phishing attack vector, and their use is increasing due to the ease with which they can be generated.  Additionally, because ‘quishing’ is relatively new, there is a lack of awareness and training surrounding it, increasing susceptibility.

Just like the forms of delivery, targeting strategy can vary.  It can be a ‘sprinkler’ style, where the attack is widespread, however, it can also be targeted, for example a senior member of the organisation being attacked.

‍

‍

Attackers have been known to utilise business email compromise (BEC), where they will impersonate a trusted individual (e.g., your organisation’s CEO) to lure you into sending money or data, in order to replicate authenticity.‍

The anatomy of phishing is relatively straightforward.  What makes it so dangerous is its simplicity and the vulnerabilities it is attempting to exploit.  A phishing attack directly targets users and plays on basic human behavioural traits:

• Desire to help: A phishing email may impersonate a colleague or friend asking for urgent assistance, such as a new employee being asked by the CEO to purchase some vouchers.‍
• Trust: Attackers often mimic trusted institutions like banks or government agencies, prompting users to click on malicious links or enter credentials on fake websites.‍
• Fear: Messages warning of account suspension, legal action, or data breaches pressure users into acting quickly without verifying the source.‍
• Greed: Scams promising lottery winnings, investment opportunities, or exclusive deals lure victims into providing personal or financial details.‍
• Curiosity: Subject lines like ‘You won’t believe what happened!’ or ‘See who’s talking about you’ entice users to open attachments or click links that install malware.

Hopefully, your email provider/technical controls will have already filtered most phishing attempts before they reach your users’ inboxes.  However, in many cases, suspicious emails still slip through the cracks.

One of the best ways to mitigate the impact of phishing is to provide user awareness and security training.  Such training should cover the techniques and tactics used in phishing, examples of phishing attempts, key indicators of phishing, and how to report phishing attempts (even after falling for a phish).

Users should be encouraged to consider the following key questions:

1. Why did I receive this?
2. Am I expecting it?
3. What if I don’t comply?
4. Is there anyone who can help?

A reporting process is a benefit of its own accord.  By having a process, there is less chance for organisation-wide phishing attempts to go unnoticed.  Instead, your organisation can gain insights into the attacks being attempted, allowing you to respond rapidly, such as by sending an organisation-wide alert of ongoing phishing campaigns. In some cases, gamification of this can increase the likelihood of engagement with reporting.

Regular phishing simulations allow your organisation the opportunity to test its resilience to phishing attacks, and assess the effectiveness of your:

• Awareness training
• Reporting process.

To help raise awareness of the issue, URM has produced a video with practical, real-world guidance on what to look for in differentiating between a phishing email and a genuine email.

‍

‍

‍