Have you been phished?
While the majority of social engineering attacks are delivered by email, one-third of IT professionals have experienced an increase in social engineering delivered via other communication platforms in recent years. These include video conferencing platforms (44%), workforce messaging platforms (40%), cloud-based file-sharing platforms (40%), and SMS (36%).
As a result, email security providers are shifting from traditional Secure Email Gateways, which only block inbound threats, to platforms that also cover outbound and internal threats and integrate with popular messaging apps such as Microsoft Teams and Slack.
These shifts in the security landscape beg the question: have you been phished? And if you have, would you necessarily know?
Let's dive into what phishing is and how to keep your organization protected:
What is Phishing? How Widespread is It?
Phishing is a social engineering technique attackers use to trick a user into handing over sensitive information, or as a conduit for delivering malicious code. The premise of the attack is a message, most often an email, that appears legitimate and from a trusted source, so the user believes that any interaction with the sender is safe.
This attack exploits the human element, often the weakest link in a network, and because the pretext is tailored to the recipient, no one-size-fits-all control fully mitigates the risk.
Proofpoint released a phishing report that draws on multiple sources to show how pervasive the problem is. Surveys reported that 83% of global cybersecurity respondents had experienced phishing attacks in 2018, and credential compromise resulting from phishing campaigns rose 280% between 2016 and 2018.
Not only has the number of phishing attacks increased, but the techniques used to avoid detection have advanced. Approximately half of all phishing sites now use HTTPS and web page redirection, so the browser's padlock and a plausible-looking address give the user the impression that the site is trustworthy. A TLS certificate only proves that the connection is encrypted to whoever controls that domain; it says nothing about whether that party is legitimate.
2023's Top Phishing Techniques
There are several methods attackers use to fool users into submitting their credentials to a malicious server.
These social engineering techniques are constantly evolving and are often moulded to the digital footprint of the target. Two of them, spear phishing and whaling, are used to target specific persons of interest. In contrast to the generic phishing email sent to every employee of a company, both require further research into the target: their role, their contacts, and the interests or hobbies that make a pretext believable. Spear phishing focuses on an individual the attacker has selected, whether out of spite or because that person has access to resources the attacker wants. Whaling is spear phishing aimed at the CEO or another individual holding an executive position.
Once an executive's account is compromised, the attacker can send fraudulent emails that appear to come from the CEO demanding that staff take actions that benefit the attacker. Both methods require the attacker to comb the internet, with particular attention to social media posts, to find what the target is interested in or anything that may pique their interest in an email.
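The question in the title, "would you necessarily know?", can be partly answered by machine checks for the indicators described above: a sender that claims a trusted identity but writes from another domain, an executive title asserted by an external address (the whaling pattern), link text that shows one host while the href points elsewhere, and a look-alike or punycode destination. The following is an added example, not code from the original post or from any product; the sample messages, names, domains and URLs are constructed, and `TRUSTED_DOMAINS` is an assumed allow-list a real deployment would load from configuration. It deliberately ignores whether a link uses `https://`, because TLS on a phishing page proves nothing about who runs it.

```python
"""Heuristic phishing-indicator checks over a raw RFC 5322 message.

Added example, not code from the original post. Every message, name, domain
and URL below is constructed for illustration; TRUSTED_DOMAINS is an assumed
allow-list that a real deployment would load from configuration.
"""
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed allow-list of domains the organisation actually sends from.
TRUSTED_DOMAINS = {"example-corp.com"}

# Constructed phishing sample: executive title in the display name, a
# look-alike sender domain, link text that shows one host while the href goes
# to another, and a punycode label in the real destination. Note the https://
# scheme: TLS on a phishing site says nothing about who runs it.
SAMPLE_PHISH = """\
From: "Jane Doe (CEO)" <jane.doe@example-corp-mail.com>
To: finance@example-corp.com
Subject: Urgent wire transfer
Content-Type: text/html

<p>Please approve the payment today at
<a href="https://login.example-corp.com.xn--pple-43d.net/wire">https://login.example-corp.com/wire</a></p>
"""

# Constructed legitimate sample for comparison.
SAMPLE_CLEAN = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Q3 report
Content-Type: text/html

<p>The report is on the <a href="https://intranet.example-corp.com/q3">intranet</a>.</p>
"""

EXEC_TITLE_RE = re.compile(r"\b(ceo|cfo|coo|cio|president|director)\b", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def registrable(host):
    """Crude registrable domain (last two labels). Enough for .com/.net in this
    example; production code should consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted(host):
    return registrable(host) in TRUSTED_DOMAINS


def phishing_indicators(raw_message):
    """Return a list of (code, detail) findings; an empty list means nothing fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0]
    if not is_trusted(sender.domain):
        findings.append(("untrusted-sender", sender.addr_spec))
        if EXEC_TITLE_RE.search(sender.display_name):
            # Whaling / CEO-fraud pattern: an executive title asserted by an external address.
            findings.append(("exec-title-external", sender.display_name))

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in ANCHOR_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        if "xn--" in host:
            findings.append(("punycode-host", host))
        shown_host = urlparse(text.strip()).hostname
        if shown_host and registrable(shown_host) != registrable(host):
            findings.append(("link-text-mismatch", f"{shown_host} -> {host}"))
        for trusted in TRUSTED_DOMAINS:
            if trusted in host and not is_trusted(host):
                # Trusted name embedded in a host whose registrable domain is someone else's.
                findings.append(("lookalike-host", host))
        # Deliberately no check on the URL scheme: "https://" only means TLS.
    return findings


def is_suspicious(raw_message):
    return bool(phishing_indicators(raw_message))


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("clean", SAMPLE_CLEAN)):
        print(label, phishing_indicators(sample))
```

Run on the constructed phishing sample, every check fires; on the constructed clean sample, none does. Heuristics like these are a triage aid for a mail-security or SOC pipeline, not a replacement for authentication controls such as SPF, DKIM and DMARC, and the `registrable` helper is intentionally naive about multi-label suffixes such as `.co.uk`.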
The basis of any phishing campaign is to fool users into believing that a malicious email is a legitimate message. To counter this threat, security awareness training must be done on an ongoing basis to help employees, including those in executive positions, develop a security instinct.
One of the best ways to do this is to simulate a phishing campaign by hiring an external company to send employees realistic but controlled phishing emails.
For more information on simulating a real-life cyber-attack, contact us to learn more about our objective-based penetration testing.
Download our Free Buyer's Guide
Whether you are looking to complete Penetration Testing to manage risk, protect your data, meet regulatory compliance requirements or satisfy a requirement for cyber insurance, selecting the right company is crucial.
Download our buyer’s guide to learn everything you need to know to successfully plan, scope and execute your penetration testing projects.