Knowledge is power. Here we will go through how you can protect yourself and your emails from falling victim to a phishing attack.
Email phishing is one of many techniques attackers use to try to trick you into revealing your data to them.
Attackers send malicious emails, often while disguising themselves as trusted entities, to try to trick us into coughing up precious information in a variety of different ways.
Mass and spear types of email phishing attacks
Mass emailing
Mass emailing is the most common method. It involves sending thousands of malicious emails in the hope that only a few people bite. Even if only a small handful take the bait, the attacker will still have gathered enough information to benefit from it.
They use many different methods to try to bump up their success rate. They go to great lengths to carefully plan and design their emails so that they copy official emails from the company. They use the same wording and phrases that the company uses in its real emails so that they seem authentic. They do lots of research so that they can copy the logos and signatures of the company they are forging.
Also, when they use links within the emails, they tend to use misspelled or slightly tweaked links that resemble the real one. At first glance they are indistinguishable, the intent being that we will not look twice at the link before clicking on it.
Spear Phishing
Spear phishing is a little different. It is a more targeted approach, usually aimed at one person or company instead of firing thousands of random emails everywhere.
It is a lot more in-depth and requires much more specialist knowledge to pull off. The attacker needs to know about the user or company that the attack is centred on, which requires far more research than mass phishing.
A good example of how this method might play out would be:
- The attacker learns the names of the employees within the organisation they are targeting and, with this, can gain access to something such as an invoice
- The attacker could then pose as a higher-up from the company, sending the employee an email complete with all the logos and signatures that the company usually adds
- The email contains a password-protected attachment that is a forged version of the invoice
- The user is then asked to unlock the document using their password. This gives the attacker the credentials they need to gain access to secured areas of the company's network
- This then lets the attacker access all of the sensitive information within that secured part of the company
In-depth ways attackers can steal our data
There are many different things that email attackers use to 'phish' for our data. Each has the same sort of approach with slightly varying methods.
Nearly all email phishing attacks start with the culprit posing as a trusted individual. Of course, this doesn't always work off the bat, but it still works more often than you would think.
Phishing emails usually contain links that have been meticulously written so that the user thinks they are legitimate. The problem is that, instead of taking us where it says, the link can start installing malicious software onto our device. This software can attack our devices and potentially reveal sensitive information that can be used against us. Different types of information it can reveal include:
- Personal information that can be used in identity fraud
- Bank account credentials
- Passwords for sensitive websites
Other types of email phishing use a link that doesn't install software. These links really do take us to a legitimate-looking webpage, but the page will have been put together to get us to willingly enter our sensitive information. This type of attack will usually be an email stating that a password is about to expire and we must reset it. It then takes us to a webpage that is a carbon copy of the one we were expecting, and we think nothing of it as we proceed to enter our passwords for them to steal.
They might even send us to the correct page but, when the link is pressed, run a script in the background that collects our session cookies. This would then allow the attacker to gain access to any webpage we are logged into during those sessions.
Email phishing doesn't just apply to individuals either. Sometimes it is done on a much larger scale, with attacks targeting whole corporations for their information. These attacks are used to gain entry into company or even government networks, which can then lead to bigger attacks.
One of these is the advanced persistent threat (APT), in which employees are targeted in order to bypass security measures. Once the attackers have done this, they are able to distribute malware inside the closed network and potentially gain access to very sensitive data.
Psychology tricks that attackers use
Attackers use different types of psychology to try to trick us into falling for their scam. There are 3 main types they use in order to achieve their goals:
Sense of urgency
Attackers will often use keywords that make the email sound urgent, and they will often give a time frame for the task to be completed. The result is that we might not think twice before completing it, or we might complete it so that we don't face any consequences if we don't. An example of this could be a password change. They might word the email so that it reads “You have 24 hours before your password expires. Please re-enter it at the link below to stop this”.
Use of authority
They might email an employee posing as the CEO or another higher-up in their company. The trick here is that the victim is used to taking orders from the people in command without question, as it's part of their job. The attackers can then use this to force sensitive information out of the user for malicious purposes.
Fear and blackmail
Some emails contain threats from attackers: if we don't comply, we will be met with consequences. They usually do this by threatening to reveal sensitive data that they claim to already have. This sometimes makes us panic about what the consequences may be, and we end up going along with what the attacker wants us to do.
So why do attackers do this?
In short, email phishing is malicious. There are many reasons why an attacker would try it:
- Money – attackers could steal bank account details and, with them, money
- Installing malware – they could use it to put viruses onto your device
- Shutting down systems – they sometimes try to shut down secured systems to steal sensitive data from a company. This can also be profitable.