Phishing attacks and how to avoid them

Defending against malicious emails and other phishing threats

While technical security measures continue to improve, phishing remains one of the cheapest and easiest ways for cyber criminals to gain access to sensitive information.

Simply by clicking a link, victims can endanger their company’s security and put themselves at risk of identity theft.

They might also compromise their personal information, login credentials such as usernames and passwords, and financial information, including credit card numbers.

This page provides an overview of phishing and explains how security awareness training can help you avoid falling victim.

What is phishing?

Phishing is a type of social engineering attack in which cyber criminals trick victims into handing over sensitive information or installing malware.

More often than not they do this via malicious emails that appear to come from trusted senders, but they sometimes use other means, which are explained below.

How does phishing work?

Most phishing campaigns employ one of two basic methods:

Malicious attachments

Malicious email attachments, which usually have enticing names, such as ‘INVOICE’, install malware on victims’ machines when opened.

Links to malicious websites

Malicious links point to websites that are often clones of legitimate ones, which download malware or whose login pages contain credential-harvesting scripts.

Types of phishing website

There are many types of malicious website, including:

Pharming/DNS cache poisoning

Pharming attacks redirect a website’s traffic to a malicious site that impersonates it by exploiting vulnerabilities in the DNS, the system that matches domain names (the URL you type into your browser address bar) with IP addresses (the string of numbers assigned to each device connected to a network).

Typosquatting/URL hijacking

The URLs of these spoof websites look genuine, but are subtly different from those of the sites they impersonate.

They aim to take advantage of typing mistakes when users enter URLs into their browser address bar.

For instance, they might:

  • Misspell the legitimate URL;
  • Use letters that are next to each other on the keyboard, such as ‘n’ in place of ‘m’;
  • Swap two letters round; or
  • Add an extra letter.
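The four manipulations listed above can be turned into a defender-side check. The following Python is an added example, not code from this page or from IT Governance: given the domains your organisation legitimately sends from, it classifies an inbound sender domain as one of these lookalike types so that mail from such domains can be flagged for review. The QWERTY adjacency table is a constructed approximation, and the protected domain and sender addresses are constructed sample data.

```python
"""Flag sender domains that look like a protected domain, classified by
the typosquatting technique used (misspelling, adjacent key, swapped
letters, extra letter)."""
from typing import Dict, List, Optional, Set, Tuple

# Assumed QWERTY layout, letters only; rows are treated as aligned, which is
# an approximation of the real staggered keyboard.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _adjacent_keys() -> Dict[str, Set[str]]:
    """Map each letter to the letters on neighbouring keys."""
    adj: Dict[str, Set[str]] = {}
    for r, row in enumerate(QWERTY_ROWS):
        for c, ch in enumerate(row):
            neighbours = set()
            for dr in (-1, 0, 1):
                rr = r + dr
                if not 0 <= rr < len(QWERTY_ROWS):
                    continue
                for dc in (-1, 0, 1):
                    cc = c + dc
                    if (dr or dc) and 0 <= cc < len(QWERTY_ROWS[rr]):
                        neighbours.add(QWERTY_ROWS[rr][cc])
            adj[ch] = neighbours
    return adj


ADJACENT = _adjacent_keys()


def classify_lookalike(legit: str, candidate: str) -> Optional[str]:
    """Return the lookalike category if `candidate` is one edit away from
    `legit` in one of the ways listed on the page, otherwise None."""
    a, b = legit.lower(), candidate.lower()
    if a == b:
        return None
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            i = diffs[0]
            # Same length, one character changed: neighbouring key or plain typo.
            if b[i] in ADJACENT.get(a[i], set()):
                return "adjacent-key substitution"
            return "misspelling"
        if len(diffs) == 2 and diffs[1] == diffs[0] + 1:
            i, j = diffs
            if a[i] == b[j] and a[j] == b[i]:
                return "transposition"
        return None
    if len(b) == len(a) + 1:
        # One character inserted somewhere in the legitimate domain.
        if any(b[:i] + b[i + 1:] == a for i in range(len(b))):
            return "extra letter"
        return None
    if len(b) == len(a) - 1:
        # One character dropped; the page counts this under misspelling.
        if any(a[:i] + a[i + 1:] == b for i in range(len(a))):
            return "misspelling (omitted letter)"
    return None


def scan_senders(addresses: List[str],
                 protected: List[str]) -> List[Tuple[str, str, str]]:
    """Return (address, impersonated domain, category) for every sender
    whose domain is a lookalike of a protected domain."""
    findings = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in protected:
            continue  # genuine corporate sender
        for legit in protected:
            kind = classify_lookalike(legit, domain)
            if kind:
                findings.append((addr, legit, kind))
                break
    return findings


# Constructed sample data: one protected domain and a batch of sender addresses.
PROTECTED = ["example.com"]
SAMPLE_SENDERS = [
    "helpdesk@example.com",     # genuine
    "finance@exanple.com",      # 'n' for 'm' (adjacent key)
    "ceo@exmaple.com",          # two letters swapped
    "hr@examplee.com",          # extra letter
    "it@exemple.com",           # non-adjacent misspelling
    "news@unrelated.org",       # not a lookalike
]

if __name__ == "__main__":
    for addr, legit, kind in scan_senders(SAMPLE_SENDERS, PROTECTED):
        print(f"{addr:<22} impersonates {legit} ({kind})")
```

Run against your mail gateway's sender log, the findings list is the set of addresses to quarantine or hold for human review; a registrar lookup of those domains (creation date, registrant) is the usual next step before blocking outright.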

Clickjacking/UI (user interface) redressing/iframe overlay

Attackers use multiple transparent layers to place malicious clickable content over legitimate buttons. For example, an online shopper might think they are clicking a button to make a purchase, but will instead download malware.

Tabnabbing and reverse tabnabbing

In these attacks, unattended browser tabs are rewritten with malicious sites. Unsuspecting users who return to the tab may not notice that the page is not legitimate.

Targeted phishing attacks

Most phishing emails are sent at random to large numbers of recipients and rely on the sheer weight of numbers for success. (The more emails are sent, the more likely they are to find a victim who will open them.)

However, there are also many types of attack – known as spear phishing – that target specific organisations or individuals. As with broader phishing campaigns, emails might contain malicious links or attachments.

These types include: 

Clone phishing

A copy of a legitimate email that has previously been delivered, but sent from a spoof address that closely resembles the email address of the original sender. The only difference between it and the original email is that links and/or attachments will have been replaced with malicious ones. Recipients are more likely to fall for this sort of attack as they recognise the contents of the email.

Whaling/CEO fraud

A type of spear phishing that targets high-profile individuals, such as board members or members of the finance team. These attacks require additional effort on the part of the attacker, but the rewards are potentially greater: CEOs and other C-suite executives have more information and greater levels of access than junior employees. Moreover, a senior staff member’s compromised account can be used to carry out BEC attacks.

BEC (business email compromise)

These emails often take the form of ‘urgent’ requests purporting to be from senior staff, such as the CEO or CFO. They use social engineering tactics to fool more junior staff members into wiring money to the wrong recipient or disclosing confidential business information.

How to identify phishing emails

According to Proofpoint's 2019 State of the Phish Report, 83% of information security professionals experienced attacks in 2018, up from 76% in 2017.

Even if your organisation has strong technical security measures, some phishing emails will inevitably get through.

It is therefore critical for all employees to be able to recognise them. Things to look out for include:

  • Public email domains
  • Misspelled domain names
  • Bad grammar and spelling
  • Suspicious attachments/links
  • Sense of urgency
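To show how these indicators translate into a first-pass triage rule, here is an added Python example that is not part of the original page or of any IT Governance product. It scores three constructed sample emails against the indicators above, except bad grammar and spelling, which is left to the human reader. The protected-domain, public-domain, risky-extension and urgency-phrase lists are assumptions to be adapted to your own organisation.

```python
"""Heuristic phishing triage over constructed sample emails, using the
indicators from the page: public sender domain, misspelled (lookalike)
domain, suspicious attachments or links, and a sense of urgency."""
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Assumed reference data; adjust for your organisation.
PROTECTED_DOMAINS = {"example.com"}
PUBLIC_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".iso", ".lnk"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "act now")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot domains one or two typos away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _host(url_or_text: str) -> str:
    """Hostname of a URL or bare domain, with any leading 'www.' removed."""
    u = urlparse(url_or_text if "://" in url_or_text else "http://" + url_or_text)
    h = (u.hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


def indicators(email: Dict) -> List[str]:
    """Return the list of indicators that fire for one email."""
    hits = []
    domain = email["from"].rsplit("@", 1)[-1].lower()
    display = email.get("display_name", "").lower()
    org_names = {p.split(".")[0] for p in PROTECTED_DOMAINS}
    # Public email domain while the display name claims to be the organisation.
    if domain in PUBLIC_DOMAINS and any(n in display for n in org_names):
        hits.append("public email domain")
    # Misspelled domain name: close to ours but not ours.
    if domain not in PROTECTED_DOMAINS and any(
            0 < levenshtein(domain, p) <= 2 for p in PROTECTED_DOMAINS):
        hits.append("misspelled domain name")
    # Sense of urgency in subject or body.
    text = (email["subject"] + " " + email["body"]).lower()
    if any(p in text for p in URGENCY_PHRASES):
        hits.append("sense of urgency")
    # Suspicious attachments by extension.
    for name in email.get("attachments", []):
        if any(name.lower().endswith(ext) for ext in RISKY_EXTENSIONS):
            hits.append(f"suspicious attachment: {name}")
    # Suspicious links: displayed destination differs from the real one.
    for shown_text, href in email.get("links", []):
        shown, target = _host(shown_text), _host(href)
        if shown and target and shown != target:
            hits.append(f"link text {shown} points to {target}")
    return hits


def triage(emails: List[Dict]) -> List[Tuple[str, List[str]]]:
    """Sort emails by number of indicators fired, most suspicious first."""
    scored = [(e["from"], indicators(e)) for e in emails]
    return sorted(scored, key=lambda s: len(s[1]), reverse=True)


# Constructed sample emails: one genuine, two modelled on the page's examples.
SAMPLE_EMAILS = [
    {"from": "it-helpdesk@example.com", "display_name": "Example IT Helpdesk",
     "subject": "Scheduled maintenance on Saturday",
     "body": "The VPN will be unavailable from 02:00 to 04:00. No action is needed.",
     "attachments": [],
     "links": [("intranet.example.com", "https://intranet.example.com/maintenance")]},
    {"from": "finance@exanple.com", "display_name": "Example Finance",
     "subject": "URGENT: overdue invoice",
     "body": "Open the attached invoice immediately or the account will be suspended.",
     "attachments": ["INVOICE.exe"], "links": []},
    {"from": "ceo.example@gmail.com", "display_name": "Example CEO",
     "subject": "Quick favour",
     "body": "Please log in at the link below to approve the transfer.",
     "attachments": [],
     "links": [("www.example.com/approve", "https://example-approvals.net/login")]},
]

if __name__ == "__main__":
    for sender, hits in triage(SAMPLE_EMAILS):
        print(f"{sender:<26} {len(hits)} indicator(s): {hits}")
```

The count of fired indicators is a ranking aid, not a verdict: the genuine maintenance notice scores zero, while the two impostors score two and three. Anything above zero is worth the human look the page recommends, and the specific hits tell the reviewer where to start.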

How to mitigate phishing attacks

  • Implement appropriate technical measures

    Use robust cyber security practices to prevent as many phishing attacks as possible from getting through your defences and ensure that, if they are successful, they don’t get much further.

  • Build a positive security culture

    Recognise that social engineering is successful because its perpetrators are good at manipulation. Don’t punish staff for falling victim, but encourage them to report incidents. If there is a culture of blame, your employees will not admit to what is perceived as a mistake, which will put your organisation at far greater risk.

  • Learn the psychological triggers

    All social engineering attacks exploit human psychology to get past victims’ natural wariness, such as:

    • Creating a false sense of urgency and heightened emotion to confuse their victims;
    • Exploiting the human propensity for reciprocation by creating a sense of indebtedness; or
    • Relying on conditioned responses to authority by seeming to issue orders from senior figures.

  • Train your staff

    Any member of staff might succumb to a phishing attack, so all employees need to be aware of the threat they face.

    Regular staff awareness training will help everyone in the organisation understand the signs of a phishing attack and its potential consequences. They will then be able to report potential phishing emails, according to company policy.

  • Test the effectiveness of the training

    Simulated phishing attacks will help you determine the effectiveness of the staff awareness training, and which employees might need further education.

How we can help you mitigate the threat of phishing

IT Governance is a leading provider of IT governance, risk management and compliance solutions. Browse our range of staff awareness e-learning courses and phishing solutions: