Phishing: how to protect yourself and your company from phishing

Phishing is a common practice, and businesses are far from spared. It’s common to receive fraudulent messages in our mailboxes inviting us to settle a non-existent unpaid bill, or to provide our credentials to “solve a technical problem”. This is known as phishing. With this technique, the attacker poses as a trusted third party to extract information. Here’s an explanatory article by Olivier Saint Léger on how phishing works and how to protect yourself.

Phishing: Don’t bite the hook

How to protect yourself from a phishing attack – image produced with Midjourney

Recognizable messages… well, almost

Spelling mistakes often give these messages away. But today’s generative AIs let attackers polish the content and correct the most glaring errors.

Professional social media also serve as relays. As we demonstrated recently, it’s easy to get caught in a moment of inattention.

After clicking a link in the email, the victim is lured to a fake website where they will leave sensitive data (bank identifiers, passwords, social security number…) that the attacker can potentially resell. Below is a diagram summarizing how phishing works:

Diagram translated and adapted from:

Some advice on how not to fall for phishing

While a filtering solution is essential for weeding out most fraudulent e-mails, there are other reflexes to adopt as well. Here are some quick tips:

  1. First of all, look at the spelling. Generative AI and automated translation tools have raised the bar, but you may still be able to pick up small spelling and grammatical errors that flag an email as suspicious.
  2. If in doubt, track down a copyright notice, an address, a contact, and a phone number.
  3. Check the validity of dubious emails by contacting your business partner through a channel you already use. Your business partner may also be a victim of the deception.
  4. Check the URLs of the web pages and the sender’s e-mail domain.
Companies increasingly targeted by phishing

Companies increasingly targeted by phishing – image produced with Midjourney

Here’s Olivier’s full post on phishing:

Companies are increasingly targeted by phishing

“Dear subscriber, we would like to inform you that the payment of your last invoice seems to have failed. The direct debit has been rejected by your bank. You have one step to take: click on the following link to pay your outstanding invoice.” Many subscribers to a major Internet operator have found this email in their inboxes. This phishing technique, based on the trust a web surfer may have in a service or brand, is not new, as this type of attack was already seen in the mid-2000s.

But despite its relative age (and the supposed familiarity with the problem that comes with it), phishing still poses a significant threat. As proof, the 2015 edition of the Data Breach Investigations Report by US telecom operator Verizon found that, after a mass mailing, the first clicks on fraudulent links came within little more than a minute.

Easy set-up

Setting up a phishing campaign, on the other hand, isn’t particularly complicated, although some techniques are growing more sophisticated: some attackers have sent phishing emails whose links can be activated remotely, pointing to a harmless page while the message is being scanned and switched to a malicious destination afterwards.

This relative technical simplicity undoubtedly explains why phishing is becoming increasingly popular with hackers and cybercriminal groups.

Email is a genuine weak spot in security. Beyond the technical specifics, attacks rely essentially on users’ lack of vigilance and, sometimes, on a prior “social engineering” phase that lets the attacker get to know the target better.

Cybercriminals aim to better understand their targets

Cybercriminals spend more time “understanding” their targets by studying them where they are visible: on social networks. This makes their attacks much more credible, and therefore much more effective (a practice known as “spear phishing”). The threat of identity theft posed by phishing is therefore still alive and well among e-mail users. In other words, everyone (or almost everyone) is a potential target.

What are attackers looking for with phishing? It’s simple: any sensitive data that can be resold on the Dark Web (a password to an Internet service, access to a corporate customer account, a social security number, etc.), or an action by the victim, i.e. the installation of a malicious program that will have even greater consequences.

Companies are no exception

But if you think phishing only affects private individuals, that is absolutely not the case; quite the contrary. Businesses are increasingly hit by ever more targeted attacks that put them at risk, or at least cause real difficulties.

As recently as 2015, a survey conducted by OpinionWay showed that 81% of the companies surveyed had faced a hacker attack.

Moreover, one variant of phishing, dubbed “whale phishing” or “whaling”, targets, as its name suggests, bigger fish: company directors. With consequences that are just as catastrophic.

While the financial impact of these actions is the first consequence that comes to mind, there are others such as the loss of brand reputation, the dissemination of sensitive data, or the outright theft of industrial secrets.

As a reminder, in 65% of cases, phishing is at the root of an industrial espionage attack.

Beyond technology, a human question

So, how can we effectively combat these harmful attacks? There’s the technological answer, of course. More and more solutions (antispam, antivirus, URL blocking) are able to detect malicious emails.

Hackers’ techniques are constantly evolving. Technical solutions adapt accordingly, however, and block a large proportion of attacks.

In reality, humans play a central role in the outcome of these attacks. Implementing an e-mail security solution is essential, but user training is also an ever greater necessity.

Gaps in training plans

The response of The Ohio State University to the report of a phishing attempt.

Unfortunately, few companies have deployed a training and awareness-raising policy for their employees. Beyond theoretical training, proof by example is also a good way of raising awareness. Personally, while I was attending The Ohio State University, the university would send out mass emails that simulated phishing. It would then track how many of the emails were reported as phishing to the server and follow up accordingly with e-mails. This is an example of a training method that can be used to train individuals within a company to recognize phishing and take action.

Another response is to review certain company procedures in order to avoid the same misfortune as the American company Choice Escrow, which saw its bank account emptied after its credentials were stolen by phishing.

For security reasons, it is preferable to tighten the decision-making circuits for certain sensitive procedures. In the case of Choice Escrow, for example, the bank had recommended validation by two people before any transfer to an external account.

As this security procedure was not followed, the company was unable to obtain any recourse from the bank, which considered that it had warned of the risks.

Defining authorized actions

Another solution, this time more technological, is to define the actions staff are authorized to perform, depending on their level of responsibility, for example.

For example, an outgoing e-mail filtering solution makes it possible to prevent certain employees from sending out, inadvertently or carelessly, files that are sensitive for the company or its customers.
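As an added example (not code from the original article, nor from any product it mentions), here is a small Python policy module that implements the two controls recommended above: the dual-control rule the bank proposed to Choice Escrow, and a role-based filter on what may leave the company by e-mail. The company domain, roles, labels and amount threshold are hypothetical.

```python
"""Authorization rules of the kind the article recommends: dual control on
outgoing transfers and role-based limits on what leaves by e-mail.
Added example, not from the original article; the company domain, roles,
labels and thresholds are hypothetical."""
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"                          # hypothetical company domain
CAN_RELEASE_CONFIDENTIAL = {"legal", "finance_manager"}  # may send confidential files externally
CAN_APPROVE_TRANSFERS = {"finance_manager", "cfo"}       # may approve outgoing payments
DUAL_CONTROL_THRESHOLD = 10_000                          # at or above this, two approvers needed


@dataclass
class Attachment:
    name: str
    label: str  # "public" or "confidential", as set by a classification tool


@dataclass
class OutboundMail:
    sender: str
    sender_role: str
    recipients: list
    attachments: list = field(default_factory=list)


def outbound_mail_decision(mail):
    """Return (allowed, reason) for an outgoing message.

    Confidential attachments may only go to external recipients when the
    sender's role is authorised to release them; everything else passes."""
    external = [r for r in mail.recipients
                if r.rpartition("@")[2].lower() != INTERNAL_DOMAIN]
    confidential = [a.name for a in mail.attachments if a.label == "confidential"]
    if external and confidential and mail.sender_role not in CAN_RELEASE_CONFIDENTIAL:
        return False, f"role {mail.sender_role} may not send {confidential} to {external}"
    return True, "ok"


@dataclass
class Transfer:
    initiator: str
    amount: float
    beneficiary: str
    approvals: dict  # approver login -> approver role


def transfer_decision(transfer):
    """Return (allowed, reason) for an outgoing payment.

    Dual control: at or above the threshold, two distinct approvers with an
    authorised role, neither of whom is the person who keyed the transfer.
    A single phished credential therefore cannot release a large payment."""
    valid = {who for who, role in transfer.approvals.items()
             if role in CAN_APPROVE_TRANSFERS and who != transfer.initiator}
    needed = 2 if transfer.amount >= DUAL_CONTROL_THRESHOLD else 1
    if len(valid) < needed:
        return False, f"{len(valid)} valid approval(s), {needed} required"
    return True, "ok"


if __name__ == "__main__":
    # A phished clerk's account approving its own large transfer: refused.
    print(transfer_decision(Transfer("clerk1", 250_000, "IBAN-X",
                                     {"clerk1": "finance_manager"})))
    # Two distinct authorised approvers: accepted.
    print(transfer_decision(Transfer("clerk1", 250_000, "IBAN-X",
                                     {"fm1": "finance_manager", "cfo1": "cfo"})))
    # A sales employee mailing a confidential file outside the company: blocked.
    print(outbound_mail_decision(OutboundMail("sales1@example.com", "sales",
                                              ["buyer@partner-example.org"],
                                              [Attachment("pricing.xlsx", "confidential")])))
```

The point of the transfer rule is the set of distinct, authorised approvers excluding the initiator: an attacker who has phished one login can neither approve their own entry nor count the same account twice, so releasing a payment requires compromising a second person.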

Some tips to guard against phishing

It’s worth ending this article with a few recommendations. They are well known and may seem basic, but it is not pointless to reiterate them, because phishing continues to claim thousands of victims every day.

Spelling first

First, look at the spelling. Perhaps this “trick” seems a little stale, given the progress hackers have made (in technique and in spelling). However, some e-mails still arrive in mailboxes with spelling mistakes that look very strange, or with errors unworthy of the supposed sender.

If one mistake can be forgiven, a text with at least two errors belongs in the trash.

Brands and references

Also check for the marks that no large company would forget in a letter. If in doubt, track down a copyright notice, an address, a contact, or a phone number.

An example of phishing imitating a PayPal email. You’ll find it along with other screenshots on the dedicated site

If you have a relationship with the company sending the email, nothing is easier than using your usual communication channels to check whether this dubious email is genuine. At the same time, you’ll be warning your business partner that they too are potentially a victim of the deception.

Phishing: the link is key

The link is the key, so pay special attention to it. Check web page URLs. First, check the domain and make sure there are no mistakes or variations. Example: instead of

Also check that the domain of the link is the same as the domain of the email sender. Faced with an overly complex link, don’t hesitate to escalate the email to the company’s IT manager. In any case, when in doubt the rule is simple: don’t click! The same goes for attachments.

If there is the slightest doubt, the previous rule applies: no opening, one check, and then the trash.

Last but not least, take your time! Attackers often play on a stressful situation to force a quick response. This encourages mistakes, since the recipient won’t necessarily take the time to check.
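As an added example (not code from the original article), here is a Python script that applies the link checks above, and tip 4 of the quick list, to an e-mail: it parses a constructed sample message, extracts every link, and flags any whose registrable domain differs from the sender’s, whose visible text shows a different domain than the real href, that is a one- or two-character lookalike of the sender’s domain, or that contains a punycode (xn--) label. All domains in the sample are hypothetical, and the registrable-domain logic is a two-label approximation rather than a Public Suffix List lookup.

```python
"""Flag suspicious links in an e-mail by comparing each link's domain with the
sender's domain. Added example, not code from the original article; every
domain below is hypothetical."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: the sender is example-bank.com, but three of the
# four links point elsewhere in ways the checks below are meant to catch.
SAMPLE_EML = """\
From: "Example Bank" <billing@example-bank.com>
To: customer@example.org
Subject: Payment failed - action required
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your direct debit was rejected. Pay now:</p>
<a href="https://login.example-bank.com.secure-pay.example.net/pay">https://www.example-bank.com/pay</a>
<a href="https://www.examp1e-bank.com/help">Help centre</a>
<a href="https://www.xn--exampl-bank-9vc.com/login">Secure login</a>
<a href="https://www.example-bank.com/contact">Contact us</a>
</body></html>
"""


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Real deployments should use the Public Suffix List (think co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def displayed_host(text):
    """Return the hostname the link's visible text appears to point at, if any."""
    if "://" in text:
        return urlparse(text).hostname
    m = re.match(r"^([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:/|$)", text.lower())
    return m.group(1) if m else None


def sender_domain(msg):
    _, addr = parseaddr(str(msg["From"]))
    return registrable_domain(addr.rpartition("@")[2])


def check_links(raw_message):
    """Return one finding per suspicious link: {'href': ..., 'reasons': [...]}."""
    msg = message_from_string(raw_message, policy=policy.default)
    sender = sender_domain(msg)
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        reasons = []
        if target != sender:
            reasons.append("sender_mismatch")     # link leaves the sender's domain
            if edit_distance(target, sender) <= 2:
                reasons.append("lookalike")       # typosquat of the sender's domain
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("idn")                 # punycode label, possible homoglyph
        shown = displayed_host(text)
        if shown and registrable_domain(shown) != target:
            reasons.append("text_mismatch")       # visible URL differs from real target
        if reasons:
            findings.append({"href": href, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_links(SAMPLE_EML):
        print(finding["href"], "->", ", ".join(finding["reasons"]))
```

The first sample link is the classic payment-button trick: the text reads www.example-bank.com, and the real host even starts with login.example-bank.com, but the registrable domain is example.net. Only the hostname’s tail decides where the browser goes, which is why the script compares registrable domains rather than looking for the brand name anywhere in the URL.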

The trick? Reread the points above.

Important note

This post first appeared on the Secure-IT website that Visionary Marketing had created for Egedian. Since the company’s activities have changed, this site has disappeared. We have therefore reproduced the text of this post, as the subject is more topical than ever.