When it comes to cybersecurity, the use of automatic protection tools is half the battle. The human element plays an increasingly important role, as well, and for good reason. Scammers like to take shortcuts and know that it's easier to hoodwink people than it is to exploit software or hardware. Any organization with a well-guarded security perimeter is low-hanging fruit as long as its employees fall for phishing hoaxes.
The problem reached new heights amid the coronavirus calamity, which is fertile soil for panic that gives threat actors a leg up in orchestrating effective online frauds. According to the latest report by the international Anti-Phishing Working Group (APWG), Q3 2022 was the worst quarter for phishing attacks the consortium had ever observed, with the number of recorded attacks exceeding 1.2 million. To top it off, the average amount of money requested in wire transfer business email compromise (BEC) scams reached a whopping $93,881.
Thinking like a fraudster can help create additional barriers for these social engineering tricks and form a foundation for effective security awareness training so that the human factor hardens an organization's defenses instead of being the weakest link. Let's try to break bad and gain insights into the things that set the most successful phishing attacks apart from mediocre ones.
Hallmarks of a 'mental payload' that pulls the right strings
Simply put, any phishing email aims to make a recipient slip up in one of the following two ways: clicking a malicious link or downloading a malware-riddled file. The former typically results in visiting a credential phishing page, and the latter mostly triggers rogue macros within a Microsoft Office document.
During penetration tests, security professionals use harmless decoy elements that allow them to keep a record of link hits or instances of opening attachments. In real-life attacks, though, the bad actor instantly obtains credentials entered in the fake sign-in page, and recklessly enabled Visual Basic for Applications (VBA) macros quietly drop malware that can provide backdoor access to the target device.
The narrative of the message has to be accurately aligned with the attacker's goals and the would-be victim's position in the organization. If the scammer wants to get a hold of a senior executive's correspondence, the email should pretend to come from a person whose rank and reputation in the business world match those of the recipient. If the objective is to remotely access a workstation used by a finance department employee, the message would be masqueraded as an accounting report or a manager's request to verify wire transfer details.
Urgency is a scammer's best ally, too. The most effective phishing messages instruct victims to take some kind of action immediately. For instance, they emphasize the adverse consequences of not meeting a specified deadline. Yet another step in prepping for the attack is to proofread the email. Typos and grammar errors can raise red flags and cause the recipient to ignore the message.
[RELATED: 5 Emotions Used in Social Engineering Attacks]
Here is how crooks take their hoaxes to the next level
Users are more likely to open email attachments than enter personal information on a credential phishing page. It means that perpetrators have a greater chance of depositing malicious programs than pilfering passwords via a phony web form. It comes as no surprise that Trojan downloaders and ransomware are becoming inalienable components of a phisher's repertoire. They add an extra layer of monetization to these attacks.
As far as phishing themes are concerned, the most lucrative ones revolve around corporate benefits, such as freebies and discounts from partnering businesses. Statistically, about a third of all targeted users get on the hook in such scenarios. Messages that tell employees to familiarize themselves with changes to organizational policies and other rules relating to the corporate culture are also highly effective.
One more recipe for a "delicious phishing meal" is to lace the attack with a little bit of hype like seasonal events or news that's currently the talk of the town. For instance, when winter holidays are around the corner, it's time to be wary of scams in which criminals try to bait people with bogus promos and giveaways. During this period, crooks may also camouflage malicious files as a holiday work schedule that most users will open without a second thought, only to get hit by malware.
An email thoroughly tailored for a specific recipient has a much higher success rate than a generic message used in a spray-and-pray attack. This kind of foul play is known as spear-phishing. Some open-source intelligence (OSINT) based on publicly available sources, such as social networks, discussion groups, and professional publications, may suffice to retrieve personal data and gain insights into pain points that allow a scammer to concoct a legitimate-looking email. An attack targeting only several employees in a company is usually a sure-shot exercise, contrary to a large-scale campaign that lacks personalization.
How to make phishers' efforts go down the drain
Most phishing attacks are easy to spot, but things can get challenging when experienced fraudsters step in. It's in every organization's best interest to nurture a proactive security posture and forestall these scams regardless of their sophistication. Let's go over the pillars of this corporate philosophy.
No matter what position an employee holds in the company's hierarchy, they must keep in mind that any hyperlink or file embedded in an email is potentially dangerous, even if the message appears to come from a trusted individual or organization. Long-standing loopholes in the design of the SMTP protocol make it ridiculously easy to pull off email spoofing via tweaks of a message header, which lowers the bar for carrying out effective impersonation attacks.
Being on the lookout for red flags in incoming electronic correspondence is a precious skill you should hone. You and your colleagues should pay attention to anomalies like misspellings, inaccuracies in the sender's name, and regular domain names (for example, gmail.com or yahoo.com after the "@" symbol) when the email claims to come from a reputable company.
Most importantly, you need to understand that security is a process, not a plug-and-play product. Deploying a Secure Email Gateway (SEG) and an anti-malware program with online security features in its toolkit is worthwhile because these solutions do filter out most scams that match known phishing templates. However, crooks are increasingly proficient in bypassing them.
That being said, security awareness training is indispensable these days. In addition to enlightening your teams on the ways to identify frauds, it teaches them to respond to various cyber threats and helps refine their online hygiene overall.