People are commonly considered the weakest link in the cybersecurity chain.
Phishing attacks are social engineering attacks that exploit people, rather than a technical weakness, by tricking them into revealing sensitive information, clicking malicious links, or downloading malware.
"Phishing" draws on the analogy of "fishing": attackers, like fishermen, cast out bait (emails, messages, websites, etc.) hoping that targets will take the bait and disclose information or compromise their system.
Phishing communication channels include:
Email (most common attack vector)
SMS - smishing
Phone calls - vishing
Social media platforms
Messaging apps
The goals of each attack depend on the motive of the attacker, but the most common goals are:
Credential Theft: Attackers harvest usernames, passwords, or multi-factor authentication (MFA) tokens to gain unauthorized access to systems.
Financial Gain: Attackers trick targets into making fraudulent payments, sending funds, or revealing financial information, such as credit card numbers and bank account details.
Data Exfiltration: Attackers retrieve/export sensitive organizational data such as intellectual property, personal data, or confidential documents.
Malware Delivery: Attackers use phishing emails to deliver malicious attachments or links that install malware — ransomware, spyware, keyloggers, trojans, etc.
Initial Access for Advanced Attacks: Successful phishing attacks serve as an initial foothold for larger attacks, such as:
Ransomware deployment
Business Email Compromise (BEC)
Lateral movement across the organization's internal network and systems
Data breaches
Reputation Damage and Espionage: Attackers use targeted (spear-phishing) attacks for long-term surveillance, competitive advantage, or political/industrial espionage.
Attackers will use one of the following tricks in a phishing attack to achieve the above goals.
Authority: Impersonating someone in authority, e.g., IT staff, managers, CEOs, etc.
Trust: Impersonating a trusted individual or organization, such as friends, relatives, a bank, partners, or vendors.
Intimidation: Communication designed to instill fear; it may appear to come from a person or organization of authority (e.g., a federal or government entity) or threaten to disclose sensitive information.
Urgency: Communication creates a sense of time pressure, e.g., an offer or deadline that expires within a short window.
Scarcity: Similar to urgency, but communication pushes the target to act based on limited resources.
Familiarity: Communication attempts to establish credibility through recognition, e.g., a former classmate or colleague.
Educating users on quickly and effectively identifying, verifying, and dealing with suspicious communication is the most effective defense against phishing attacks, regardless of the communication channel.
However, a comprehensive phishing defense strategy requires a multi-layered defense-in-depth approach that combines technical controls, user education, policies, and continuous monitoring. Below are the main preventative, detective, and corrective phishing attack defense and mitigation controls.
Cybersecurity Awareness Training (Preventative): Reduce human susceptibility to phishing attacks.
Email Authentication Protocols (Preventative): Prevent domain spoofing and ensure email integrity.
Email Security Gateway and Filtering (Preventative): Block malicious emails before they reach end users.
DNS Filtering/Web Proxy Controls (Preventative): Block access to malicious domains even if links are clicked.
Multi-Factor Authentication (Preventative): Limit an attacker's ability to take over accounts even if credentials are stolen.
Privilege Management & Least Privilege (Preventative): Limit the resources and information an attacker can reach if an account is successfully compromised.
Network Segmentation and Zero-Trust Principles (Preventative): If phishing leads to initial compromise, limit an attacker’s lateral movement across the network.
Endpoint Protection & EDR/XDR Solutions (Preventative/Detective): Detect and contain malicious payloads in phishing emails that bypass filters.
Security Information and Event Management (SIEM) & Monitoring (Detective): Monitor, detect, log, and investigate phishing-related anomalies.
Incident Response and Playbooks (Corrective): Ensure rapid containment & remediation of phishing incidents.
Organizations should include simulated phishing attacks in regular cybersecurity awareness training to evaluate the training's effectiveness. Post-simulation reviews should be constructive and positive, seeking to help staff improve rather than chastise them for failing.
Training should teach staff to recognize:
Unsolicited or unexpected emails or messages
Unknown or suspicious email or message sender
Generic greetings, e.g., “Dear Customer”
Urgent or threatening language demanding immediate action
Requests for sensitive data or login credentials
Poor grammar, spelling errors, and odd sentence structure
Mismatched display names and sender addresses
Hyperlinks that do not match the displayed text
Suspicious attachments or file extensions
Emails claiming to come from executives or financial personnel with unusual requests
Emphasize “Trust but Verify” practices
Encourage employees to report suspicious emails to the security team immediately.
Regarding the latter, add a "Report Phishing" button directly into the email client to simplify user reporting.
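As an added example (not code from the original text), the following Python script flags three of the indicators listed above in a constructed sample message: a display name that is itself an address at a different domain from the real sender, a link whose visible text is a URL on a different host from its href, and an attachment with a risky extension; the extension list is an assumption.

```python
# Added example (not from the original page): flag several of the indicators
# listed above in a constructed sample message. The extension list is an assumption.
import re
from email import message_from_string
from email.utils import parseaddr

RISKY_EXT = (".exe", ".js", ".scr", ".hta", ".iso", ".lnk", ".vbs")

def host_of(url):
    """Hostname of an http(s) URL, or '' if the string is not a URL."""
    m = re.match(r"https?://([^/:\s]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def indicators(raw):
    """Return the names of the indicators triggered by a raw RFC 5322 message."""
    msg = message_from_string(raw)
    found, body, names = [], "", []
    display, addr = parseaddr(msg.get("From", ""))
    # Display name is itself an address, at a different domain than the real sender
    if "@" in display and display.rpartition("@")[2].lower() != addr.rpartition("@")[2].lower():
        found.append("mismatched display name and sender address")
    for part in msg.walk():
        if part.get_filename():
            names.append(part.get_filename().lower())
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    # Anchor text that looks like a URL but whose href points at another host
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        if host_of(text) and host_of(text) != host_of(href):
            found.append("hyperlink does not match displayed text")
            break
    if any(n.endswith(RISKY_EXT) for n in names):
        found.append("suspicious attachment extension")
    return found

# Constructed sample: lookalike display name, disguised link, double-extension attachment.
SAMPLE = """\
From: "security@example-bank.com" <alerts@mail-notify.example.net>
Subject: Action required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear Customer, verify now: <a href="http://203.0.113.5/login">https://www.example-bank.com/login</a></p>
--b1
Content-Disposition: attachment; filename="statement.pdf.exe"

--b1--
"""
```

Such checks are a triage aid for the security team reviewing reported messages, not a replacement for the gateway filtering and user training described above.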
Sender Policy Framework (SPF)
SPF is a DNS-based control that lets a domain owner publish which mail servers, identified by IP address or by reference to other domains, are authorized to send email on the domain's behalf.
DomainKeys Identified Mail (DKIM)
DKIM verifies the integrity of the email content and authenticity of the sending domain using public-key cryptography.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
DMARC ties SPF and DKIM together and adds alignment, requiring that the domain in the From header match the domain authenticated by SPF or DKIM. Domain owners use DMARC to instruct receiving mail servers on what to do when authentication fails.
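As an added example (not part of the original text), the alignment check that DMARC layers on top of the SPF and DKIM results, in Python. The DNS records and domains are constructed for illustration, and the organizational-domain helper is a simplification of the Public Suffix List lookup real receivers perform.

```python
# Added example (not from the original page): the alignment check DMARC layers on
# top of SPF and DKIM. Records and domains below are constructed for illustration.
from email.utils import parseaddr

# Constructed DNS records for example.com:
#   example.com               TXT "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
#   s1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=<public key>"
#   _dmarc.example.com        TXT RECORD (below)
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, e.g. {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    return tags

def org_domain(domain):
    """Organizational domain, approximated as the last two labels; real receivers
    consult the Public Suffix List (a simplification assumed here)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(from_header, spf, dkim, dmarc_txt):
    """spf = (passed, MAIL FROM domain that SPF checked); dkim = (passed, d= tag of the signature).
    Returns (dmarc_pass, policy the owner asks receivers to apply when it fails)."""
    tags = parse_dmarc(dmarc_txt)
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    spf_ok = bool(spf[0]) and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = bool(dkim[0]) and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    return (spf_ok or dkim_ok), tags.get("p", "none")
```

The last case in the checks below is the one alignment exists for: a message whose SPF and DKIM both pass for the attacker's own domain still fails DMARC because neither authenticated domain matches the From header.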