24th May 2022, updated 28th September 2023

Phishing – the danger that lurks on the net

Phishing symbolism: A debit/credit card is pierced by a fishhook.

Use this blog post as a training opportunity in your organization. Post it on your intranet and educate your employees with a micro-training session.

Cyber risks such as ransomware (malicious software) and phishing attacks have increased continually in recent years. This is also shown by the Allianz Risk Barometer of 2022 (1a) and 2023 (1b). Those surveyed see cyber risks as the greatest risk for the coming year.

90% of data thefts start with a phishing email.

Increasingly, besides large companies, attackers are also targeting small and medium-sized companies. In Switzerland, attacks have risen significantly in recent weeks and months. Affected companies make the news almost every day. A survey conducted by DigitalSwitzerland (2) among 506 managers of small and medium-sized companies showed that in 2021 36% had been victims of a cyberattack in the last year. This corresponds to an increase of 11% compared to the previous year's figure of 25%. Among other things, the impacts included financial damage, damage to the company's image, and loss of customer data. The study sees an opportunity for increasing employee training. Only 39% of those surveyed trained their employees regularly, while 21% did not train at all.

If a company is successfully attacked with ransomware via phishing, production can come to a standstill for between a day and several weeks until the damage is repaired. It sometimes takes months for affected companies to realize that they have been the victim of a cyberattack.

The most common attacks with ransomware or other malware are carried out using phishing emails. Why? Because humans are one of the most successful entry routes for attacks. Hackers rely on the ignorance, helpfulness, good faith, or insecurity of their victims. Creating a phishing email is easy and inexpensive, and it can be sent to thousands of people at the same time with the click of a button. And with every such attack, dozens, even hundreds, of people fall for it.

Spam filters are often unable to recognize all phishing emails in good time. It is therefore important that all employees are trained and recognize phishing themselves, thus helping to protect the company.

In this article, we take a closer look at the topic of phishing. What is phishing? How do you recognize phishing emails? What can be done to combat phishing?

What exactly is phishing?

Nowadays, each of us, whether private individuals or employees, is a potential target of hacker attacks and thus of phishing. You have probably received a phishing email yourself.

On average, companies lost 14.8 million dollars in 2021 due to successful phishing attacks.

Attackers are becoming more and more professional, and it is therefore becoming increasingly difficult to recognize phishing emails. It's very important to pay close attention when it comes to email.

Attackers try to obtain their victims' data with phishing emails, instant messaging, personal messages, or websites. Access data such as passwords, usernames, and account information are particularly popular. Links and infected websites can also be used to inject ransomware into a computer or company network.

Once hackers gain access to user accounts or networks, they can spy on or steal customer or business data. Money transfers can be made, and systems manipulated or even rendered inoperable. A first attack is often followed by further attacks, which can lead to major financial losses and damage to the company's image. In severe cases, it can lead to bankruptcy.

The different forms of phishing

There are different forms of phishing. Basically, each one has the same goal: to get data. However, some forms of phishing are more obvious, while others are more difficult to spot because they are more sophisticated.

  • Fake websites, emails, and short messages:
    Attackers use emails or websites that look deceptively real to persuade their victims to enter their personal data in a fake web form or in an email. The messages often contain links that lead to fake websites and ask for data entry. For example, this can be a fake login page from your bank or from your employer.
  • Malware in file attachments or on websites:
    Via email, victims are tricked into opening a malicious attachment or visiting a malicious website. The attachment or the website then automatically installs malware on the computer without the user noticing. This gives cybercriminals direct access to the victim's device or network and their data.
  • Spear Phishing:
    Spear phishing messages are specifically tailored to the victim. Before an attack, cybercriminals gather information on the Internet, for example on LinkedIn or Facebook, about their victims. They use the information obtained in the phishing message and thus increase credibility. This raises the chances that the victim will fall for the message and provide their details. This type of phishing takes more time for the cybercriminals and often targets people in finance, HR, senior management, or product development. Influential or respected personalities from politics, show business or business are also popular victims. But look out – even the "average consumer" can become such a target!
  • CEO fraud:
    In the case of CEO fraud, emails are sent from the "CEO" to people with decision-making authority in the financial sector, e.g., someone from the finance department or a personal assistant. The supposed "CEO" asks these people to urgently transfer money to a specific address, for example, claiming that otherwise a transaction cannot be concluded. Once the money has been transferred, the company has little chance of getting it back.
  • Vishing:
    Vishing is derived from voice phishing. The scam is perpetrated over the phone. Attackers pretend to be friends, colleagues, support staff, or Microsoft employees to obtain confidential information or to trick you into installing malware.
    Always be careful who you talk to and who you give information to.
  • Smishing:
    Smishing is derived from SMS phishing. The attack is not sent via email, but - as the name suggests - via SMS to your smartphone or tablet. Again, the sender asks you to reveal confidential information. With this new method, attackers take advantage of one of the most popular means of communication, knowing full well that victims trust this medium and are sometimes unaware of the damage that SMS can cause.
  • Prompt Bombing:
    This is another new method of phishing. First, the attacker obtains the victim's login credentials. The attacker then uses these credentials to repeatedly log in to a website that supports multi-factor authentication (MFA). If the victim uses MFA, he or she will receive login prompts over and over again. Eventually, the victim becomes so stressed that he or she inadvertently confirms the additional factor, giving the attacker access to all the information.
  • QR-Code:
    Counterfeit QR codes direct users to a fake login page where they are asked to enter information. The problem with QR codes is that you can't see the URL until you open the page, so you can't verify it.
  • Deepfake:
    As artificial intelligence (AI) has advanced, so has the ability to manipulate video, photos, or audio recordings to make it appear that someone is making a statement they never made. For example, a deepfake call can be created in which the supposed CEO asks his CFO to transfer a certain amount of money to a person or organization. Rapidly advancing technology makes it increasingly difficult to detect such deepfakes.

The bottom line: no matter what channel cybercriminals use to attack, they are always interested in getting a link clicked, a file opened so that malware is installed, sensitive data disclosed, or a transaction executed.

Detection of phishing emails

To protect yourself from phishing, it is important to recognize such messages. Certain characteristics allow you to recognize phishing.

Example of a phishing email (image)

1. Strange sender

Is the sender unknown to you? Have you never been in contact with this email address? Then you should be suspicious!

This also applies if the sender, i.e., the email header or the email address, does not match the website that the message links to (example: sender mailto:no_reply@europcar.ch / website: www.europcart.ch).

Sender addresses are easily forged and often contain small errors or a different domain ending (e.g., .net instead of .com).

Another sign is a personal return address (e.g., @gmail.com or @outlook.com), even if the message is supposed to be from a company.

2. Unusual or dubious email attachments

Email attachments can infect computers and networks with malware. Therefore, dubious attachments should not be opened. If in doubt, check with the sender. Important: Do not reply in the message but choose another communication channel such as the phone. If you are unsure, it is better not to open the attachment.

When using Windows, make sure that the "File name extensions" selection is activated in the "View" tab in Windows Explorer. If this setting is deactivated, the file type is not immediately recognizable. There is therefore a risk that manipulated extensions such as "Document Name.pdf.exe" will not be recognized and that a file containing malware will be opened.

3. Impersonal address

An impersonal form of address, such as "Dear customer", can be an indication of phishing. But be careful: Cyber criminals can find out about their victims via social networks or search engines and write to them in a targeted manner (so-called "spear phishing").

4. Grammar and spelling mistakes

Look out for incorrect text, character set errors, missing letters or inflections, grammatical and orthographic errors, and letters from other alphabets (e.g., Cyrillic letters). Attention: Letters from another alphabet are often very difficult to recognize.

5. Request for urgent action

If you are asked to act within a short time, often combined with a threat (e.g., the blocking of your credit card or online access), this can indicate phishing. Therefore, check carefully whether the request is really justified. Often an offer is simply "too good to be true".

6. Entry of data

If you are asked to enter personal data such as a password, PIN or TAN, you should be careful. Remember: No reputable company will ask its customers to change their user data via an attached link or form. If it does ask, it will do so without a direct link to the login page. Always use the web page you saved previously (a bookmark) to modify user data. Never reply to emails asking for usernames, passwords, account information, etc.

7. Fake links

The message contains one or more links that point to an address that does not belong to the sender's address range. Example: sender info@ebay.net, link http://www.paypal.com-verfy-transactionid-7961312693567631367.login.ebay-buyerprotection.net.

Also check that there are no special characters (e.g., from the Cyrillic character set, spaces, etc.) in the URL. To check a URL, hover over the link without clicking: the actual target address appears in a small pop-up (tooltip) or in the status bar. If this doesn't work, you will need to enable it in the settings. Think carefully about whether or not you need to visit the link, and don't just click on it out of curiosity.

8. Foreign languages or a mix of languages

Normally the communication is in the recipient's language. Sometimes, like in the example email in the picture, several languages are mixed up. To start with, this is suspicious, and in addition, it doesn't look very professional, for example, when a company ends a German email with the English word "Goodbye".

9. Use of unusual terms

If unusual or unfamiliar names are used for departments, products, or services, you should immediately pay attention. Check the intranet to see if this designation is used within the company. If not, report and delete the email.
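The indicators above (sender address, attachment names, urgent wording and link targets) can also be checked mechanically. The script below is an added example written for this article, not code from the original post or from any product: it parses a raw email with Python's standard `email` module and reports which of the indicators from sections 1, 2, 5 and 7 it finds. The free-mail list, the executable-extension list, the urgency phrases and the "last two labels" domain approximation are assumptions made for the example; the sample message is constructed from the article's own examples (the ebay.net sender, the look-alike link, the "Document Name.pdf.exe" attachment).

```python
"""Heuristic scan of a raw e-mail for the phishing indicators listed above.

Added example, not code from the original post. It encodes indicators 1
(sender address), 2 (double file extensions), 5 (urgency) and 7 (links outside
the sender's domain, non-ASCII hosts). Keyword lists and the two-label domain
approximation are assumptions made for this example."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: a handful of common personal mail providers.
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "gmx.ch"}
# Assumption: extensions Windows executes when the file is opened.
EXEC_EXT = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "hta", "ps1", "msi"}
# Assumption: phrases typical of "act now" pressure.
URGENCY = ("urgent", "immediately", "within 24 hours", "will be blocked", "suspended")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'www.login.ebay-buyerprotection.net' -> 'ebay-buyerprotection.net'.
    Assumption: adequate for .com/.net/.ch; .co.uk-style suffixes would need a public-suffix list."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def mail_domain(header_value) -> str:
    """Domain part of an address header, lower-cased ('' if the header is absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def scan_message(raw: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs found in one RFC 5322 message (UTF-8 text)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw.encode("utf-8"))
    findings: list[tuple[str, str]] = []

    from_dom = mail_domain(msg.get("From"))
    reply_dom = mail_domain(msg.get("Reply-To"))
    # 1. Personal return address behind a supposed company mail, or a
    #    Reply-To that quietly diverts answers to another domain.
    for dom in sorted({from_dom, reply_dom} & FREEMAIL):
        findings.append(("freemail-address", dom))
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"{reply_dom} != {from_dom}"))

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    # 7. Link hosts outside the sender's domain, or with non-ASCII / punycode
    #    labels (how Cyrillic look-alike letters show up in a URL).
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
            findings.append(("lookalike-host", host))
        if from_dom and registrable_domain(host) != registrable_domain(from_dom):
            findings.append(("link-outside-sender-domain", host))

    # 2. "Document Name.pdf.exe" style names, or any executable attachment.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        pieces = name.lower().rsplit(".", 2)
        if pieces[-1] in EXEC_EXT:
            kind = "double-extension" if len(pieces) == 3 else "executable-attachment"
            findings.append((kind, name))

    # 5. Pressure to act within a short time, in subject or body.
    lowered = (str(msg.get("Subject") or "") + "\n" + text).lower()
    findings.extend(("urgency", p) for p in URGENCY if p in lowered)
    return findings


# Constructed sample modelled on the article's examples; not a real mail.
SAMPLE_PHISH = """\
From: "eBay Buyer Protection" <info@ebay.net>
Reply-To: ebay-support@gmail.com
To: customer@example.com
Subject: Urgent: confirm your transaction
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Dear customer,
your account will be blocked within 24 hours unless you confirm here:
http://www.paypal.com-verfy-transactionid-7961312693567631367.login.ebay-buyerprotection.net
Goodbye

--b1
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"

--b1--
"""

if __name__ == "__main__":
    for indicator, detail in scan_message(SAMPLE_PHISH):
        print(f"{indicator:28} {detail}")
```

Run stand-alone, the script lists five kinds of finding for the sample: a free-mail Reply-To, a Reply-To domain that differs from the From domain, a link whose host (ebay-buyerprotection.net) lies outside the sender's domain (ebay.net), a double-extension attachment, and three urgency phrases. A message with a Cyrillic letter in the link host is reported as `lookalike-host` because the host is not pure ASCII. Such a heuristic is a training aid and a triage helper for the service desk, not a replacement for a mail gateway: a legitimate newsletter that links to a tracking domain will also trigger the link check, which is exactly the "check carefully before clicking" behaviour the article asks for.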

More than 2 million phishing websites were discovered by Google in 2020.

The right action if phishing is suspected

If you receive an email that seems suspicious to you or you clearly recognize it as phishing, always report to your IT service desk immediately. To do this, use the method that is customary in your company (e.g., by forwarding the email to the IT Service Desk or reporting via a specific button in the email program).

Only with your help can phishing attacks be recognized early and the necessary countermeasures taken. Therefore, it is important that you promptly report such emails, without replying to them and without clicking on any links or attachments contained within them.

The same applies to phishing attempts via other channels such as phone or SMS. Report them to your IT service desk immediately.

The technical protection of the IT infrastructure in a company is usually well established, so that direct attacks on it rarely succeed. However, hackers can still very successfully obtain money, data, and information from the employees, i.e., the users of the IT infrastructure, and extort ransoms. This is why it is so important that the people who use the IT infrastructure also know how to behave securely, especially when dealing with phishing. Train your employees on information security and reduce the risk of a successful hacker attack.

Sources:

  1a. Allianz Risk Barometer 2022: https://www.agcs.allianz.com/news-and-insights/reports/allianz-risk-barometer.html
  1b. Allianz Risk Barometer 2023: https://commercial.allianz.com/news-and-insights/news/allianz-risk-barometer-2023-press.html
  2. DigitalSwitzerland 2021: Auswirkungen der Corona-Krise auf die Digitalisierung und Cybersicherheit in Schweizer KMU. https://digitalswitzerland.com/sub-programm/digitalswitzerland-studies/
  3. Sophos 2021: Phishing Insights 2021. https://www.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-phishing-insights-2021-report.pdf
  4. Verizon 2021: 2021 Data Breach Investigations Report (DBIR). https://www.verizon.com/business/resources/reports/2021/2021-data-breach-investigations-report.pdf?_ga=2.114300289.745830874.1642758834-858085877.1642758834
  5. Ponemon Institute 2021: Cost of Phishing Study 2021. https://www.proofpoint.com/us/resources/analyst-reports/ponemon-cost-of-phishing-study
  6. Forbes 2020: Google registers record two million phishing websites in 2020. https://www.forbes.com/sites/simonchandler/2020/11/25/google-registers-record-two-million-phishing-websites-in-2020/?sh=48011f291662
