The Ultimate Guide To Understanding Phishing In 2020

Table of Contents:

1. Introduction 

2. Vishing Attacks

3. Types of Phishing Attacks

4. How to identify a Phishing Attack

5. How to Protect Your Company

6. How to Start a Phishing Training Program

 

Introduction

What is phishing? Phishing is a cybercrime in which attackers entice individuals to give out passwords or other sensitive information. With this information, attackers can access vital accounts, commit identity theft, cause major financial losses, and carry out other serious crimes. Phishing attacks can come in the form of emails, text messages, and phone calls. Usually these attacks pose as popular services and companies in order to lure in individuals. When an individual clicks on or visits a phishing link, the website can potentially deliver malicious code that compromises the device.

 

How exactly phishing works:


 

Phishing is becoming more prevalent as businesses and people rely more heavily on email. Attacks are evolving, becoming more sophisticated and more targeted at specific individuals, and on top of that they are harder to detect. In this guide we’ll show you how to identify and avoid a phishing attack and, for the businesses out there, how to protect your company.

 

Vishing Attacks

So, what’s a vishing attack?

A vishing attack is when a scammer gives you a phone call to attempt to trick you into revealing personal information about yourself.

The scammer might try to gain:

  • Personally Identifiable Information (PII)
  • Financial Information
  • Account Numbers
  • Passwords

Scammers usually pretend to be a reputable business or organization such as Microsoft, your bank, or the IRS.

They use social engineering techniques, typically fear tactics, to get you to reveal important account data that lets them directly or indirectly access your important accounts.

Vishing attacks are tricky because attackers can easily impersonate people that you trust.  

Some examples of vishing attacks include:

  • Asking you for current password information so that they can reset your password for security reasons.

  • They may even tell you that they are a technician from Microsoft and noticed that you’ve been hacked and they need access to your computer to remove a virus.

  • A scammer could pretend to be a bank employee that is concerned about charges on your credit card and get you to reveal your account information or social security number.

The list goes on with other potential manipulation tactics…

There are a few warning signs to look out for when you pick up the phone.

  1. Does the person on the other end of the line have a frantic sense of urgency? If the answer is yes, it is most likely a scam. Scammers use fear to create a sense of urgency that pushes their victims into acting.
  2. The caller asks you for information. If you don’t recognize the person on the phone, think twice before answering any questions. If you get the sense that they aren’t actually trying to help you and are only fishing for information, they are almost certainly a scammer.
  3. The caller says they’re from the IRS or the Social Security Administration. This is always a huge tip-off that they are a vishing scammer. Neither of those agencies calls people on the phone unless requested; they typically stick to snail mail.

Is there any way to prevent vishing phone attacks?

Even if you join the National Do-Not-Call Registry, criminals will still spam you with robocalls and other forms of vishing attacks.

The best way to avoid vishing is to simply not answer the phone to any unrecognized number.

If you’re worried about missing important calls, get a caller ID for your cell phone, home, or work phone.

If you are receiving an important phone call, the caller will most likely leave a voice message anyway.

Well, what if you answer the phone and you suspect that the caller is vishing you or leaves a robotic message?

The best way to respond is to hang up the phone immediately.

If you think there is a possibility that the caller is legitimate, look the company up and call it directly on its listed business number.

What if I fall for a vishing scam?

As soon as you suspect that an account has been compromised, contact the business or organization and have your account numbers or password changed.

If the attack compromised your credit card or banking information, make sure to freeze your account and tell your bank not to process any future charges on your card.

 

Types of Phishing Attacks

There are many variations on the general phishing attack. In this article we’ll be going over spear phishing, whaling, and angler phishing.

 

Spear Phishing

Spear phishing is similar to general phishing in that it targets confidential information, but spear phishing is much more tailored to a specific victim.

They try to extract as much information as possible from a single person.

Spear phishing attacks address the target specifically and disguise themselves as a person or entity the victim might know.

As a result, these attacks take a lot more effort to craft, since the attacker must first gather information on the target.

These attacks usually target people who put personal information on the internet.

Because of the effort put into personalizing the email, spear phishing attacks are much harder to identify than regular attacks.

 

Whaling 

Compared to spear phishing attacks, whaling attacks are drastically more targeted.

Whaling attacks go after individuals in an organization or company and impersonate somebody of seniority in the company.

Common goals of whaling are to trick the target into revealing confidential data or transferring money.

Like regular phishing, the attack arrives as an email, and whaling emails may use company logos and look-alike addresses to disguise themselves.

Because employees are less likely to refuse a request from somebody higher up, these attacks are much more dangerous.

 

Angler Phishing

Angler phishing is a relatively new type of phishing attack and exists on social media.

It does not follow the traditional email format of phishing attacks.

Instead, attackers disguise themselves as a company’s customer service account and trick people into sending them information through direct messages.

Another approach is to lead people to a fake customer support website that downloads malware, such as ransomware, onto the victim’s device.

How to identify a phishing attack

Most phishing attacks occur through emails, but there are ways to identify their legitimacy. 

 

1. Check Email Domain

When you open an email, check whether it comes from a public email domain (e.g. @gmail.com). If it does, it is most likely a phishing attempt, since organizations generally do not use public domains; their domains are unique to their business (e.g. Google’s email domain is @google.com). However, trickier phishing attacks use a unique domain of their own, so it is worth doing a quick search of the company to check that the domain is legitimate.

 

2. Email has Generic Greeting

Phishing attacks often attempt to befriend you with a friendly greeting or a show of empathy. For example, in my spam not too long ago I found a phishing email with the greeting “Dear friend”. I already knew this was a phishing email because the subject line said “GOOD NEWS ABOUT YOUR FUNDS 21 /06/2020”. Seeing those types of greetings should be an instant red flag if you have never interacted with that contact.

 

3. Check the contents

The contents of a phishing email matter, and most of them share some distinctive features. If the contents sound absurd or over the top, it is most likely a scam. For example, if the subject line says “You won the Lottery $1000000” and you have no recollection of entering, that is an instant red flag. Content that creates a sense of urgency (“it depends on you”) and pushes you to click a suspicious link is also a no-go.

 

4. Hyperlinks and Attachments

Phishing emails almost always carry a suspicious link or attachment. A good way to check whether a link or file is malicious is VirusTotal, a website that checks files and links for malware.
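The four checks above, turned into triage heuristics as an added example (not code from the original article): it parses a raw message, flags public sender domains, generic greetings, urgency wording, and links whose visible text names a different host than the real target. The domain and keyword lists and the sample email are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed lists for illustration (not from the article); tune to your environment.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "aol.com"}
GENERIC_GREETINGS = ("dear friend", "dear customer", "dear user", "dear sir/madam")
URGENCY_WORDS = ("urgent", "immediately", "suspended", "you won", "lottery", "funds", "act now")
LINK_RE = re.compile(r'<a[^>]+href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)

def host_of(url):
    # Accept bare "www.example.com" style anchor text as well as full URLs.
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def triage(raw):
    """Run the article's four checks over one raw message; return the red flags that fired."""
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    # 1. Sender domain: organisations mail from their own domain, not public webmail.
    _name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain in PUBLIC_DOMAINS:
        flags.append(f"sender uses public email domain {domain}")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    plain = re.sub(r"<[^>]+>", " ", content).lower()
    # 2. Generic greeting instead of the recipient's name.
    if any(g in plain for g in GENERIC_GREETINGS):
        flags.append("generic greeting")
    # 3. Content: urgency or too-good-to-be-true wording in subject or body.
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in subject or w in plain]
    if hits:
        flags.append("urgency or absurd wording: " + ", ".join(hits))
    # 4. Links whose visible text names a different host than the real href, and any attachment.
    for href, shown in LINK_RE.findall(content):
        shown = re.sub(r"<[^>]+>", "", shown).strip()
        if URL_LIKE.fullmatch(shown) and host_of(shown) != host_of(href):
            flags.append(f"link text shows {host_of(shown)} but goes to {host_of(href)}")
    if any(part.get_filename() for part in msg.iter_attachments()):
        flags.append("has attachment")
    return flags

# Constructed sample modelled on the "GOOD NEWS ABOUT YOUR FUNDS" mail mentioned above.
SAMPLE = """\
From: "Your Bank Security Team" <bank.alerts.2020@gmail.com>
Subject: GOOD NEWS ABOUT YOUR FUNDS - act now
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear friend,</p><p>Your account will be suspended immediately unless you
verify at <a href="http://login.examp1e-bank.invalid/verify">www.example-bank.com</a>.</p></body></html>
"""
```

Running `triage(SAMPLE)` returns four flags; a message that trips none of them returns an empty list, which is a prompt for a closer look rather than a clean bill of health.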

Example of Phishing email:

In the example, Google points out that the email can be potentially dangerous as it recognizes that its content matches with other similar phishing emails. 

 

If an email meets most of the criteria above, report it to [email protected]g or [email protected] so that it gets blocked. If you use Gmail, there is also an option to report the email as phishing.

 

How to protect your company 

 

Even though many phishing attacks are aimed at random individuals, they can also target the employees of a company.

Often, attackers are not after a company’s money but its data.

In business terms, data is far more valuable than money, and exposing it can severely impact a company.

Attackers can use leaked data to influence the public, seriously impacting consumer trust and tarnishing the company name.

But those aren’t the only consequences.

Others include damage to investor trust, disruption of business, and, for companies operating in Europe, regulatory fines under the General Data Protection Regulation (GDPR).

Training your employees to recognize phishing is the most recommended way to reduce successful attacks.

Training generally consists of showing employees examples of phishing emails and the ways to spot them.

Another good way to show employees phishing is through simulation.

Phishing simulations are basically fake attacks designed to help employees recognize phishing first hand without any negative effects.

However, be aware that using phishing simulations comes with a price.

How to Start a Phishing Training Program

Today I’m going to share the steps you need to take to run a successful phishing campaign.

Phishing remains the top security threat according to WIPRO’s State of Cybersecurity Report 2020.

One of the best ways to collect data and educate employees is to run an internal phishing campaign.

It can be easy enough to create a phishing email with a phishing platform, but there is a lot more to it than hitting send.

I’m going to discuss how you handle phishing tests with internal communications.

We are also going to go over how you analyze and use the data that you collect.

  1. Plan Your Communication Strategy

A phishing campaign isn’t about punishing people if they fall for a scam.

A phishing simulation is about teaching employees how to respond to phishing emails.

You want to make sure that you’re being transparent about the fact that you are doing phishing training in your company.

Prioritize informing company leaders about your phishing campaign and describe the goals of the campaign.

After you send your first baseline phishing email test, you can make a company-wide announcement to all employees.

An important aspect of internal communications is to keep the message consistent.

If you are doing your own phishing tests, then it’s a good idea to come up with your own “brand” for your training material.

Coming up with a name for your program will help employees recognize your educational content in their inbox.

If you are using a managed phishing test service, then they will likely have this covered.

Educational content should be produced ahead of time so that you can have an immediate follow-up after your campaign.

Give your employees instructions and information about your internal phishing email protocol after your baseline test.

You want to give your co-workers the opportunity to respond correctly to the training.

The number of people who correctly spot and report the email is one of the most important pieces of information to take away from the phishing test.

 

  2. Understand How To Analyze Your Results

What is your top priority for your campaign?

Engagement.

You can try to base your results on the number of successes and failures, but those numbers don’t necessarily help you with your purpose.

If you run a phishing test simulation and nobody clicks on the link, does that mean that your test was successful?

The short answer is “no”.

A 100% success rate doesn’t necessarily translate into success.

It can mean that your phishing test was simply too easy to spot.

On the other hand, if you get a tremendous failure rate with your phishing test, it could mean something completely different.

It could mean that your audience/coworkers aren’t yet at a level where they can spot phishing attacks.

When you get a high rate of clicks for your campaign, there is a good chance that you need to lower the difficulty of your phishing emails and take more time to train people at their current level.

Whichever the circumstance, you ultimately want to decrease the rate of phishing link clicks.

You may be wondering what a good or bad click rate is with a phishing simulation.

According to sans.org, your first phishing simulation may yield an average click rate of 25-30%.

That seems like a really high number.

Luckily, they reported that after 9-18 months of phishing training, the click rate for a phishing test was below 5%.

These numbers can help as a rough estimate of your desired results from phishing training.
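An added example, not from the original article, that turns a campaign event log into the metrics this section discusses (click rate, report rate, and recipients who did neither) and maps each campaign onto the sans.org figures quoted above. The campaign names, staff list and events are constructed sample data.

```python
from collections import defaultdict

# Figures the article quotes from sans.org: a first simulation sees roughly
# 25-30% clicks; after 9-18 months of training the click rate is below 5%.
FIRST_RUN_HIGH = 0.30
MATURE_TARGET = 0.05

def summarize(events):
    """events: (campaign, recipient, action) triples with action in
    {'sent', 'clicked', 'reported'}. Sets make a repeat click or report count once."""
    per = defaultdict(lambda: {"sent": set(), "clicked": set(), "reported": set()})
    for campaign, who, action in events:
        per[campaign][action].add(who)
    summary = {}
    for campaign, s in per.items():
        sent = s["sent"]
        n = len(sent) or 1  # avoid dividing by zero for an undelivered campaign
        clicked, reported = s["clicked"] & sent, s["reported"] & sent
        summary[campaign] = {
            "sent": len(sent),
            "click_rate": len(clicked) / n,
            "report_rate": len(reported) / n,  # the engagement the article prizes
            # Neither clicked nor reported: a zero click rate with many of these
            # is not success, the test was simply ignored or too obvious.
            "ignored_rate": len(sent - clicked - reported) / n,
        }
    return summary

def advice(m):
    """Map one campaign's metrics onto the article's guidance."""
    if m["click_rate"] == 0:
        return "no clicks: the test may have been too easy to spot"
    if m["click_rate"] > FIRST_RUN_HIGH:
        return "click rate above the first-run range: lower difficulty and train at the current level"
    if m["click_rate"] <= MATURE_TARGET:
        return "click rate at or below the mature-program target"
    return "within the expected range: keep the monthly cadence and vary the theme"

def improving(summary, order):
    """True when the click rate fell between the first and last campaign in `order`."""
    return summary[order[-1]]["click_rate"] < summary[order[0]]["click_rate"]

def build(campaign, sent, clicked=(), reported=()):
    """Expand a compact campaign description into event triples."""
    return ([(campaign, u, "sent") for u in sent]
            + [(campaign, u, "clicked") for u in clicked]
            + [(campaign, u, "reported") for u in reported])

# Constructed sample event log for three monthly campaigns (not real data).
STAFF = ["ana", "bo", "cy", "di", "ed"]
SAMPLE_EVENTS = (
    build("2020-06 shipping notice", STAFF, clicked=["ana", "bo", "bo"], reported=["cy"])
    + build("2020-07 covid alert", STAFF, reported=["cy", "di"])
    + build("2020-08 company update", STAFF, clicked=["ed"], reported=["ana", "bo", "cy"])
)
```

With the sample data, the June campaign comes out at a 40% click rate (the duplicate click by "bo" counts once), July at 0% with a 40% report rate, and August at 20% with 60% reporting, so the trend is improving even though July's zero clicks on its own proves little.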

  3. Send a Baseline Phishing Test

To start your first phishing email simulation, make sure to whitelist the IP address of the testing tool to make sure that employees will receive the email.

When crafting your first simulated phishing email make sure not to make it too easy or too hard.

You should also remember your audience.

If your audience/coworkers are not heavy users of social media, then it probably wouldn’t be a good idea to use a fake LinkedIn password reset phishing email. The test email has to have enough broad appeal that everyone in your company would have a reason to click. Some examples of phishing emails with broad appeal could be:

  • A company-wide announcement

  • A shipping notification

  • A “COVID” alert or something relevant to current events

Just remember the psychology of how the message will be taken by your audience before hitting send.

  4. Continue with Monthly Phishing Training

Continue to send phishing training emails to your employees, and make sure that you slowly increase the difficulty to raise people’s skill levels.

Frequency

It’s recommended to do monthly email sends. If you “phish” your organization too often, they are likely to catch on a little too quickly. 

Catching your employees a little bit off-guard is the best way to get more realistic results.

Variety

If you send the same type of “phishing” emails every time, you’re not going to teach your employees how to react to different scams.

You can try several different angles including:

  • Social Media logins

  • Spearphishing (make the email specific to an individual)

  • Shipping updates

  • Breaking news

  • Company-wide updates

Relevance

As you send new campaigns, always make sure that you are fine tuning the relevance of the message to your audience. 

If you send a phishing email that isn’t related to something of interest, you may not get much of a response from your campaign.

Follow the Data

After sending different campaigns to your employees, refresh some of the old campaigns that tricked people the first time and do a new spin on that campaign.

You’ll be able to tell the effectiveness of your training if you see that people are either learning and improving, or whether they need more education on how to spot a certain type of phishing email.

  5. Self-run Phishing Programs Vs Managed Phishing Training

There are 3 factors in determining whether you are going to create your own phishing training program or outsource the program.

  1. Technical Expertise – If you are a security engineer or have one in your company, you can easily spin up a phishing server using a pre-existing phishing platform to create your campaigns. If you don’t have any security engineers, creating your own phishing program may be out of the question.

  2. Experience – You may have a security engineer in your organization, but they may not be experienced with social engineering or phishing tests. If you have someone that is experienced, then they would be reliable enough to create their own phishing program.

  3. Time – This one is a really big factor for small to mid-sized companies. If your team is small, it might not be convenient to add another task to your security team. It is a lot more convenient to have another experienced team do the work for you. 

How Do I Start?

So, you’ve gone through this whole guide to figure out how you can train your employees and you’re ready to start protecting your organization through phishing training.

What now? 

If you are a security engineer and want to start running your first phishing campaigns now, go here to learn more about a tool that you can use to get started today.

Or…

If you are interested in learning about managed services to run phishing campaigns for you, learn more right here about how you can start your free trial of phishing training.

We hope that you learned enough from this guide to figure out what you need to do next to decrease your chances of a phishing attack on your business.

Please leave a comment if you have any questions for us or if you want to share any of your knowledge or experience with phishing campaigns.

Don’t forget to share this guide and spread the word!

Summary:

Be wary, as anyone can fall victim to a phishing attack. Use the checklist to identify unusual emails, and if they are phishing, report them.

Even though there are phishing filters out there that can protect you, they are not 100% effective.

Phishing emails are constantly evolving and are never the same.

To protect your company from phishing attacks you can partake in phishing simulations to decrease chances of successful phishing attacks.
