Phishing attacks have been around for a while, but they were responsible for 22% of all data breaches in 2020. While email is used in over 80% of phishing attempts, they can also use text messaging and phone calls. The methods crooks use continue to evolve, email attachments one day, disguised web links the next. They pose as your boss, your ISP, a business partner, a government agency or your bank. As phishing attacks evolve the bait is hiding the hook better. We can’t just rely on spotting spelling and grammar mistakes. Remember, the crooks only need to succeed once, and can keep trying.

  • Think before you click – Look closely, if you are at all suspicious attempt to verify with the sender
  • Verify before you enter credentials – If you do click on a link and are asked for credentials, close your browser and call the sender
  • Keep sensitive data off of free Wi-Fi networks – If the crook is listening in at the coffee shop, they can grab your data.
  • Don’t reuse passwords – Not re-using passwords is a damage limiting precaution. When you reuse your password, the bad guys have access to every site you use that password on

As phishing techniques get more sophisticated, they are getting harder to spot. Understanding the attackers methods may help you see new phishing methods quicker. The four main components of a phishing attack are;

Targeting – Phishing crooks use targeting to increase their odds of fooling you. It can be a broad group, like customers of a bank that has just merged. Or, it can be targeted at an individual, which is known as spear phishing. The target selection determines what type of bait gets used.

Bait Selection – Next, the crooks choose their bait. These are the emotional triggers that are designed to prompt you to click on the link or download the file. Her are a few common emotional triggers.

  • Curiosity – The ‘what happened next’ or ‘find out more’ approach. These are often tied to current events, celebrities or more normal events that can pull at you emotionally and reduce your level of care before clicking the link.
  • Hope – Hope phishing uses our aspirations to trick us. These can include high paying job offers, prize winnings, or health and fitness goals.
  • Necessity and Fear – The necessity trigger is very effective and really cranks up the urgency of a response. They can include warnings about large purchases on your amazon account or being locked out of your email or other account.

Hook Selection – After choosing their bait, the bad guys need to select the ‘hook’ or method they will use to collect your credentials or deliver malware or ransomware. Below are some of the more common hooks. One newer trick is to hide the phishing link in an unexpected place such as an unsubscribe link after the content.

  • A faked link that you will click on to reset your password or download a form or document.
  • A request for payment to a spoofed payment site
  • An attached file they are  pushing you to open

Casting the Line – Finally, the crook has to get the phishing message in front of you. They once again have multiple choices for delivery and methods to further hide the hook.

  • Spoofed email address – This can be a very effective method. The email looks like it came from you boss, a business partner, a government department or even your family.
  • Spoofed Domains – The bad guys often will register a look alike domain to make the content look more legitimate. They will use letter substitution and visual disuquises like adding an extra ‘l’ to a name that has two l’s (billling  vs billing) or using two ‘v’s for a ‘w’ (vvorldwide vs worldwide.)
  • Stolen email addresses – When the crooks have already stolen some credentials, they can use the compromised account making it very difficult to detect the sender is not legitimate.

Stopping phishing attacks look to be around for a while. Fortunately, they still require you, the recipient, to take action before the attack succeeds. Knowing what to look for and what to do if you see something suspicious is the best defense against phishing attacks. We can provide security training and ‘safe exposure’ to help you and your staff be better able to recognize scam and phishing emails. Please contact us to learn more.