Email deceit: Phishing attacks and how to outsmart them

As our daily lives move increasingly online and businesses digitize their operations, the danger from phishing attacks is growing. Phishing and the related tactic of pretexting are the origins of 73 percent of all data breaches (source: Verizon 2024 Data Breach Investigations Report).

The goal of a phishing attack is to trick the victim into giving away sensitive data such as their passwords, bank details, or confidential information about their organization.

To do this, cybercriminals use emails, text messages, phone calls, and links to fake websites. Whatever the method, the hallmark of phishing is a message that pretends to come from someone you trust. For example, your bank or credit card provider, a colleague or manager, or even a family member.

The lifecycle of a phishing attack has four main stages:

1. Planning: The cybercriminals identify their targets. They gather information about people and organizations from public websites, social media, or the dark web.

2. Execution: They launch the attack using fake messages and cloned websites. They can send generic messages to thousands of potential victims, or send tailored messages to specific people using the approach known as spear phishing.

3. Data harvesting: When victims click malicious links or enter their credentials, the cybercriminals capture their information.

4. Exploitation: Cybercriminals use the stolen data. They commit theft or fraud, sell it to other cybercriminals on the dark web, or use it to carry out larger attacks, such as ransomware.

Phishing tools and techniques

Technology is making it easier than ever for cybercriminals to create fake emails, text messages, and websites.

Software toolsets known as phishing kits are sold on the dark web. These help replicate the login portals and email layouts of well-known brands.

Cybercriminals also use website cloning and domain impersonation. Website cloning means creating a replica of a legitimate site, complete with branding, logos, and realistic content. Domain impersonation means using a fake address that looks real at first glance. For example, impersonating www.amo.com by replacing the m with rn to create www.arno.com.

Meanwhile, generative AI is also making it easier to write convincing messages and website content.

Social engineering and pretexting: Turning up the pressure

It’s common for phishing attacks to use social engineering, which relies on psychological triggers such as authority or fear. They often set up a fake scenario to pressure the victim into action. This technique is known as pretexting.

For example, the victim receives a message that seems to come from their bank. It says an unusually large sum has been debited from their account, and they must sign in immediately to confirm or block the transaction. The message contains a fake link that will harvest their username and password.

In a spear phishing attack, the message pretends to come from someone the victim knows. For example, their CEO requesting urgent funds to close a deal, or a family member stranded away from home with no money.

Phishing messages often use menacing phrases like “Your immediate action is required” or “Your account will be suspended.” Their goal is to make the victim act hastily without ensuring the message and its links are genuine.

These psychological tactics can be highly effective. The average victim falls for a phishing email in less than 60 seconds (source: Verizon 2024 Data Breach Investigations Report).

How to recognize phishing and avoid falling victim

Phishing messages often display some or all the following characteristics, any one of which is a warning sign:

• The message arrives suddenly and unexpectedly.

• It comes with a sense of urgency, pressure, or threat. Spear phishing emails take this further by pretending to come from someone closely linked to you.

• The sender’s address is strange or misspelled.

• There are unexpected attachments.

• The links go to strange URLs or unknown websites.

• There are mistakes in spelling or grammar.

• There are poor-quality visuals, such as fuzzy, distorted, or outdated brand logos.

To avoid falling for a phishing attack:

• Always take time to think. Don’t be pressured into immediate action.

• Check the sender’s address and links closely. Are they genuine? Do they use the organization’s real domains?

• Read the message carefully. Does it make sense? Does it contain mistakes? Is it something the sender would really ask you to do?

• If in doubt, contact the sender at their usual address or number. Don’t use any links or numbers in the message. If the sender is genuine, they won’t mind.

• Never open attachments or links until you’ve made sure the message is genuine.

• Never hand over passwords or any other personal information unless you’re absolutely certain it’s safe.

How to protect your organization from phishing attacks

Awareness and training

As cyber security threats increase, knowing how to recognize and report phishing attempts is vital. Provide security awareness training for everyone in your organization and keep cybersecurity fresh in their minds with regular phishing simulations.

Technical safeguards

Implement measures such as:

• Email filters and anti-phishing software.

• Multi-factor authentication (MFA) to add an extra layer of protection.

• Endpoint detection and response (EDR) tools to identify and isolate threats quickly.

Credential monitoring

Dark web monitoring tools can identify compromised credentials that pose a risk to your organization. Cyberchecks’s credential monitoring proactively detects stolen credentials and provides real-time alerts so you take immediate action.

Stay smart, stay safe

Phishing is a serious threat to individuals and organizations. However, with the right tools, training, and vigilance, you can avoid becoming the next victim.