Take a look at the image below. Can you tell the difference between one Google login page and the other? Pretty tough, right? Well, the main difference is that the one on the right will take you to your emails and dog pictures, and the one on the left will pretty much steal your password and email. This example is from 2018, and to this day, hackers are getting more sophisticated at replicating pages and impersonating trustworthy entities.
Quite a difference, right? This is what is called phishing. It’s the process in which someone tricks you into handing over important information, or into installing malware, under false pretenses and social traps. This can happen via email, SMS, phone calls, and websites with malicious components (like fake Facebook logins!).
Let’s look at another example, an email no one wants to get. It’s from HR, and your bonus will be reduced! Except, it isn’t. Did you know that people can actually ‘replicate’ an email address? This is called spoofing. Combine that with a quick search on LinkedIn to learn the name of an HR rep, and bam: a bad person can impersonate HR via email and tell you to fill out a form with all your information.
Once again, that’s phishing. It’s what we used to know as spam (remember the Nigerian prince scam?), except nowadays it is more sophisticated and manages to slip right into your inbox in spite of your spam filter’s efforts. They usually sound something like this:
- Update your Netflix account payment details.
- A fraudulent payment has been discovered in your card.
- We’re calling because your card is void!
- Click here to login to your Facebook at FakeVook.com
Phishing versus Spear Phishing
There are two clear types of phishing: regular phishing and spear phishing. The main difference lies in how much information the attacker has on you, how they try to convince you to trust them, and the scope of targets they have.
These types of attacks usually happen at scale, because the attacker has gained access to a large database of contacts and expects to convince a small percentage of them to take a malicious action. An example is the massive coronavirus-related campaigns that have been going around since the pandemic started. Regular phishing attacks tend to:
- Take advantage of general problems (Coronavirus, credit card expirations)
- Have hundreds if not thousands of recipients, whom the attacker doesn’t really know.
- Include malicious bait: a link, an attachment, or a request for information.
The most frequent attacks come via email and SMS, using addresses or numbers the attacker pulled from whatever database they managed to get their hands on, or in some cases right off your company’s website. All they need is a contact and a premise.
Spear Phishing Attacks
In contrast to regular phishing, spear phishing takes the original premise and adds social engineering to it. Put more plainly, the attacker investigates you and your life to create a better story to convince you to do something, maybe even impersonating someone you know.
Spear phishing attacks are targeted, planned, and have a clear objective. They usually target businesses that the attacker is trying to infiltrate, and so they often go after lower-level employees. There is a sub-variant called whaling, for those spear phishing attacks directed at ‘big fish’ targets, like CEOs.
Why? Well, if the attacker manages to infect an ‘insider’ computer, or ‘phish’ some credentials or validation tokens out of an employee, he or she may manage to move through the organization’s network and cause whatever damage they intended. The initial attack is used as a trampoline, so to speak.
The email above is a great example. It’s a phishing campaign aimed at Ukrainian government officials, in a possibly state-sponsored attack attempt. The email included a malicious file that executed a PowerShell script to download a second malicious file that uses an exploit to capture screenshots, audio, and more on the infected device. To achieve this, such attacks use:
- A solid story, with background information and a real context.
- A real, but spoofed, contact that the target can identify and deem trustworthy.
- A request, or a piece of important information, that entices the target to cooperate.
How To Identify And Avoid Phishing
The main and most important part of a phishing scam is the hook: how the attacker is trying to convince you to pay attention to their message and follow their malicious instructions. These are some of the most frequently used ones, according to the Federal Trade Commission:
- We have detected suspicious activity in your account/service/credit card.
- You have been charged, here is the attached invoice (malicious file).
- You owe the *insert your country’s tax agency name here*.
- Here’s a discount / free offer for your Netflix account.
The second part of a phishing scam is the malicious action that the attacker tries to hide behind a seemingly routine process. The attacker will try to force this action using the hook, and usually highlight the importance of you doing so:
- Log in to your Facebook account via this link (malicious) to recover your password.
- Please deposit money to this account to make the payment (ransom).
- Confirm your credit card number via a call to confirm your identity (card theft).
- Share your ID, social security number, or bank account (data theft).
- See the attached documentation for instructions (malicious file).
The third part… Well, there is no third part! That is how most attackers have their phishing schemes set up: they are quick and easy to distribute en masse. It requires little skill, but many of these attacks can get really sophisticated, even hijacking normally safe websites with fake logins.
How To Identify and Avoid Spear-phishing
Spear-phishing is not that easy to identify. After all, the attacker is likely spoofing an email address, and has done their homework to impersonate someone you know and trust. They tend to be more sophisticated attacks that don’t give themselves away with generic claims.
Because of this, you have to look into the details. Is the email’s format the usual one for that sender? Is the signature right? If there is a link, do you see a familiar domain when you hover over it? Are they asking for something sensitive, like access credentials, company data, or information on another employee? If anything, be a bit paranoid in general. If you’re suspicious, you can:
- Send a quick message or call the person who supposedly contacted you to confirm.
- If in doubt, ask your team or supervisor if it is okay to share that type of information via email.
- Scan any attached documents with antivirus software before opening them.
- Attackers usually check your social media to comment on something you did recently and appear friendly or close to you. Be mindful of what you have shared recently.
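Two of the checks above (does the sender’s address line up with where replies and bounces actually go, and does the domain you see in a link match the one it points to) can be automated. The script below is an added example written for this article, not the page’s own tooling: it parses a constructed sample email (the “HR bonus” scenario, with made-up `example-corp.com` and `login-verify.example` domains) using Python’s standard library, and reports header mismatches, failed SPF/DKIM results, and links whose visible text shows a different domain than their `href`. The `registrable_domain` helper is a deliberate simplification (last two labels, no public-suffix list) and is labelled as such in the code.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a spoofed "HR" message with a look-alike link.
# All domains here are made up for the example.
SAMPLE_EMAIL = """\
From: "HR Department" <hr@example-corp.com>
Reply-To: hr-team@example-corp-payroll.net
Return-Path: <bounce@mailer-xyz.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=mailer-xyz.example;
 dkim=none
Subject: Bonus adjustment - action required
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your bonus will be reduced unless you confirm your details.</p>
<p>Go to <a href="http://example-corp.com.login-verify.example">https://hr.example-corp.com/bonus</a></p>
<p>Help: <a href="https://hr.example-corp.com/help">hr.example-corp.com/help</a></p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Assumption/simplification: treat the last two labels as the owning domain.
    Real tooling would consult the public suffix list (e.g. for co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_address(header_value):
    """Return the domain part of an address header such as From or Reply-To."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def header_findings(msg):
    """Flag reply/bounce domains that differ from From, and non-pass auth results."""
    findings = []
    from_domain = domain_of_address(msg.get("From"))
    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        if value and domain_of_address(value) != from_domain:
            findings.append(
                f"{header} domain {domain_of_address(value)!r} differs from From domain {from_domain!r}"
            )
    # Fold continuation lines into one string before matching mechanism results.
    auth = " ".join((msg.get("Authentication-Results") or "").split()).lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        match = re.search(rf"\b{mechanism}=(\w+)", auth)
        if match and match.group(1) != "pass":
            findings.append(f"{mechanism} result is {match.group(1)!r}, not 'pass'")
    return findings


def link_findings(html):
    """Flag anchors whose visible text names a different domain than the href target."""
    findings = []
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        # Only compare when the visible text itself looks like a URL or a domain.
        shown = text if "://" in text else "//" + text
        shown_host = urlparse(shown).hostname or ""
        if not shown_host or "." not in shown_host:
            continue
        if registrable_domain(shown_host) != registrable_domain(href_host):
            findings.append(f"link text shows {shown_host!r} but points to {href_host!r}")
    return findings


def analyze(raw_message):
    """Run both header and link checks over a raw RFC 5322 message string."""
    msg = message_from_string(raw_message)
    findings = header_findings(msg)
    if msg.get_content_type() == "text/html":
        body = msg.get_payload(decode=True).decode("utf-8", "replace")
        findings += link_findings(body)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("WARNING:", finding)
```

Run against the sample, `analyze` reports the Reply-To and Return-Path domains not matching the From domain, the SPF failure and missing DKIM signature, and the first link (visible text on `hr.example-corp.com`, target on `login-verify.example`); the second link, where text and target agree, is left alone. A mail gateway or a user’s own mail client can apply the same logic, but as the article says, a clean result is not proof that a message is safe.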
Many software solutions and antivirus products offer some kind of email scanning or phishing detection. However, it is not entirely reliable, because phishing emails keep changing and are not always easily identified.
Furthermore, when these attempts don’t happen at scale and are instead targeted, they become even trickier to identify. Spear-phishing attacks don’t rely on malware 100% of the time, and an innocent-looking “coworker’s” email asking for a customer database might slip right past you.
Because of this, awareness will be your main defense.
If you receive a call from your bank claiming there was a problem, check the number, and doubt. If someone offers you something, doubt. If something seems too good to be true (or too bad), doubt. There is no harm in staying safe, so be sure to take a minute to check that link, scan that file, and think twice before handing over your password on a phone call. Like all banks say, no important organization will ask for payment or credentials via phone.