The availability and easy accessibility of phishing kits makes it easy for cybercriminals to launch phishing attacks against potential victims. A phishing kit negates the need for any technical skills because it bundles together phishing website sources and tools that only need to be installed on a server. Once it is installed, an attacker simply sends out emails to potential targets. These kits as well as mailing lists are available on the dark web. A couple of sites, Phishtank and OpenPhish, keep crowd-sourced lists of known phishing kits.
The goal is to attract the victim enough so that they will share their login details and other sensitive information, which will vary depending on the phishing scam. Developed using a mix of basic HTML and PHP, most phishing kits are stored on a compromised web server or website, and usually only live for about 36 hours before they are detected and removed.
There are many methods used by cybercriminals to lure their targets. Some of these include:
- Embedding a link in an email that redirects your employee to an unsecure website that requests sensitive information
- Installing a Trojan via a malicious email attachment or ad which will allow the intruder to exploit loopholes and obtain sensitive information
- Spoofing the sender address in an email to appear as a reputable source and request sensitive information
- Attempting to obtain company information over the phone by impersonating a known company employee
And there are three main categories of phishing, these are:
Spear Phishing – Phishing attacks that are targeted at specific individuals, companies or organisations are known as spear phishing. Cyber criminals who conduct these attacks usually spend time gathering and using the personal information about their targets to increase the probability of success. It is often intended to steal data for malicious purposes and cybercriminals may also intend to install malware on a targeted user’s computer.
Clone Phishing – A more sophisticated type of phishing, this method is more difficult to identify and often tricks users into believing an email is legitimate. In clone phishing, an email is a clone of an email which has been previously delivered, this way, the victim is less likely to be suspicious of the email because it appears to be coming from a real sender.
Whaling – Whaling is a form where the attacks are directed specifically at individuals who are in positions of power, high profile people, senior executives, etc. In the case of whaling, the content of the malicious emails will be tailored to target an upper manager or person of interest. The content will usually include things that are more likely to get their attention such as subpoenas or complaints.
Avoid clicking suspicious links – Most phishing scams are successful because the emails contain very convincing links. The scam emails motivate people to take action by impersonating institutions and threatening to close down important accounts because of inactivity.
If you get one of these emails, don’t click on the links provided in the emails. Instead, it is recommended that a user opens up a tab in your browser and types in the domain name him or herself. Once logged in, a user can then check to see if the request is authentic. If it is, they can take action on the legitimate website.
Don’t open unknown files or attachments – Opening malware files is how computer systems and networks can get infected. It is important to double check the attachments and files that you are receiving from emails. Some Emails automatically send infected emails to your spam folder or delete them entirely, but it can be the case that an email bypasses that filter and ends up in your inbox.
Use an Internet Service Provider (ISP) that implements strong anti-spam and anti-phishing technologies and policies. Users can check with their respective ISPs for more information about the anti-spam and anti-phishing services that are available
Keep software up to date – Keep all your software and applications up-to-date, including your anti-virus software. Updates keep you safe from known security vulnerabilities which hackers exploit for their malicious intents.
Some more steps that employees can take include:
- Deploying web filters to block malicious websites
- Encrypting all sensitive company and private information
- Converting HTML email into text only email messages or disable HTML email messages
- Use spam filters that filter out blank senders, viruses, spam emails
- Implement a security policy that encourages regular password changing
And most importantly: Educating and raising awareness in company employees is one of the best lines of defence against cybercrime and especially phishing. Want to learn more? Read our article on enabling cyber security awareness.