
Phishing: the role of the user is not that of the fish


Before we stop to understand what a phishing email is and how it works, information that is easily accessible and of which the web is already full, it is essential to convey to those less familiar with these issues why they should be interested in understanding what phishing is and why they could be the target of a cyber attack of this type.

Cyber-attack techniques such as phishing (a form of social engineering) grow significantly each year (+87.7% in 2017, Clusit 2017), demonstrating that people are the most exploited vehicle for obtaining business data and information.

By having direct access to data, folders, programs, tools and email, a company's staff are the direct link between the company and the outside world. They also become the easiest and most profitable vehicle for reaching the real goal of a cyber attack: the company and its reputation. The data demonstrate this: 75% of security incidents are attributable to the human factor, while 90% of cyber attacks start with a phishing email.

These figures show that attackers have understood well how much easier and more profitable it is to exploit human vulnerabilities rather than technological ones. The consequence is that the best defense against this type of threat is the awareness and training of the users who use PCs and business tools every day.

What is a phishing email for?

Phishing is nothing more than a fraud attempt made by sending email messages with apparently legitimate content, often using the logos of well-known brands, with the aim of making these fraudulent emails as familiar and credible as possible. Messages may include, for example, a notice that a bank or email account is about to expire, a request to accept contractual or regulatory changes such as GDPR, a credit card renewal, attractive offers and much more.

The goal is to capture the attention of the potential victim and lead them to open the email and click on any links or attachments inside it.

If it is an attachment, it could contain ransomware; if it is a link in the text of the email, it could point to a site very similar to the original, in the hope that the unfortunate user enters their username, password or other information. If at this point the user "takes the bait", the phisher, that is the attacker, can obtain the data to access a bank account or a safe way to enter a corporate network undisturbed.

Big Fish and Small Fish: Difference between Mass Phishing, Spear Phishing and Whaling

Unlike mass phishing, in which malicious emails are sent out in bulk, spear phishing is a type of targeted attack that is much more likely to succeed, because the content of the emails is carefully adapted to the company targeted by the cyber attack.

This type of phishing is much more dangerous and insidious because it presupposes an OSINT (Open Source Intelligence) activity, namely the collection of publicly available information about the company. By patiently putting together all the information found on the web, an attacker can assemble a combination of details that makes a phishing email as convincing as possible.

An even more specific form of spear phishing targets certain strategic figures in the company, such as executives or high-profile individuals; this type of phishing is called whaling. The attack in this case is aimed at sensitive targets such as the Chief Executive Officer (CEO), the Chief Financial Officer (CFO) or any other figure who, if damaged or compromised, could cause serious impacts on the business or on corporate reputation.

The 5 golden rules for avoiding a well-crafted phishing email

To recognize a phishing email there are some "tricks" that it is useful to always keep in mind:

  • If an email asks us to do something, such as enter the credentials of an account or open an attachment, before doing so we read the email carefully and always ask ourselves: "Why should I do it? Does what they are asking me make sense?"
  • If the first point did not give us a definite answer, let's check who the sender really is and what their email address is. In particular, we verify the domain of the email: does it correspond to the real domain usually used by this company or person, or is it very similar but not the same? In the example the sender appears to be SDA Express Courier, but the domain is instead @icareermail.com, very far from what a legitimate SDA email address could be.
  • Do not trust any link in an email. Hover over it with the mouse without clicking and observe the pop-up that appears: the web address shown there is the real address the link points to. At this point we ask ourselves whether it is the original site. From the example it is clear that the link does not point to the PayPal site but to something very different.
  • If the email asks us to enter credentials on a particular site, we first check that this site has an HTTPS certificate (e.g. https://www.intuity.it).
  • Lately phishing emails are very well made and written in correct Italian, but emails made with less care still circulate, where spelling and grammar errors are evident and the message is anonymous and not addressed to anyone in particular.
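The sender-domain, hover-link and HTTPS checks from rules 2, 3 and 4 can also be applied mechanically, which is useful for training material and for a first pass over reported messages. The script below is an added example written for this article, not code from Intuity; it parses a constructed sample message (a display name imitating a courier with an unrelated sending domain, and a link whose visible text shows a PayPal address while the href points elsewhere) and reports each rule it trips. The `KNOWN_SENDERS` table is an assumed, hypothetical mapping from display-name keywords to the domains the real organisations send from; in practice it would come from a curated list.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the article): the display name claims
# to be a courier, the address domain is unrelated, and the anchor text shows
# one site while the href points to another, over plain http.
SAMPLE_MAIL = """From: "SDA Express Courier" <noreply@icareermail.com>
To: someone@example.com
Subject: Your parcel is on hold
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please confirm your details here:
<a href="http://paypal-secure-login.example/verify">https://www.paypal.com/</a></p>
</body></html>
"""

# Hypothetical mapping: keyword in the display name -> domains that organisation
# really sends from. Assumed for the example; a deployment would curate this.
KNOWN_SENDERS = {"sda": {"sda.it"}, "paypal": {"paypal.com"}}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' domain; enough for the mismatch checks here."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_message(raw):
    """Return a list of findings (strings) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []

    # Rule 2: does the sending domain match who the display name claims to be?
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(addr.split("@")[-1]) if "@" in addr else ""
    for keyword, domains in KNOWN_SENDERS.items():
        if keyword in name.lower() and sender_domain not in domains:
            findings.append(f"sender claims '{name}' but address domain is {sender_domain}")

    # Rules 3 and 4: the "hover" check on every link, plus the https requirement.
    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        target = urlparse(href)
        if target.scheme != "https":
            findings.append(f"link is not https: {href}")
        # If the visible text looks like a URL, compare its host with the real target host.
        shown = urlparse(text) if text.startswith(("http://", "https://")) else None
        if (shown and shown.hostname and target.hostname
                and registered_domain(shown.hostname) != registered_domain(target.hostname)):
            findings.append(f"link text shows {shown.hostname} but points to {target.hostname}")
    return findings


if __name__ == "__main__":
    for finding in check_message(SAMPLE_MAIL):
        print("-", finding)
```

Run on the sample, the script reports three findings: the claimed sender versus the real domain, a non-HTTPS link, and a link whose visible text and real destination disagree. The domain comparison is deliberately simple (it takes the last two labels), so it does not understand multi-label public suffixes such as `.co.uk`; a production check would use a public-suffix list.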