Phishing Defense by Design

Executive Summary

Data Security issues are increasing everyday. Hackers are now expert at using their knowledge to hack into someone else’s system and grab information. In the recent past, cybersecurity authorities in several countries observed an increase in sophisticated and severe phishing and ransomware incidents, targeting critical infrastructure organizations around the world. Phishing is one such methodology which is used to obtain critical business information by bad actors.

Cyber-attacks are evolving at a rapid pace, and businesses must keep up with trends to stay protected. The business threat landscape is filled with security threats and attack vectors exploited by hackers and other attackers. Using phishing, the attackers are trying to disrupt the normal business continuity of the targeted organization to take advantage. Hackers frequently use phishing attacks along with other types of cyber threats such as ransomware and remote trojans.

Phishing is a cybercrime in which confidential information including emails, telephone, text messages, personally identifiable information, banking details, credit card details, passwords are targeted. It is a type of online identify theft. Social engineering is also being used by the phisher to steal the victim’s personal data and account details.

This whitepaper gives a fair idea of a phishing attack, the various types of phishing attacks and detection of and prevention of them.

The below diagram shows high level phishing steps and how it happens.

Highlights of Phishing

Phishing is the action of attempting to provide information such as username, password and credit card details to an entity which looks like trustworthy entity in an electronic communication. Communication claiming to be from popular social websites, auction sites, online payments process or IT admin is commonly used to lure the unsuspecting public. Phishing emails may contain links to websites that are infected with malware or misleading codes.

Phishing Attack

• Phishing is a cyber-attack that uses disguised e-mail as vector
• The goal is to trick the recipient into believing that the message is legitimate so, they will click a link or download an attachment.
• E-mail phishing attacks or hoaxes are one of the most common exploit vectors available to bad actors

Phishing Step-by-Step

Phishing is an example of true Social Engineering. Phishing is mostly used in email hacking, in phishing email, the hacker sends a link via mail to the user.

As an example, let us assume the user receives the email with some bank details or any personal information, so now the user goes to that link and fills all the detail in that link and then the hacker gets all required input information provided by the user.

This is how phishing is done, the steps involved are:

• The bad actor sends the email to victim with URL embedded in the email link.
• Victim clicks on the email and goes to phishing website.
• Bad actor collects victim’s credentials.
• Bad actor uses victim’s credentials to access a website.

Phishing starts with communication like an email or other communication methods that designed to help in obtaining the victim information. The communication message is created as if that message is coming from a trusted sender. If victim gets fooled, the victim provides the targeted personal information to a spam website. Sometimes malware is also downloading onto the target’s computer from the spam web site. The downloaded malware may also be ransomwares.

Below picture shows how the common Ransomware works after phishing.

Widely used Phishing Types

Deceptive Phishing This is one of the common types of phishing, in this type, the attackers impersonate a legitimate company and try to obtain people’s personal information or their login passwords. And then they force the users to do as the bad actor wants.

Spear Phishing In this type of phishing the bad actor targets specific individual or organization with including information known to be of interest to the target, such as current organization events or financial documents.

Clone Phishing one of phishing attack where previously received email message contains the attachment and link shared. recipients address (es) taken and used to create the same identical or cloned email. That attachment or link within the mail is replaced with some external malicious version and then sent it to the victim from spoofed email address to appear to come from the original sender.

Link Manipulation In this type of attack the phisher send a link in the email or through another medium including a spoofed or malicious website. When the user opens that link, the link open ups in the phisher’s website instead of opening it into the website mentioned in the link. Taking the mouse over on that link to view the actual address stops users from falling for link manipulation.

Whaling In this type of phishing the attacker aims at a highly wealthy and powerful individuals. The attacker takes out all the possible information of the victim using different medium such as social media accounts and other internet sources then attacks the victim. The victims of this type of attack are also called as “Whales” or “Big Phish”. Whale phishing involves the same tricks used in Spear Phishing.

Voice Phishing is a form of phone criminal attack it is done using social engineering with the use of telephone system to obtain intended private personal, financial, and other information.

Smishing Sending text messages claiming to be from reputable companies to induce individuals to reveal personal information, such as passwords or credit card numbers.

Common type of phishing attacks are shown in the below picture:

Some of the cases phishing is also used to drop remote trojans as shown in the below diagram:

Phishing Defense by Design

Phishing attacks are usually presented in the method of spam or pop-ups and are many times difficult to detect them.

Once the bad actor takes control over personal information, they can use it for all the types such as identify theft, putting your good credibility into bad once. Since phishing is one of the trickiest forms of identity theft, it is important for us to become familiar with various types of phishing attacks and also know the ways to prevent such attacks. Some of them are explained below.

Protect against spam

In this type of prevention method, the attacker comes from unrecognized senders to the user. They ask you for confirmation of personal, financial, or other intended information over the internet and make requests for giving your information.

Communicate personal information only via phone or secure web sites

In this type of phishing prevention, the user should be aware of while conducting online transactions, look for the secured sign on the browser status bar or” https.” URL where the “s” stands for “secure” rather than’ http.”

Do not click on links, download files or open attachments in emails from unknown sender

Most important is always know your senders to secure any data properly such as bank details any social media details or any confidential information. In emails also open the attachment only if when you are expecting them and known what that attachment contains even if you know the sender.

Strong security policies

In the large organizations you should set some rules as to how you should respond to strange or unknown emails and requests. Organization’s company’s policy should also train people on phishing prevention methods.

Security Awareness Training

Train employees about how good emails look like and show them how a bad email looks like. Manage and teach the staff about the phishing attack and their preventions. Run the phishing simulations test in the organization and phishing violation needs to be monitored to further train the employees. Simulation helps organization to reduce the success of attacks and testing will make sure security and management know how to respond.

Using latest Technologies

The latest technologies can provide defense against for known type of phishing methods.

How Coforge Can Help

Step 1 Coforge provides industry’s trusted solution to easily accomplishes this by sending out a simulated phishing email to a random sample of personnel.

Step 2 Coforge provides this as an on-demand, interactive, engaging exercise and create a thorough understanding of how cybercriminals operate.

Step 3 Coforge solution has customized templates rated by difficulty from 1 to 5 for repeat testing.

Step 4 Risk Score enables you to take action and implement security awareness mitigation plans for highrisk user groups

Establish a robust and secure approach to address phishing threats

Coforge supports organizations by effectively implementing and assessing the user’s awareness of phishing through technology. Which aims to provide powerful engine to train the staff and enrich the security posture including automated, immediate remediation training and reporting of suspicious activities.

Coforge delivers this through managed platform-based service which provides Phishing, Analysis and Training & Testing.