What is phishing?

Phishing, in a few words

Phishing is a fraudulent technique in which a hacker sends an email pretending to be a known third party, such as Google, Amazon or Facebook. The goal is to persuade the recipient to click on a link or download a file, in order to steal information or money, or to install malicious software.


Most common types of phishing

Credential Theft Phishing

You receive an email that creates urgency: an unexpected expense, a suspended account, a password change. Impersonating a known entity, the attacker aims to get you to click quickly on a link that redirects to a fraudulent site.
You enter your credentials on the site, and the attacker retrieves them. The site looks real but is actually owned by the attacker. Typically you do not even notice the attack, because you are redirected to the genuine site after entering your credentials.

Attachment Phishing
This more sophisticated and less common attack lets the hacker take control of a colleague's workstation, which then serves as an entry point into the company's information system. To achieve this, the hacker needs you to download a PowerPoint, Excel, or Word file and enable its macros.
Strategies include sending an enticing document by email (such as a team report or the company's salary grid) or sending a malicious document through a file transfer platform (e.g., Dropbox or WeTransfer). If the document's macros are enabled, the attacker gains control of the workstation.


Best practices to avoid falling victim

Reflex #1: Check the sender's email domain:

Even if the sender's address looks familiar, it may have been spoofed. Look for spelling mistakes or anomalies, and pay special attention to the domain (everything after the "@"). If it does not exactly match the real sender's domain, it is a phishing attempt.


Reflex #2: Verify the domain of redirected websites:

If the attacker redirects you to a fake website under their control, that site's domain will not match the real one. Check the URL in your browser's address bar before entering anything.


Reflex #3: Confirm information through an alternative channel:

Seek confirmation from the sender through another means, such as SMS, contacting customer service, or visiting the website directly via your browser.


For IT managers, how to mitigate this risk

Anticipate and limit phishing risk:

  • Educate teams: 73% of cyberattacks originate from employee phishing (CESIN). Implement Stoic's phishing simulation tool for awareness.
  • Implement two-factor authentication (2FA): Most phishing attacks aim to steal user credentials. With 2FA, stolen credentials are not enough on their own to impersonate the user.
  • Deploy a password manager: A password manager checks the domain of the site requesting credentials against the domain the credentials were saved for. On a spoofed domain nothing is autofilled, which alerts the user that something is wrong.
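
The domain checks behind Reflex #1 and Reflex #2 above, and the exact-match comparison a password manager makes before autofilling, worked through as an added Python example. This is not code from the original page or from Stoic. The allow-list of trusted domains, the sample messages and the `.example` hosts are constructed for illustration; the only standard-library call used is `urllib.parse.urlsplit`.

```python
from urllib.parse import urlsplit

# Constructed allow-list of domains this organisation treats as legitimate
# senders. Example values only; adapt it to the real senders you deal with.
TRUSTED_DOMAINS = {"google.com", "amazon.com", "facebook.com"}


def sender_domain(address: str) -> str:
    """Return the domain of an e-mail address: what comes after the last '@'.

    Accepts the display-name form 'Amazon <no-reply@amazon.com>' and uses only
    the address inside the angle brackets, because the display name is free
    text chosen by whoever sent the mail.
    """
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    if "@" not in addr:
        raise ValueError(f"not an e-mail address: {address!r}")
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def url_host(url: str) -> str:
    """Return the host a browser would actually connect to for this link.

    urlsplit().hostname strips scheme, user-info, port and path, so a link
    such as 'https://amazon.com@attacker.example/login' yields
    'attacker.example', not the familiar name placed before the '@'.
    """
    if "://" not in url:
        url = "http://" + url  # bare host pasted without a scheme
    return (urlsplit(url).hostname or "").rstrip(".")


def matches_trusted(domain: str, trusted: set[str] = TRUSTED_DOMAINS) -> bool:
    """Exact-match rule: the domain is a trusted domain or a subdomain of one.

    Lookalikes that merely contain the trusted name, such as
    'amazon.com.verify-account.example', fail because the trusted name is
    not the final labels of the host.
    """
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def assess_email(sender: str, links: list[str],
                 trusted: set[str] = TRUSTED_DOMAINS) -> list[str]:
    """Apply Reflex #1 to the sender and Reflex #2 to every link.

    Returns a list of warnings; an empty list means every domain matched.
    """
    warnings = []
    sdom = sender_domain(sender)
    if not matches_trusted(sdom, trusted):
        warnings.append(f"sender domain {sdom!r} is not a trusted domain")
    for url in links:
        host = url_host(url)
        # An 'xn--' label means the host contains non-ASCII characters,
        # which may be rendered as lookalikes of Latin letters.
        if any(label.startswith("xn--") for label in host.split(".")):
            warnings.append(f"link host {host!r} uses punycode (possible lookalike characters)")
        if not matches_trusted(host, trusted):
            warnings.append(f"link host {host!r} is not a trusted domain")
    return warnings


# Constructed sample messages (sender header, links in the body); not real mail.
SAMPLE_EMAILS = [
    ("Amazon <no-reply@amazon.com>", ["https://www.amazon.com/ap/signin"]),
    ("Amazon Support <billing@amaz0n.example>", ["https://amazon.com@attacker.example/login"]),
    ("Facebook <security@facebook.com>", ["facebook.com.verify-account.example/reset"]),
]

if __name__ == "__main__":
    for sender, links in SAMPLE_EMAILS:
        result = assess_email(sender, links)
        print(sender, "->", "OK" if not result else "; ".join(result))
```

The rule is deliberately strict: a host is accepted only when the trusted domain is its full name or its last labels, which is the same comparison that keeps a password manager from autofilling on a spoofed site. Anything else, including a familiar name placed in the user-info part of the URL or in a leading subdomain, is reported as a mismatch.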

Actions if phishing is successful:

  • If credentials were entered:
    • Change the password of the compromised email account or service, and of every other service where the same password (or a slight variant of it) is used.
    • Enable 2FA on the compromised email account or service.
    • Notify Stoic so the account can be checked thoroughly for any foothold the attacker may have left behind.
  • If a malicious attachment was downloaded:
    • Turn off the device to limit the spread of the malware.
    • Notify Stoic so the device can be cleaned and any propagation to other systems checked.