Cybersecurity 101: Intro to Phishing
Welcome, class. Is everyone settled in front of their computers and ready to start a masterclass on cybersecurity threats? Excellent.
We'll start our series of deep dives into specific cyber threats by looking at the most common, most effective, and most costly form of cyberattack: phishing.
Phishing is an incredibly basic form of cyberattack, requiring very little sophistication and incurring minimal expense. That makes it attractive to a broad spectrum of cyber criminals, and its continued effectiveness means that phishing attacks drive the majority of unauthorized access events.
This month, we'll examine some of the most common types of phishing attacks, why phishing remains a common threat vector, and how working with a managed service provider can help mitigate the risk of a successful phishing attack.
Cybersecurity 101: What Is Phishing?
Probably the most important thing to understand about phishing is this:
While phishing targets computing systems, it is not a “technical” crime. Phishing is actually a confidence (con) scheme that takes place via a computing system.
Phishing falls into a category of cyberattacks known as "social engineering." In a social engineering attack, the attacker uses some technical means to gain the victim's trust and then abuses that trust for their own ends.
Phishing attacks come in a few different flavors, but the most common varieties tend to fall into these baskets:
Email Phishing for Access Credentials
The victim receives an email that appears to be from an entity they trust, usually a company they've done business with in the past. The email says that the victim has earned a reward and that the victim should "Click here to log in and claim your reward!" They click the link, open what looks like the company’s website, and enter their login information – which is then sent directly to the attacker to use as they see fit.
Email Phishing for Direct Profit
Phishing doesn't only target access credentials. The oldest form of phishing attack was a direct appeal for money; the "Nigerian Prince" scam is the most common example (which is itself a modern version of the "Spanish Prisoner" con that was common in medieval Europe). The attacker sends out an email pretending to be in some urgent or emergency situation, in need of money, and unable to access their own funds. Their email promises a future repayment tens or even hundreds of times larger than the "loan" amount they're requesting. They even helpfully provide details for ways you can send money to help them out. Of course, the alleged sender of the email, the emergency, and the promised repayment are all equally fictitious.
Vishing
Vishing (video/voice phishing) is a newer type of phishing attack that relies on AI technologies to allow the attacker to look and/or sound like a person the victim trusts. In the guise of this person – a colleague, a friend, etc. – the attacker convinces the victim to give up their login credentials, send money, or take almost any other action they wish.
Cybersecurity 101: Why Is Phishing So Common?
Phishing attacks are the single most common threat facing businesses today, and they were also the most common threat facing businesses ten years ago. Phishing isn't a complicated concept—it's simply a digital update of a number of confidence tricks that have been around since the advent of lying. So why is it still so common?
Phishing has a trifecta of distinct advantages that make it attractive to malicious actors:
- It’s cheap: Even a reasonably sophisticated phishing scheme can be implemented using free online tools and requires no more connectivity than an ordinary 5G or residential ISP connection can provide.
- It’s easy: Phishing requires almost no technical acumen. If you can send an email, you can go phishing.
- It’s effective: At its core, phishing is effective because it works. No tactic or technique for gaining unauthorized access to a computer system has a success rate as high.
And here’s some bad news: generative AI is making phishing cheaper, easier, and more effective – so phishing attacks are expected to do more than remain part of the threat landscape. They’re actually getting more dangerous.
Cybersecurity 101: Why Does Phishing Work?
Phishing works the same way all confidence tricks work: by making the victim trust the attacker.
Most successful phishing scams play on a few common human traits:
- Humans are inherently trusting. Our first instinct is to take information at face value, and we only begin to question it later, if something prompts us to.
- Phishing attacks on businesses target busy, frequently distracted people. When an email requiring action hits our inbox, we want to do what it says and get it off our plate as soon as possible.
- Some attacks work by manufacturing a sense of urgency and appealing to victims' compassion: they invent false emergencies and put fictitious people in completely imaginary danger.
- People are notorious for not wanting to admit ignorance. A startling and worrying number of employees who have fallen victim to phishing attacks say something like this during the postmortem: “I thought it looked fishy, but I didn’t want to bother anyone asking about it.”
Cybersecurity 101: How Do Bad Actors Use AI In Phishing Attacks?
Generative AI is an awesome new technology in the classical sense of the word "awesome." Those of us who have been in computing for a long time have long debated the viability of generative AI platforms, and seeing them now being used for everything from internet searches to screenplay doctoring is kind of awe-inspiring.
Generative AI is also decidedly not awesome in a lot of ways, in the everyday sense of the word "awesome." It was only a matter of minutes after the launch of ChatGPT and DALL-E that bad actors were abusing the platforms – from offensive deepfake images of innocent private citizens to detailed AI-generated instructions for things like building bombs, cybercriminals took to AI like a duck to water. There are two main ways attackers are using AI to enhance their phishing expeditions:
Generative AI Copywriting
The most famous series of phishing attacks were the often-ridiculed “Nigerian Prince” scams that started showing up in inboxes during the 1990s. While these scams were frighteningly effective (and have been for an embarrassingly long time), their impact was blunted by the fact that the email’s composer clearly had only a passing familiarity with English. Many early phishing efforts were borderline comical in the atrocious quality of writing.
AI platforms now offer incredible proofreading and rewriting capabilities that can make even a bad translation of an email read like it was written by a real person. As technology has improved, it's become possible to train an AI to write in close approximation to a specific individual's writing style.
As more phishers begin using AI to write their content, identifying phishing communications will become more challenging than ever. Countering the threat requires that all members of a company's team be well-versed in phishing avoidance best practices.
AI Deepfakes
Even major political candidates have used deepfake technologies to make it appear that a person is doing or saying something they never did or said. AI platforms make it incredibly easy to create original, completely falsified video or audio content in real time, allowing attackers to make phone and video calls while disguised as someone else.
This advance makes vishing attacks more dangerous than ever. With generative AI systems, attackers no longer need access to complex and expensive audio manipulation software to believably alter their voice for a phone call; those capabilities are now available online.
The availability of quality deepfaking technology means that even phone conversations and video calls can be a threat vector for sophisticated phishing attacks.
Cybersecurity 101: How To Counter the Threat of Phishing
While some technical tools can reduce the risk of your business falling victim to a phishing attack, those tools can only go so far. Training your team on proper email safety and password security best practices is the key to ensuring that your employees don't expose your company to cyber criminals.
By partnering with a managed service provider who offers turnkey cybersecurity and cyber awareness programs for your team, you can ensure that your employees know what they need to know to keep your systems safe and that your technical security is thorough, up-to-date, and continually monitored.
Cybersecurity 101: Your Phishing Homework
Is your team adequately trained on the dangers of phishing? Do they know how to handle an email from an unknown source? Are they regularly hovering over email links to verify the URL before clicking them? Your homework before our next session is to take an honest look at your team’s phishing awareness.
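The "hover over the link and check the URL" habit from the homework, and the look-alike login page described in the credential-phishing section, can also be checked automatically before a message reaches a user. The following is an added example, not code from the original post or from Nocwing; the sample email body, the trusted-domain set and the two-label domain heuristic are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (assumption, not a real message).
SAMPLE_EMAIL_HTML = """
<p>Congratulations! You have earned a reward.</p>
<a href="http://login.example-rewards.net/claim">Click here to log in and claim your reward!</a>
<a href="https://accounts.example.com/login">https://accounts.example.com/login</a>
<a href="http://198.51.100.23/example.com/login">example.com/login</a>
<a href="https://example.com.evil-login.net/">www.example.com</a>
"""

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags, like a mail client's hover tooltip."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(host):
    """Crude eTLD+1 (last two labels); a production check would use the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_links(html, trusted_domains):
    """Label each anchor 'ok', 'ip-host', 'mismatch' (text domain != href domain) or 'untrusted'."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            findings.append((href, "ip-host"))          # bare IP instead of a brand's domain
            continue
        href_dom = registrable_domain(host)
        shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", text, re.I)   # does the text look like a URL?
        if shown and registrable_domain(shown.group(1)) != href_dom:
            findings.append((href, "mismatch"))         # displayed domain disagrees with real target
        else:
            findings.append((href, "ok" if href_dom in trusted_domains else "untrusted"))
    return findings
```

Run on the sample, the checker flags the reward link as pointing to an unknown domain, the IP-hosted link, and the anchor whose visible text says example.com but whose target is a different registrable domain.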
This Month’s Class Is Over, but We’re Still Paying Attention. Schedule a Call to Learn More About Security+ From Nocwing.
Cyberattackers change tactics daily, and the penalty for being caught off-guard is an existential threat to your company. With Nocwing’s Security+ program, companies can be assured of proactive, comprehensive cybersecurity for all of their technology assets and data, led by a team of experts who stay on top of new and emerging threats to keep your business’s vital information safe and secure.
Nocwing is a full-service managed IT services company based in Griffin, Georgia, providing robust cybersecurity, IT management, business continuity/disaster recovery, user support, and VoIP solutions for companies throughout the Southeastern United States.