How does email phishing work?
Posted on November 1, 2019 by Benjamin Bressington
How email phishing works
There are two types of phishing:
- Social Engineering: Phishing is a form of social engineering, the act of deception, or taking advantage of a user’s trust to convince them to reveal sensitive information.
- Spear Phishing: Spear phishing is a type of phishing attack that targets a specific individual or set of individuals. Attackers may research their targets via social media and publicly available information online, then use that data to craft a credible message that convinces victims to click, download, or give away additional non-public information.
Email phishing is a human behavior problem, not a technology problem. Attackers only need to stimulate curiosity.
Email phishing is not a new problem. The art of phishing has existed with every form of communication: fax fraud, mail fraud, and even radio and TV fraud. There are now social engineering attempts using social media.
Phishing is an old con, just executed over modern communication.
Phishing is an extremely low-effort way of attacking businesses and individuals because all it requires of the attacker is sending an email.
This also means that attackers can send thousands or millions of emails with little effort and play the numbers game. Someone will click the link. Someone will follow the steps, resulting in a successful attack with unauthorized access to your organization's data.
Just because the attackers gain access today does not mean the damage will be done today. The exploitation or ramifications of this attack could come 180 days from now.
When attackers have a user's password to access your network data, they can move undetected, like a ninja lurking in the shadows, watching and waiting until they are ready to strike. Yes, this type of attack bypasses your security measures like firewalls. That’s why it can be so devastating.
But the problem is bigger than just a technology problem. Phishing is a people problem, a human behavior problem. That’s why phishing is and will always be a successful way of attacking.
While humans remain vulnerable, phishing will be successful. Therefore, how can we reduce human-based vulnerabilities by implementing smart technologies?
How Phishing Works
What is the information that is targeted by attackers?
You might be surprised that an attack may be layered into various small attacks. This makes each step easier to carry out and less obvious to detection. From the attacker’s point of view, they can stack all these small pieces of data into a much larger attack.
- Usernames and passwords that can be used to log into personal and work accounts
- Email addresses of colleagues or family and friends that can be used to send more convincing phishing emails
- Personally identifiable information like names, physical addresses, birthdates, Social Security Numbers, etc. that can be used for identity theft
- Confidential company information, like details about mergers and acquisitions, research and development, and any other information that could be used to influence stock trading or for competitive gain
- Financial data like credit card numbers, tax information or W2s that could be used to commit tax fraud and steal money
- Phone numbers that can be used to bypass two-factor authentication, as well as to deliver SMS-based phishing campaigns
- Medical records or health insurance information like insurance policy IDs that could be used to commit healthcare insurance fraud
The phishing methods and objectives of your attackers vary based on their personal mission. They can range from simple data theft to malware infection and machine compromise. Understanding the process, however, will give you ideas for how you can protect yourself against these phishing attacks.
Protecting Against Phishing
Phishing works around your perimeter defenses. Yes, firewalls and network security are important foundations for all business and personal access to the internet.
But how do you scan emails for malicious intent?
How do you protect and train your humans who are click-happy social animals?
Phishing requires security to move into the new world of the “identity-based perimeter”: protecting your people and understanding anomalies in their behavior.
Results of Email Phishing Attacks
Email phishing attacks typically result in three types of fraud occurring to the victim.
- Compromised Data or Data Breach
- Impersonation Attempts and Identity Theft.
Each of these frauds can cause significant harm to the victim. At the core of each of these crimes is a breach of trust and a loss of reputation.
Cybercriminals understand that it is much easier to attack the person than it is to attack the company's infrastructure. That’s why 80% of attacks are against the person and not the network.
Phishing email examples
All phishing attack emails will use fear or curiosity to manipulate humans to click.
It can be as simple as sending you a social media invite with a friend request. The goal of this friend request is to steal your login credentials or install malware on your computer.
Hackers are smart when it comes to sending emails. Hackers use free software to clone any website, or login page to make it look real in minutes. They are making it harder for users to detect real login pages from fake login pages.
If you have ever entered your account information on a login page and it did not log you into the website, you could have been on a fake page that captured your username and password.
Hackers like to trigger human behaviors that are simple and commonplace, such as the idea that you entered your password incorrectly, which gets you to enter the password again. The second time, you are on the correct site, so the login works.
Top Phishing Email Scams:
- Target.com, Walmart
- Social media: LinkedIn, Facebook, Twitter
Hackers will send you emails related to your interests, which is how they can bypass your spam filters.
It’s common for hackers to even use real email signatures or website links in the email. This makes it harder for you to detect the email. But there are always some tell-tale signs within the email if you pay attention.
6 ways to detect phishing emails
Here are six simple ways you can detect if the email is real.
- Reply-To address: is it correct? Are there strange characters in the reply address?
- Send time: was the email sent outside of normal business hours?
- No personalization: is the email missing the personalization or identifying information it usually contains?
- Blurry or not loaded images: are the images or logos either blurry or not loading?
- Bad grammar or misspellings: does the email contain bad grammar or misspellings?
- Hover over links: when you hover over the links, does the URL display as something strange?
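As an added illustration that is not part of the original post, here is a small Python checker that automates four of the six tells above on a constructed sample message: the Reply-To address, the send time, a generic salutation, and link text that names a different site than the real href. Image quality and grammar are left to the human reader; every domain and header in the sample is made up.

```python
import email
import re
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample (not a real message) that trips several of the tells above; the
# Reply-To label is a made-up punycode-style name standing in for a look-alike domain.
SAMPLE = """\
From: "Acme Bank Support" <support@acme-bank.example>
Reply-To: support@xn--acme-bnk-placeholder.example
Date: Sat, 02 Nov 2019 03:12:44 +0000
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p>
<p>Restore access: <a href="http://acme-bank-verify.example/reset">https://acme-bank.example/login</a></p>
"""

ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
GENERIC_GREETING = re.compile(r"\bDear (Customer|User|Member|Sir|Madam)\b")

def site_key(host):
    # Last two labels of a hostname: a rough same-site key (no public-suffix list)
    return ".".join((host or "").lower().split(".")[-2:])

def phishing_indicators(raw):
    # Returns the tells found in one raw RFC 822 message; an empty list means none fired
    msg = email.message_from_string(raw)
    found = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    # 1. Reply-To address: different domain from the sender, or odd characters in it
    if reply_dom and site_key(reply_dom) != site_key(from_dom):
        found.append("reply-to domain differs from sender")
    if reply_dom and (not reply_dom.isascii() or "xn--" in reply_dom):
        found.append("strange characters in reply-to address")
    # 2. Send time: weekend, or outside 08:00-18:00 in the sender's stated time zone
    sent = parsedate_to_datetime(msg["Date"])
    if sent.weekday() >= 5 or not 8 <= sent.hour < 18:
        found.append("sent outside business hours")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    # 3. No personalization: a generic salutation where the recipient's name should be
    if GENERIC_GREETING.search(body):
        found.append("generic salutation, no personalization")
    # 6. Hover over links: the visible URL names a different site than the real href
    for href, text in ANCHOR.findall(body):
        text = text.strip()
        if LOOKS_LIKE_URL.fullmatch(text):
            shown = urlparse(text if "://" in text else "http://" + text).hostname
            real = urlparse(href).hostname
            if site_key(shown) != site_key(real):
                found.append(f"link text {shown} hides destination {real}")
    return found
```

Running `phishing_indicators(SAMPLE)` reports all four automated tells; a message from the same domain, sent on a weekday morning, addressed by name and with honest link text returns an empty list.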
Email Golden Rule
Don’t click on any link or use the phone numbers in the email. Always type the URL directly into the address bar, or look up the business's phone number directly.
Who is ChatFortress
ChatFortress is a leading cybersecurity company that is helping small and medium-size companies protect themselves from hacking attempts, using cybersecurity AI, gamified cybersecurity awareness programs and virtual security analysts. Our goal is to help you create a cybersecurity-aware culture.
ChatFortress Email Guardian is the ultimate anti-phishing program: it detects and mitigates email phishing attacks in 3 seconds using AI real-time inbox scanning for phishing prevention.