What is Phishing?
Phishing definition
Phishing is the process of sending fraudulent emails, while posing as a legitimate sender, to convince people to reveal sensitive information such as passwords, social security numbers, bank account information, and more.
Email phishing is one of the most common ways attackers successfully infiltrate systems. In 2022, Microsoft alone recorded over 70 billion email and identity attack attempts.
IT teams can take as long as 13 days on average to recognize new phishing attacks, according to research conducted by Darktrace, and because they rely on historical attack data they can only catch threats they have seen before.
How does phishing work?
Phishing is a form of social engineering, which makes it difficult for traditional legacy security systems to detect malicious behavior. Organizations therefore often train their employees to identify spoofed emails or malicious links, or are forced to manually sort through flagged emails and maintain block parameters for known malicious links and files, which takes up a lot of time. However, there are robust security systems that can detect, respond to, and stop phishing attacks at every stage of the attack lifecycle.
A threat actor can take several approaches to conduct a phishing attack:
- A targeted attack, one that focuses on a specific individual or organization, can involve intense research on personnel and communication within that organization.
- In a widespread attack, the threat actor generalizes their messaging and hopes their victims don't recognize the fraudulent emails. Ultimately, the goal is to open communication with a party and extract valuable information by using a sense of urgency to fool the victims.
Common types of phishing
Phishing attacks are deceptive attempts to trick individuals into providing sensitive information by masquerading as legitimate entities. Common types include email phishing, spear phishing, whaling, and smishing, each targeting victims through different communication channels to steal personal data or credentials. Read more about them below:
Social Engineering
Social engineering is a technique used by cyber-criminals to manipulate the humans behind machines rather than exploiting code-based vulnerabilities. This can be done by impersonating legitimate parties, targeting vulnerable individuals, building trust with a victim, creating a sense of urgency in a message, and more. Social engineering can be used to enhance phishing, smishing, spoofing, or other cyber-attacks that target humans. Because humans are susceptible to trusting other humans, the goal of social engineering is to present the victim with a seemingly legitimate situation.
Email Spoofing
Email spoofing is the forging of email headers to make messages appear as if they are from a trusted source. Email spoofing is a common technique in email cyber attacks and is used by cybercriminals to trick recipients into revealing personal information or downloading malware.
Hidden Links
Hidden links are links to webpages embedded within web content or emails that are not readily visible to users. They are often used for malicious purposes such as redirecting users to phishing sites or executing drive-by downloads.
URL Shortening
URL shortening is a common practice in the IT space to condense a long URL into a shorter format to make it easier to share. However, this can also be exploited by attackers to disguise malicious links and evade detection.
Malicious Redirects
Malicious redirects are unauthorized actions that divert web traffic from its intended destination to a malicious website. This method is often employed by attackers to infect users with malware or steal sensitive information.
Smishing
Smishing, short for "SMS phishing", is a form of cyber attack that uses text messages to trick people into revealing sensitive information or installing malware on their devices. Smishing attacks often involve sending fraudulent messages that appear to be from a legitimate source, such as a bank, social media site, or other trusted organization.
Spear phishing attacks
Spear phishing attacks are a type of cyber attack that targets a specific individual or organization rather than a broad audience. This usually involves an attacker conducting a significant amount of research on an organization or individual to make their attack seem more credible by contextualizing their message with relevant information.
Vishing
Vishing (voice phishing) uses voice communication to get people to reveal their sensitive information. Attackers will often have an automated voicemail ready that asks individuals for their social security number or bank account information. They sometimes mask their identity as a loan provider or banking institution.
Watering hole attack
A watering hole attack is a type of cyber attack in which the attacker targets a specific group of individuals by infecting websites that they are known to visit. This type of attack is named after the watering holes where animals gather to drink water in the wild. Just as predators wait at watering holes to ambush their prey, cyber attackers wait at compromised websites to target their victims.
Learn how modern threat actors use AI to turbo-charge their phishing attacks in the white paper "How AI is Changing the Phishing Landscape."
Common indicators of phishing
Common indicators of a phishing attempt include suspicious links or attachments in emails, misspelled words or unusual grammar, requests for sensitive information, and urgency or threats to act quickly.
The rising accessibility of generative AI means that more phishing messages may not have the traditional misspelled words or unusual grammar. As these attacks grow in sophistication, security tactics must evolve as well.
Common indicators of phishing include:
- Suspicious email addresses or URLs: The sender's email address or the URL in the message looks slightly altered or mimics a legitimate source, often containing extra characters or misspellings.
- Generic greetings instead of personalized ones: The message starts with a generic greeting like "Dear Customer" instead of using your actual name, which suggests it’s a bulk email rather than a targeted one.
- Urgent or threatening language: The email contains language that creates a sense of urgency or fear, such as threats of account suspension or legal action, to prompt immediate action without proper scrutiny.
- Unexpected attachments or links: The email includes attachments or links that you were not expecting, which may contain malware or direct you to a fraudulent site.
- Requests for sensitive information: The message asks for confidential information, such as passwords, credit card numbers, or Social Security numbers, which legitimate organizations typically do not request via email.
- Poor grammar and spelling: The email contains noticeable spelling and grammatical errors, which are often a sign of unprofessional or automated phishing attempts.
- Mismatched sender details: The sender's name does not match the email address or the domain name does not align with the supposed organization, indicating a potential spoofing attempt.
- Inconsistencies in logos or branding: The email's visual elements, such as logos and branding, look slightly off, pixelated, or inconsistent with the legitimate organization's branding, suggesting it may be a counterfeit.
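As an added illustration (not Darktrace's code or product logic), the following Python checks a constructed sample message for several of the indicators listed above, and for the Email Spoofing, Hidden Links and URL Shortening techniques described earlier: mismatched sender details, a generic greeting, urgent language, shortened URLs, and links whose visible text shows a different site than the real target. The brand domain list, the shortener list and the sample message are assumptions made for the example.

```python
import re
from email import message_from_string, policy, utils
from urllib.parse import urlparse

# Constructed sample message for illustration; not a real phishing email.
SAMPLE_EML = """\
From: "Example Bank Support" <alerts@examp1e-bank-login.com>
To: user@example.com
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html

<html><body><p>Dear Customer,</p>
<p>Please <a href="https://bit.ly/3xyz">verify your account</a> now.</p>
<p>Or visit <a href="http://login.examp1e-bank-login.com/verify">https://www.example-bank.com</a></p>
</body></html>
"""

BRAND_DOMAINS = {"example-bank.com"}  # domains the brand really mails from (assumption)
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # a few public URL shorteners
URGENCY = re.compile(r"\b(urgent|immediately|suspend(?:ed)?|within \d+ hours?)\b", re.I)
GENERIC = re.compile(r"\bdear (customer|user|member|client)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def reg_domain(host):
    return ".".join(host.lower().split(".")[-2:])  # crude registrable domain: last two labels


def phishing_indicators(raw):
    """Return the indicator labels triggered by one raw RFC 5322 message (single-part here)."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = utils.parseaddr(msg["From"])
    sender = reg_domain(addr.rsplit("@", 1)[-1])
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    hits = []
    # Mismatched sender details: display name names a brand, but the address domain is not that brand's
    for brand in BRAND_DOMAINS:
        if brand.split(".")[0].replace("-", " ") in name.lower() and sender != brand:
            hits.append("mismatched-sender")
    if GENERIC.search(body):
        hits.append("generic-greeting")
    if URGENCY.search(str(msg["Subject"] or "") + " " + body):
        hits.append("urgent-language")
    for href, text in ANCHOR.findall(body):
        host = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname or ""  # non-empty only if the link text is itself a URL
        if host in SHORTENERS:
            hits.append("shortened-url")
        if shown and reg_domain(host) != reg_domain(shown):  # hidden link: text shows another site
            hits.append("link-text-mismatch")
    return hits
```

The checks are deliberately simple heuristics; as the text notes, AI-written messages may carry none of the wording-based indicators, so the header and link checks are the more durable ones.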
How to prevent phishing?
Preventing phishing attacks requires a combination of awareness, technology, and best practices. Here are some effective strategies:
- Educate and Train Employees: Regularly conduct training sessions to help employees recognize phishing attempts and understand the importance of not clicking on suspicious links or providing sensitive information.
- Use Anti-Phishing Software: Install and maintain up-to-date anti-phishing and antivirus software to detect and block malicious emails and websites.
- Implement Email Filtering: Use advanced email filtering systems to reduce the number of phishing emails that reach inboxes by identifying and blocking suspicious messages.
- Enable Multi-Factor Authentication (MFA): Require MFA for accessing sensitive accounts and systems to add an extra layer of security, making it harder for attackers to gain unauthorized access even if credentials are compromised.
- Verify Email Authenticity: Encourage employees to verify the authenticity of unexpected or suspicious emails by contacting the sender through a trusted method, such as a phone call or a new email to a known address.
- Check URLs Carefully: Always hover over links to see the actual URL before clicking, and verify that the domain is legitimate, especially for financial or sensitive transactions.
- Avoid Sharing Personal Information: Be cautious about sharing personal or financial information online, and ensure that websites requesting such information are secure (look for "https" and a padlock symbol in the browser).
- Report Phishing Attempts: Establish a clear process for employees to report suspected phishing emails to the IT or security team for further investigation.
- Regularly Update Software: Keep all software, including browsers and operating systems, up-to-date with the latest security patches to protect against vulnerabilities that phishing attacks might exploit.
- Use Secure Passwords: Encourage the use of strong, unique passwords for different accounts and services, and consider using a password manager to store and manage them securely.
To avoid falling victim to a phishing attack, it's important to be cautious of any unexpected or suspicious messages, particularly those that ask for personal information. It's always a good idea to independently verify the legitimacy of any request by contacting the organization directly, rather than clicking on a link or providing information through an unsolicited message. Although these measures are valuable, the email threat landscape is shifting, and CISOs and other security professionals should consider advanced tools to stop increasingly sophisticated cyber attacks.
Organizations can prevent phishing attacks by being cautious of suspicious emails, using anti-virus software, and implementing a strong cyber security infrastructure. A strong cyber security infrastructure includes detection and response systems, firewalls, visibility across all your digital assets, security systems that integrate with your network and cloud-based applications, and more.
What should I do if I click on a phishing link?
If you clicked on a phishing link or received a phishing email, you should:
- Disconnect from the Internet: Temporarily disconnect your device from the internet to prevent further malicious activity.
- Do Not Enter Any Information: If you haven’t already, do not provide any personal information on the phishing site.
- Run a Security Scan: Use your antivirus or anti-malware software to scan your device for any malicious downloads or infections.
- Change Your Passwords: Change the passwords for your important accounts, especially those related to financial or sensitive information. Use a different device if you suspect your current device is compromised.
- Enable Multi-Factor Authentication (MFA): If you haven’t already, enable MFA on your accounts to add an extra layer of security.
- Monitor Accounts for Unusual Activity: Keep an eye on your bank accounts, credit cards, and other important accounts for any unauthorized transactions or changes.
- Report the Incident: Report the phishing attempt to your IT department if it’s a work-related incident, or to the relevant service provider. Additionally, you can report phishing emails to organizations like the Anti-Phishing Working Group (APWG) or the Federal Trade Commission (FTC).
- Clear Browser Cache: Clear your browser’s cache and cookies to remove any potentially harmful data.
- Inform Contacts: If you suspect that your email or social media accounts have been compromised, inform your contacts to be cautious of any suspicious messages coming from your account.
- Stay Informed: Keep yourself updated on the latest phishing tactics and enhance your knowledge on how to avoid future incidents.
Darktrace phishing solutions
Security solutions such as email filtering, anti-virus software, and security awareness training can help detect and prevent phishing attacks. More advanced solutions, such as AI-powered cyber security, can also be used to train employees, comply with security directives and regulations, and level up security teams.
With Self-Learning AI, Darktrace can identify phishing attacks by understanding your organization. It analyzes emails for the sender, recipients, tone and sentiment, and hundreds of other factors to determine if something doesn’t look right. Then it neutralizes the threat, even on the first encounter.
Darktrace/Email is the industry’s most advanced cloud email security, powered by Self-Learning AI. It combines AI techniques to exceed the accuracy and efficiency of leading security solutions, and is the only security built to elevate, not duplicate, native email security.