Cyber criminals have a variety of tools and techniques at their disposal, including malware, ransomware and disrupted denial-of-service attacks. One of the most common and difficult-to-spot strategies hackers use is phishing scams, which require minimal technical know-how and can be deployed from anywhere in the world via a simple email.
While the content of phishing emails can vary, cyber criminals often employ similar strategies and tactics. Using these methods, phishers have proven repeatedly that they can affect users regardless of their position in companies, presumed level of technical expertise, or employment field.
Targets are not always key employees in a business - anybody can be a victim. To avoid becoming prey to a phishing scam, it's important to understand how cyber criminals think when creating and sending phishing emails.
When carrying out a phishing attack, hackers will generally follow these four basic steps:
Target Identification:
When identifying targets, phishers may create master email lists. These lists will either consist of random email addresses for larger phishing schemes or more focused targets for phishing attacks. If the phisher is after a particular business, they might concentrate on executives or high-level managers with greater levels of access.
In other cases, phishers may target lower-level employees who may respond to pressure from someone impersonating their boss. In most cases, the targets of more tailored spear-phishing attacks are those that have valuable information or the authority to transfer funds.
Intelligence Gathering:
With a target in mind, in the case of spear-phishing attacks, the phisher's next job is to search social media, company websites and the dark web for enough information to build a believable email. These emails may include personal details, professional affiliations, or the names of acquaintances and family members. Phishers have also been known to collaborate with other cyber criminals, trading victim emails and vital information to enhance the effectiveness of an attack.
Message Crafting:
Using all the information gathered, the phisher will craft the most convincing email possible. Scammers may insert logos of popular websites (e.g. Paypal, Amazon, Ebay) and official-sounding verbiage in their own malicious email template.
Typically, phishers will ask for your username and password in the body copy of the email. The email will be worded with a sense of urgency so the end user feels like they will lose the account or money if they don't comply immediately. The goal of hyper-targeted phishing emails is the same as any other phishing attempt - get the user to take an action that will benefit the scammer.
Email Deployment:
While spam filters and other solutions can prevent phishing emails from affecting employers and individuals, no tool is 100% effective. In fact, all a phisher needs to do to ensure an email is delivered is to trick email filters into thinking a message was sent from a legitimate source.
One way they do this is through display name spoofing, a method where an email's "From" field is made to look like a safe source. Frequently, attackers will register a free email account and, in the case of phishing attacks, will use specific names or companies the victim will recognize.
Cyber Assessments:
With the increased usage of technology in people’s lives to stay connected while mostly working from home, cybersecurity threats have also become a growing issue and require proper assessments to manage any security gaps and risks that can harm your business.
Therefore, it’s important to conduct proper cyber assessments to mitigate the possibility of having your company’s cybersecurity system breached.
Get a FREE Cyber Risk Assessment to see if you're properly protecting your business from cyber risks:
