Phishing attacks have long been one of the most popular threat vectors used by attackers. Simple in concept, a phishing attack is a hostile email designed to facilitate the threat actor’s attack. This can be the delivery of a malware attachment, redirection via a malicious link in the email, a request to take some action (as in a business email compromise attack), or simply information gathering, such as harvesting valid email addresses in preparation for future attacks. The combination of potential uses means that phishing attacks are actually far from simple.

A phishing email can be a customized, one-off email, manually built by an attacker for a very specific attack against a particular target, or it can be one of millions of phishing emails sent via a malspam campaign run through a botnet. Phishing campaign emails tend to have subject lines with misspelled words, grammatical or punctuation errors, or random characters out of context. In many cases, the results of the phishing attack depend on how targeted, or appropriate, the email is for the intended audience. In most analyses of phishing attacks, it appears victims open about a third of phishing emails and click through them about 10% of the time.

Experiments in which phishing attacks were conducted with a small amount of customization saw results reaching as high as a 100% open rate and about a 67% click-through rate. If you consider that a dedicated malspam campaign can send millions of emails, the potential impact those volumes could have on most organizations should be intimidating.

But why do phishing attacks work?

A successful phishing attack is the result of two primary factors: the volume of the emails sent and the attractiveness of the lure. Volume is often important because of the open and click-through rates.

If the numbers above are accurate, about 3.3% of phishing emails are likely to result in a click to download malware or a redirect to a hostile website hosting an exploit kit. If the numbers are close, a malspam campaign that sends 1,000 emails might expect something on the order of 33 click-throughs, but a malspam campaign that sends a million emails might expect more like 33,000 click-throughs. If the attacker can increase both chances – the chance of an open and the chance of a click-through – by using an attractive lure, this gets even worse.

The lure is the topic of the phishing email, intended to grab the attention of the recipient and draw them into being interested and, as a result, opening and clicking into the email. Lures can come in various forms, but some of the more popular and timely lures include emails with subject lines related to computer security, healthcare insurance, holiday offers, and banking and online accounts, to name a few.

Many of the more popular and timely subject lines observed in phishing emails in 2020 have been related to COVID-19 – to capitalize on general interest in COVID-19, current infections, financial assistance, and vaccines. Just because an email has one of these subject lines doesn’t guarantee it is a phishing email, but it should probably be viewed with some suspicion at the very least. These could include misspellings, punctuation errors, random characters and other errors, shown as copied from suspect emails.

Because prevention is better than cure

Phishing campaigns will continue to be a problem for one simple reason – they work. There are technical solutions which can reduce the amount of spam and malspam that reaches employees. Good spam filters can catch even some targeted phishing emails. Employees should also be restricted to operating – browsing the web and processing email – from non-privileged accounts, but ultimately the final filter is the employees themselves. This means good phishing awareness is one of the best defences an organization can have against phishing attacks.

Users should have a comfortable awareness of how to identify phishing attacks. Often, even a cursory comparison of the subject line, the email contents and the address of the sender can reveal fake or malicious emails. An email with a subject line about an account lockup, with contents about the victim’s bank, and a sending address of [email protected] should make it obvious to most users that the email isn’t genuine, but not all phishing emails are this easy to identify.

Given the topicality of the conversation, today users can assume that any email which includes ‘vaccine’ or ‘Playstation 5’ in the subject line has a high probability of being fraudulent – as do emails which include unsolicited or unexpected links to DocuSign or DropBox. If users are familiar with the common lures and subjects that phishing attacks are currently using, it can improve an organization’s resistance to such phishing attacks.
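The cursory comparison described above (subject line versus body versus sender address) and the list of timely lure terms can be turned into a simple triage check. The following is an added example written for this article, not code from the original post; the lure term list, the brand-to-domain mapping and both sample emails are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Lure terms drawn from the subjects the article calls popular and timely (constructed list).
LURE_TERMS = ("vaccine", "covid", "playstation 5", "docusign", "dropbox",
              "account", "bank", "security", "insurance", "holiday")

# Brands a message may claim to come from, mapped to the domain that legitimately sends
# for them. Assumption for this example: the defender maintains this mapping.
BRAND_DOMAINS = {"docusign": "docusign.com", "dropbox": "dropbox.com",
                 "examplebank": "examplebank.com"}

def sender_domain(msg):
    """Return the lowercase domain of the From: address ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def body_text(msg):
    """Return the plain-text body (falls back to HTML) as lowercase text."""
    part = msg.get_body(preferencelist=("plain", "html")) if msg.is_multipart() else msg
    return (part.get_content() if part else "").lower()

def score_message(raw):
    """Compare subject, body and sender; return a list of reasons for suspicion."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").lower()
    text = body_text(msg)
    domain = sender_domain(msg)
    reasons = []
    lures = [t for t in LURE_TERMS if t in subject]
    if lures:
        reasons.append("lure term(s) in subject: " + ", ".join(lures))
    for brand, legit in BRAND_DOMAINS.items():
        if (brand in subject or brand in text) and domain != legit \
                and not domain.endswith("." + legit):
            reasons.append(f"mentions {brand} but sender domain is {domain!r}")
    return reasons

# Constructed samples: a lure mimicking a bank lockout from an unrelated domain,
# and a genuine-looking statement notice from the bank's own domain.
SAMPLE_PHISH = ("From: Security Team <alerts@mail-notify.example>\n"
                "Subject: Your ExampleBank account has been locked\n\n"
                "Your ExampleBank account is locked. Click here to restore access.\n")
SAMPLE_LEGIT = ("From: ExampleBank <noreply@examplebank.com>\n"
                "Subject: Your monthly statement is ready\n\n"
                "Your ExampleBank statement for March is available in online banking.\n")

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, score_message(raw) or ["no findings"])
```

An empty list is not proof an email is genuine; the check only surfaces the obvious mismatches the article says most users can spot, so it belongs alongside spam filtering and awareness training, not in place of them.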

