Phishing is one of the easiest and lowest-cost methods for an attacker to deliver a malicious link or payload, or to obtain sensitive information such as usernames, passwords, or credit card details from a victim. In fact, the majority of successful cybersecurity breaches involve some form of phishing, especially to gain an initial foothold in a system before escalating the attack.
Phishing tactics have also become far more subtle and sophisticated, as they are disguised to look like legitimate communications. All forms of digital communication are vulnerable, including SMS (‘smishing’) and voice calls (‘vishing’).
This Phishing Awareness Guide has been designed to give you a basic understanding of phishing, including tips for prevention, identification, and examples of common tactics.
KEY TERMS
- Phishing: a social engineering attack via electronic communication used to defraud a victim by disguising the sender as a trustworthy entity (e.g., government, bank, vendor, employer, etc.). These attacks are often untargeted and widely distributed.
- Spear Phishing: targeted phishing aimed at members of an organization with access to critical data and accounts, such as a finance or accounting manager.
- Whaling: a phishing attack designed to target senior decision-makers such as the CEO or other members with significant authority. Whaling is often the most strategic, persistent, and lucrative form of phishing.
- Credential Harvesting: phishing attacks that ask the user to click a link to visit a fake website and enter their credentials. Any usernames, passwords, security answers, or other information submitted may also be used in future attacks.
- Malicious Attachments: some phishing emails or websites may ask you to open an infected attachment. These attachments download and execute a first-stage payload such as ransomware, other malware, or a remote access trojan. Common attachment types include infected PDFs and macro viruses embedded in Microsoft Office documents.
HOW TO IDENTIFY A PHISHING EMAIL
- Carefully inspect all web addresses. Phishing attackers often change one number, symbol, or letter in a domain to impersonate legitimate websites, email addresses, etc. These subtle differences are easily overlooked (e.g., paypal.com vs. paypa1.com, nike.com vs. nike.org).
- Look for spelling or grammar mistakes. Phishing messages often include spelling and grammar mistakes. The tone and language of the message may also serve as indicators of its authenticity. Ask yourself: Does the language seem normal and appropriate for this sender?
- Ensure the email is from someone you know. Never open an attachment or click on a link from a source you do not know or trust. If you are unsure, verify the sender by contacting them separately (e.g., via phone or text).
- Beware of urgent requests. Many attackers use urgency to trick their victims, requiring the completion of time-sensitive tasks (especially those with financial implications). Always verify such requests with the sender through alternate channels.
- Hover over links to preview their destination. Better yet, submit the address to a URL scanner and select a private scan so the result is not published, which avoids alerting the threat actor.
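The web-address check in the first tip above can be automated on the defender's side. This is an added example, not part of the original guide: it folds common look-alike characters (1 for l, 0 for o, rn for m), compares the registrable domain against a constructed allowlist of trusted brands, and also catches two cases the guide's examples do not show, a swapped top-level domain and a trusted name buried as a subdomain of an attacker's host. The allowlist and the verdict strings are assumptions.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist of brands the organisation deals with (assumption).
TRUSTED_DOMAINS = ["paypal.com", "nike.com", "microsoft.com"]

# Digits attackers substitute for look-alike letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def hostname(url: str) -> str:
    """Lowercase host from a full URL or a bare domain such as 'paypa1.com'."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").strip(".")


def normalise(label: str) -> str:
    """Fold look-alike characters so 'paypa1' and 'rnicrosoft' collapse to the real name."""
    return label.translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch a single added, dropped or changed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted domain resembled). Any 'lookalike-*' verdict means:
    hand the link to a human or a URL scanner before anyone clicks it."""
    host = hostname(url)
    dom = ".".join(host.split(".")[-2:])          # registrable part, e.g. paypal.com
    if dom in TRUSTED_DOMAINS:
        return "trusted", dom
    name, _, tld = dom.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        if f".{trusted}." in f".{host}.":         # paypal.com.evil.example
            return "lookalike-subdomain", trusted
        tname, _, ttld = trusted.rpartition(".")
        if name == tname and tld != ttld:         # nike.org standing in for nike.com
            return "lookalike-tld", trusted
        if normalise(name) == tname or edit_distance(name, tname) == 1:
            return "lookalike-homoglyph", trusted  # paypa1.com, rnicrosoft.com
    return "unknown", None
```

A one-letter edit distance also fires on unrelated short names (bike.com against nike.com), so treat the verdicts as review triggers rather than automatic blocks.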
PREVENTIVE MEASURES
- Enable Multi-Factor Authentication (MFA) on all user accounts.
- Reset email account passwords regularly, and immediately when suspicious activity is identified.
- Automate software updates to ensure you have the latest software with bug fixes and vulnerability patches.
- Disable mail forwarding rules to external domains. This action prevents Business Email Compromise (BEC) scammers from silently monitoring email communications as a means of replicating your internal communication processes in an attack.
- Never forward a phishing email. Take a screenshot, mark it as phishing/spam, and reach out to your IT team for support.
REAL WORLD CASE STUDY – HONG KONG, 2020
A spear-phishing campaign was launched against the CEO of a garment trading firm in Hong Kong. The CEO supposedly received an email from Microsoft asking him to validate his O365 account. Thinking this was a legitimate request from his email service provider, the CEO clicked on the link and entered his credentials. He then received a message informing him that his account was validated, and thus did not give it any further thought. However, his account was compromised, and the attackers now had access to his emails and calendars.
As the CEO’s account did not have multi-factor authentication enabled, the hackers were able to access the account with just the stolen credentials. The attackers launched a surveillance campaign, gathering information they needed to understand the company's communication style, and invoicing practices. The attackers set up mail forwarding rules, sending all email communications to their own personal inbox to gather useful information needed to carry out fraudulent transactions.
As part of the mail-forwarding rules put in place, all invoice-related emails went straight to the hacker and were deleted from the CEO’s inbox, making the CEO unaware of any ongoing transactions. Further, the attackers were aware that a supplier of the garment trading company was in the midst of changing bank accounts and would be sending invoices with new payment details shortly – providing the perfect opportunity for the attackers.
Knowing the CEO’s calendar, the hackers attacked the firm while the CEO was on a two-week business trip. The hacker created a fake invoice from the supplier, complete with fraudulent company stamps, and sent the documentation to the accounting department of the garment firm to process the transaction. After multiple email exchanges between the “CEO” and the CFO, the transaction was authorized.
Tracing back nearly three weeks, the company discovered that the CEO’s compromised email account had sent an invoice for HKD $1.5M to the hackers’ designated bank account.
To prevent this and other similar phishing attacks from succeeding, remember to critically examine any emails requesting log-in to sensitive accounts, enable multi-factor authentication, disable all mail forwarding rules, and confirm any significant financial requests by alternative communications.
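The "disable mail forwarding rules to external domains" measure and the case study's forward-and-delete pattern can be checked with a periodic audit of mailbox rules. This is an added example, not part of the original guide: it runs over a constructed sample of rules (the field names are illustrative, not any mail platform's export schema) and flags rules that send mail outside the organisation, delete finance-related mail so the owner never sees it, or carry a blank or one-character name. The organisation domain and sample addresses are placeholders.

```python
from typing import Dict, List

# Assumption: the organisation's own mail domains (constructed placeholder).
ORG_DOMAINS = {"garmentco.example"}
# Subjects a BEC actor hides from the mailbox owner; the case study used invoices.
FINANCE_KEYWORDS = ("invoice", "payment", "bank", "wire")

# Constructed sample of mailbox rules. The field names are illustrative,
# not any mail platform's export format.
SAMPLE_RULES = [
    {"mailbox": "ceo@garmentco.example", "name": "Archive newsletters",
     "forward_to": [], "redirect_to": [], "delete": False,
     "subject_contains": ["newsletter"]},
    {"mailbox": "ceo@garmentco.example", "name": ".",
     "forward_to": ["backup.mail.2020@freemail.example"], "redirect_to": [],
     "delete": True, "subject_contains": ["invoice", "payment"]},
    {"mailbox": "cfo@garmentco.example", "name": "Copy to assistant",
     "forward_to": ["assistant@garmentco.example"], "redirect_to": [],
     "delete": False, "subject_contains": []},
]


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def audit_rules(rules: List[Dict]) -> List[Dict]:
    """Return one finding per rule that shows a BEC forwarding or hiding pattern."""
    findings = []
    for rule in rules:
        reasons = []
        external = [a for a in rule["forward_to"] + rule["redirect_to"] if is_external(a)]
        if external:
            reasons.append("sends mail outside the organisation: " + ", ".join(external))
        hidden = [k for k in rule["subject_contains"] if k.lower() in FINANCE_KEYWORDS]
        if rule["delete"] and hidden:
            reasons.append("deletes finance-related mail matching " + ", ".join(hidden))
        # Attackers commonly give rules an empty or one-character name so they are
        # easy to miss in the rule list; this heuristic is a practitioner addition.
        if len(rule["name"].strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        if reasons:
            findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                             "reasons": reasons})
    return findings
```

Internal forwarding (the CFO-to-assistant rule) is deliberately not flagged, so the output stays short enough for a mail administrator to review every finding.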
COMMON PHISHING EXAMPLES
Bank Notification:
Banks and government agencies will not ask you to click on a link to verify your credentials or authenticate a transaction over text. Instead, you will be given a specific number to call, or asked to enter a one-time password (OTP) as part of Multi-Factor Authentication.
Fraudulent Sign-In:
Be wary of emails that ask for sensitive information such as credit card details or other personal details like your password. These emails provide a link whose true destination is obfuscated; behind it, attackers can harvest your personal information or install malware on your endpoint without your knowledge. Manually log in to such services in a separate window, or reach out to the relevant service provider to determine the validity of the request.
Urgent Request:
Always verify the origin of a request. Attackers often pose as members of your organization or someone from your network in order to gain your trust and have you complete an illegal transaction on their behalf. Another telltale sign of a phishing attempt is poor grammar and sentence structure.
Malicious Attachment:
Look out for emails from unknown senders with fake email addresses, especially if you are asked to download an attachment. Such an attachment can install malware, ransomware, or a remote access trojan on your endpoint without your knowledge. Further, such emails typically have poor spelling and grammar and lack a proper sign-off.