What is phishing?
In its simplest form, phishing is a type of cyber attack that uses social engineering techniques to trick computer users into taking an action which allows the perpetrators to steal sensitive information or money, or to install malware. Typically, a phishing attack is carried out via email.
How common is phishing?
Very. Phishing has been a popular method for hackers, cyber criminals and script kiddies for years, and its attractiveness shows no sign of abating. It is a low risk, low investment technique with potentially high rewards, and is often used as a means of laying the foundation for other, more disruptive and lucrative attacks such as ransomware.
How does phishing work?
Typically a phishing email will take one of two forms. The recipient will either be asked to click on an enticingly named attachment (“Employee salaries and bonuses 2022”) which then triggers the installation of a piece of malware, or to click on a malicious link which takes them to a clone of a legitimate website (“review your online transactions here”). Once clicked, the website will either download malware onto their machine or harvest the credentials entered into the login pages.
What is spear phishing?
Most phishing campaigns consist of emails sent to a large number of random recipients and rely on duping a small percentage of users from a big pool of targets to be successful. It’s purely a numbers game.
However, there are some phishing attacks which are targeted at specific individuals or organisations. These are known as spear phishing attacks and can take various forms:
Whaling
As the name suggests, whaling effectively translates into landing a big fish (or phish, in this case). These campaigns target high profile individuals such as the CEO and other C-suite executives, Board members and often members of the finance team. These attacks require a greater effort on the part of the perpetrator, but the potential rewards are far higher as these individuals often have access to sensitive information and financial privileges that more junior members of the team do not. More enticingly, a senior executive’s compromised email account is the perfect platform for Business Email Compromise attacks (see below).
BEC (business email compromise)
These are spoof emails which look like they have come from a senior executive and are sent to more junior members of staff often asking them to complete an “urgent” task such as transferring funds or disclosing confidential information.
In this case, a copy of a legitimate email that has previously been delivered is sent from a spoof address that closely resembles the email address of the original sender. The only difference between it and the original email is that links and/or attachments will have been replaced with malicious ones. Recipients are more likely to fall for this sort of attack as they recognise the contents of the email.
How can I spot a phishing email?
There are several tell-tale signs that indicate an email may be part of a phishing attack. They include:
- Public email domains (such as Hotmail, Yahoo, Gmail, etc.)
- Misspelled domain names (often with just one or two incorrect characters)
- Non-personalised greetings (Dear customer, for example)
- Poor grammar and spelling
- Unsolicited attachments/links (generally speaking, any link or attachment from an unknown source or from someone who wouldn’t usually send emails containing them should be considered suspicious)
- Sense of urgency
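Several of these signs can be checked mechanically before a message reaches a user. The Python sketch below is an added example, not part of the original article: it flags public sender domains, sender domains within one or two character edits of a trusted domain, generic greetings and urgency wording. The trusted-domain list, keyword patterns and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; none of these lists come from the article.
TRUSTED = {"example.com", "examplebank.com"}          # domains you really deal with
PUBLIC = {"hotmail.com", "yahoo.com", "gmail.com"}    # public mail providers
GREETING = re.compile(r"^\s*dear (customer|user|client|sir|madam)\b", re.I | re.M)
URGENCY = re.compile(r"\b(urgent|urgently|immediately|within \d+ hours)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` is one or two edits from, else None."""
    if domain in TRUSTED:
        return None
    return next((t for t in sorted(TRUSTED) if edit_distance(domain, t) <= 2), None)

def phishing_indicators(raw_email):
    """List the tell-tale signs present in a single-part plain-text message."""
    msg = message_from_string(raw_email)
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    body = msg.get_payload() if not msg.is_multipart() else ""
    found = []
    if domain in PUBLIC:
        found.append("public email domain")
    target = lookalike_of(domain)
    if target:
        found.append(f"misspelled domain (resembles {target})")
    if GREETING.search(body):
        found.append("non-personalised greeting")
    if URGENCY.search(body):
        found.append("sense of urgency")
    return found

# Constructed sample message, not real mail.
SAMPLE = (
    "From: Accounts <billing@examp1ebank.com>\n"
    "Subject: Action required\n\n"
    "Dear customer,\nPlease confirm your details immediately.\n"
)

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

A match is a reason to look more closely rather than a verdict: legitimate mail can trip any one of these checks, and a short trusted domain will sit within two edits of many unrelated ones.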
How can I protect against phishing attacks?
Cyber safety and phishing awareness training
The most effective way to defend against phishing attacks is to train your users to be cyber safety aware. Phishing, more than any other attack vector, relies on human error in order to be successful, which means that it’s essential for your users to be vigilant at all times and to know how to spot a potential phishing email. The most effective training programmes include regular, bite-size training modules and simulated attacks that not only test users’ ability to spot a phishing email but also their level of confidence in doing so.
Implement technical cyber security controls
Phishing attacks are often only the precursor to other, more damaging threats such as ransomware and Advanced Persistent Threats. In the event that a user does fall foul of a phishing email, you’ll need to have the appropriate technical measures in place to ensure that the attack is not able to progress any further. This should include email threat prevention and threat detection and response solutions.
Build a positive cyber security culture
Phishing attacks are successful because the perpetrators are very good at tapping into natural human instincts like curiosity and a willingness to submit to authority. It’s important that your users know this, and that they are encouraged to report it should they suspect that they have fallen foul of a phishing attack. If you can steer away from apportioning blame, users are far more likely to ‘fess up, which puts you in a better position to mitigate the damage.
For more information on how norm. can help you to protect your organisation against phishing attacks, take a look at the Cyber Safety and Phishing service here.
Written by Pete Bowers
Pete Bowers is COO at norm. where he is responsible for the overall operational and financial functions of the business. He also oversees customer innovation and success, and plays a pivotal role in the ongoing development of cyber security and data protection services which deliver transparency and tangible value to norm.’s growing client base.