Is there something Phishy in Your Inbox?
It’s not often you get to be the Chosen One, so imagine the delight at receiving an email from a member of the African aristocracy, who really does need your help to unlock his (or her) mega riches. What luck! This minimal effort of course won’t go unrewarded: the email promises a slice of said fortune.

How nice.

Or maybe not. In the ‘old days’ it wasn’t all that hard to spot a scam email. That’s essentially what phishing is. There are lots of categories – such as spear phishing and whaling – but in its most basic form, phishing refers to fake emails, those sent with malicious intent, the objective being to install malware or harvest – steal – personal information.

In the vast majority of cases, the phish requires end user interaction to be successful. Typically, that means the recipient needs to open an attachment or click on a web link. And this is what social engineering is all about. Finding a way to engage the end user, to trick them into opening a file or clicking on an embedded link.

Unlike our example of African Kings and Queens desperate to reclaim their billions, phishing emails today are far more sophisticated. Cyber criminals will often craft emails purporting to be from legitimate organisations, ensuring the look and feel accurately mimics a legitimate email. The language, colour scheme, logos, disclaimer – all are made to accurately resemble the organisation being impersonated. There may be multiple links in the message, with only one pointing to the malicious site, relying on the user not checking each one. Cyber criminals will make sure the sender information appears genuine, using clever techniques such as only minimal altering of the organisation’s domain name, so that to a cursory glance (which, let’s face it, is all we give) it looks like the original.
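The two tricks just described, a minimally altered domain and a set of links where only one is hostile, are exactly what a mailbox-side check can look for. As an added example (not code from the original post), the Python below pulls every link out of an HTML body and flags any whose domain is a near-miss of the impersonated organisation’s domain, or whose visible URL text names a different domain from the one the link actually goes to; the courier email, the domains and the 0.8 similarity threshold are all constructed for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(url):
    """Crude registrable domain (last two host labels); real code would use the public-suffix list."""
    host = (urlparse(url).hostname or "").lower()
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def link_reasons(href, text, trusted, threshold=0.8):
    """Reasons a link deserves a second look: its domain is a near-miss of the
    trusted one, or the visible URL text names a different domain than the href."""
    dom, reasons = registrable(href), []
    if not dom or dom == trusted:
        return reasons                      # genuine link, nothing to flag
    if SequenceMatcher(None, dom, trusted).ratio() >= threshold:
        reasons.append("lookalike-domain")  # e.g. 'rn' in place of 'm'
    if "://" in text and registrable(text) != dom:
        reasons.append("display-text-mismatch")
    return reasons

def suspicious_links(html, trusted):
    """Return [(href, reasons)] for every link in the body that trips a check."""
    parser = _LinkExtractor()
    parser.feed(html)
    checked = ((h, link_reasons(h, t, trusted.lower())) for h, t in parser.links)
    return [(h, r) for h, r in checked if r]

# Constructed sample: a fake courier notice with two genuine links, one lookalike domain
# and one link whose visible text shows the real domain while the href goes elsewhere.
SAMPLE_EMAIL = """<p>Your parcel is waiting.</p>
<a href="https://www.example-courier.com/help">Help centre</a>
<a href="https://www.example-courier.com/contact">Contact us</a>
<a href="https://www.exarnple-courier.com/track?id=1">Track your delivery</a>
<a href="https://secure-login.example.net/x">https://www.example-courier.com/account</a>"""
```

Running `suspicious_links(SAMPLE_EMAIL, "example-courier.com")` leaves the two genuine links alone and reports the other two, each with the reason it tripped.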

To push the user to take action, various methods are used. Sometimes, in an effort to pique our interest, the content references current news and affairs. Similarly, with the explosion of online shopping and frequent customer deliveries, attackers send emails claiming to be from courier services, with instructions to check the status of a delivery or open the attached order confirmation. Another tactic is to scare or threaten the end user by claiming there will be unsavoury consequences if action isn’t taken.

Many phishing attacks are highly targeted, not designed for mass propagation. These are characterised by sending the email to selected recipients in an organisation, and impersonating someone known to the user, such as a work colleague or business acquaintance. The subject matter is also carefully related to the user, something that the attacker hopes will appear believable. For example, it may be an attached ‘invoice’ sent to people in Finance, requesting payment and made to look as if coming from an actual supplier. Or it could be an instruction from a senior director, asking for funds to be transferred to a particular account.

A large proportion of successful hacks begin with a phishing email or message. Opening that seemingly innocent attachment, or clicking on an innocuous link, can all too quickly snowball into a full-fledged ransomware attack, or a backdoor giving hackers access to systems and data.

Security solutions can do a good job of spotting phishing emails and so, depending on the settings and functionality, these messages can safely be marked accordingly, deleted or quarantined, or attachments and links disabled before delivery to the user’s inbox. However, judging by the fact that companies are being hacked and compromised every day, clearly phishing attacks continue at pace and some slip through the net.

As well as having security technology and good security controls, it is always important for us as end users to remain vigilant. We’ll take a look at how to spot a phishing mail along with some dos and don’ts in a future blog post, but it’s always worth remembering that if an email urges immediate action, it’s good practice to slow down and verify its authenticity. If in doubt, don’t open the attachment and don’t click on that link!