This article was first published as a part of the cover story in the February 2018 issue of Digit magazine.
Phishing involves impersonating a trusted individual or company to trick a user into handing over sensitive data. For example, to obtain your banking credentials or email login details, an attacker might send you a link that appears to come from the company and leads to a web page that looks identical to the official site but is under the attacker's control. Google and Amazon are among the most spoofed companies.
More sophisticated attacks can be personalised to each individual in an organisation, baiting users with, say, the promise of a chance to win a free gift. If everyone on a mailing list has received a suspicious email, be especially wary of follow-up emails supposedly from cybersecurity personnel offering mitigation measures against the initial round of messages: those can be phishing attacks as well. If the initial round of phishing emails was in the news, such follow-up attacks are more likely to succeed, because even suspicious users who look up the attacker's claims online will find enough news coverage to convince them that the situation is genuine.
Phishing remains one of the most effective and lucrative methods for cybercriminals, and emerging technologies promise to let attackers craft even more convincing and targeted emails. One of the biggest additions to the attacker's toolkit is AI. AI allows cybercriminals to mimic various kinds of social behaviour and sustain a conversation in natural language, giving them a wider reach. Machine learning algorithms can now write these messages as well as humans can, faster, and without tiring. This lets phishing attempts leave the realm of the inbox and use, say, a chatbot instead.
Targeted phishing attacks, known as spear phishing, became more focused over the last year. A report published by Ironscales, an automated phishing prevention provider, showed that over 77 percent of such attacks targeted 10 or fewer inboxes, and 33 percent of spear phishing attacks were directed at just one individual. Sent in such small numbers, these emails slip past the traditional spam filters in place.
For high-value targets, instead of sending out emails en masse, the attacker might craft each email for a specific individual. Information harvested from social networks can be used to build a profile of the person, letting the cybercriminal work out which approach is most likely to succeed; spear-phishing lures can be built around what motivates the individual or what scares them most. These attacks are more likely to aim at the target's communications and documents rather than their bank account details. According to Phishlabs, 95 percent of espionage attacks involve phishing, and the average spear phishing success rate is 20 percent. Ministers, high-ranking officials and those in the top tier of management are the most likely targets; academics, activists and journalists are other high-value targets.
To stay safe from spoofed emails, one of the simplest precautions is to phone the person supposedly making the request, using a number you already have rather than one given in the email, to verify the need for the requested action, such as a transfer of funds. Before keying in login information, check that the site uses HTTPS and that it is the real website by scrutinising the domain in the address bar: a lookalike name, a familiar brand buried in a longer hostname, or a bare IP address are all warning signs. Enable two-factor authentication wherever possible. There is no legitimate reason to give your login details to any person, for any reason whatsoever.
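The URL checks above can be applied mechanically. The following Python script is an added example, not code from the original article: given a link and the domain you expect it to belong to (the `expected_domain` parameter is this example's own convention), it flags the tricks that make a phishing link look legitimate: a familiar brand buried in a longer hostname, credentials before an `@`, a bare IP address, punycode or non-ASCII lookalike labels, and a missing HTTPS. The `MULTI_LABEL_SUFFIXES` set and the sample links are constructed for the example; the `.example` hosts and the `198.51.100.7` address are documentation placeholders, not real sites.

```python
"""Mechanical version of the 'scrutinise the URL' advice.

Added example, not code from the original article. Given a link and the
domain it is supposed to belong to, it returns the reasons a careful reader
would distrust the link.
"""
import ipaddress
from typing import List
from urllib.parse import urlsplit

# Constructed, deliberately short list of suffixes under which the registered
# domain is one label deeper (amazon.co.uk, not co.uk). A real checker would
# use the full Public Suffix List instead of this hand-written set.
MULTI_LABEL_SUFFIXES = {"co.uk", "co.in", "com.au", "co.jp"}


def registered_domain(host: str) -> str:
    """Return the registrable part of a hostname, e.g. 'paypal.com' for
    'www.paypal.com' and 'amazon.co.uk' for 'www.amazon.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str) -> List[str]:
    """Return human-readable warnings for a link that is supposed to lead to
    expected_domain. An empty list means nothing suspicious was found; it
    does not prove the link is safe."""
    warnings: List[str] = []
    expected_domain = expected_domain.lower()
    parts = urlsplit(url.strip())

    # 1. Login pages should be served over HTTPS.
    if parts.scheme.lower() != "https":
        warnings.append("not HTTPS (scheme is %r)" % (parts.scheme or ""))

    host = parts.hostname or ""
    if not host:
        warnings.append("no hostname in URL")
        return warnings

    # 2. In 'https://paypal.com@evil.example/' the browser goes to evil.example;
    #    everything before '@' is treated as a username, not the destination.
    if parts.username is not None:
        warnings.append("text before '@' is a username; real host is %s" % host)

    # 3. A bare IP address is almost never a legitimate login page.
    try:
        ipaddress.ip_address(host)
        warnings.append("bare IP address %s instead of a domain name" % host)
        return warnings
    except ValueError:
        pass

    # 4. Non-ASCII or punycode labels can be homographs of a familiar name,
    #    e.g. 'xn--pypal-4ve.com' is 'paypal.com' with a Cyrillic first 'a'.
    if not host.isascii():
        warnings.append("non-ASCII characters in hostname %r" % host)
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label in hostname %s" % host)

    # 5. Only the registered domain says who controls the page:
    #    'www.paypal.com.account-verify.example' belongs to account-verify.example.
    reg = registered_domain(host)
    if reg != expected_domain:
        brand = expected_domain.split(".")[0]
        if brand in host:
            warnings.append("'%s' appears in the hostname but the registered "
                            "domain is %s" % (brand, reg))
        else:
            warnings.append("registered domain is %s, not %s"
                            % (reg, expected_domain))
    return warnings


if __name__ == "__main__":
    # Constructed sample links for this example; none of the lookalikes is real.
    samples = [
        ("https://www.paypal.com/signin", "paypal.com"),
        ("https://www.amazon.co.uk/ap/signin", "amazon.co.uk"),
        ("https://www.paypal.com.account-verify.example/login", "paypal.com"),
        ("http://paypal.com@198.51.100.7/login", "paypal.com"),
        ("https://xn--pypal-4ve.com/", "paypal.com"),
        ("https://secure-paypal-login.example/", "paypal.com"),
    ]
    for link, expected in samples:
        result = check_link(link, expected)
        print(link, "->", "OK" if not result else "; ".join(result))
```

The script only says whether the hostname is consistent with the domain you expected; a link that passes every check can still point at a compromised page on the genuine domain, which is why the phone call and two-factor authentication remain the stronger defences. Keeping `registered_domain` separate matters because the brand name can appear anywhere in a hostname the attacker controls, so a simple substring match on "paypal" would pass the very links the check is meant to catch.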