Why Phishing Campaigns Succeed – And How to Fight Back

Phishing attacks

Nearly all email-based threats, phishing included, are harmless in and of themselves. To become dangerous, they require some type of user interaction, whether that is clicking on a link, opening an attachment, or something similar. Yet email remains a highly popular and lucrative attack vector, and phishing ranks as the leading cause of data breaches. What do these two facts tell us? Cybercriminals have gotten very good at getting users to interact with malicious messages.

There’s a clear, finely tuned psychological element behind that success rate. Criminals have learned how to manipulate people into behaving in a certain way. One reason is that phishing targets the part of the brain dedicated to making quick decisions. Researchers have noted that people agonize over important decisions while making others automatically, without thinking. For most people, clicking on links in emails falls into that second camp. They don’t take the time to stop and ask “Is this something I should be doing?” It’s a reflex.

Phishing attacks may also play off a target’s emotions. People with higher levels of stress tended to be more skeptical and were better at sniffing out scams. Attackers know this too and often design their lures around it. Some phishing campaigns are structured to put victims in a good mood, thus lowering their stress level (and their guard!). That, in turn, makes them more likely to click on a link or attachment.

Another way attackers look to slip past a person’s defenses is by impersonating a source the victim trusts. In some cases, this might be a boss or another authority figure. That trusted source could also be a company. Microsoft, PayPal, Facebook, Netflix and Bank of America are just a few of the companies most often impersonated during phishing attacks.

Masquerading convincingly as Microsoft isn’t just a psychological endeavor. It also requires some heavy lifting on the technology side. Criminals have taken to swiping code from legitimate Microsoft websites and using it to make the line between their attack and the real thing almost imperceptible, even to the most eagle-eyed, battle-hardened user.

5 telltale signs of phishing emails

While the picture painted above is pretty bleak, things are most certainly not hopeless. There’s plenty that organizations – and end users – can do to protect themselves. The best thing is to slow down. Sure, that’s easier said than done. Before a user interacts with an email, have them mentally run through a checklist of common phishing warning signs. This can slow them down just enough to get ahead of attackers.

Excessive or suspicious typos. At first glance, typos can be easy to miss. They may not even be an indicator of a threat, just a sign that the person on the other end of the email was in a hurry. Still, too many misspellings, and misspellings in certain places, are major red flags. That “@micorsoft” domain name in the sender’s email address might not be instantly noticeable, but it’s a near-certain indicator of a threat. Other typos, like repeatedly misspelling a company’s or contact’s name, are worth noting.

Uncommon groupings. Users tend to see the same names popping up in messages they’re CC’d on. It could be other people in their department, people they’re working on a project with, etc. They should be suspicious if they’re suddenly CC’d on a message with a group of names they don’t usually see. If the collection of names appears random or if it has a rudimentary pattern (like all of the last names start with the same letter), users may want to look at it more closely – or even better, send it to the security team for further analysis.

Misleading hyperlinks. When it comes to phishing attacks, the truth is often in the hyperlinks. Encourage users to hover their cursor over a hyperlink prior to clicking on it. They should look for telltale signs of foul play, like web addresses that don’t match the supposed sender. Typos come into play again here. Attackers will often purposefully misspell something to make a fraudulent site look legit, for example rnicrosft.com instead of microsoft.com.

Unrequested follow-ups. Something can’t be dangerous if it’s just following up an earlier message, right? Attackers love to exploit that line of thinking by creating bogus subject lines that make threats appear to be nothing more than harmless responses to a user’s original message. If a user doesn’t recall sending that initial email, and there’s no sign of it in his or her sent mail folder, there’s a good chance the message should be regarded as a threat.

Unusual behavior. There’s a rhythm to the average workday, and no one knows that better than the user who lives it each week. He or she knows when to expect given messages and requests. That’s not to say surprises don’t happen. However, if a billing request that usually arrives during business hours comes through in the middle of the night, users may want to think twice before interacting with it in any way.
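As an added example (not code from the original article), here is a small Python checker for the two link-level signs above: lookalike domains such as rnicrosft.com or micorsoft, and link text that names a different site than the link’s real target. The trusted-brand list and the confusable-character table are assumptions for illustration, and a security team would run something like this over extracted links rather than asking users to do it by hand.

```python
import re
from urllib.parse import urlparse

# Constructed list of brands the article names as commonly impersonated (assumption).
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com", "facebook.com",
                   "netflix.com", "bankofamerica.com"}
# Character pairs that look alike in many fonts; illustrative, not exhaustive.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def registrable(host):
    # Crude "last two labels" rule; production code should use the Public Suffix List.
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def normalize(host):
    # Collapse visually confusable sequences so rnicrosft -> microsft.
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host

def levenshtein(a, b):
    # Classic edit distance (insert/delete/substitute).
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(host, max_distance=2):
    """Return 'trusted', 'lookalike' (within a few edits of a trusted brand) or 'unknown'."""
    dom = registrable(host)
    if dom in TRUSTED_DOMAINS:
        return "trusted"
    norm = registrable(normalize(dom))
    if any(levenshtein(norm, t) <= max_distance for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"

def check_link(anchor_text, href):
    """Flag a link whose visible text names a different site than its real target."""
    href_host = urlparse(href).hostname or ""
    m = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", anchor_text.lower())
    text_host = m.group(0) if m else None
    mismatch = text_host is not None and registrable(text_host) != registrable(href_host)
    return {"href_host": href_host, "verdict": classify_domain(href_host),
            "text_mismatch": mismatch}

# Constructed sample links, modelled on the article's rnicrosft.com example.
print(check_link("https://www.microsoft.com/account", "http://rnicrosft.com/login"))
print(check_link("Sign in to PayPal", "https://www.paypal.com/signin"))
```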

Next steps: Give your organization the tools it needs to fight phishing attempts

Really, the best defense users have against phishing attempts is their gut. If something feels wrong, there’s no harm in calling in the experts to check it out. The key is giving users the knowledge to recognize threats and empowering them to slow down and assess a situation before reacting. Nauticon’s Managed IT Services team can help facilitate the training users need to be ready for the worst today’s cybercriminals have to offer. Call us today at 240.499.2546 or visit https://www.nauticon.com/contact to open up a dialogue with our team!