What Is Email Phishing? (& How to Prevent It)
Email phishing can be tricky to spot, cost your company thousands of dollars, and tarnish your reputation, so how can you protect against these attacks?
What is email phishing? Email phishing is a social engineering attack that tricks users into clicking a link from an email, allowing the cybercriminal to steal private information or infiltrate your network.
What Is Social Engineering?
Social engineering exploits the human element in broad-scale IT attacks. While an IT system might have several dozen security measures and controls in place to protect data, that information is accessed by users—as it should be, because data without a user or administrator is somewhat worthless. Social engineering attacks will target these users through social means: phone calls, emails, document retrieval, even dumpster diving, and on-premises scams.
Social engineering is such a well-known form of attack that some of the earliest hacks were social engineering attacks. While we often have the image of the WarGames-style hacking from the security of a terminal, the truth is that most data breaches start with a human attack vector.
Some social engineering attacks include the following scams:
- Video games and Floppy Disks: Elk Cloner, one of the first computer viruses, was propagated through floppy disks masquerading as video games as early as 1989.
- Deepfakes and Scamming: In 2019, a caller using voice technology called the chief executive officer of a UK energy firm claiming to be the CEO of his parent company. The caller convinced the CEO to wire €220,000 to a fraudulent account.
- Spear Phishing and Politics: The 2016 Presidential Election email leak included the loss of thousands of emails from the database of the Democratic National Convention and the launch of several additional attacks from DNC-based email domains. The attack’s origin was traced to an email containing a malicious link hidden behind bit.ly shortening, targeting DNC IT engineers.
- Watering Holes and Fake Sites: The Lazarus hacking group launched several attacks against sites in 2017, replacing them with fake sites with links sending users to untrusted sites or infecting their browsers.
These attacks rely on the deception of users to take action that compromises the IT systems that they use every day.
How Is Email Phishing a Social Engineering Attack?
Email is by far the most ubiquitous form of digital communication used by consumers and professionals worldwide. The ease with which email can be sent, spoofed, and leveraged for mass emailing campaigns makes it one of the most common social engineering attacks.
The term “phishing” denotes the expectation of the attack—by using the right “bait” in an email, they can get a reader to perform a specific action: click a link, share a file, or provide login credentials. The bait, in this case, is a legitimate-looking email that seems like it comes from a real person or an established organization.
Therefore, phishing is a social engineering attack because it relies on a lack of knowledge on the victim’s part. By using deceit, the attacker fools the person to give away credentials. Because it is reliant on targeting a victim in an organization rather than the IT infrastructure, it can prove highly fruitful.
These attacks are so fruitful that there are several types of email phishing:
- Spear Phishing: Typical phishing often follows a “spray-and-pray” approach where thousands of emails are used to target a large victim pool somewhat indiscriminately.
Spear phishing refines the target to someone specific, such as a certain type of engineer or professional within an organization. These users are often more likely to have advanced access to system resources, and likewise, the phishing attack will appear more sophisticated.
- Whale Phishing: A form of spear phishing, whale phishing targets the highest levels of an organization, like the C-Suite. Unfortunately, while we might assume that these executives are more tech-savvy than others, this is often not the case in the face of sophisticated phishing attempts.
- Clone Phishing: In this attack, a hacker gains access to an email account and finds an existing element in an email, like a signature link or something else, injects malicious code or links, and sends legitimate-seeming emails to the contacts in that account. This attack can continue so long as at least one person continues to open emails and provide access to their email account.
- Business Email Compromise: A hacker gains access to tools that allow them to spoof professional domains and send emails that look as if they come from someone specific in that organization (a manager, the IT system administrator, etc.) and ask for rapid action such as providing login information or even the transmission of company funds.
Why Is Email Phishing Such a Popular Form of Attack?
Phishing is a social engineering attack that is fruitful, and statistics have shown that these are by far the most common form of attack. According to a report from Verizon, responding companies report that 25% of all breaches are directly related to phishing and 85% of breaches involve human error or social engineering.
The reason phishing works so well is threefold:
- They are easy to launch: Emails are simple to send, and with a little knowledge of company email templates, email address spoofing, and persuasive language, they can send thousands of emails that look like they came from a legitimate company, like PayPal or Microsoft. With the right information, phishing scammers can send emails to employees of a company that look like they come from someone inside the organization.
- Low success rates are still successes: Even with wide-ranging phishing campaigns, a shallow response rate can provide critical access information to a user or enterprise IT system. One such set of credentials can prove enough to give full access to a system.
- People are the weak link: Email is one of those technologies everyone uses. People often don’t pay attention to what comes to them. So, if a message looks like it comes from a company domain or a legit company, many users will take that as an authoritative email and not ask questions.
How Can I Recognize an Email Phishing Attack?
Even the most sophisticated phishing attacks will have flaws. It’s up to a well-informed and well-trained employee population to see these flaws and delete (and report) phishing emails when they see them.
Some common markers of a phishing attack include the following:
- Fake Email Addresses: Poorly structured emails can still spoof an email address description so that it looks like the email came from somewhere else. Or, more commonly, these hackers will use a common company name inside a fake domain address to fool victims.
Employees should be able to look at the email details to determine the address is who it says it is, and employees should also recognize fake domains—for example, the real domain name microsoft.com versus the fake domain like microsoft.customersupport.com. These fake addresses will often look official without actually coming from where they say they do.
- Requests for Personal Information: By now, nearly every company globally has internal and external policies around never requesting personal information or login credentials. An email that asks for them outright should immediately be deleted and reported.
- Misleading Link URLs: Phishing attacks will often use the fact that users won’t look at a link or button URL before clicking. All browsers will have a mechanism where they can hover their mouse over a link or button to see the URL, and if it isn’t to a location that it claims to go, then it’s a scam.
- Misspellings, Broken Text, and Templates: Many phishing attacks are sent via foreign or state-sponsored attackers using auto-fill templates. Sometimes these templates don’t fill correctly, have extensive typos, or read in broken English—all sure signs that it is a phishing attack.
- Attachments: The classic delivery vector for viruses and malware are attachments on emails. No one should ever click or execute an attachment from an unknown emailer. This is doubly so for an executable file.
Strong Authentication for Strong Anti-Phishing Protection
One of the key weaknesses exploited by phishing attacks is weak authentication. If a hacker gets a password, then there is little to stop them from accessing system resources.
Suppose you’ve implemented secure identity management solutions that can handle advanced biometric, multi-factor, or passwordless authentication. In that case, it’s much less likely that enterprise user accounts can be compromised via email phishing.
1Kosmos BlockID provides authentication support that stops hackers from exploiting weak systems—weak passwords, uninformed users, or single-factor authentication. BlockID comes with the following features:
- Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
- Identity-Based Authentication Orchestration: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
- Integration with Secure MFA: BlockID readily integrates with a standard-based API to operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
- Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
- Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.
To learn more about phishing and prevention through authentication, read our whitepaper on Strong Identity-Based Authentication by 1Kosmos. Also, sign up for our newsletter to stay ahead of our product news and releases.