Thinking Like a Cybersecurity Villain

Variations of a quote that reduces to “know your enemy” are found in multiple historical settings. The sentiment behind them is that you can better defend your interests if you think like those threatening them. This maxim holds for cybersecurity generally, but especially for social engineering attacks.

Phishing Attacks Are a Significant Attack Method

Cybercriminals have seen significant success in gaining unauthorized access to an organization’s IT systems and stealing data using phishing attacks. Data shows that over two-thirds of cybercriminal groups use various forms of phishing as part of their attack methods, mainly due to the high success rate and the fact that phishing attacks can be automated with bots and require almost no effort from the bad actors after initial setup.

The Anti-Phishing Working Group (APWG) tracks phishing attack data worldwide and reported that 2022 was the highest year on record for this attack type (4.7 million attacks recorded). The number of phishing attacks recorded by APWG has increased threefold in the last two years.

While many endpoint security solutions and email scanning tools do a reasonable job of detecting and blocking phishing emails, the well-crafted ones often make it into people’s inboxes. And the number of well-crafted phishing emails is expected to increase as bad actors learn how to use Large Language Model (LLM) tools to generate fluent text in languages they don’t speak natively. We published some initial thoughts about ChatGPT and other LLMs in February.

Helping Your Team Spot Phishing Emails

When phishing emails, or messages with the same intent sent via other channels such as Messages, WhatsApp, and similar apps, arrive in people’s inboxes, one of the few remaining defenses is that the user isn’t fooled. Many organizations run outbound URL filters that stop users from inadvertently visiting a phishing or drive-by malware site. However, in the increasingly hybrid work world, people do not always reach the Internet through corporate gateways, so those filters are not always in the path.

What’s needed is staff awareness so that they can spot phishing attempts and other fake emails. Staff awareness training on all aspects of cybersecurity should be ongoing and frequent in organizations. Here are some telltale signs that an email or message might be from a cybercriminal.

The domain name in the sender’s email address is suspicious. Either the message comes from a non-business email address but its content is crafted to look like a business request from a known sender, or the address uses a domain with look-alike characters to spoof a legitimate one. A classic example is replacing the letter o in a name with a zero.

These can be hard to spot, so part of awareness training should be to treat every information request that arrives by email with suspicion and to confirm it through another channel: a telephone call, or a new, separate email to an address for the requester that you have used before. Never confirm by using the reply function on the email in question, because if that email is fake the reply goes straight back to the attacker.

The email is poorly formatted, uses idioms incorrectly, and has spelling and grammar errors. If a phishing email is spoofing a marketing email, remember that most (not all!) marketing teams spend a lot of time making their emails look good and read correctly.

There are attachments on the email that are atypical or that the email encourages the user to open. For example, if an email asks for some information and refers the recipient to open an attached Office file for the details, this should immediately signal danger.

The email contains links that the recipient is encouraged to follow.

The email tries to foster a false sense of urgency. This is often used with phishing attacks that are crafted to appear to be from important individuals in an organization. They often predict poor outcomes for the recipient if the requested action isn’t done promptly.

Phishing emails often include requests that are atypical for the recipient or the business in general. As before, this type of phishing email often appears to be from an important person in the organization who needs help. A classic example is the CEO at a conference sending a message asking the recipient to buy a gift card and send him the code.

Some phishing emails are not subtle and simply ask for information such as the login details for a system, or directly for financial details. These should be easy to spot, but some people still respond with the information requested, both in real-world attacks and in simulated phishing campaigns run to study how an organization responds.
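The telltale signs above (a look-alike sender domain, urgency, requests for credentials or gift cards, links, and risky attachments) can be turned into a simple triage script that a security team can run over a forwarded message before a human looks at it. The Python below is an added example, not code from the original post or from Critical Insight. It assumes a constructed list of trusted domains, a small hypothetical table of confusable characters (zero for o, one for l, and so on), and two constructed sample messages; it flags each sign it finds rather than making a verdict, which is the right posture for a first-pass filter.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Domains the organization genuinely corresponds with (constructed list for this example)
TRUSTED_DOMAINS = {"example.com"}

# Character swaps commonly used to build look-alike domains (hypothetical, deliberately small table)
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

URGENCY_PHRASES = ("urgent", "immediately", "right away", "act now", "within the hour")
SENSITIVE_REQUESTS = ("gift card", "password", "login details", "wire transfer", "bank details")
RISKY_EXTENSIONS = (".doc", ".docm", ".xls", ".xlsm", ".ppt", ".zip", ".iso", ".html")


def normalize(domain: str) -> str:
    """Collapse confusable characters so 'examp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches domains that differ by one extra, missing or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is not a look-alike."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    n = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if n == normalize(trusted) or edit_distance(n, normalize(trusted)) <= 1:
            return trusted
    return None


def assess(raw_message: str) -> dict:
    """Check an RFC 5322 message against the telltale signs; more flags means more suspicious."""
    msg = message_from_string(raw_message)
    _, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    body, attachments = "", []
    for part in msg.walk():  # walk every MIME part, collecting text and attachment names
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            body += part.get_payload(decode=True).decode("utf-8", errors="replace")

    text = (msg.get("Subject", "") + "\n" + body).lower()
    flags = []
    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"sender domain '{domain}' looks like trusted '{imitated}'")
    elif domain not in TRUSTED_DOMAINS:
        flags.append(f"sender domain '{domain}' is not a known correspondent")
    if any(p in text for p in URGENCY_PHRASES):
        flags.append("urgency language")
    if any(p in text for p in SENSITIVE_REQUESTS):
        flags.append("asks for credentials, payment or gift cards")
    if re.search(r"https?://", body, re.IGNORECASE):
        flags.append("contains links to follow")
    for name in attachments:
        if name.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"attachment '{name}' has a risky file type")
    return {"sender_domain": domain, "flags": flags, "score": len(flags)}


# Constructed sample: the "CEO at a conference" scenario, sent from a look-alike domain.
SUSPICIOUS_MESSAGE = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e.com>
To: staff@example.com
Subject: Urgent - need this before my keynote
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

I'm at the conference and need you to buy gift cards right away and send me the codes.
Details are in the attachment and at https://example-payments.test/codes
--b1
Content-Type: application/octet-stream; name="details.docm"
Content-Disposition: attachment; filename="details.docm"

not-a-real-payload
--b1--
"""

# Constructed sample: a routine internal message from a trusted domain.
ROUTINE_MESSAGE = """\
From: "Bob Smith" <bob.smith@example.com>
To: staff@example.com
Subject: Agenda for Thursday
Content-Type: text/plain

The agenda is the same as last week. See you there.
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS_MESSAGE, ROUTINE_MESSAGE):
        result = assess(sample)
        print(result["sender_domain"], result["score"], result["flags"])
```

The look-alike check normalizes both the sender domain and each trusted domain before comparing, and allows an edit distance of one, so a single inserted or dropped letter is caught as well as a digit swap. Keyword lists like these are easy to evade and will produce false positives on legitimate urgent mail, which is why the output is a list of reasons for a human reviewer rather than a block decision.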

What to Tell Staff

It’s a sad reflection on the world, but a good starting point for avoiding phishing attacks is for everyone to treat every email that asks for information, contains links to follow, or carries attachments to open as hostile, and to do none of those things without independently verifying that the email comes from a trusted and known source, using a channel separate from the email itself. Staff can do this by telephone, through a different messaging system such as Slack or Teams, or in person if the sender is in the same office.

Any suspicious email should be forwarded to the IT cybersecurity team for verification (without disclosing any private details, of course).

Critical Insight runs regular free online webinar sessions on cybersecurity awareness, covering common phishing attack methods and other common tactics cybercriminals use. Visit our Events Page to learn more. And use the form below to arrange a chat with our cybersecurity experts, who can help your organization prepare for and defend against phishing attacks.