What is Phishing and How to Prevent it?

Wherever we are, whether online or in person, you will always hear us talk about how DMARC prevents phishing. We’re sure you heard us tell you to protect your domains against phishing at least once. Or what about: “91% oF AlL cYbEr AttAcKs BEgIn WiTh a PhiSHiNg EmAiL!!” And the response is always the same: “Okay, DMARC Advisor! We get it! But what is phishing exactly?”

That’s a good point and a legit question. We have been trying to avoid this subject for far too long. But you are now old enough to finally hear the truth about phishing from us. Especially after all these years of scaring you, we owe it to you. We have to explain why you need to be aware of this form of email abuse. Why is it so dangerous?

Most importantly, how can phishing be prevented? So, make yourself comfortable. It’s story time.

What is phishing?

Once upon a time, a Windows application called AOHell was created by teenage hackers. According to its manual, it was made to “annoy others, get free service, and other things. […] You can also use it to get other people’s passwords and credit card information.” To describe this functionality, the program allegedly contained the first mention of the term ‘phishing.’

While the AOHell program was only meant for AOL and its users, phishing quickly became widespread, growing more sophisticated and wreaking more havoc by the year.

Phishing is a scam in which a criminal uses devious methods to obtain sensitive information. This is done, for example, through a spoofed email that is meant to give the impression that it comes from a legitimate, trusted source.

What is a phishing attack?

A phishing attack occurs when a criminal attempts to steal your personal information through deception. This information could include private data such as your login credentials, credit card details, bank account information, or even your identity.

In the case of a company, a phishing attack often means that a criminal pretends to represent your business, for example to steal customer data, or to cause internal damage, often through BEC (Business Email Compromise) attacks. In this kind of fraud, criminals pretend to be the CEO of a company and try to extract money or sensitive information.

How does phishing work?

Phishing is a variation of the verb ‘fishing’ and illustrates the metaphorical act of using bait to ‘catch a big fish.’ The ‘bait’ is usually a spoofed email engineered to look as authentic as possible. Or, in some cases, the exact opposite. Because once upon a time, there was a Nigerian prince who…

Sorry, that is another story. I’m straying from the topic.

The spoofed email is often so professionally crafted that it looks exactly like it comes from your bank or the government. By making the message seem urgent, the sender hopes the victim will bite more readily.

The content of such a message can vary. Sometimes they say that, for example, they urgently need additional information from you. Sometimes, they ask you to pay an outstanding amount. They add a link to an equally corrupt website, asking you to perform a certain action, like entering your username and password. Sometimes, an email contains an attachment that, when opened, installs malware or ransomware.

The Impact of Phishing

But apart from impersonating a bank, criminals also use the domain of unsuspecting, hard-working entrepreneurs. That means it can also be done on behalf of your business. Criminals can use your domain to send out their malicious content.

They can easily spoof email addresses and use the same logo. Everything it takes to make it more realistic. And then they sit back and wait, hoping somebody will bite and reel them in. If people previously had a positive association with your brand, this will cause a significant dent in your reputation.

Alternatively, they can send messages to the financial department on behalf of, for example, the CEO, asking them to transfer large amounts of money. Here are a few good examples of the impact of phishing:

Types of phishing

We focus our attention on email phishing, but email phishing takes many forms, some of which we highlight below.

Spear phishing

This primitive, original way of catching fish has been revived and given a modern equivalent. Spear phishing attacks are aimed at a specific target instead of fishing with a net, trying to catch as many fish as possible. Evil phishermen use highly personalised emails that are fully tailored to the target. The victim has often been investigated in advance. This way, they can offer relevant content and use the names of people they know, such as colleagues. Sometimes, fake attachments are also added with a reference to the recipient’s specific field of expertise. As a result, the success rate of these scams is reasonably high.

Whaling

To stay with the fishing metaphor, this means going after the big boys with a digital harpoon, so to speak. Criminals use spear phishing to target only high-profile people, like CEOs. Here, too, the content of such a message is fully adapted to specific situations that are recognisable for the victim.

CEO Fraud

This technique works the other way around. The fraudster pretends to be a CEO and often tries to convince the lower-ranking victim to transfer money to a certain account. But you might understand that this bank account smells rather phishy…

How to recognize phishing emails?

At a glance, phishing emails are difficult to distinguish from real ones. Therefore, you should pay attention to the details if you doubt an email's authenticity. Be on your guard if you notice one or more of the following things in an email:

A false sense of urgency.

For example, an email stating that something is wrong with your account and that you need to log in immediately, or that you have to click on a link right away to handle an overdue payment. Be careful with emails that rush you into doing something.

Bad spelling and grammar.

While this is generally a good indication of a bad phishing email, we all know one colleague who also struggles with it, right?

A generic greeting.

Greetings like ‘dear user’, ‘dear sir or madam’ or sometimes even ‘dear’. Unless your spouse works there, you may assume that emails starting like that will not likely come from your bank. Or any company that knows your name, for that matter.

Suspicious links or attachments.

As mentioned earlier, the purpose of phishing is to use bait to catch a victim. This bait often consists of a malicious link, leading to a fake website designed to steal your sensitive information. Hover over the link with your mouse (without clicking) to reveal the target URL. This URL can help you determine whether the link is legitimate. Check it carefully for spelling mistakes and other things that arouse suspicion. Also, never open attachments if you have doubts about their origin or didn't expect such a document. You might infect your device with malware.

Email domains that do not match.

When you receive an email from DMARC Advisor, we understand you want to consume the content immediately. But if it says that something went wrong with the payment or that an immediate login is required to change certain information in your account, that may raise some questions. Then, it is wise to first look at the actual From: domain. Does it say @dmarcadvisor.com? Or is it coming from another domain, like @gmail.com or even @dmarcadvis0r.com?
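The warning signs above can be turned into a simple checklist that a mail filter or a help desk script applies to a raw message. The following is an added example, not DMARC Advisor's code; the sample email, the expected domain `dmarcadvisor.com` and the keyword lists are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample message built from the article's own warning signs; not a real email.
SAMPLE = """\
From: DMARC Advisor <support@dmarcadvis0r.com>
To: you@example.com
Subject: URGENT: your account will be suspended
Content-Type: text/html

Dear user,<br>
Something went wrong with your payment. Log in immediately to fix it:
<a href="http://login.dmarcadvis0r.com/verify">https://dmarcadvisor.com/login</a>
"""

URGENCY = ("urgent", "immediately", "suspended", "overdue")
GENERIC = ("dear user", "dear sir or madam", "dear customer")
# Characters commonly swapped for letters in lookalike domains (0 for o, 1 or | for l, $ for s)
CONFUSABLES = str.maketrans("01|$", "olls")

def host_of(url):
    """Strip scheme and path from a URL, leaving the host name in lower case."""
    return re.sub(r"^https?://([^/]+).*", r"\1", url.strip()).lower()

def looks_like(domain, expected):
    """True when the domain differs from the expected one but mimics it after de-confusing."""
    return domain != expected and domain.translate(CONFUSABLES) == expected.translate(CONFUSABLES)

def phishing_flags(raw, expected_domain):
    """Return the article's red flags that a raw RFC 5322 message triggers."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    flags = []
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if looks_like(domain, expected_domain):
        flags.append(f"lookalike sender domain: {domain}")
    elif domain != expected_domain:
        flags.append(f"sender domain does not match: {domain}")
    if any(word in text for word in URGENCY):
        flags.append("false sense of urgency")
    if any(greeting in text for greeting in GENERIC):
        flags.append("generic greeting")
    # A link whose visible text is one URL but whose href points elsewhere is classic bait.
    for href, shown in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        if shown.strip().startswith("http") and host_of(shown) != host_of(href):
            flags.append(f"link text shows {host_of(shown)} but points to {host_of(href)}")
    return flags
```

Running `phishing_flags(SAMPLE, "dmarcadvisor.com")` reports all four signs: the lookalike domain, the urgency, the generic greeting and the link that displays one address but leads to another.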

How to prevent phishing?

Much is being said and done to educate people about phishing and its possible dangers. Many people are aware of the red flags mentioned above. To prevent phishing emails from entering your mailbox, a spam filter might be of service. However, phishing tactics are constantly evolving and improving at bypassing spam filters, making it almost impossible to keep track.

We believe phighting phishing begins at the source. Anyone who registers a domain should take responsibility by implementing DMARC immediately. DMARC cuts the phishing line, preventing the hook from reaching the intended inbox. This keeps the internet clean and protects you and others from malicious parties. Don’t risk your reputation and let those phishermen get away with nothing!
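To show why DMARC cuts the line, here is an added example (not DMARC Advisor's code) of how a receiving mail server applies a domain's DMARC record: mail only passes when SPF or DKIM succeeded for a domain that is aligned with the visible From: domain, so a phisher's own server cannot pass on your behalf. The record, the domain `example.com` and the results are constructed, and the organisational-domain lookup is simplified to the last two labels.

```python
def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    """Simplified organisational domain: the last two labels (a real receiver uses the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same organisational domain."""
    if not auth_domain:
        return False  # that authentication method did not pass at all
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(record, from_domain, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass' if SPF or DKIM passed for an aligned domain, otherwise the p= action."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "none"  # no usable policy published
    spf_ok = aligned(from_domain, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_pass_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")

# Constructed policy for a hypothetical domain: reject unaligned mail, strict DKIM, relaxed SPF.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r"

if __name__ == "__main__":
    # Legitimate newsletter: SPF passed for a subdomain, relaxed alignment accepts it.
    print(dmarc_disposition(RECORD, "example.com", spf_pass_domain="news.example.com"))    # pass
    # Phisher's server: SPF passes for its own domain, which is not aligned with the From: domain.
    print(dmarc_disposition(RECORD, "example.com", spf_pass_domain="phisher.example.net"))  # reject
```

The `rua=` tag in the record is where receivers send the aggregate reports that let a domain owner see who is sending mail in its name.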

[Images: Phisherman before DMARC; Phisherman after DMARC]

Report Phishing

Another thing you can do is report phishing emails to the Anti-Phishing Working Group (APWG). This global organisation is a group of professionals in different fields with one common goal: “eliminating the identity theft and frauds that result from the growing problem of phishing, crimeware, and e-mail spoofing.”

Any suspicious or malicious email you receive can be forwarded to the APWG for further analysis. By reporting phishing attempts, you help the APWG identify new threats, warn others, and remove malicious websites associated with these scams.

Find out what to do on the APWG website.

The End… Or is it?

That was a scary story, wasn’t it? Don’t let it give you nightmares, though. DMARC is here to protect you from evil monsters. Not the kind of monsters that hide under your bed or in your closet, but in your email traffic. BRRRR.

It seems like only yesterday that a rebellious little Windows application annoyed people on a small scale. Today, phishing attacks that cause millions in damage are a common global threat. Every day, we have to be more careful with the emails we receive.

The moral of this story? Phishing is likely to continue for a long time, with many victims who do not live happily ever after. So, it’s up to all of us to fight email abuse such as phishing. We could all be heroes. Let’s hope that one day, this story becomes one of history rather than one of fear.

Until then, to be continued…
