Anatomy of a Phishing Attack
Step 1: An attacker sends a generic email (phishing) or a more specific email to a target group (spear phishing). The email will appear to originate from a trusted source and entice you to click on a link that will either download malicious software or bring you to a website.
In the first scenario, clicking the link will cause you to download malware, usually in the form of a keylogger. The keylogger will capture your keystrokes to acquire passwords and send these back to the attacker.
In the second scenario, you will be redirected to a website that attempts to trick you into entering confidential passwords or sensitive information. These sites are usually disguised to look like common websites such as an email or online banking login page.
Step 2: The attacker now has your password credentials and can access the system as you. This can be a system as simple as your email program or as big as your corporate network. Most people use the same password for several systems, which provides the attacker with access to those systems as well.
Step 3: Now the attacker can export data from the systems he has access to. The attacker can also impersonate you and possibly perform actions on your behalf.
Example Phishing Attacks
Here are just a few examples of phishing attacks that have occurred at organizations of all sizes:
- Hackers broke into a system operated by a church in Des Moines, Iowa, stealing more than $680,000 the church had raised to help homeless and abused women. The attack appears to have been an account takeover that started with spear phishing.
- Seven years’ worth of church files were encrypted in a ransomware attack after a church in Sioux City, Iowa received a phishing email titled “job application – please see attached CV.”
- A ransomware attack affected a group of 46 churches within the Bristol and South Gloucestershire Methodist Circuit in England after an employee opened a spear phishing email containing a malicious attachment. The email was sent in response to an employment ad. The attack resulted in the loss of an entire database of financial records.
- A phishing email scam resulted in a data breach of the human resources system at the University of Virginia. Direct deposit banking information and the W-2s of approximately 1,400 employees were compromised.
- Current and former employees of Tidewater Community College in Norfolk, Virginia had their personal information stolen in a tax season phishing scam. An employee in the school’s finance department received a request from a fake Tidewater email address asking for all employee W-2 information. Not realizing the e-mail was fake, the employee responded with sensitive information including names, earnings, and Social Security numbers.
Top 5 Lessons Learned
- Training is vital – All employees need to be educated on the appearance and risks of phishing. Do not click on links in emails and encourage your users to use different passwords for different systems. Be sure to check out our Cyber Checkup, which includes a phishing test.
- Email is not secure – Email is not a secure method of transmitting sensitive information. Data at rest and data in transmission can be accessed by unauthorized individuals. Not only do you have to be concerned about your email credentials being compromised and utilized, but you also have to be concerned with email downloaded on computers, laptops, home computers, and mobile devices.
- Know the notification requirements – Various laws and regulations require organizations to notify the victims within a certain timeframe. Know the requirements your organization is required to follow.
- Increase email security – Multi-factor authentication on email is a growing trend. Options include out-of-band authentication or IP address restrictions.
- Finally, ensure the controls you put into place are operating as intended. A school system in Louisiana lost $46,000 through wire transactions thanks to targeted phishing emails. Although there were dual-authorization procedures in place that may have helped catch the fraudulent requests, the procedures were not followed.
Contact us at email@example.com to learn more about how our cybersecurity services can help protect your organization from phishing or other types of cyber attacks.
Lisa is a partner at Traina & Associates, a CapinCrouse company. She uses her more than 30 years of experience to assist organizations in implementing measures to secure data and manage risks efficiently and effectively. She is a nationally recognized speaker and author, and serves on the AICPA Cybersecurity Task Force. Lisa founded Traina & Associates in 1999 to provide IS security services to a broad range of industries. Traina & Associates joined CapinCrouse in January 2017.