Bytagig continues to celebrate the 20th anniversary of Cybersecurity Awareness Month with a focus on phishing. It’s a topic that comes up frequently, for good reason. Spearing phishing and all forms of social engineering pose a serious threat to even clandestine cybersecurity postures. In September 2023, for example, entertainment giant MGM observed a severe breach of its casinos due to social engineering, rendering multiple services null for a brief period.
By now, you’re aware of what phishing emails can do. In some cases, how they happen. Understanding a phishing email goes beyond a cursory glance at the techniques involved with it. Phishing involves preying on emotion, as extreme emotions can quickly override logic and critical analysis.
Malicious actors utilizing phishing attacks target several “dominant” emotions that can dodge security protocols.
The shortlist of them is:
- Fear and intimidation
- Urgency/Emergency
- Social links/social manipulation
- Curiosity
- Opportunistic/material-driven
- Authority/administrative
- Impulse
Let’s quickly break each down. You’ll find them familiar and have no doubt encountered phishing schema in some capacity, be it in a professional setting or otherwise.
Fear and intimidation
Phishing messages and emails in this category attempt to intimidate the recipient. Sometimes it’s with threats of blackmail, other times the message claims the sender has access to private data or information.
Urgency or emergency
If we think there’s a serious problem, we’re likelier to react to it without thinking. Phishing messages of this type prey on our sense of urgency. For example, the message might claim there’s a problem with your bank account or an unauthorized transaction somewhere, providing a “link” to correct it. Since financial fraud is something that can happen, it’s easier to believe.
Social manipulation
Phishing campaigns also exploit trusted connections or established social ties to dupe their targets. It’s easier to trust someone you know on a personal or professional basis. Therefore, receiving a message or inquiry from a trusted social link is an ideal foundation for phishing attacks.
You might think you’re receiving a message from a friend or coworker, or even administrator. But depending on the nature of the message, it could be malicious in nature.
Curiosity
While more common in spam phishing and junk messages, “curiosity” as an emotional driver is still something to watch for. Phishing emails using “curiosity” might imply financial reward or additional information about a subject. It could be benign in nature. The goal is to get the recipient to click on a provided link or visit a compromised domain.
Material-driven or opportunistic
Harkening back to the earliest days of phishing scams, these messages imply there’s something to be gained by accessing the contents, or by responding to the sender.
Typically, these emails and messages are mass-sent and prey on vulnerable people looking for quick financial boosts (or otherwise).
Authority and/or administrative
Getting a message from an administrator is another effective phishing schema. After all, a notice from a trusted source of authority is less likely to be questioned by staff (or other recipients). What if a worker receives a message related to a password reset or other valuable information? Unless zero-trust has been enabled or other cadences to identify a phishing scheme, it’s another efficient strategy utilized by malicious actors.
All of these are the criterion for emotional drivers in phishing scams. Once again, the goal is to override critical thinking so the recipient(s) respond quickly. In busy environments, these can be hard to detect, even with zero-trust policies in place.
How do we combat phishing?
Hackers and malicious parties have access to numerous resources. More than ever, they’re able to launch full-scale attacks without complex knowledge of IT systems. All they generally need is a contact list, an injection method, and a way to compromise a network.
Thus, it’s harder to effectively thwart their techniques. But it’s not impossible, and should not be treated as such. Because, even though hackers have resources available to them, so do companies and the general public. Once more, some basic knowledge and cautionary measures are more than enough to protect against even the most dangerous attack types.
But that’s why phishing is the go-to for hackers. Today, resilient architecture, anti-malware, and network monitoring create enough “roadblocks” that threat actors prefer not to deal with. They want the easiest path, something granting them access to administrator privileges to hop over the established cybersecurity architecture. If they can convince a staff member or otherwise compromise login details, they will. It’s why, unfortunately, phishing remains effective.
Today, organizations have to worry about business email compromise campaigns and social engineering. The question, therefore, is how do we combat phishing?
For Cybersecurity Awareness Month, the keyword is just that: awareness. Administrators and IT teams should take the time to establish awareness and education regarding phishing. Even cursory knowledge about social engineering can help mitigate the dangers associated with phishing attacks. Zero-trust, where staff must deploy a strategy of “trust only after verification” is another method worth considering if you have a complex network with different communication layers.
For personal use and individual instances, recipients of strange emails should always practice extra caution. Any email containing a link with the emotional drivers we’ve discussed is reason for suspicion.
But, even with awareness techniques, identifying phishing messages proves difficult. Phishing comes in a variety of forms, from SMS texts to phone calls to even messages on social media apps. Our only true defense is sound judgment.
To finish up, here are several quick tips if you suspect a phishing attempt:
- Identify the goal of the email – is it trying to get you to click on links?
- What is the subject of the email – personal, official, or financial?
- Note who is contacting you and check the sender’s address; if it’s unfamiliar, avoid it
- If there is another way to verify a claim (bank account transaction, for instance) always double-check the official source first
It’s not easy to thwart phishing emails and social media schemes, but also not impossible. In some cases, it’s also worth investing in third-party resources for additional help.
Bytagig is an MSP with provisionary IT and cybersecurity tools. We’re also equipped with resources to identify phishing techniques and provide data protection services in case of a breach event.
For more information, you can contact us today.
