Phishing Test: Check Your Phishing Resilience

What is phishing?

Phishing is one of the most prominent forms of cybercrime, designed to take advantage of a person’s trust and steal their personal information. When phishing, the attacker presents themselves as a trustworthy, legitimate entity or institution and tries to obtain confidential or sensitive information from their target. Phishing attempts make a leading cybersecurity threat, and according to Statista, 54% of ransomware infections in 2020 occurred by phishing and spam emails.

According to Webroot, a security company, phishing attacks have intensified since the beginning of the Covid19 pandemic – in a recent report, Webroot presented the following statistics – 1 in 5 people worldwide have received a phishing email related to Covid19.

3 in 10 workers worldwide have clicked on such an email.

Although there is an ongoing debate on the efficiency of security training as a prevention method, phishing tests are a norm in many organizations worldwide, with either simulated phishing attacks or by undertaking phishing training in the form of multiple-choice questions.

Why do phishing attacks occur?

Phishing attacks have a single purpose – to steal a target’s sensitive data and perform identity theft. The data can include personally identifiable information (PII) like names, passwords, banking and credit card details, SSN, and more. The attackers can later use the obtained details to blackmail the victim (i.e., ask for ransom).

What are the types of phishing attacks?

Phishing by email is, undoubtedly, the most common type. But cybercriminals do get more creative every day, so today, phishing takes numerous different forms.

• Standard email phishing – The attackers are attempting to steal PII via email that appears to have a form of an email sent by a legitimate organization or sender. Email phishing scams are generally not targeted, but happen en masse.
• Spear phishing – phishing attacks directed at specific individuals, businesses, or political organizations. Very often, the victims are high executives and public personas. The attackers tailor the attempts with background knowledge about the victim, making them more dangerous. They are well-crafted and appear trustworthy.
• Smishing (or SMS phishing) – attacks that use text messages via carriers as bait, with the usual phishing goal: retract personal details and sensitive information. They can be disguised as prizes or account notifications.
• Vishing – the word is a blend made out of “voice” and “phishing,” and refers to phishing attacks that use VoIP (voice over internet protocol) technology. The attacks forge caller ID as trustworthy and persuade the victim target to disclose personal details or banking details. Most commonly reported vishing attempts are made to sound like someone from the target’s bank, technical support or a government official is on the phone.
• Clone phishing – uses a previously sent or received email containing links or attachments. As a “clone”, it is almost a perfect copy of the original email, except it replaces links and attachments with a virus or malware.
• Angler phishing – occurs when the attacker poses as customer support from a trusted company on social media. The attacker attempts to convince the target to share personal information, most commonly including login details. Another reported form of angler phishing includes a redirect link to send the target to a fake customer support page. By clicking on the link, the target’s computer automatically installs malware.
• Pharming (also known as DNS poisoning) – redirects traffic from a trusted, legitimate website to a fake website. Pharming involves DNS server software corruption or the local network router targeting.
• Whaling – this type of phishing targets high-profile business accounts. Whaling performs scams often using the story of a complaint, legal issue or subpoena, or some other C-level problem.
• Filter Evasion – Phishing detection tools such as phishing filters and anti-phishing toolbars are popular among regular users for their simplicity. Filter evasion attacks avoid the phishing filters by corrupting DNS cache entries and using rogue access points for hosting phishing sites.
• Content spoofing (also known as content injection phishing), occurs when the attacker changes elements or the entire content of a reliable website page. The revised part or page redirects the target to another site, where the attacker obtains the target’s personal information.
• Search engine phishing is a relatively new type of phishing attack where the attackers don’t use email correspondence to set the bait. Instead, they build their own site where they offer amazing deals or cheap products. They even get their sites indexed by search engines, and show up in organic search results, which makes them more difficult to recognize as fraud.
• Tabjacking, or tabnabbing – uses the opportunity when the victim has multiple open tabs to load and redirect the user to a fraudulent site to obtain the target’s personal information.
• Man-in-the-middle phishing – or MITM attacks feature three participants: the target, the entity that the target communicates with, and the “man in the middle,” whose tactic relies on intercepting the victim’s communication with the entity. Such attacks are often conducted by creating phony Wi-Fi hotspots at public places like shopping malls, airports or coffee shops. These attacks typically have two phases – interception and decryption. The attacker finds a vulnerability in the target’s internet connection (e.g., when the target connects to a poorly secured Wi-Fi hotspot), followed by deploying tools for interception so that they can read the victim’s transmitted data.
• BEC (short for Business Email Compromise) – This type of attack involves an non-legitimate email that seems to be from someone working in the target’s company and requesting urgent action, most commonly involving money or gift cards.

How to recognize a phishing scam

Phishing scams are becoming more and more sophisticated. The attackers can successfully mimic any kind of trustworthy entities, from family and friends to banking institutions or government organizations.

Still, there are some phishing scam indicators, typical identifiers that can help you perform a phishing scam test before you take the bait are the following.

• Non-personalized, generic salutations can mean the source of an email is not legitimate, as most legitimate sources will use your name in the greeting. Be careful with messages like this, especially if they offer something or convince you to take some action.
• Poor grammar and spelling is a typical sign of phishing because most commonly, attackers are from a different country than their targets. The mistakes include poor spelling, grammar, and even the improper use of idioms. Be careful not to click on any links provided in a message like that, even if they seemingly come from a legitimate source.
• Urgency – Although a sense of urgency is one of the popular marketing conviction methods, emails with a subject that advertises a limited time offer, threaten account suspension, have the urgent mark, etc., are probably phishing attempts. It’s best to avoid replying, but if you believe you’re wrongfully ignoring a legitimate message, try contacting the source directly instead of opening the email.
• Asking for donation – These often occur in the immediate aftermath of a natural disaster or another event of significant impact. The attackers count on their targets’ compassion and ask for donations. Always check the legitimacy of the charitable organization, and follow the official donation path on their website instead of following the link sent to you via SMS, social media message, or email.
• Suspiciously generous offers – From amazing sale deals, offers to make easy money or anything that would excite a naive person, emails containing unrealistic offers are certainly to be avoided.
• Odd, unexpected attachments – Pay extra attention to suspicious attachments, as they typically contain either ransomware or a virus. Unless you were expecting an attachment, you shouldn’t open it.
• Hyperlinks – Similar to suspicious attachments, hyperlinks within email messages will compromise your safety. Most commonly, they will install malware upon your clicking on them. The hyperlink displayed text may appear from a legitimate source, but a simple hover over the link will display the complete source URL.
• Unusual time of the day – As one of the staple signs of a phishing attempt, receiving an email during odd hours rather than the typical 9 to 5, is a red flag. Your bank or local court would not send you an email at 2 am, so keep that in mind.

How to protect against phishing scams: prevention tactics

One of the key strategies for many businesses is to implement anti-phishing efforts. Taking an organization-wide phishing test every six months is one of the most common ways to determine your company’s cyber resilience. Another one is educating employees through phishing training sessions.

Here are a few things you can keep in mind to avoid the damage of these attacks – the main thing to remember is consideration, vetting, and reporting.

• Never share passwords with others – under no circumstances will any legitimate entity ask you to do it.
• Never share personal details via email, SMS, social media messages, or through the links in any of them.
• Although this seems unnecessary to highlight, do not clink on odd links.
• Never open attachments from unknown senders if you don’t expect to receive them. If you receive an email containing attachments without heads-up, it’s better to consult the source whether they were intended.
• Use sandboxing for inbound emails to check and filter out suspicious emails and files. Sandboxing is a practice that can help prevent your host systems and devices from being exposed to threats and is one of the most efficient threat detection practices.
• Report any phishing attempts to the appropriate authorities or a member of the IT department at your organization.
• As an organization, implement spam filtering, regularly updated firewalls, and anti-phishing software.
• Organize a random phishing test to keep your employees alert.
• Trust your gut. If an email or another received message seems odd, do not open it or click on any links and attachments.
• Keep your cyber-security tools and software up to date and stay alert to the latest phishing techniques. Always look for the best cybersecurity practices.

Employee phishing training and phishing test

The best defense against phishing attacks, on top of anti-phishing tools and spam filters, are your well-informed employees. According to KnowBe4, 37.9% of employees will fail a phishing test when unprovided with regular training. It’s essential to invest in employee cyber resilience training to avoid damaging your reputation and business.

Make sure you conduct regular phishing training for new and existing employees and organize phishing tests every six months to check employee alertness and readiness.

Here are some free online phishing tests to try:

Phishing Test by PhishingBox – Takes 5-15 minutes to complete and consists of 10 multiple-choice questions.

Google + Jigsaw’s Phishing Quiz – 8 email templates to see whether your employees can tell the difference between legitimate and phishing emails.

Employee phishing simulation by uSecure – With no installation needed and a 14-day free trial, you can use this simulation to test your employees’ alertness to even the most sophisticated forms of phishing.

Keeping an eye on security goes hand in hand with securing your company from data loss. At Jatheon, we provide tools for data archiving, both on-premise and on the cloud. If you need a resilient business with full data coverage, get in touch with us or order a demo.

About the Author

Steven Tobolar

Steven Tobolar is Jatheon’s Head of Tech Support and an experienced engineer specializing in large-scale migration projects, AWS, Exchange Servers, and Microsoft Azure. Outside work, he enjoys reading, movies, off-road driving, and mountain biking.