Pentester Insight On Phishing

Even if your company secures its website and business network, it is still vulnerable to phishing attacks, because humans are the weakest link in security. Cybercriminals know that people are much easier to manipulate than technology is to hack. The situation becomes even graver as the COVID-19 crisis continues: everyone is worried about cyberattacks, and that anxiety gives attackers an extra edge over businesses and individuals.

In a recent report by the Anti-Phishing Working Group, the number of reported phishing attacks doubled from 2018 to 2020. In business email compromise scams, the average fraudulent wire transfer request increased from $48,000 in Q3 to $75,000 in Q4 of 2020. Verizon says 36% of all confirmed breaches in 2021 involved phishing.

A strong defense is the best offense. The most reliable way to build defenses is to learn about phishing attacks. Penetration testing gives you specific actionable insight into how phishers trick users, and this knowledge forms the foundation for security awareness training that works. Here’s a summary of phishing email elements that help make users slip up, but keep in mind that no two phishing emails are the same.


Pentesting Insight

When you’re attacking a business, you send out fake emails with links or attachments that lead to fake login pages or Microsoft Office documents with viruses. In a classic pentesting exercise, security professionals send employees messages from a fake person asking for account credentials or information about the company.

Sometimes, the bait is just a simple link or file attachment, and only white-hat security researchers can see what is happening. But in most cases, the attack will be true-to-life and the macro-based payload will give researchers complete access to a target computer. This gives pentesters an idea of how reliable security defenses are and also helps them see how hackers work.

A key component of the phisher’s work is to make the fraudulent email feel as real as possible. It has to fit the context of the phishing scheme. The ideal message will pretend to be someone who is highly ranked in your business. The attacker will want to send this message to higher-ranked employees or partners, to make them feel important or trusted.

If your goal is to hack a computer, it would be best to target someone in accounting; you would then send an email that looks like it’s from their boss. It will probably say something like “Please check the wire transfer credentials.”

In most cases, phishing emails try to pressure users into taking action immediately. To achieve this, scammers often create a false sense of urgency. However, it’s important that the email is written well. Misspellings and other errors can make an employee suspicious, and that can ruin a phishing campaign.


The Pentesting Findings

In most phishing tests, employees are more likely to open an email attachment than fill out a web form. They’re even more likely to do so mere moments after receiving the message.

The best email subjects are related to corporate perks such as employee discounts and bonus programs from affiliated businesses. About a third of recipients engage with messages like that in some way. Emails that instruct staff to read new corporate policies and other documents associated with enterprise culture come second.

Scammers like to attack during bad news, like terror attacks and natural disasters. They also like to advertise fake promos and freebies around the holidays. The holidays are known for massive phishing scams.

When you’re crafting a targeted email, the likelihood of success increases. Using open-source intelligence, you can find all sorts of details that help you craft a spear-phishing message that strikes the right chord. In pentests, I’ve seen that personalized emails that zero in on one to three employees have a 100% success rate. But as soon as the number of potential targets grows, so does the subject line.

Despite the growing risks of phishing, most employees remain ignorant when it comes to online threats. They often ignore red flags such as unfamiliar senders, requests to disclose credentials, and typos in the domain names of impersonated companies.
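The red flags listed above (an unfamiliar sender, a request to disclose credentials, a lookalike domain) and the "boss from outside the company" pattern described earlier can all be checked mechanically before a message reaches a user. The following is an added example, not code from this post or from any product mentioned in it: a small Python scorer that parses a raw RFC 822 message and reports which of those indicators it finds. The company domain `example.com`, the trusted-sender list, the executive name, and the two sample messages are all constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data for a hypothetical company (assumption, not real data).
TRUSTED_DOMAINS = {"example.com", "partner-bank.example"}
KNOWN_SENDERS = {"ceo@example.com", "payroll@example.com"}
EXEC_NAMES = {"jane doe"}  # display names an impersonator would most likely borrow

# Phrases typical of credential harvesting, wire-fraud lures and artificial urgency.
CREDENTIAL_RE = re.compile(r"\b(verify|confirm|check|update)\b[^\n]*\b(password|credentials|login|account)\b")
WIRE_RE = re.compile(r"\bwire transfer\b")
URGENCY_RE = re.compile(r"\b(urgent|immediately|right away|within 24 hours|asap)\b")


def normalize_domain(domain):
    """Undo common lookalike tricks: 'rn' for 'm', 'vv' for 'w', digits for letters."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def levenshtein(a, b):
    """Plain edit distance, used to catch near-miss spellings of trusted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    nd = normalize_domain(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if nd == trusted or levenshtein(nd, trusted) <= 2:
            return trusted
    return None


def analyze(raw_message):
    """Return a list of (code, detail) red flags found in one raw email message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    flags = []

    if addr.lower() not in KNOWN_SENDERS:
        flags.append(("unfamiliar_sender", addr))
    target = lookalike_of(domain)
    if target:
        flags.append(("lookalike_domain", f"{domain} resembles {target}"))
    if name.lower() in EXEC_NAMES and domain not in TRUSTED_DOMAINS:
        flags.append(("exec_impersonation", f"'{name}' writing from external domain {domain}"))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        flags.append(("reply_to_mismatch", reply_to))
    if CREDENTIAL_RE.search(text):
        flags.append(("credential_request", "asks the reader to verify or supply credentials"))
    if WIRE_RE.search(text):
        flags.append(("wire_transfer_lure", "mentions a wire transfer"))
    if URGENCY_RE.search(text):
        flags.append(("urgency_pressure", "uses time-pressure language"))
    return flags


# Constructed sample messages (not real traffic).
SAMPLE_PHISH = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@mail-example.org
To: accounting@example.com
Subject: Urgent: please check the wire transfer credentials

Please verify your login credentials immediately so the wire transfer clears today.
"""

SAMPLE_LEGIT = """\
From: Payroll <payroll@example.com>
To: staff@example.com
Subject: Updated holiday schedule

The office is closed on the 25th. No action is needed.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(raw))
```

Each hit is reported separately rather than folded into a single score, because a training team gets more out of "this message spoofed an executive and used a lookalike domain" than out of a number; in a gateway you would combine the flags with whatever weighting your false-positive budget allows. The `Reply-To` check is an extra indicator beyond the post's list: it catches lures whose visible sender looks fine but whose replies are routed elsewhere.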


Staying Safe From Phishing

In the vast majority of cases, spear phishing attacks are easy to spot. If you have an attack that is too sophisticated for you, you may need to bring in the pros. In any case, remember these things:
  • Employees need to be aware of email-borne threats. They should be extremely careful when opening attachments or clicking on links, even if they seem trustworthy.
  • A reliable Secure Email Gateway solution is the best way to keep phishing emails away from your users, identifying them and stopping them before they reach the inbox.
  • Use a cyber security awareness tool to teach and test employees.
  • Tech staff should inform employees about the latest phishing tactics.

I hope this article was helpful, if you have any questions please feel free to contact me. If you would like to be notified of when I create a new post you can subscribe to my blog alert.
