Phishing

Phishing is an attempt to steal your sensitive data—such as username, password, or social security, bank, or credit card account number—for the purpose of personal gain, espionage, or other malicious intent.

Phishers pretend to be a legitimate organization —such as a bank, utility company, or university—requesting that you provide or verify your sensitive data. They then use that information to transfer money from your bank, use your credit card, download malware or viruses to your device (and potentially your network), or take advantage of your login credentials to gain direct access to your organization’s networks, systems, and data.

Common phishing tools include:

  • Emails, text messages, or social media containing a link to a fake website or malicious .exe file.
  • Email attachments containing macros enabling a malicious .exe file, a Remote Access Trojan (RAT), or ZIP file with malicious JavaScript or Windows Script Host files.
  • Phone call requesting your sensitive data.
  • Malware-infected popups that request and then capture your sensitive data as you input it.
  • Malware-infected legitimate websites that automatically redirect you to a fake website that captures your login credentials as you input the information.

The success of a phishing attack depends on mimicking an organization’s official correspondence and website or seeding a legitimate website with malicious code.

Threat Description

The five most common phishing attacks are:

#1: Generic Phishing. Phishers contact you via email, text, social media, or even phone with a generic message that they need to verify or confirm your sensitive data. Phishers often say they need this data because they are updating their system, correcting a technical error that damaged some of your data, alerting you to unauthorized or suspicious account activity, claiming that your account will be suspended, correcting an account discrepancy, offering a refund or reward, or similar reasons. The phisher’s message will include a link to a legitimate-looking but fake website used to capture and steal any information you provide.

#2: Spear Phishing. Phishers customize their email, text, social media, or phone message using your publicly-available information—such as name, company, job title, work phone number, associate or friend’s name—to mislead you into believing they are a trusted messenger providing a link to a legitimate website, video, or article. Social media sites, such as LinkedIn, Facebook, Twitter, and instant messaging or commenting sites, are fertile grounds for spear phishing attacks by either providing information about you or allowing the phisher to pretend to be a trusted connection.

#3: Whale Phishing. Similar to a spear phishing attack, whale phishers only target an organization’s senior executives with the intention of getting the person to either directly initiate financial or other transactions that benefit the phisher or provide sensitive data that the phisher can use to impersonate the executive and perform malicious activities.

#4: Pharming. As people become more aware of phishing attacks, phishers are moving to pharming attacks. In this type of phishing attack, a phisher cache poisons the domain name system (DNS) process of using DNS servers to convert an alphabetical website name (e.g., adobe.com) into a numerical IP address (e.g., 192.150.18.0).

With cache poisoning, phishers can change a website’s legitimate IP address to redirect you to a fake website, even if you type the correct website name. When you enter your login credentials or other sensitive information on the fake website, phishers capture that information.

In addition, if you click a malicious link on the website, malware or viruses could be invisibly downloaded to infect your laptop, mobile, or other device (and potentially, the organization’s network).

#5: SaaS Application Phishing. Phishers use a combination of traditional phishing and pharming methods to direct you to a fake login page for SaaS applications such as Box, Dropbox, and Google Drive. After capturing your login credentials, the phishers will send you to the legitimate website or request that you re-type your credentials and then send you to the legitimate site.

Mitigation Methods

Mitigating phishing threats requires a combination of policies, procedures, positive social engineering, and technologies.

Policies, Procedures, and Positive Social Engineering Strategies

  • Don’t click links or download attachments in messages requesting that you provide or verify your sensitive data.
  • Confirm whether emails requesting financial transactions or sensitive data were actually sent by the executive, associate, or friend.
  • Only provide your sensitive data on a website for which you typed the web address.
  • Use two-step authentication to accounts containing your sensitive data.
  • Don’t list employee email addresses on your website.
  • Scan the Internet for exposed addresses and/or credentials

Technology Strategies

Identity Governance: Ensure appropriate user privileges, according to principle of least privilege based on functional unit and role. Audit for excessive, inappropriate, and unused user privileges. Restrict usage of shared-privileged accounts.

Authentication: Authenticate devices as well as the user attempting to access organizational data.

Behavioral Analysis: Create a behavioral baseline profile or ‘whitelist’ of typical patterns of access to databases, file shares, and cloud-based applications based on functional unit and role; and then spotlight the riskiest users, client hosts, and servers so security teams can prioritize investigation of any anomalies.

Deception: Leverage strategically-placed hidden files to detect compromised user threats and block the infected user or endpoint if there are any write or rename actions on the deceptive files.

Detection and Blocking: Provide real-time monitoring and auditing of data usage, including the “who, what, when, where, and how” of the transaction. Review and manage user access rights to sensitive data. Alert and report on any deviations from corporate policy or behavioral baseline profile. Block user access when unusual activity is detected.

Investigation and Response: Use real-time alerts and auditing details to identify trends, patterns, and risks associated with data access. Prioritize open incidents by both severity and specific user, server, or client host. Drill deeper into a specific incident to determine data access and usage, compare with behavioral baseline profile, and then either close the incident or whitelist authorized behavior.

Learn how Imperva solutions can help you mitigate insider threats.

You might be interested in:

Insider Threats

Insider threats, as the name suggests, originate with an organization’s insiders — its current or past employees, business…

Learn More

Privileged User Monitoring

Privileged users — typically DBAs, network engineers, security practitioners, cloud custodians — require unrestricted access to servers, networks,…

Learn More
Live Chat Agents Unavailable