What is email phishing?

Ultimately, these scams aim to exploit the recipient’s trust to gain unauthorised access to accounts, steal personal information or install malware.

In 2023, phishing attacks were the most common type of scam in Australia with over 108,000 reports.

How does email phishing work?

Before we delve into how email phishing works, it is important to explain social engineering and why it is critical to the success of email scams.

Social engineering is a form of psychological manipulation that motivates people to perform a certain action or reveal sensitive information. In short, it takes advantage of the fact that certain emotions and behaviours have the potential to override rational thought.

Here are just some of the ways the tactic is utilised.

1 – Trust and credibility

Attackers may pose as a bank, government agency or well-known company and replicate logos and email templates in email correspondence.

Others may send emails that appear to come from someone the recipient knows, which also adds credibility.

2 – Urgency and fear

To create a sense of urgency and/or fear in the victim, fraudsters send an email that conveys a need for action.

To that end, the fraudster may claim that the recipient’s account is at risk of imminent closure if they don’t confirm their details.

They may also:

• Emphasize that a lucrative offer is about to expire, or
• Claim that a debt is payable by a certain date (such as to the ATO).

3 – Emotion and curiosity

Attackers also craft emails that elicit sympathy or excitement, such as charitable donation requests after a disaster or notifications of a prize win.

Whatever the message, the intent here is to exploit the recipient’s emotions and provoke a reaction that clouds their judgement.

4 – Personalisation

Personalisation is one of the more common social engineering techniques.

Criminals gather personal information about the victim from social media (or past communications) to make the deception more convincing.

They may also pose as an authority figure within the company and use that sense of trust to deceive the victim.

5 – Technical deception

Phishing scams that involve technical deception take advantage of minor differences in email addresses or URLs that are hard to notice.

For example, a fraudster may substitute an “m” for “rn” and make users believe they are interacting with a legitimate email account or website.

In the latter case, victims may be directed to a duplicate site and be prompted to enter their credit card details, bank account numbers or other sensitive information.

The most common types of email phishing

Phishing as a term has been around since the 1990s and once described hackers who used email to “fish for” information from their victims.

Like many types of online fraud, however, phishing has grown in both sophistication and diversity and there now exist various sub-types.

Email phishing

The standard form of email phishing is also the most common. Here, fraudsters send mass emails that impersonate legitimate organisations and hope that a few victims take the bait.

The objective is to deceive recipients into revealing confidential information, clicking malicious links, or both.

Example

An email purportedly from a well-known bank informs a customer that their account has been compromised.

The email asks the user to click on a link to verify their account details. However, it leads to a fake website (that resembles the bank’s official site) where the customer’s username and password are captured.

Spear phishing

Spear phishing uses technical deception to target specific individuals within an organisation.

Attackers personalise emails with information about the victim to make them more persuasive, and these victims tend to be personnel with access to the resources the fraudsters want.

Example

Sony was the victim of a coordinated spear phishing attack in 2014.

Fraudsters researched employee names and titles on LinkedIn and then posed as co-workers in emails that contained malware. Systems engineers and network administrators with access to Sony’s network were asked to verify their Apple IDs because of purported unauthorised activity.

Ultimately, the perpetrators managed to steal over 100 terabytes of company data consisting of everything from financial reports to recently released films and information about employees and their families. The attack cost Sony an estimated $150 million.

Whaling

Whaling is a type of spear phishing where the CEO, CFO and other C-suite personnel or executives are targeted.

Example

A CEO receives an email that appears to be sent by a law firm that mentions a confidential and urgent legal matter.

The email includes a link to download important documents which, when clicked on, installs malware on the executive’s computer.

Clone phishing

In a clone phishing attack, fraudsters duplicate an email sent by a trusted organisation and replace attachments or links with malicious ones.

Example

A user receives an email in the form of a shipping notification from a courier service they’ve used before.

The email includes a familiar tracking link and features the courier’s logo, but the link downloads malware onto the user’s device. Other attacks may clone legitimate invoices and alter the account details to redirect funds to their account.

How to detect and prevent email phishing

Detection and prevention of email phishing requires a multi-faceted approach.

Employees need to be aware that such scams exist, but they must also have an understanding of common social engineering tactics and how they are used to convince and persuade.

Since phishing attacks rely on human error, staff must be trained to look for:

• Suspicious sender email addresses – is the email from an authentic address or are there minor variations such as an extra letter or a different domain? To verify an email, employees should follow up with the supposed sender on another channel.
• Generic or atypical greetings – many phishing attacks use greetings such as “Dear customer” in the subject line.
• Urgent or threatening language – any email that claims an employee must click, call or open an attachment immediately should be treated as suspicious. Employees can verify the urgency of a situation with a superior.
• Suspicious links and attachments – employees should hover over links and view the URL. If in doubt, avoid link and attachments.
• Poor grammar and spelling – these are mistakes a legitimate organisation would not have in their communications.

Preventing email phishing

Aside from staff training, various other best practices can help prevent email phishing. Software should always be kept up to date, and suspicious emails should always be marked as spam.

Domain-based Message, Authentication, Reporting and Conformance (DMARC) is an email authentication protocol that enables businesses to protect their domains from unauthorised use.

When used with two other authentication mechanisms in SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), businesses can:

• Specify whether to accept, quarantine or reject emails that fail DMARC checks.
• Create detailed reports about rejected emails that can be used to investigate future phishing attempts.
• Verify that emails sent from authorised servers have not been tampered with, and
• Ensure that only authorised senders can send emails on behalf of the domain.

Multi-factor authentication (MFA) should also be enabled if credentials are compromised and a fraudster attempts to gain access to sensitive information.

Summary:

• Email phishing occurs when attackers send fraudulent emails that appear to come from legitimate sources. The intent of every phishing attack is to deceive recipients into divulging sensitive information or otherwise acting in a way that compromises security.
• Fundamental to the success of email phishing is social engineering. Recipients are psychologically manipulated to perform undesirable actions via various techniques, such as when a criminal creates a false sense of urgency or fear.
• Employee knowledge and awareness are the most effective defence against email phishing. However, multi-factor authentication (MFA) and various email security features are also important.