Email phishing occurs when malicious actors pose as reputable entities and send fraudulent emails to deceive recipients.
Ultimately, these scams aim to exploit the recipient’s trust to gain unauthorised access to accounts, steal personal information or install malware.
In 2023, phishing attacks were the most common type of scam in Australia with over 108,000 reports.
Before we delve into how email phishing works, it is important to explain social engineering and why it is critical to the success of email scams.
Social engineering is a form of psychological manipulation that motivates people to perform a certain action or reveal sensitive information. In short, it takes advantage of the fact that certain emotions and behaviours have the potential to override rational thought.
Here are just some of the ways the tactic is utilised.
Attackers may pose as a bank, government agency or well-known company and replicate logos and email templates in email correspondence.
Others may send emails that appear to come from someone the recipient knows, which also adds credibility.
To create a sense of urgency and/or fear in the victim, fraudsters send an email that conveys a need for action.
To that end, the fraudster may claim that the recipient’s account is at risk of imminent closure if they don’t confirm their details.
They may also:
Attackers also craft emails that elicit sympathy or excitement, such as charitable donation requests after a disaster or notifications of a prize win.
Whatever the message, the intent here is to exploit the recipient’s emotions and provoke a reaction that clouds their judgement.
Personalisation is one of the more common social engineering techniques.
Criminals gather personal information about the victim from social media (or past communications) to make the deception more convincing.
They may also pose as an authority figure within the company and use that sense of trust to deceive the victim.
Phishing scams that involve technical deception take advantage of minor differences in email addresses or URLs that are hard to notice.
For example, a fraudster may replace the letter “m” with the pair “rn” (which looks almost identical in many fonts) and make users believe they are interacting with a legitimate email account or website.
In the latter case, victims may be directed to a duplicate site and be prompted to enter their credit card details, bank account numbers or other sensitive information.
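The look-alike substitutions described above are mechanical, so they can be checked mechanically. The following is an added example (not code from the original article or from the organisation publishing it) that collapses common confusable sequences, including “rn” for “m” and a few Cyrillic letters that render like Latin ones, and compares a sender's domain against an allow-list of trusted domains. The trusted domains, the confusable table beyond the “rn”/“m” pair, and the From: headers are all constructed for the example.

```python
import re

# Constructed allow-list of domains the organisation trusts (placeholders, not real brands).
TRUSTED_DOMAINS = {"examplebank.com", "courier-example.com"}

# Character sequences that render alike in many fonts. "rn" standing in for "m" is the
# substitution described in the text; the rest are common equivalents added as assumptions.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]

# A few Cyrillic letters that look identical to Latin ones (small constructed map).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0445": "x",
}


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so visually similar domains map to one string."""
    s = domain.strip().lower().rstrip(".")
    for cyr, lat in CYRILLIC_LOOKALIKES.items():
        s = s.replace(cyr, lat)
    for lookalike, canonical in CONFUSABLES:
        s = s.replace(lookalike, canonical)
    return s


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header value such as 'Name <user@host>'."""
    match = re.search(r"@([^>\s]+)", from_header)
    return match.group(1).strip().lower().rstrip(".") if match else ""


def classify_domain(domain: str) -> str:
    """'trusted' for an exact allow-list match; 'lookalike' when the domain only matches a
    trusted one after collapsing confusables, or embeds a trusted domain as a subdomain of
    something else (examplebank.com.<attacker-controlled>); otherwise 'unknown'."""
    d = domain.strip().lower().rstrip(".")
    if d in TRUSTED_DOMAINS:
        return "trusted"
    sk = skeleton(d)
    for trusted in TRUSTED_DOMAINS:
        tsk = skeleton(trusted)
        if sk == tsk or sk.startswith(tsk + "."):
            return "lookalike"
    return "unknown"


def check_sender(from_header: str) -> tuple:
    """Convenience wrapper: (domain, verdict) for a raw From: header value."""
    domain = sender_domain(from_header)
    return domain, classify_domain(domain)


if __name__ == "__main__":
    # Constructed From: headers, including one with a Cyrillic 'а' in place of Latin 'a'.
    for header in [
        "Example Bank <alerts@examplebank.com>",
        "Example Bank <alerts@exarnplebank.com>",
        "Example Bank <alerts@ex\u0430mplebank.com>",
        "Example Bank <security@examplebank.com.account-check.example.net>",
        "Newsletter <news@unrelated.example.org>",
    ]:
        print(check_sender(header))
```

A verdict of "lookalike" is a strong signal for a mail gateway rule or a user-facing banner, because a legitimate sender never needs a domain that only matches the brand after this normalisation. The confusable table is deliberately small; production filters typically use the full Unicode confusables data.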
Phishing as a term has been around since the 1990s and once described hackers who used email to “fish for” information from their victims.
Like many types of online fraud, however, phishing has grown in both sophistication and diversity and there now exist various sub-types.
The standard form of email phishing is also the most common. Here, fraudsters send mass emails that impersonate legitimate organisations and hope that a few victims take the bait.
The objective is to deceive recipients into revealing confidential information, clicking malicious links, or both.
An email purportedly from a well-known bank informs a customer that their account has been compromised.
The email asks the user to click on a link to verify their account details. However, it leads to a fake website (that resembles the bank’s official site) where the customer’s username and password are captured.
Spear phishing uses technical deception to target specific individuals within an organisation.
Attackers personalise emails with information about the victim to make them more persuasive, and these victims tend to be personnel with access to the resources the fraudsters want.
Sony was the victim of a coordinated spear phishing attack in 2014.
Fraudsters researched employee names and titles on LinkedIn and then posed as co-workers in emails that contained malware. Systems engineers and network administrators with access to Sony’s network were asked to verify their Apple IDs because of purported unauthorised activity.
Ultimately, the perpetrators managed to steal over 100 terabytes of company data consisting of everything from financial reports to recently released films and information about employees and their families. The attack cost Sony an estimated $150 million.
Whaling is a type of spear phishing where the CEO, CFO and other C-suite personnel or executives are targeted.
A CEO receives an email that appears to be sent by a law firm that mentions a confidential and urgent legal matter.
The email includes a link to download important documents which, when clicked on, installs malware on the executive’s computer.
In a clone phishing attack, fraudsters duplicate an email sent by a trusted organisation and replace attachments or links with malicious ones.
A user receives an email in the form of a shipping notification from a courier service they’ve used before.
The email includes a familiar tracking link and features the courier’s logo, but the link downloads malware onto the user’s device. Other attacks clone legitimate invoices and alter the payment details so that funds are redirected to an account the fraudsters control.
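Both the bank example earlier (a “verify your account” link that leads to a copy of the real site) and the cloned shipping notification share one technical tell: the link's visible text and its real destination disagree, or the destination leaves the organisation's domain altogether. The following is an added example (not code from the original article or from the organisation publishing it) that extracts every link from an HTML email body and flags those two conditions. The HTML body and the domains in it are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body imitating a courier notification. The second link shows the
# courier's URL as its text but points somewhere else; the other two are consistent.
SAMPLE_HTML = """
<p>Your parcel is on its way.</p>
<p><a href="https://www.courier-example.com/track/123">www.courier-example.com/track/123</a></p>
<p><a href="http://track-courier-update.example.net/dl/label.exe">https://www.courier-example.com/track/123</a></p>
<p><a href="https://www.courier-example.com/help">Contact support</a></p>
"""

# Visible text that itself looks like a URL (with or without a scheme).
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Hostname of a URL; scheme-less text such as 'www.example.com/x' is accepted too."""
    if "//" not in url:
        url = "//" + url
    return (urlparse(url).hostname or "").lower()


def in_domain(host: str, domain: str) -> bool:
    """True when host is domain itself or a subdomain of it (not merely a prefix of it)."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str, expected_domain: str) -> list:
    """Flag links whose destination is outside expected_domain, and links whose visible
    text is itself a URL on a different host than the real href."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        reasons = []
        if not in_domain(real_host, expected_domain):
            reasons.append("destination %s is outside %s" % (real_host, expected_domain))
        if URL_LIKE.match(text):
            shown_host = host_of(text)
            if shown_host != real_host:
                reasons.append("visible text points at %s but link goes to %s" % (shown_host, real_host))
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML, "courier-example.com"):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The subdomain check matters: `courier-example.com.evil.example` ends with the trusted name as a string but is not inside the trusted domain, which is why `in_domain` compares against a leading dot rather than using a plain substring test.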
Detection and prevention of email phishing require a multi-faceted approach.
Employees need to be aware that such scams exist, but they must also have an understanding of common social engineering tactics and how they are used to convince and persuade.
Since phishing attacks rely on human error, staff must be trained to look for:
Aside from staff training, various other best practices can help prevent email phishing. Software should always be kept up to date, and suspicious emails should always be marked as spam.
Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol that enables businesses to protect their domains from unauthorised use.
When used alongside two other authentication mechanisms, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail), businesses can:
Multi-factor authentication (MFA) should also be enabled so that, if credentials are compromised and a fraudster attempts to use them, the stolen password alone does not grant access to sensitive information.