“Phishing is a hacker attack that usually tries to use email to convince a user in the organization, in the company, that it is a normal email,” explains Aaron Hartel, commercial director of Trufflepig Forensics. But hidden in this email is a link that leads the recipient to a fake website. It looks the same as the page the user expected when clicking on the link. But instead of the familiar page, hackers are sitting at the other end, ready to tap any data the user enters.
Typical phishing attacks also include, for example, email attachments that contain malicious code. “Office files that also contain a macro are very common. When you click on it, it is executed. This results in a code execution, an executable program on the computer that can execute the malware,” warns Hartel. For such phishing campaigns, fraudsters usually don’t even have to spend a lot of money: standard campaigns are often used, for example, a supposed bank login page. An email is then sent to the victim’s email address, informing them that there is a problem with their account and asking them to log in. Without realizing it, the victim then provides the fraudsters with their personal bank details.
In addition to standard campaigns, hackers also use spear phishing, which is tailored to the targeted victim. “Spear phishing is a targeted attack on an individual, on a person, usually with the help of publicly available information,” explains Hartel. In the run-up to the attack, the fraudsters try to find out, for example via social media, which places or institutions the victim has recently visited. They then send an email purporting to be from a recently visited restaurant, booked hotel or similar, asking the victim to transfer money there. The actual employer can also be used as the supposed sender of such an email: “These can also be emails in which a fake superior, for example, asks an employee to transfer money to this or that account.” The fraudsters use seemingly logical justifications for this, reports Hartel. One scenario could be: “I can’t go through the normal channels here. It has to be done super fast and only you know about it. So please do it in two hours and don’t tell anyone about it. We’ll talk about it again in a week or so when I get back.” Hackers try to put the employee under time pressure and thus leave him less time for logical consideration or questions. Depending on the campaign, deliberately creating fear or curiosity can also be part of the strategy to manipulate the victim and prompt him to act.
The number of (spear) phishing attacks is growing rapidly, campaigns are continuously being improved and refined – and more and more companies are falling victim to such scams. “If you’ve been trained to do so, you can usually recognize such emails relatively well,” explains Hartel. And that is particularly important: “Phishing emails can be the initial entry point for the hacker, giving him a foot in the door of the company for the first time, from which he can then use lateral movement in the company’s infrastructure to secure more and more privileges. Ultimately, the hacker is then able to launch an encrypted ransomware attack.”
Trufflepig Forensics is therefore keen to raise awareness of phishing attacks in your company. This can be achieved in two ways: one option is the classic simulation – we develop a plan tailored to your company, send phishing e-mails to employees and try to persuade them to enter data or click on links. If the employee falls for one of the tricks, they are informed that a real hacker would have been successful at this point with their phishing attack. “And that’s actually where the biggest learning effect occurs,” summarizes Hartel.
Alternatively, Trufflepig Forensics also offers employee training – incidentally, mandatory certifications such as ISO 27001 also require employee training in IT security. “We offer companies the complete planning and implementation of such a phishing awareness campaign. This means that we design the campaign, the simulation itself, set it up, carry it out and report the results,” explains Hartel.
The measure can also be subdivided according to the individual company departments, depending on requirements. “For example, the IT team may already be somewhat educated and therefore the rate of employees who click on such phishing links is lower there than in the marketing team, where more educational work still needs to be done,” Hartel explains. “This can be quickly determined using the Trufflepig Forensics campaign and then targeted training can be provided for the respective company department using context-specific and therefore more realistic e-mails.”
After the training, employees should have a heightened awareness of the issue of phishing attacks and their various forms, be able to recognize suspected attacks more easily, and thus become more adept at dealing with phishing campaigns overall. Your company should be better protected against phishing campaigns in the long term.