Phishing attacks are one of the biggest threats to both individual and organisational privacy and security. A 2019 Cyber Breaches Survey published by the UK Government notes that 80% of cyber breaches are a result of a phishing attack. User training is often a key component of minimising the effectiveness of such attacks. Phishing is a practice by which an attacker will try to gain access to information or systems by sending an individual a communication (e.g. email, SMS or instant message) with the aim of inducing the individual to click on a link that will attempt to compromise their security.
Why is phishing hard to spot?
Phishing attacks can be hard to spot because the attacker is often masquerading as an individual or organisation that the recipient should trust. This can be achieved in several ways – for example, an attacker may fake an email address or use a similar domain name of an organisation. Phishing attacks are a type of social engineering attack and will often use carefully constructed language to convince the receiver of the veracity of the message and the trustworthiness of the sender. As we’ve seen from the Cyber Breaches Survey, with 80% of breaches stemming from a phishing attack, it is a highly effective means of breaching the security of an organisation.
What are the different types of phishing?
All phishing attacks are not equal – some may be sent specifically to target certain individuals, some may be for a wider audience, sent with the hope of anyone taking the bait. The following are common types of phishing attacks:
- Email Phishing – usually involves messages sent to many people with the aim of encouraging recipients to click on a link;
- Spear Phishing – This is when a message is sent to a specific individual, usually based on their role, with the intent of leveraging that particular individuals’ abilities or access to information. Useful details can often be found on the organisation’s website or an individual’s LinkedIn profile;
- Whaling – a whaling attack is a form of spear phishing, focusing on high-level senior executives such as CEOs, CFOs, and COOs. These are highly targeted attacks looking to leverage the executive’s authority and access within an organisation. These attacks are often more successful than you might expect, as senior executives often don’t follow organisational procedures expected of operational staff;
- Smishing and Vishing – smishing refers to using SMS messaging as the form of delivery for the phishing attack. It is often a successful technique as SMS can be a notoriously difficult method to determine the trustworthiness of the sender. Banks for example often use many different SMS numbers for communication with customers. Vishing is when an attacker uses voice messaging (e.g. telephone), to execute a phishing attack. Automated calling and masking of telephone numbers are common techniques that are used with this tactic.
The identity verification gap
Phishing attacks are often successful because an identity verification gap exists that enables a malicious actor to gain the trust of their victim in order to execute an attack. Often, this is because the attacker successfully masquerades as a source that the victim would trust. The victim is then lured into taking a step that enables the attacker to compromise their target. This identity verification gap exists in many different contexts, and depending on that context, it can cause varying degrees of harm to the individuals that are targeted including causing financial loss, reputational loss and emotional distress.
SOTER – closing the gap
The SOTER project aims to contribute to closing the identity verification gap by developing a biometric-based authentication and identification digital onboarding platform. A holistic approach is taken to addressing SOTER’s goals, combining technical innovation with consideration for the human factors involved, including the development of a competence catalogue and training manual for the financial services sector.
Initially intended for use in the financial services sector, SOTER has the potential for broader application in contexts where achieving a high level of assurance is required for the participants involved in a transaction. It is where this identity verification gap exists that the SOTER Digital Onboarding Platform has the potential to contribute to enhancing organisations’ cyber resilience and protecting individuals from actors that would take advantage of the identity verification gap.
Author: Alan Mac Kenna, Trilateral Research