Phishing, in the targeted form described here (often called business email compromise, or BEC), is an email-initiated or social media-initiated attack on internet users and their networks of business and sometimes personal contacts. Its ultimate goal is to convince people to divulge sensitive information or to send money. It does so by targeting people within an organization (example: a message apparently from the VP of Operations to the Director of Finance) and people across organizations (example: a message apparently from Vendor A's accounting department asking the client's accounting department to send payment to a new bank account).
This kind of attack has three parts:
STEP 1: Identifying key decision makers within an organization and their networks of contacts
It is easy to google your name, look you up on a company website, and look through your social media and professional networking accounts to identify your network of contacts and web of relationships. Attackers attempting to phish you will conduct this due diligence first, and they will try to determine "who reports to whom" and "who has authority over whom", because the attack only works if the request appears to come from someone the recipient is used to obeying.
STEP 2: Hacking the decision maker's email account and other internet accounts
Once a decision maker or authority figure is identified, the attackers will attempt to get into that individual's mailbox. Mail providers throttle and lock out rapid-fire guessing, so the common methods are not brute force but credential stuffing (trying the passwords leaked in breaches of other sites, on the assumption that the password was reused), password spraying (trying a handful of very common passwords against many accounts so no single account locks out), or simply phishing the password with a fake login page. These methods succeed when the password is weak or reused, and when Multi-Factor Authentication (aka MFA or 2FA) is not enabled on the email and social media accounts.
If the attackers get into the mailbox, the damage does not stop there. A compromised mailbox receives the password-reset emails for every other service registered to it, so the attackers can reset their way into other online accounts; and if the same password was reused, they will try it against the other accounts you are likely to use. What started as an email phishing attack can also morph into a social media attack.
[There is a variation on this approach, in which the attackers create an email account with the name of the decision maker but a different email address. This method is the lazy attacker's approach. They cannot access the decision maker's mailbox, so they instead create a free email account with Google, Yahoo, etc (example: firstname.lastname@example.org), but instead of the mailbox having a recognizable display name such as "Surfer Gal", it has a display name of "Jane Doe" (i.e. the decision maker's name). Most mail clients show the display name prominently and the actual address in small type or not at all, and the attacker's hope is that the recipient is inattentive to detail and will only notice the name the message appears to come from, without noticing the email address. If this method is used, Step 2 is skipped entirely and Step 3 is carried out from the lookalike account instead of the real mailbox. Sadly, there is nothing you can do to stop people from creating email accounts that use your name, because your name in itself is not unique; what you can do is have your mail system flag messages from outside the organization whose display name matches one of your own executives.]
STEP 3: Commandeering the hacked mailbox to send messages to the decision maker's contacts
Once the attackers have gained access to an account, they can craft an email from the decision maker's mailbox, instructing subordinates to wire money to a bank account, often using language that implies urgency and discourages checking ("I'm in a meeting, can't take calls, please handle this now"). The Reply-To header on that email is set to an address the attackers control (this is different from the Return-Path, which is the bounce address stamped on by the receiving mail server), so that when the subordinate replies to confirm the instruction, the reply goes to the attackers' own mailbox rather than the decision maker's. Attackers who are inside the real mailbox frequently also add inbox rules that delete or hide replies on the subject, so the real decision maker never sees the exchange. The attacker then replies with a bank account number to wire the money to.
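The two tricks above, a borrowed display name on a foreign address (the "lazy" variant in Step 2) and a Reply-To that diverts the confirmation (Step 3), both leave traces in the message headers. The following is an added example, not code from the original article, showing how a mail gateway or a mailbox script could flag them; the company domain, the executive list and the three sample messages are constructed for illustration and are assumptions of the example, not details from the article.

```python
import email
from email import policy
from email.utils import parseaddr

# Hypothetical organisation data (assumed for this example, not from the article):
# the company's own mail domain and the executives whose names are worth impersonating.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # the decision maker from the article
}


def _norm_name(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' and 'jane doe' compare equal."""
    return " ".join(name.split()).lower()


def _domain(addr: str) -> str:
    """Return the domain part of an address, lower-cased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw: str) -> list[str]:
    """Return a list of finding codes for one RFC 5322 message.

    Codes:
      display-name-impersonation  From: display name is an executive's, address is not theirs
      reply-to-mismatch           Reply-To points somewhere other than the From: address
      return-path-mismatch        envelope sender domain differs from the From: domain
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()

    # Check 1: the "lazy" variant. The display name says Jane Doe, but the
    # address is a free-mail account, not the executive's real mailbox.
    expected = EXECUTIVES.get(_norm_name(from_name))
    if expected and from_addr != expected:
        findings.append("display-name-impersonation")

    # Check 2: the compromised-mailbox variant. From: is genuine, but a
    # Reply-To header quietly redirects the victim's reply to the attacker.
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(str(reply_to))
        if reply_addr.lower() != from_addr:
            findings.append("reply-to-mismatch")

    # Check 3 (weaker signal): the envelope sender (Return-Path, stamped by the
    # receiving MTA) is in a different domain from the From: header. Mailing
    # lists and bulk senders trigger this legitimately, so treat it as a hint.
    return_path = msg.get("Return-Path")
    if return_path:
        _, rp_addr = parseaddr(str(return_path))
        if _domain(rp_addr) and _domain(rp_addr) != _domain(from_addr):
            findings.append("return-path-mismatch")

    return findings


# Constructed sample messages (not real mail) covering the three cases.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers

Please send me the Q3 summary when you have it.
"""

LOOKALIKE = """\
From: Jane Doe <firstname.lastname@example.org>
To: accounts@example.com
Subject: Urgent wire

I need a wire sent before noon. Reply for the account details.
"""

HIJACKED = """\
Return-Path: <bounce@mailer.example.net>
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@mail.example.net>
To: accounts@example.com
Subject: Urgent wire

Confirm by replying to this message and I will send the account number.
"""

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("lookalike", LOOKALIKE), ("hijacked", HIJACKED)]:
        print(f"{label:10s} {analyze_message(raw) or 'clean'}")
```

Run as a script it prints one line per sample: the legitimate message is clean, the lookalike trips the display-name check, and the hijacked-mailbox message trips both the Reply-To and Return-Path checks. The first two checks are reliable enough to act on (quarantine or banner the message); the Return-Path check fires on ordinary newsletters and ticketing systems, so it is only useful as supporting evidence.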
What you can do to protect yourself and those around you:
- Make sure your passwords are unique for each online account you own, so a breach at one site does not unlock the others. Use a password manager like 1Password, DashLane, or LastPass to generate and store them.
- Enable Multi-Factor Authentication on all your accounts that allow it, starting with email, since the mailbox can reset everything else. An authenticator app or a hardware security key is stronger than SMS codes, which can be intercepted or phished.
- Develop processes that require your staff to confirm any instruction to transfer funds above a small dollar amount over the phone or in person, using a phone number already on file, never one supplied in the email itself, and never by replying to the email.
A final note about passwords: If you have social media accounts, you have undoubtedly mentioned your pet, child, spouse, or an activity you love. Your birthday and other anniversaries are equally easy to discern, and attackers routinely build guessing lists from exactly these details, combined with the usual suffixes of digits and punctuation, so a password assembled from your public life is not a secret at all.
If you're in the minority of users who use a password manager (like 1Password, DashLane, or LastPass) to create unique passwords for every online account you own, go educate your colleagues before patting yourself on the back. Internet security is a shared responsibility. We are only as safe as our weakest link.