Let’s briefly review the three main stages of a phishing attack and then discuss the role malware plays in helping attackers access sensitive information.
The 3 Stages of a Phishing Attack
In its simplest terms, think of a standard phishing attack occurring in three stages: bait, hook and catch.
In the first stage, attackers prepare the “bait” for their attack.
Depending on the sophistication and style of attack, they may do varying levels of background research on their targets.
Most phishing attempts are “quantity over quality,” meaning attackers simply scrape the internet for email addresses to create bulk lists of tens of thousands to millions.
In some cases, phishers are more targeted and their research is more involved: attackers dig into their targets’ behaviors, hobbies, and known associates, or work out where their targets work or live.
Again, preparation and research depend on the type of information they are after. If attackers want to perform a quick financial scam, they may only need your email address and thousands of others.
If, however, they’re looking to initiate a more involved social engineering scheme, attackers may spend weeks doing background research in order to more effectively imitate a known or reputable contact or communication source.
For example, let’s assume you operate a B2B business that ships medical equipment to urgent care centers in the rural Southwest.
While preparing the bait for a phishing attempt, an attacker might discover a list of suppliers you frequently source from and then make an effort to imitate one of those suppliers.
They could do this by sending from an email address that closely resembles your point of contact’s at that supplier, copying any formatting the company uses in its emails (such as a branded HTML header), reproducing that person’s usual email signature, and so on.
Once an attacker has prepared the bait, it’s time to prepare the hook and cast the lure.
Phishing attempts usually require targets to perform a specific action (e.g. click a link, download a file, reply to an email). To get them to respond immediately, attackers create a false sense of urgency. The intent is to manipulate victims into acting quickly without thinking.
Again, most phishing attacks are broadly targeted at thousands of people, so hooks are often as simple as “you have a payment past due” or “you have yet to claim your refund” style emails, sometimes from companies and vendors you recognize because you work with them or buy from them, and sometimes not.
To continue our example of the rarer, more targeted style of phishing from above, let’s assume the attackers effectively imitate one of your medical equipment suppliers and send you a completely legitimate-looking email indicating there’s a problem processing your payment on file.
They continue by asserting that in order to get the shipment out the door in the next hour for on-time delivery, they need you to re-enter your billing information via a “secure page” (which they also created, based on their background research, to mimic your actual supplier’s website).
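Both tricks in this example, the lookalike sender address from the bait stage and the link to a fake “secure page” in the hook stage, leave traces in the message itself that a mail filter can check before the email ever reaches an inbox. The following is an added example, not code from this article or from Commprise: it parses a constructed sample email (the supplier domain acme-medsupply.com, the hypothetical TRUSTED_DOMAINS list and the message text are all invented for illustration), flags a sender domain that imitates a known supplier by a few character swaps or homoglyphs, and flags a link whose visible text points at one host while its href points at another.

```python
"""Flag lookalike sender domains and deceptive links in a phishing email.

Added example for illustration: the trusted-domain list and the sample
message below are constructed, not taken from any real supplier.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: domains of suppliers the (hypothetical) business actually deals with.
TRUSTED_DOMAINS = ("acme-medsupply.com", "desertsurgical.com")

# Characters attackers commonly swap for visually similar ones in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "ı": "i", "а": "a", "е": "e", "о": "o"}

# Constructed sample message imitating the supplier with a '1' for the 'l' in the domain.
RAW_EMAIL = (
    'From: "Dana Ortiz (Acme MedSupply)" <dana.ortiz@acme-medsupp1y.com>\n'
    "To: ap@example-clinic-supplier.test\n"
    "Subject: URGENT: payment failed, shipment on hold\n"
    "Content-Type: text/html\n"
    "\n"
    "<p>We could not process your payment. Re-enter your billing details within the hour at\n"
    '<a href="https://billing.acme-medsupp1y.com/secure">https://billing.acme-medsupply.com/secure</a>\n'
    "to keep the shipment on schedule.</p>\n"
)


def normalize(domain):
    """Lower-case a domain and undo common homoglyph substitutions."""
    d = domain.lower()
    for bad, good in HOMOGLYPHS.items():
        d = d.replace(bad, good)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` imitates, or None if it is genuine or unrelated."""
    domain = domain.lower()
    for t in trusted:
        if domain == t or domain.endswith("." + t):   # the real domain or a real subdomain
            return None
    for t in trusted:
        n_labels = t.count(".") + 1
        tail = ".".join(domain.split(".")[-n_labels:])  # the part that would be the registered domain
        if normalize(tail) == normalize(t) or levenshtein(normalize(tail), normalize(t)) <= max_distance:
            return t
        if t in domain:   # trusted name buried inside another domain, e.g. acme-medsupply.com.evil.net
            return t
    return None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Extract the host from a URL, or from link text that merely looks like one."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def analyze(raw_message):
    """Return a list of (finding, observed, expected) tuples for a raw RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    _, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rpartition("@")[2].lower()
    target = lookalike_of(sender_domain)
    if target:
        findings.append(("lookalike-sender", sender_domain, target))
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        href_host = host_of(href)
        # Only compare hosts when the visible text itself looks like a URL or domain.
        text_host = host_of(text) if re.match(r"^(https?://|www\.|[\w-]+(\.[\w-]+)+)", text) else ""
        if text_host and text_host != href_host:
            findings.append(("link-text-mismatch", text_host, href_host))
        target = lookalike_of(href_host)
        if target:
            findings.append(("lookalike-link", href_host, target))
    return findings


if __name__ == "__main__":
    for finding in analyze(RAW_EMAIL):
        print(finding)
```

The edit-distance threshold is a tuning knob: two edits is reasonable for long supplier domains, but on short trusted domains it will also match unrelated names, so in practice such a filter quarantines or labels the message for review rather than blocking it outright.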
After the attacker has performed their research and set their hook, they wait for their targets to take the bait. The attacker’s next steps depend on the nature of the phishing attempt.
Most of the time, this means simply waiting for a few thousand targets to click a link in their bait email.
From there, they’ll either collect credit card or banking information directly (e.g. the link goes to a website that asks for this information under the guise of issuing a refund or taking a payment), or secretly install malware on their targets’ computers to capture this sort of information when it is entered into a legitimate site later.
Sometimes they’ll be phishing for credentials that give them access to your email inbox or company databases; other times they’ll be after banking information in order to commit financial fraud.
To conclude our example of a targeted phishing attack from above, say you receive the email from the attacker. After quickly reading through the email, you recall that the urgent care location mentioned in the email had recently placed an order.
Without thinking about it, you click the link in the email and enter your credit card information to ensure on-time delivery. With this information captured, the attacker can now make fraudulent purchases using your corporate credit line. A call to the supplier at a phone number you already had on file, rather than anything in the email, would have exposed the scheme before any details were entered.
While it seems overly simplistic, almost all phishing attacks follow the “bait, hook, and catch” pattern. This basic approach to phishing schemes is all that it takes for an attacker to easily gain access to sensitive information.
Need help identifying gaps in your company’s security? Commprise offers IT security and compliance auditing, including phishing tests. Book a call.