The Phishing Adventures of Huck Phinn, Plenty of Phish in the Sea

Chapter 1

Chances are you know about the dangers of clicking on fake emails so you carefully scroll through your inbox to delete them. You are especially vigilant before opening any email on business accounts, but no matter how many suspicious emails you spot, they keep coming.

Our “How to Spot a Phish” checklist can help you identify phishing emails and provides advice on what to do with them.

The damage caused by email security breaches is staggering. The FBI says that Business Email Compromise resulted in more than $1.7 billion USD in losses for businesses in 2019; one primary method that attackers use to break in and harvest credentials is phishing. A Verizon 2020 Data Breach Investigation report found 32% of all breaches involve phishing.

Phishing emails generally fall into a few different categories:

• Phishing: Those email attacks that rely on mass emails sent to as many recipients as possible in hopes that any potential victims will be compromised, and if this fails, it’s relatively simple to re-use the recipient list for future attacks.
• Spear-phishing: More carefully crafted attacks that target specific organizations or individuals regardless of the target’s role in the organization.
• Whaling: A type of spear-phishing campaign that targets specific high-value individuals (CEOs, CFOs, etc.) in an organization. These may be especially complex and deceptive.

Despite all efforts to stop these attacks, there are still plenty of phish in the sea, and this tactic requires minimal effort for a potentially large pay-off. What motivates Phishing attackers? Here are a few of the more common ways bad actors can use harvested credentials:

• To sell to other attackers on Dark Web forums
• To support corporate espionage or Intellectual Property theft efforts
• To support theft of funds or wire fraud efforts
• To gather credit card, banking, or other sensitive information
• To steal an individual’s identity
• To make unauthorized purchases
• To gain remote access or to deploy more damaging malware such as ransomware, trojans, or information stealers

In the next chapters of this blog series, we will share real phishing email examples dissected by Ingalls Information Security on behalf of clients.  We’ve changed their names but kept all the details real

Even if you think you’re skilled at spotting a phish when you see one, we hope you can pick up a few more tips and even share this knowledge with others. 

In the meantime, take another look at your inbox. If you see something suspicious, use our “How to Spot a Phish” checklist to help you decide if it’s a phishing email and what to do with it. 

...to be continued.

About Ingalls

Ingalls helps businesses large and small manage security risks and defend against cyberattacks. If you’d like to learn more please contact us here. One of our cybersecurity experts will be more than happy to assist you and answer any questions you may have.