Communication in the digital business world is hardly imaginable without e-mail. Within a very short time, digital letters including attachments can be transported from one end of the world to the other, enabling an efficient and global exchange of information. However, these advantages can also be abused for malicious purposes:
Since receiving and sending e-mails is already firmly anchored in many people's everyday working lives these days, employees or even management positions in companies represent particularly attractive phishing targets. If an attacker succeeds in deceiving the victim, depending on the target of the attack, he or she can gain access to the victim's internal company data or login information, or even take over the target's system and thus penetrate the internal network.
The attackers usually have a financial motivation here, but in some cases the focus is also on simply damaging a company. By infiltrating so-called ransomware, after a successful attack that grants access to the target's system, the attacker encrypts the file system and then demands a ransom for decrypting the data. In scenarios where the attacker was able to obtain the victim's credentials or company internals, these are usually used for further attacks or sold on to third parties.
A good phishing e-mail can appear deceptively genuine at first glance and motivate the victim to click the link before the recipient has any reason to doubt the mail's authenticity. However, there are some aspects by which the authenticity of a received e-mail can be evaluated without much effort.
One feature is the sender's address. In most cases, the sender's address is either a conspicuously unfamiliar address or it differs only very subtly in the domain part from a trustworthy domain, for example by means of visually similar letters. However, sophisticated attackers also try to distract the victim from the sender address used by means of fake sender display names, or exploit DNS misconfigurations to forge the sender address itself without the mail being filtered or marked as spam.
Another feature is the formatting of the mail's content. If, for example, strange formatting, outdated logos or a different language is used for no apparent reason, this may indicate a possible phishing attempt.
However, the most crucial feature is the content of the received mail. If, for example, you are asked to open a link below and log in to do something or to download and execute a file, this can often indicate a possible fraud attempt. In this case, you should first check which page this link really refers to by hovering your mouse over the link or check the legitimacy of the attached files.
A common attack scenario is so-called "credential harvesting", in which an attacker clones the login page of a well-known service or a service used in the company and hosts it on the Internet. The mail then contains the link to the cloned page together with some pretext for why the recipient needs to log in to the service again. The goal is for the phishing victim to enter their credentials on the cloned site; instead of logging the user in, the site sends the credentials to the attacker. To disguise the deception, the victim is redirected to the real login page of the respective service after submitting the credentials, so that the next login attempt succeeds and no suspicion is aroused.
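The two link checks recommended above (does the visible text match the real link target, and is the target a look-alike of a domain the company actually uses) can be automated for a mail body. The following is an added Python example, not code from the original article; the trusted-domain list, the confusable table and the sample mail body are constructed for illustration.

```python
# Added example (not from the original article): audit the links in an HTML
# mail body for two tells, a visible domain that does not match the real link
# target, and a host that is a look-alike of a trusted domain. The trusted
# list, the confusable table and the sample mail are constructed data.
from html.parser import HTMLParser
from urllib.parse import urlparse
import unicodedata

# Constructed: domains the organisation actually uses for logins.
TRUSTED = {"example.com", "login.example.com"}

# Constructed subset of a confusables table: characters that read like another
# character in common fonts. Real deployments use the full Unicode UTS #39 data.
CONFUSABLES = {
    "0": "o", "1": "l", "rn": "m", "vv": "w",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0131": "i",  # dotless i
}

def skeleton(host):
    """Reduce a host name to a comparison 'skeleton': lower-case, punycode
    decoded, accents stripped, confusable characters folded to ASCII."""
    host = host.lower()
    try:
        host = host.encode("ascii").decode("idna")   # xn-- labels -> Unicode
    except UnicodeError:
        pass                                         # already Unicode text
    host = unicodedata.normalize("NFKD", host)
    host = "".join(c for c in host if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        host = host.replace(src, dst)
    return host

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Host part of a URL, or of bare text such as 'login.example.com'."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()

def audit_links(html):
    """Return (href, reason) findings for links that deserve a second look."""
    extractor = LinkExtractor()
    extractor.feed(html)
    findings = []
    for href, text in extractor.links:
        target = host_of(href)
        if not target:
            continue
        # Visible text that itself names a host (no spaces, contains a dot).
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and shown != target:
            findings.append((href, f"text shows {shown} but link goes to {target}"))
        if target not in TRUSTED and any(skeleton(target) == skeleton(t) for t in TRUSTED):
            findings.append((href, f"{target} is a look-alike of a trusted domain"))
    return findings

# Constructed sample mail body: two deceptive links and one honest one.
SAMPLE_MAIL = """
<p>Please <a href="http://examp1e.com/login">sign in</a> to keep your account.</p>
<p>Or open <a href="http://203.0.113.5/login">login.example.com</a> directly.</p>
<p>Helpdesk: <a href="https://login.example.com/help">https://login.example.com/help</a></p>
"""

if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_MAIL):
        print(f"{href}: {reason}")
```

The skeleton comparison is deliberately lossy: it only has to make a look-alike and its genuine counterpart compare equal, which is why folding digits into letters on both sides is acceptable. A mail gateway would extend `TRUSTED` with the company's own domains and the SaaS logins in use.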
Another very common attack scenario is malicious mail attachments. Attackers usually distribute Microsoft Office files here, which can automatically execute malicious code on the victim's system via macros. The goal of this attack scenario is to gain access to the phishing victim's system via the executed malicious code. However, in current versions of Office products, macros are disabled by default and require the user to explicitly enable them by clicking the button in the security warning. In order to make the victim take this step, attackers pretend, for example through contrived compatibility issues or similar, that enabling the macros is necessary for editing or viewing the file. In addition, anti-virus programs make it difficult to successfully execute the malicious code by blocking the macro before execution if malicious signatures are detected. However, the macro can also act as a so-called "stager", which first downloads the malicious code from a remote server and only then executes it on the system, making it harder for anti-virus programs to detect and block the executed malicious code.
As mentioned previously, attackers can exploit DNS misconfigurations so that mails with spoofed sender addresses are delivered anyway and are not filtered or flagged by spam filters. The DNS records that protect a domain from such tricks are "Sender Policy Framework" (SPF), "DomainKeys Identified Mail" (DKIM) and "Domain-based Message Authentication, Reporting and Conformance" (DMARC). All three are published as DNS TXT records and, in combination, can guarantee the authenticity and integrity of the mails sent and received and enable automated filtering of mails that contradict the rules defined in the records. In addition, such incidents can be reported at the same time to a mail address specified in the record. Another technical measure for protection against phishing attacks are anti-virus programs and endpoint detection and response (EDR) solutions, which can prevent the execution of malicious code on client systems or at least make it more difficult. Such solutions also allow further targeted protection measures to be initiated in a timely manner should alerts be triggered.
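To show what the SPF and DMARC records actually do on the receiving side, here is an added Python example that is not part of the original article: a simplified receiver evaluation over a constructed DNS zone. It goes a little beyond the paragraph by also showing why a permissive `+all` SPF record and a missing alignment between the envelope sender and the From domain matter. All domain names, IP addresses and records are constructed sample data; DKIM signature verification itself is out of scope, so the caller passes the domain of a signature that is assumed to have been verified already.

```python
# Added example (not from the original article): a simplified receiver-side
# check of SPF and DMARC over constructed DNS TXT records, so the effect of the
# records, and of a weak "+all" policy, can be seen without network access.
# Every zone entry below is constructed sample data. DKIM verification itself
# is out of scope; the caller passes the domain of a signature that is assumed
# to have been verified already.
import ipaddress

# Constructed sample zone: DNS name -> TXT strings.
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.0/24 include:mailer.example.net -all"],
    "mailer.example.net": ["v=spf1 ip4:198.51.100.10 -all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
    ],
    # A misconfigured domain: "+all" authorises every host on the Internet.
    "weak.example": ["v=spf1 +all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

def lookup_txt(name):
    """Stand-in for a DNS TXT query against the constructed zone."""
    return SAMPLE_TXT.get(name, [])

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, client_ip, depth=0):
    """Evaluate the ip4/ip6, include and all mechanisms of an SPF record.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                       # RFC 7208 limit on nested lookups
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.split(":", 1)[1], strict=False)
            if ip in net:
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            if spf_check(term.split(":", 1)[1], client_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                     # nothing matched and no "all" term

def dmarc_policy(domain):
    """Parse the _dmarc TXT record into a tag dict ({} if none is published)."""
    for record in lookup_txt(f"_dmarc.{domain}"):
        if record.startswith("v=DMARC1"):
            return dict(tag.strip().split("=", 1)
                        for tag in record.split(";") if "=" in tag)
    return {}

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment. Strict ("s") needs an exact match; relaxed
    ("r") is approximated here as a parent/child relationship, where the
    standard compares organisational domains."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain == from_domain
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))

def evaluate(header_from, envelope_from, client_ip, verified_dkim_domain=None):
    """Disposition for a message: pass, none (no DMARC record), quarantine
    or reject, following the p= tag of the From domain's DMARC policy."""
    policy = dmarc_policy(header_from)
    if not policy:
        return "none"
    spf_ok = (spf_check(envelope_from, client_ip) == "pass"
              and aligned(envelope_from, header_from, policy.get("aspf", "r")))
    dkim_ok = aligned(verified_dkim_domain, header_from, policy.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else policy.get("p", "none")

if __name__ == "__main__":
    # A spoofed From from an unauthorised host is rejected by the reject policy...
    print(evaluate("example.com", "example.com", "192.0.2.1"))
    # ...while the "+all" domain lets the same host through.
    print(evaluate("weak.example", "weak.example", "192.0.2.1"))
```

The `rua=` tag is the reporting address mentioned in the paragraph: receivers that apply the policy send aggregate reports there, which is how a domain owner learns that someone is sending in its name. Note that a message relayed through `mailer.example.net` passes SPF but still fails DMARC under strict alignment unless it also carries a DKIM signature for `example.com`.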
However, the most important protection against phishing attacks is the responsibility of the end user. Especially in everyday work, mails should always be treated with foresight and a healthy degree of suspicion. It is also helpful to communicate suspicions of current phishing attacks to colleagues and, for example, to create attention and awareness via a circular email or the "hallway radio". Complementary to this, targeted awareness training and phishing simulations can significantly refresh and improve the security of the entire company.