Introduction to phishing
Definition
Phishing is a fraudulent technique in which a cybercriminal sends an email impersonating a well-known third party – such as Google, Amazon, or Microsoft. Their goal is to trick the recipient into clicking a link or downloading a file in order to steal information or money, or to install malware.
The Most Common Types of Phishing
CEO Fraud
CEO fraud (also called CEO scam) is a targeted scam in which an attacker impersonates a company executive (often the CEO or CFO) to deceive an employee into making a fraudulent bank transfer.
How does CEO fraud work?
Impersonation: The fraudster sends an email (or calls) impersonating a senior executive of the company.
Emergency scenario: This often involves an urgent, confidential, and sensitive situation (e.g., an acquisition, a payment to a strategic supplier, a legal emergency, etc.).
Psychological pressure: The employee, usually in the accounting or finance department, is pressured to act quickly without following the standard procedures.
Fraudulent transfer: The goal is to trick the victim into transferring money to an account controlled by the scammers, often located abroad.
Why does it work?
The email appears credible (professional language, a lookalike sender address that is very close to the real one, the CEO's signature, etc.).
The targeted employee is often isolated, under pressure, or intimidated by management.
The attack is highly targeted (the fraudsters research the company, its executives, and its internal practices).
What are the consequences? Significant financial losses; reputational damage; legal liability if protections are not in place.
How to protect yourself?
Raise awareness among all employees, especially those in sensitive departments (finance, HR, etc.)
Implement a strict internal validation procedure for transfers
Enable technical protections: SPF, DKIM and DMARC (with a DMARC policy that actually quarantines or rejects, not just monitors), plus anti-spoofing filters
Systematically verify any unusual request through a secondary channel (phone, video conference, in person)
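As an added example (not Stoik's code and not taken from this page), the following Python script applies the checks a practitioner would run against a domain's SPF and DMARC records to see whether they really stop spoofing. It works offline on record strings: the WEAK_* and STRONG_* records are constructed placeholders for an example.com domain, and in practice you would fetch the real ones with `dig TXT example.com` and `dig TXT _dmarc.example.com`. DKIM is not assessed here because its selector record cannot be known without the outgoing mail configuration.

```python
"""Assess a domain's SPF and DMARC TXT records for anti-spoofing strength.

Added example, not Stoik's tooling. Works offline on record strings; the
sample records below are constructed for illustration (placeholder domain).
"""
import re

# Constructed sample records: the "weak" pair is the common setup that looks
# configured but still lets spoofed mail through; the "strong" pair enforces.
WEAK_SPF = "v=spf1 include:_spf.google.com include:mailer.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.google.com -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"

# Mechanisms that cost a DNS lookup when a receiver evaluates SPF.
_LOOKUP_MECHANISMS = re.compile(r"^(?:[-~?+]?)(include|a|mx|ptr|exists)(?:[:/]|$)", re.IGNORECASE)


def spf_all_qualifier(spf):
    """Qualifier on the terminal 'all' mechanism.

    '-' hard fail, '~' soft fail, '?' neutral, '+' pass (anyone may send).
    Returns '' if no 'all' term is present and None if the record is not SPF.
    """
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return ""


def spf_lookup_count(spf):
    """Count top-level terms that cost a DNS lookup (RFC 7208 caps the total
    at 10). Includes are not followed here, so this is a lower bound."""
    count = 0
    for term in spf.split()[1:]:
        if _LOOKUP_MECHANISMS.match(term) or term.lower().startswith("redirect="):
            count += 1
    return count


def parse_dmarc(dmarc):
    """Split 'v=DMARC1; p=reject; ...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(dmarc):
    """Effective DMARC policy: the p= value, the pct= sampling rate, and whether
    spoofed mail is actually blocked (quarantine/reject on 100% of messages)."""
    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "").lower()
    if tags.get("v", "").upper() != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return {"policy": "invalid", "pct": 0, "enforced": False}
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    return {"policy": policy, "pct": pct, "enforced": policy != "none" and pct == 100}


def assess(spf, dmarc):
    """Return a list of findings; an empty list means the records look sound."""
    findings = []
    q = spf_all_qualifier(spf)
    if q is None:
        findings.append("SPF: record missing or not 'v=spf1'")
    elif q == "+":
        findings.append("SPF: '+all' authorises every host on the internet; use '-all'")
    elif q == "":
        findings.append("SPF: no 'all' term, unlisted senders are neutral; add '-all'")
    elif q in ("~", "?"):
        findings.append("SPF: '%sall' only soft-fails or stays neutral; use '-all'" % q)
    if spf_lookup_count(spf) > 10:
        findings.append("SPF: more than 10 DNS lookups, receivers return permerror")
    d = dmarc_enforcement(dmarc)
    if d["policy"] == "invalid":
        findings.append("DMARC: record missing or malformed; spoofed mail is not filtered")
    elif d["policy"] == "none":
        findings.append("DMARC: p=none only reports; move to p=quarantine, then p=reject")
    elif not d["enforced"]:
        findings.append("DMARC: pct=%d enforces the policy on only part of the mail" % d["pct"])
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc) or ["no findings"])
```

The weak pair (`~all` with `p=none`) is the typical "we have SPF and DMARC" setup that still delivers spoofed mail: receivers treat a soft fail as a hint, and `p=none` only asks for reports. Only `p=quarantine` or `p=reject` applied to 100% of messages makes a forged From address fail, which is the protection this list is asking for.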
Phishing for credential theft
You receive an email that creates a sense of urgency: an unexpected charge, a suspended account, a password to change. By impersonating a known third party, the attacker tries to make you click as quickly as possible on a link that leads to a fraudulent website.
You enter your credentials on the website and the attacker obtains them: the site looks legitimate, but it belongs to the attacker. You are not logging in at all; you are handing your credentials over.
You don't realize you've been attacked: in most cases nothing visible happens. You see an 'Incorrect credentials' message and are redirected to the legitimate website, so your next login succeeds and nothing seems wrong.
Phishing with attachments
This type of attack, more sophisticated and therefore less frequent, allows the attacker to take control of an employee's workstation, which is the entry point into the company's IT system.
To do this, they must trick you into downloading a PowerPoint, Excel, or Word document and enabling its macros (current versions of Microsoft Office block macros in documents downloaded from the internet by default; keep that setting enforced). There are two main strategies for this:
Sending you an enticing document directly via email
Sending you a malicious document via a file transfer platform. In either case, once the document's macros are enabled, the attacker has control of the workstation.
Best practices
As soon as you receive an email asking you to download an attachment, make a transfer, or enter a password, be vigilant.
Check the sender's domain name. The sender's address may look familiar, but it can be forged or imitated: look for spelling mistakes, swapped letters or digits, and other anomalies. Pay particular attention to the domain name (the part after the @): if it does not match the real sender's domain letter for letter, it is a phishing attempt. The display name shown before the address proves nothing, since the sender chooses it freely.
If you are redirected to a website, check its domain name. The reasoning is the same: a fake website controlled by the attacker cannot have the real site's address, so the domain shown in your browser's address bar will differ from the legitimate one, sometimes by a single character or an extra subdomain.
Verify the information through an alternative channel. Ask the sender for confirmation another way: by SMS, by phoning a number you already have, by contacting customer service, or by going directly to the website in your browser rather than through the link. Never use contact details taken from the suspicious message itself. This may seem tedious, but many attacks succeed because of negligence and a lack of communication.
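The two domain checks above are easy to state and easy to get wrong in a hurry, so here is an added example (not Stoik's code) that encodes them: given the expected domain, it classifies a sender address or a link as a match, a lookalike, or some other domain. It runs offline and is deliberately simple; the two-level suffix list, the confusable table and the sample addresses are assumptions constructed for illustration, standing in for the Public Suffix List and the Unicode confusables data that real mail filters use.

```python
"""Check whether a sender address or link really belongs to the expected domain.

Added example, not Stoik's code. Offline and deliberately simple: the suffix
list and confusable table are small assumptions standing in for the Public
Suffix List and Unicode's confusables data.
"""
import unicodedata
from urllib.parse import urlsplit

# Assumption: a short list of two-level public suffixes instead of the full list.
_TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Assumption: a few common digit and Cyrillic look-alikes; real tooling uses the
# full Unicode confusables table.
_CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i",
})

# Constructed sample: "paypal.com" with a Cyrillic first "a", in the punycode
# form a browser or mail client actually transmits.
HOMOGRAPH_HOST = "p\u0430ypal.com".encode("idna").decode("ascii")


def registrable_domain(host):
    """'login.example.com' -> 'example.com'; 'a.b.co.uk' -> 'b.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of_email(address):
    """Domain after the @ of the real address; the display name is ignored."""
    if "<" in address and ">" in address:
        address = address[address.rindex("<") + 1:address.rindex(">")]
    return address.rsplit("@", 1)[-1].strip().lower()


def host_of_url(url):
    """Host part of a link, as the browser's address bar would show it."""
    return (urlsplit(url).hostname or "").lower()


def to_unicode_host(host):
    """Decode xn-- labels so homograph domains can be compared by appearance."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def skeleton(name):
    """Fold a name to its visual skeleton: strip accents, map confusables."""
    s = unicodedata.normalize("NFKD", name)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return s.translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def levenshtein(a, b):
    """Edit distance, used to catch single-character typos such as amazom."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, expected_domain):
    """'match' (same registrable domain), 'lookalike' (imitates it) or 'other'."""
    expected = expected_domain.lower()
    host = to_unicode_host(host.lower())
    reg = registrable_domain(host)
    if reg == expected:
        return "match"
    brand = expected.split(".")[0]
    reg_name = reg.split(".")[0]
    if skeleton(reg) == skeleton(expected):
        return "lookalike"                  # g00gle.com, Cyrillic homographs
    if brand in host.split(".") or brand in reg_name.split("-"):
        return "lookalike"                  # amazon.com.evil.net, amazon-verify.com
    if len(brand) >= 5 and levenshtein(skeleton(reg_name), skeleton(brand)) <= 1:
        return "lookalike"                  # amazom.com
    return "other"


def check_email(sender, expected_domain):
    """Classify the domain of a From address against the expected domain."""
    return classify(host_of_email(sender), expected_domain)


def check_link(url, expected_domain):
    """Classify the domain of a link against the expected domain."""
    return classify(host_of_url(url), expected_domain)
```

Note what a 'match' does not prove: the address or link is on the expected domain as displayed, which is necessary but not sufficient, since the From header itself can be forged where SPF, DKIM and DMARC are not enforced. This registrable-domain comparison is also what a password manager performs before autofilling, which is why nothing gets filled in on a lookalike site.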
How to mitigate this risk?
A few simple steps can drastically reduce the risk of phishing and the consequences of a successful phishing attack.
Anticipating and limiting the risk of phishing:
Raise team awareness: according to CESIN, 73% of cyberattacks start with the phishing of an employee. Awareness is therefore key to maintaining a good level of cybersecurity.
Implement two-factor authentication (2FA): most phishing attacks aim to steal a user's credentials, and with a second factor the stolen password alone is not enough to impersonate them. Prefer phishing-resistant factors (FIDO2/WebAuthn security keys or passkeys) where possible: one-time codes sent by SMS or generated by an app can be relayed in real time by a phishing site that proxies the real login.
Implement a password manager: password managers only autofill credentials on the exact domain they were saved for. On a lookalike phishing site nothing is pre-filled, which immediately signals to the user that something is wrong.
And what if phishing happens?
If the user has provided credentials:
Change the password for the compromised email account or service, as well as the passwords for all other services where the same password (or a variant of it) is used;
Implement two-factor authentication for the compromised email account or service
Notify Stoik so we can verify that the attacker has not left themselves another way back in (for example a mailbox forwarding rule or an extra authentication method).
If the user has downloaded a malicious attachment:
Isolate the device immediately (disconnect it from the network or turn it off) to limit the spread of the malware;
Notify Stoik so we can remove the malware from the device and verify that it has not spread.