Why Staff in Singapore Need Phishing Simulations
June 25, 2020
ST Logistics, a private vendor for the Singapore Armed Forces (SAF)
responsible for providing third-party logistics such as equipping services and e-mart
retailers, and the HMI Institute of Health Science have both reported recent
cybercrime incidents. In December 2019, SAF confirmed that, as a result of phishing
activity, the personal data of 2,400 SAF employees could have been compromised; the
figure is a projection based on the total data present in the affected system.
In an unrelated incident, the HMI Institute of Health Science reported a
probable compromise of 120,000 individuals’ records, including 98,000 records
of SAF personnel, due to a ransomware attack on one of its servers. The affected SAF
servicemen had attended cardiopulmonary resuscitation and automated external
defibrillation courses conducted by HMI.
Both HMI and ST Logistics carried out extensive forensic
investigations of these incidents with the assistance of their own
cybersecurity teams and external cybersecurity experts. The affected
data consisted of personal information such as names, email IDs, contact numbers, NRIC
numbers, birth dates, and addresses. Though neither organization provided exact
details of the breaches, one element common to both incidents was
phishing.
What Is Phishing?
Phishing attacks are the foundation of the majority of advanced and
potent malware attacks. Though the follow-up stages form the important part of any
cyberattack, their ability to damage a system depends on the success of the initial
phishing lure. Different types of phishing attacks exist.
10 Types of Phishing Attacks
- Spear phishing: Personalized phishing attempts created for a
specific person or organization are called spear phishing. Unlike regular
phishing, threat actors generally conduct reconnaissance, gathering information
about their victim in order to look less suspicious and increase their
probability of success.
- Whaling: Whaling is the next step up in spear phishing attacks,
targeting senior executives and other high-profile employees in an organization,
such as managers or above.
- Clone phishing: Clone phishing is a type of phishing attack that
involves extensive reconnaissance into previously delivered emails or
attachments, and the phishing email is built from them. Once obtained, the
email or documents are used to create an identical, cloned email. The
attachment or link from the original email is replaced with a malicious URL
or malware, and the message is sent from an email address similar to the original domain.
It appears to be a resend of the original or a follow-up.
- Link manipulation: The use of technical deception to make a link
appear to belong to a legitimate organization is called link manipulation.
Misspelled URLs and misleading subdomains are the most common ways to slip
malicious websites into the phishing process. Another common trick is to make the
displayed text of a link look legitimate using hypertext markup language, so that
the link text shows the trusted website's name while the link itself points elsewhere.
- Filter evasion: Phishing emails must evade the mail filters that
would otherwise mark them as spam. Common evasion methods include clone phishing
and the use of images instead of text, which makes the messages harder for
anti-phishing filters to detect, as those filters commonly rely on repositories of
words classified as phishing or spam.
- Website forgery: As the name suggests, website forgery is when scammers create
fake websites that look exactly like the original, sometimes using
JavaScript to alter the address bar of the malicious website to show that of
the original. Sometimes existing flaws in a trusted website's scripts are used
against it by attackers to hijack the web page. Such attacks are
also known as cross-site scripting; they prompt the user to sign in at the
legitimate web page, where everything from the web address to the security
certificate appears correct, but in reality the page has been injected with
malicious code, making it very difficult to identify without professional
knowledge.
- Covert redirect: Covert redirect is a more sophisticated phishing method
that makes use of a legitimate website but eventually
redirects the user to a malicious one. Sometimes malicious browser
extensions are used to redirect users to phishing websites covertly.
- Covert redirect: Unlike normal phishing websites, which are
relatively easy to spot because of anomalies in the URL or the website
itself, covert redirection involves an authentic website altered with nothing
more than a simple pop-up box that prompts the user to log in, stealing the
login credentials while simultaneously redirecting the user to the malicious website.
Some of the more sophisticated techniques exploit flaws in, or the default
behavior of, a website's handling of third-party links (which is fairly common and
least suspicious), such as a prompt to authorize an application
or website. For example, if you click on a malicious link embedded in a
web page, the page asks whether you would like to authorize the
app or website associated with that link. If the user chooses to
authorize, a "token" is sent to the attacker, which may contain the user's
personal and sensitive information. Information such as email address, birth
date, contacts, search history, name, username, and password could be
compromised, and depending on the privileges granted to the "token",
the threat actor may also be able to control access to the user's account.
- Social engineering: Social engineering uses social pretexts
to prompt a person to click on malicious links or attachments. For example, the
recent COVID-19 pandemic has aroused many people's interest in reading
healthcare news and updates, and in response many threat actors
have produced fake news, blogs, health updates, or maps to lure people into
clicking those links.
- Voice phishing: Not all phishing attacks require a fake website
or email. Calls or messages claiming to be from a bank or a legitimate
organization that prompt users to reveal their account numbers, PINs, passwords,
etc., are termed vishing or voice phishing.
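As an added defensive illustration of the link-manipulation tricks listed above (link text naming a trusted site while the href goes elsewhere, a trusted name reused as a subdomain label, and one-character misspellings of a domain), the following Python is not from the original post; the TRUSTED allowlist and the sample e-mail body are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = {"example-bank.com", "example.com"}  # hypothetical allowlist of domains the organisation really uses
class _Anchors(HTMLParser):  # collects (href, visible text) for every <a> in the body
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or "").strip(), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(s):  # lower-cased hostname of a URL, or of a bare domain written as link text
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()
def is_trusted(host):  # exact match or a real subdomain of an allowlisted domain
    return any(host == t or host.endswith("." + t) for t in TRUSTED)
def edit_distance(a, b):  # Levenshtein distance, to catch one-character misspellings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_links(html):  # yields (href, reason) for every anchor showing a link-manipulation sign
    parser = _Anchors()
    parser.feed(html)
    for href, text in parser.links:
        host = host_of(href)
        if is_trusted(host): continue  # genuinely on a trusted domain, nothing to flag
        shown = host_of(text) if "." in text and " " not in text else ""
        if shown and is_trusted(shown):  # visible text names a trusted site, href does not
            yield href, "text shows %s but link goes to %s" % (shown, host)
        for t in TRUSTED:
            if "." + t + "." in "." + host:  # trusted name reused as a subdomain label
                yield href, "%s appears as a subdomain label of %s" % (t, host)
            elif edit_distance(host, t) == 1:  # one-character lookalike domain
                yield href, "%s is one edit away from %s" % (host, t)

# Constructed sample body: a text/href mismatch, a misspelled domain, and one safe link.
SAMPLE = ('<a href="https://example-bank.com.evil.test/login">www.example-bank.com</a>'
          '<a href="http://examp1e-bank.com/verify">Verify now</a><a href="https://www.example.com/help">Help</a>')
```

Running `list(check_links(SAMPLE))` flags the first link twice (text mismatch and subdomain trick) and the second once (misspelling); the third is on an allowlisted domain and is skipped.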
How to Conduct Phishing Simulations Efficiently
Phishing prevention for non-technical staff improves with
the anti-phishing education and awareness provided by many reputable organizations,
including EC-Council's Aware, which provides
education and training for an organization’s employees against phishing attacks.
Understanding phishing only theoretically is not sufficient: even if a person
knows phishing is done via malicious or spam emails, that alone does not let them tell
a benign email from a malicious one. Practical experience of phishing attacks and
how to handle them is therefore very helpful. Aware
offers virtual phishing simulations by sending employees phishing emails,
monitoring their responses, and, based on the results, providing tailored education and
mitigation knowledge.
As the user is the first line of defense against any
cyberattack, knowing how to handle phishing attacks is highly important. Anti-phishing
education organizations can not only help to educate an organization's employees
on ways to recognize and handle phishing emails, but also offer the advice and training of
security experts along the way. Training IT staff on the different modes of
phishing can cover:
- Precautions to follow for remote workers on cloud and VPN access.
- Compilation of security policies and guidelines that help in educating the
workers on phishing.
- Educating IT security professionals on handling and mitigating phishing attacks.
- Training for security responsibilities in the event of phishing attacks.
- Training assistance through demo simulations for real-time phishing attacks.
- Education and awareness regarding the different types of phishing and their prevention
methods for both technical and non-technical personnel.