computer keyboard with blue keys except for a red key with a lock and the word phishing

Don’t get Caught Up in the Latest Phishing Attack

The practice of phishing isn’t gone. It’s just evolving.


Don’t Get Caught Up in the Latest Phishing Attack


If you received an email from a Nigerian prince offering you half his kingdom if you would just wire him $50 to support recapturing his throne, you likely wouldn’t click the link. Or claim your reward.

But what if it was an email that looked like it was from Gmail saying that someone had tried to log in to your account and you needed to immediately change your password?

What is Phishing?

Phishing traditionally refers to the practice of sending out fraudulent emails in order to get an individual to reveal personal information, such as passwords or credit card information.

Yet, as the Internet has evolved, so have attack vectors.

Now, phishing can be done through phone, text, or even social media.

Think you’re immune?

Even John Podesta & Colin Powell fell victim to it. I’d imagine those are two pretty careful guys with pretty careful staff.

How Does it Work? Social Engineering & Exploitation.

Modern attackers have come a long way since the Nigerian prince scam.

Now, phishing emails (or calls or texts) come as messages purporting to be from your bank. Or Apple. Or a colleague who desperately needs you to open an attachment.

Phishers take advantage of the trust garnered between people and institutions and exploit it. It’s social engineering and exploitation.

Attackers mirror relationships you have in your life, then exploit them.

Phishing traditionally refers to the practice of sending out fraudulent emails in order to get an individual to reveal personal information, such as passwords or credit card information.

Really savvy attackers will even go so far as to spoof a landing page that looks like the genuine thing in order to reinforce trust. For example, you click a link to reset your compromised Gmail password and are taken to a page that looks like Gmail. (In fact, this kind of congruent attack is getting even easier, with the prevalence of phishing kits.)

Depending on your browser and device, the actual URL may be hidden once the page loads.

Even so, they often use ‘similar sounding’ URLs so that they overcome any skepticism the user might have.

Of course, there’s always a form on the page and, as the user enters their information, keystrokes are recorded, information is recorded, and/or malware is loaded onto the user’s system. Perhaps for later use in a DDoS attack.

Casting Wide Nets

Phishing works in large part by the law of averages.

Cast large nets, get some people to respond. According to, there are over 100 Billion (yes, with a “B”!) phishing emails sent every day.

Users who fall prey to phishing attacks are not only at risk of having malware loaded onto their machine, but also compromising their friends and contacts whose information might also be on the machine.

Attackers can then use this more specific information to carry out more targeted attacks. With more specific information and more targeted attacks, phishers can make emails, texts, and messages seem that much more authentic, raising the trust quotient that much more, and thus, the vicious cycle compounds.

Yes, You are At Risk

In 2017, Keepnet Labs published a report on phishing (download required). In their report, they ascertained that 91% of system breaches in business are caused by a phishing attack.

Moreover, the same report found that most employees in departments that handle large scale data have trouble recognizing phishing emails.

That means your customer service reps who receive – and respond to – customer, vendor, and partner emails all day are among the most vulnerable attack vectors in your organization.

The success of phishing makes it imminently worth it to attackers; the average attack on a business nets ~$1.6M (ibid.).

What’s more, there is evidence that cybercrime is on the rise, buoyed in part by the success of social engineering and the desire of some foreign actors to influence political outcomes. In fact, Microsoft thwarted a phishing attack linked to Russian agents just ahead of the 2018 midterm elections.

How to Protect Your Organization

Naturally, you want to make sure you have your bases covered; use spam filters, set up user’s browsers to prevent fraudulent websites from opening, and force users to change passwords frequently. Have a firewall.

As with so many potential threats, one of the largest liabilities is your people. You have to make sure that you have a good user education program that helps individuals to recognize what phishing emails look like and how to discern legitimate emails/texts/calls from illegitimate ones. At the very least, circulate’s list of 10 ways to avoid phishing scams.

(As an aside, you may even want to check’s database of phishing attempts to see what brands are most frequently represented in phishing attacks. You can also see, in real time, examples of phishing attack the software is catching.)

What if a User is Compromised?

While preventative software can take you part of the way towards preventing against phishing attacks, the reality is that users are often your most vulnerable attack vector.

In order to mitigate any potential liability, you want to make sure you’ve not only got preventive software, but good backend software to recognize if a threat has taken place. For example, a good SIEM can mine your logs to find aberrations in behavior, browser activity, or other indicators that a phishing attack may be underway or have occurred. If backed by a good security operations team, the appropriate measures can be taken quickly to prevent any real harm – or loss – from occurring to your organization, your employees, or your stakeholders.

Hidden Threats and Cyber Attacks: Reveal and Respond to Some of the Hardest to Detect Cyber Attacks

Jason Miller

Jason Miller, Founder and CEO of BitLyft Cybersecurity, has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider. Outside his cybersecurity pursuits, Jason is an avid tree farmer and outdoor enthusiast, planting nearly 300 trees on his ten-acre plot and finding joy in hiking, hunting, and driving his white Tesla Model 3. His diverse passions mirror the balanced blend of expertise, dedication, and joy he brings to BitLyft.

More Reading

Manufacturing Cyber Attacks
Popular Types of Cyber Attacks In Manufacturing
Cyber attacks are on the rise with one report suggesting that they have increased by 59%. Cyber attacks in manufacturing do not gain as much news coverage or discussion as attacks on retail stores or...
red dots of a particle
How to Protect from Adware
The Internet is awash with advertising. Companies like Google & Facebook earn billions of dollars a year serving ads. The news sites you likely visit serve ads. Blogging moms earn livings serving...
woman looking at tiktok on her phone
The Countdown To The End Of TikTok?
Over the middle few months of 2020 the social media app TikTok has grown rapidly in popularity, and videos appearing on the app have been going viral for some time. But at the same moment the app is...