Trivon Paul

CYS 227

Cybersecurity Research Paper - Phishing attacks

11/6/2022

Paul 2

Table of Contents

Table of Contents

Introduction

Discussion

Conclusion

Works Cited

Introduction

What is a phishing attack? As a quick introduction, a phishing attack is the use of social engineering to get victims to give up information, which threatens the integrity of their security. There are many types of phishing attacks, such as spear phishing, voice phishing, social media phishing, and whaling. With the CIA triad in mind, a phishing attack mainly affects Confidentiality, since it works by getting its victims to give up sensitive information. When it comes to cybersecurity, social engineering attacks account for 98% of cyber attacks. Phishing attacks are the main threat to basic cyber security.

Discussion

What is the process of a phishing attack? As listed before, a phishing attack can come in many forms. The most basic form is where someone pretends to be from a trusted organization, or to be a trusted person, in order to get information from their victim. A good example of this is someone sending you a text pretending to be a bank, stating that someone has made an unauthorized purchase with your account and begging you to click a link and log in to your account to clear it up. Unfortunately, by clicking that link and entering your login information for your bank account, you have just given up your bank login. With this information, they can gain access to your account and empty it or sell your financial information. As you can see, the financial impact of this kind of attack is huge, because it gives an attacker absolute control over a particular system. The most common interactions we have with phishing attacks are robocalls, spam emails, and spam text messages.

How do phishing attacks affect the CIA triad? The CIA Triad is the main principle of cybersecurity, where C is for Confidentiality, I is for Integrity, and A is for Availability. Confidentiality is about how secure the data is: only parties that need access to that data have it, and it is kept away from everyone else. Integrity is about how correct the data is and that it hasn’t been modified by a malicious party. Availability is about whether those who have access to the data can get to it. Phishing attacks mainly affect Confidentiality within the CIA triad, because the attacker obtains private information that they were not otherwise able to access. They can affect Availability when an attacker uses confidential information, like specific credentials to a system, to restrict access to others. They may also affect Integrity, with attackers making modifications to certain records or data that are necessary for an organization to run. This compromise in security can cause reputational damage to a single person or a whole organization.

What are the different types of phishing attacks? Of the many different phishing attacks, the most common one is spear phishing; then you have voice phishing, social media phishing, and whaling (Cisco). Spear phishing is the process of an attacker focusing on and targeting a specific individual in order to appear more trustworthy. This type of attack has a success rate of 95% in gaining access to enterprise networks. Voice phishing is the act of using telecommunication services to make victims susceptible to a phishing attack. Since we are used to phone calls coming from a trustworthy party, we tend to believe what we are being told. A good example of this is a person calling, claiming to be a part of the fraud division of your credit card company, to warn you that your identity has been stolen. At that moment you are in a sense of panic, because you have seen in movies and news articles that becoming a victim of identity theft is a huge burden. The person would then push you to sign up for a program that the fraud division is offering to prevent this from happening. This is when they will ask for PII (Personally Identifiable Information) to verify your information. This gives the attacker access to all of your PII, and they could then steal your identity. With the rise of robocalls, this has become the new common form of a phishing attack. Another form of phishing attack is social media phishing, which is the act of conducting a phishing attack through a social media platform like Snapchat, Instagram, Twitter, or LinkedIn. A phishing attack through LinkedIn is extremely damaging: you believe you’re talking to a potential new employer, but in reality you are talking to an attacker who just wants your PII. You’re more likely to give it to them in the form of an I-9 form. Whaling's main objective is to target senior executives for a phishing attack. This type of attack can come in the form of an email or robocall. The idea of social engineering is still being used to carry out these attacks. Across these different kinds of attacks, the theme remains the same: attackers try to trick their victims into giving up valuable information about themselves or an organization.

What is the impact of a phishing attack? As mentioned above, the effects of a phishing attack are huge, ranging from compromised data to the availability of systems. Some examples of notorious phishing attacks are the Colonial Pipeline Shutdown, the Nordea Bank Incident, and the FACC. The most memorable attack was the FACC phishing attack, which cost the company 47 million and led to the dismissal of the CEO of the Austrian aerospace parts maker. So how did the attacker get away with 47 million dollars? It all started with a fake email, posing as the CEO, demanding that the employee transfer money to an account for a fake acquisition project. “The supervisory board came to the conclusion that Mr. Walter Stephan has severely violated his duties, in particular in relation to the ‘fake president incident’,” FACC said (Reuters). The impact of this attack caused the company to operate at a huge loss. This all could have been prevented if the employee had done extra vetting to ensure it was the CEO who was making this request. At the same time, the CEO not investing in more employee training to avoid attacks like this caused it to happen. This is just one of the many controls that the company could have implemented to prevent this.

After looking at the pitfalls of the FACC phishing attack, what are some controls that could be put in place to prevent this from happening? The CEO of FACC could have implemented more cybersecurity training, especially on how to handle certain emails that an employee might get. Another control is email filtering, which only allows employees to receive emails from certain organizations. Companies should have policies that warn employees about links they might click within emails, to make sure they stay compliant with organization policies on how they must handle emails.
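The email-filtering control above, combined with the extra vetting the FACC case called for, can be sketched as a small triage function. This is an added example, not part of the original paper; the domains, executive name, keyword list and sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed values for illustration; replace with your organization's own.
INTERNAL_DOMAIN = "example-aero.test"
ALLOWED_DOMAINS = {INTERNAL_DOMAIN, "supplier.test"}
EXECUTIVE_NAMES = {"jane doe"}
PAYMENT_WORDS = ("transfer", "wire", "payment", "acquisition")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw):
    """Return (verdict, reasons) for one raw single-part message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = domain_of(addr)
    reasons = []
    if domain not in ALLOWED_DOMAINS:
        reasons.append("sender domain not on allowlist")
    # The From header is trivially forged, so an internal-looking sender only
    # counts if the receiving mail server recorded a DMARC pass (assumes the
    # server strips any Authentication-Results header supplied by the sender).
    auth = msg.get("Authentication-Results", "").lower()
    if domain == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        reasons.append("internal sender without DMARC pass")
    if name.strip().lower() in EXECUTIVE_NAMES and domain != INTERNAL_DOMAIN:
        reasons.append("executive display name from external address")
    if reply_to and domain_of(reply_to) != domain:
        reasons.append("Reply-To domain differs from From domain")
    if not reasons:
        return "deliver", reasons
    body = str(msg.get_payload()).lower()
    # Suspicious mail that also asks for money goes to a human for
    # out-of-band confirmation with the named sender.
    if any(word in body for word in PAYMENT_WORDS):
        return "escalate", reasons
    return "quarantine", reasons

FAKE_CEO = """\
From: "Jane Doe" <jane.doe@mail-example.test>
Reply-To: j.doe@other.test
Subject: Confidential acquisition

Please transfer the funds today for the acquisition project.
"""
PARTNER = """\
From: "Orders" <orders@supplier.test>
Subject: Shipping notice

Your parts shipped this morning.
"""
```

A domain allowlist on its own would pass a forged internal address, which is why the sketch also requires a DMARC pass for internal senders and routes payment requests to manual verification.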

Conclusion

To conclude, phishing attacks are the main threat to basic cyber security, with 1 in 10 attempts being successful. The impact of phishing attacks on US organizations is 15 million per year (Proofpoint). The only way to mitigate these kinds of attacks is by educating users and implementing controls to prevent users from falling victim to them. Having good antivirus software can also help by making sure a phishing attack doesn’t harm more important systems through a virus or a worm. In the end, the only way to prevent these phishing attacks is through education and making sure users know who and what to trust.


Works Cited

“Austria's FACC, Hit by Cyber Fraud, Fires CEO.” Reuters, Thomson Reuters, 25 May 2016, https://www.reuters.com/article/us-facc-ceo/austrias-facc-hit-by-cyber-fraud-fires-ceo-idUSKCN0YG0ZF.

“Famous Phishing Incidents from History.” Famous Phishing Incidents from History | Hempstead Town, NY, https://www.hempsteadny.gov/635/Famous-Phishing-Incidents-from-History.

Irwin, Luke. “The 5 Biggest Phishing Scams of All Time.” IT Governance Blog En, 7 Oct. 2022, https://www.itgovernance.eu/blog/en/the-5-biggest-phishing-scams-of-all-time.

“What Is Phishing? Examples and Phishing Quiz.” Cisco, Cisco, 28 July 2022, https://www.cisco.com/c/en/us/products/security/email-security/what-is-phishing.html#~how-phishing-works.

“The 2021 Ponemon Cost of Phishing Study: Proofpoint Us.” Proofpoint, 14 Sept. 2021, https://www.proofpoint.com/us/resources/analyst-reports/ponemon-cost-of-phishing-study.
