Back
Cyber Security Training & Software for Companies | MetaCompliance

Products

Discover our suite of personalised Security Awareness Training solutions, designed to empower and educate your team against modern cyber threats. From policy management to phishing simulations, our platform equips your workforce with the knowledge and skills needed to safeguard your organisation.

Cyber Security eLearning

Cyber Security eLearning to Explore our Award-Winning eLearning Library, Tailored for Every Department

Security Awareness Automation

Schedule Your Annual Awareness Campaign In A Few Clicks

Phishing Simulation

Stop Phishing Attacks In Their Tracks With Award-Winning Phishing Software

Policy Management

Centralise Your Policies In One Place And Effortlessly Manage Policy Lifecycles

Privacy Management

Control, Monitor, and Manage Compliance with Ease

Incident Management

Take Control Of Internal Incidents And Remediate What Matters

Back
Industry

Industries

Explore the versatility of our solutions across diverse industries. From the dynamic tech sector to healthcare, delve into how our solutions are making waves across multiple sectors. 


Financial Services

Creating A First Line Of Defence For Financial Service Organisations

Governments

A Go-To Security Awareness Solution For Governments

Enterprises

A Security Awareness Training Solution For Large Enterprises

Remote Workers

Embed A Culture Of Security Awareness - Even At Home

Education Sector

Engaging Security Awareness Training For The Education Sector

Healthcare Workers

See Our Tailored Security Awareness For Healthcare Workers

Tech Industry

Transforming Security Awareness Training In The Tech Industry

NIS2 Compliance

Support Your Nis2 Compliance Requirements With Cyber Security Awareness Initiatives

Back
Resources

Resources

From posters and policies to ultimate guides and case studies, our free awareness assets can be used to help improve cyber security awareness within your organisation.

Cyber Security Awareness For Dummies

An Indispensable Resource For Creating A Culture Of Cyber Awareness

Dummies Guide To Cyber Security Elearning

The Ultimate Guide To Implementing Effective Cyber Security Elearning

Ultimate Guide To Phishing

Educate Employees About How To Detect And Prevent Phishing Attacks

Free Awareness Posters

Download These Complimentary Posters To Enhance Employee Vigilance

Anti Phishing Policy

Create A Security-Conscious Culture And Promote Awareness Of Cyber Security Threats

Case Studies

Hear How We’re Helping Our Customers Drive Positive Behaviour In Their Organisations

A-Z Cyber Security Terminology

A Glossary Of Must-Know Cyber Security Terms

Cyber Security Behavioural Maturity Model

Audit Your Awareness Training And Benchmark Your Organisation Against Best Practice

Free Stuff

Download Our Free Awareness Assets To Improve Cyber Security Awareness In Your Organisation

Back
MetaCompliance | Cyber Security Training & Software for Employees

About

With 18+ years of experience in the Cyber Security and Compliance market, MetaCompliance provides an innovative solution for staff information security awareness and incident management automation. The MetaCompliance platform was created to meet customer needs for a single, comprehensive solution to manage the people risks surrounding Cyber Security, Data Protection and Compliance.

Why Choose Us

Learn Why Metacompliance Is The Trusted Partner For Security Awareness Training

Leadership Team

Meet the MetaCompliance Leadership Team

Careers

Join Us and Make Cybersecurity Personal

Employee Engagement Specialists

We Make It Easier To Engage Employees And Create a Culture of Cyber Awareness

MetaBlog

Stay informed about cyber awareness training topics and mitigate risk in your organisation.

The Elements of a Convincing Phishing Attack

Spear phishing

about the author

Share this post

Cassie Chadwick was a fraudster at the turn of the 20th century. Chadwick committed an early version of identity theft to carry-out wire fraud, convincing banks that she was Andrew Carnegie’s illegitimate daughter to take out loans against this claim. In 1905, Cassie was sentenced to ten years in prison for defrauding a bank. Successful scams, like Chadwick’s, become the stuff of legend. Over the centuries, fraudsters have used social engineering and similar scams to amass vast sums of money by tricking their targets. Today, fraudsters use modern communications such as email to carry-out scams. However, they still need to use the elements of a convincing story to make sure that a phishing email successfully tricks its recipient. Here are the elements of a convincing phishing attack.

Why Focus on Phishing Attacks?

Phishing attacks have been around since the early days of email. This makes sense as email can be used as the connecting point between a hacker and the corporate network; aka, a communication gateway that can open that network by helping to steal passwords, usernames, and email addresses or deliver malware. Phishing remains the “most common attack vector” according to the latest UK government research presented in the report “Cyber Security Breaches Survey 2021”. The reason for the continued use of phishing is because it continues to be highly successful with up to 32% of employees clicking on a phishing email link and up to 8% not even knowing what a phishing email is. A single employee clicking a phishing email link then entering login credentials puts the entire company at risk of a data breach or malware infection. Even employees with lower access privileges can still lead to privilege escalation and data breaches. Phishing is a main point of attack, and as such, cybercriminals put effort into making this attack vector convincing to ensure success.

Elements of Success for Phishing Employees

To successfully phish an employee, a fraudster needs to make sure the entire phishing campaign is convincing from the look and feel of the email, right the way through to any spoof site that the phishing links take the employee to. The elements of a convincing phishing campaign are increasingly sophisticated and involve:

Brand Impersonation

Brand spoofing has been used since the advent of email phishing. Certain brands are popular with companies, and they are consistently used to trick recipients into believing the email is legitimate and handing over their personal information. Check Point carries out regular research into the most popular brands that are used as a basis for phishing campaigns. One of the most spoofed brands in 2021 was Microsoft, the brand being used in around 45% of phishing campaigns in Q2 of 2021.

Rogue, Long, and Redirected URLs

Hovering over a link in an email is not always a sure-fire way to spot a malicious link. Recently, fraudsters have started to use ‘rogue URLs’ to mask the malicious nature of a phishing link. This typically involves hiding the true address of a link using special characters. A URL Encoder is used to change a URL by adding percentage signs, i.e., starting a URL string with a % character to hide the true nature of a web address. These URLs are accepted by Google so is hard to prevent using static content filters. Very long URLs are also used to mask a malicious web address. Email links on mobile devices are notoriously difficult to see, and very long URLs are making it even more difficult to spot suspicious links. The use of multiple links and redirects is also now used to confuse users. A recent multi-redirect phishing campaign took users through a series of redirects, ending in a Google reCaptcha page that then finally redirected to a spoof Office 365 page where login credentials were stolen.

False Security Signals

People can no longer rely on the use of security signals to indicate a website is trustworthy. For example, the lock symbol seen on certain websites and is associated with the S at the end of HTTP, i.e., HTTPS. This indicates that a website uses a digital certificate (SSL certificate) as a signal that it is a secure site. However, the Anti-Phishing Working Group (APWG) identified that 82% of phishing sites used an SSL certificate in Q2 of 2021.

Social Engineering Tricks

All the above tactics are backed up by several well-tested social engineering tricks that catch out employees, moving them to the next level of the phishers campaign game. It is the social engineering aspect of phishing that allows cybercriminals behind the campaign to kickstart the process that ends in ransomware, data breaches, and other types of cyber attacks. Social engineering is a coverall term that uses a variety of techniques to manipulate employee behaviour; typical methods include:
  • Urgency: a phishing email or text message might use an urgent request to perform a task. Business Email Compromise (BEC) that applies phishing components in the attack often uses this trick. An example is a spoof email that may look like it is from a high-level executive with an urgent request to transfer money to a new client or risk losing the client.
  • Other emotional triggers: fraudsters play with people’s emotions to make them perform tasks such as clicking on a malicious link in an email or providing sensitive information. Curiosity, concern over security, wishing to please, and wanting to do a job well, are all used as phishing bait.
  • Spear phishing and reconnaissance: to perfect their phishing attacks, fraudsters may use spear phishing. This targeted form of phishing is behind many attacks, but it does require more effort by fraudsters as they create emails that closely reflect the role of the individual being targeted. To make spear phishing emails a success, fraudsters typically carry out reconnaissance of the target before creating the phishing campaign.
Cybercriminals are masters at creating successful phishing campaigns and the statistics prove this. A report by the APWG said that “after doubling in 2020, the amount of phishing has remained at a steady but high level.” The elements of a convincing phishing attack are tried, tested, and trusted by fraudsters. By understanding these elements an organisation can more effectively mitigate them.

How To Defend Your Organisation Against a Phishing Attack 

Increasingly, the elements of a successful phishing attack are based on applying techniques to evade traditional anti-phishing technologies such as content filters. This doesn’t mean to say that content filters do not play a part in protecting a company against sophisticated phishing campaigns. However, they cannot be relied upon. Phishing campaigns continue to use the human in the machine as their way into a corporate network. We should expect this situation to continue, and for phishing campaign developers to always find ways around technology. A layered approach to phishing control is to empower your workforce with the tools to prevent successful phishing. By using a mix of Security Awareness Training coupled with the use of ongoing phishing simulation exercises, a workforce is primed to spot a phishing email before it becomes an entry point.
Risk of ransomware

Other Articles on Cyber Security Awareness Training You Might Find Interesting