According to the 2021 State of Phish report, 75% of organizations around the world experienced some kind of phishing attack in 2020 alone. Moreover, 65% of organizations experienced business email compromise attacks, while 35% of businesses experienced spear phishing attacks. What’s more, these phishing attacks cost businesses millions of dollars.

Despite their high frequency, most businesses are not prepared to deal with these attacks. Not only do they fall behind on the protection front, they also don’t know how to react and respond if they come under a social engineering attack, such as phishing. This further exacerbates the situation.

For the cherry on top, most employees are completely oblivious to these attacks, which means that they can become inadvertent victims. There are instances when a single employee has become a victim on multiple occasions. This can be a big pain in the neck for organizations. So, how can you tell whether your employees have fallen victim to a phishing attack or not? By launching an investigation.

Here, we teach you the five steps to effectively investigate phishing attacks.

1.   Data Analysis

The first thing you need to do is to start analyzing the data. Identify the type of phishing attack and carefully evaluate the timeline and distribution method, as well as the malicious content it contains. What are the primary indicators of that phishing attack?

In most cases, it is either an email, malicious code or a phishing website, which is used by cyber attackers. You should also keep an eye on the server and host-based phishing content. This is why it is imperative that you scan ports and look for an open directory or subdomain and keep an eye on SSL certificates.

Remember, the core objective of analyzing the data is to find a clue about the phishing attack. On the other hand, cybercriminals will try to hide their identity by using every trick in the book. They will use fake email addresses, addresses and even phone numbers to avoid being tracked. The more clues you can find, the easier it is for you to connect the dots, and in turn, to see the big picture.

2.   Know The Enemy

The best advice someone can give you when investigating a phishing attack or any type of cyberattack would be to think like a hacker. Put yourself in the shoes of cybercriminals and anticipate their next move. Will they launch a delayed phishing attack or use a traditional phishing method? Once you start thinking like cybercriminals, you have a much better chance of catching them.

Yes, this will require a big shift in mindset but it works. If that seems too daunting for you, you can also spend some time and money knowing more about cyber attackers. Do your research and you will be able to tell the difference between different types of hackers and the different tactics they use to launch phishing campaigns.

3.   Connect The Dots

You now have a sneak peek into what cybercriminals might be thinking and what their next move may be. Once you have reached this point, it is time to connect all the dots and create a vivid image that can help you visualize all the possible scenarios.

Instead of assumptions, your visualizations would be based on hard facts, which makes them as near to reality as possible. Harness the power of open-source threat intelligence and it will guide you in the right direction. Network graph analysis tools, as well as attribution systems, can give you useful information about the infrastructure attackers might be using to launch phishing attacks targeting your business. Since these threat intelligence databases are updated regularly, identifying threat actors won’t be an issue.

4.   Validating Connections

Once you have successfully connected the dots, you will get the chain of phishing activity from a cyber attacker to the victim. Even if you get conclusive evidence about the main culprit, verify it with independent information, which can prove them guilty. Repeat the same process with at least three sources before you can actually put your hands on the cybercriminals.

5.   Catch The Culprit

You are finally within striking distance but you have to play your cards right or all your efforts could go down the drain. This makes it the toughest step, as you might need cross-border collaboration and support of concerned authorities to catch the culprit. Report the case to concerned authorities and present your findings in front of them. Follow up regularly about the progress. All the stakeholders need to be on the same page in order to bring cybercriminals to court, otherwise they can easily get away with their malicious actions.

How do you investigate phishing attacks? Share it with us in the comments section below.