How to Identify and Thwart Phishing Attacks Against Your Customers and Employees

Phishing is a popular social engineering tactic used by hackers, typically intended to dupe users into clicking on a link, opening a malicious file and/or giving away some sort of personal info. Sometimes the phishing attempt is the primary goal of the attack, like tricking a user to download ransomware. Other times, it’s part of a larger attack, like having someone submit their credentials on a fake login site, allowing the hacker to use them later to access confidential data.

In either scenario, phishing attacks can be very effective at targeting both employees and customers because hackers often use popular brands to trick users. This can be a major challenge for companies, because it’s their responsibility to keep their customers safe, yet they have little control over how hackers might use their brand to run phishing schemes.

Here is how you can help identify and take down phishing attacks before they are ever launched against your customers or your employees.

Identifying Phishing Attacks in the Planning Phase

In order to stop phishing attacks, organizations must use the planning phase to their advantage. Hackers often collect information about their targets using Dark Web forums in order to make their attacks more targeted and successful. By monitoring sources across the surface, deep and dark web, you can identify these key indicators of phishing attacks, enabling you to prepare your organization and take down phishing attempts before they are carried out.

Common Phishing Attack Indications

So what should you monitor for in order to identify and take down phishing attacks? Here are some common indicators that your organization is being targeted.

Suspicious Domain Registered (Bonus: MX Records Added)

Every phishing attack needs to use a domain name in order to send an email and/or deliver a malicious payload. Cybercriminals often use domain names that are similar to popular brands or websites (for example, in order to appear legitimate. As an organization, you need to know when domains similar to yours are registered, as they are key steps in the phishing attack process.

In addition, if MX records are added, that typically indicates the domain will be used to send emails, which is another key indication the domain may be used in a phishing attack.

To protect your customers and employees, you need to have some sort of monitoring process in place to track when similar domains are registered and if MX records are added. If a potential phishing domain is registered, be sure to block that domain in your URL filtering system and work with the registrar to take it down before it’s used in an attack.

Fake Email Address

The key to a successful phishing attack is getting the user to believe an email is legitimate and engage with it in some way. Hackers often do this by mimicking key employees (like the CEO for an employee attack) or popular brands (for a “consumer” attack). Therefore, companies should also monitor for fake email addresses that use key employee or executive names (e.g. CEO’s name), or email addresses that use brand names (e.g. FedEx Shipping Notification).

If one of these addresses is discovered, be sure to block the domain in your mail relay system and again, work with the registrar to have the domain taken down.

Fake Mobile Application or Social Media Account

While email is a popular attack vector for phishing schemes, it’s not the only one. More recently, hackers have started using social media and mobile app stores to impersonate popular brands and trick users into giving away their information.

Users aren’t always careful with what applications they download or which social media pages they engage with, and as a result, this has become an increasingly successful attack vector for cybercriminals.\

Companies need to monitor various social media sites to identify fake pages and alert the site if one is found. Additionally, they should monitor mobile app stores, especially the non-official app stores, to look for and take down fake mobile applications using their brand.

Leaked Employee Credentials

There is no shortage of leaked credentials these days across the dark web. Not only do hackers use these credentials to access corporate systems and confidential information, they can also be used to send phishing emails to employees within the organization. For example, if a hacker wants to install malware on a CEO’s computer, rather than sending them an email from a phishing domain, they may try to purchase an employee’s email credentials on the dark web in order to send the CEO a malicious link. Alternatively, they may try to phish email credentials from employees in order to access their email account.

These types of phishing attacks can be very successful because email systems don’t typically block emails from within the organization.

Leaked credentials are often used as the starting point of a phishing attack. Therefore, organizations need to monitor the dark web for leaked employee credentials. Not only will this help you protect against phishing attacks, but will help you lock down other potentially accessible systems and even identify potential leaks in your organization.

Employees on Phishing Target List

Phishing attacks aren’t always planned in complete isolation. Hackers sometimes post target lists for phishing attacks on dark web forums to coordinate and plan their attacks. Identifying these lists can help you identify who and how an attacker may be planning to launch a phishing attack. In addition, a hacker might solicit help building a website for a phishing campaign, or may even purchase a ransomware program to use in their attacks.

Organizations should monitor dark web forums for these common indications of a planned phishing attack.


Phishing is a fairly simple, yet effective tactic used by hackers, and we’ve seen plenty of creativity in how they attempt to trick users into clicking a link or opening a file. Organizations have a responsibility to their customers to protect them against phishing attacks, even if the organization is not to blame for the attack. However, the planning and coordination of phishing attacks can be used as an advantage. Using cyber threat intelligence, Organizations need to monitor for these key indicators of phishing attacks in order to proactively protect their employees and their customers.

Want to learn more about how the dark web is used to plan cyber attacks?

Download our Dark Web 101 eBook

Stay up to Date!

Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.