Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It can have devastating results for individuals and organizations alike: unauthorized purchases, stolen funds and theft of information.
It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message or text message, or into taking a phone call. The most common types of phishing attack are described below:
EMAIL PHISHING – most common one
Sent by email. The criminal registers a fake domain that mimics a genuine organization and sends out thousands of generic requests. The fake domain often relies on character substitution, such as placing ‘r’ and ‘n’ next to each other so that ‘rn’ passes for ‘m’. Alternatively, the criminal puts the organization’s name in the local part of the address (the part before the @ in an address like email@example.com) rather than in the domain, hoping that the sender will simply appear as ‘PayPal’ in the recipient’s inbox.
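The two sender tricks just described (character-substitution lookalike domains, and a brand name placed in the local part or display name rather than the domain) can be caught with a few header checks. The following is an added example written for this page, not code from the original post; the trusted-domain list, the substitution table and the sample From headers are all constructed for illustration, and the table is deliberately small.

```python
"""Flag lookalike sender domains and brand spoofing in email From headers.

Added example for this page. The trusted domains, the confusable table and
the sample headers below are constructed for illustration, not real data.
"""
from email.utils import parseaddr

# Domains the organization legitimately sends from (constructed for this example).
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com"}

# Character sequences used in lookalike domains, each mapped to the real letter
# it imitates, so that a lookalike and the genuine domain collapse to the same
# 'skeleton'. Illustrative, not exhaustive.
CONFUSABLES = [
    ("rn", "m"),
    ("vv", "w"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
    ("3", "e"),
    ("5", "s"),
]


def skeleton(domain: str) -> str:
    """Normalize a domain so visually similar spellings collide."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def registrable_domain(host: str) -> str:
    """Reduce 'login.paypal.com' to 'paypal.com'.

    Uses the last two labels only; a real deployment should consult the
    public suffix list so that names like 'example.co.uk' are handled."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def analyze_from(header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return the sending domain, the trusted domain it imitates (if any),
    and a list of human-readable findings for one From header."""
    display, addr = parseaddr(header)
    local, _, host = addr.rpartition("@")
    domain = registrable_domain(host) if host else ""
    brands = {t.split(".")[0] for t in trusted}
    findings = []

    if domain in trusted:
        # Genuine sending domain: nothing to flag on these heuristics.
        # Authenticity still depends on SPF/DKIM/DMARC passing for it.
        return {"domain": domain, "lookalike_of": None, "findings": findings}

    # 1. Character-substitution lookalike, e.g. rnicrosoft.com imitating microsoft.com
    lookalike_of = next((t for t in sorted(trusted) if skeleton(t) == skeleton(domain)), None)
    if lookalike_of:
        findings.append(f"domain {domain} is a lookalike of {lookalike_of}")

    # 2. Brand name in the local part, e.g. paypal@mail-host.net
    for brand in sorted(brands):
        if brand in local.lower():
            findings.append(f"local part '{local}' carries brand '{brand}' but domain is {domain}")

    # 3. Display name claims the brand, or is itself an address at a trusted domain
    shown = display.lower()
    if "@" in shown and registrable_domain(shown.rpartition("@")[2]) in trusted:
        findings.append(f"display name '{display}' shows a trusted address but the real sender is {addr}")
    else:
        for brand in sorted(brands):
            if brand in shown:
                findings.append(f"display name '{display}' claims brand '{brand}' but domain is {domain}")

    return {"domain": domain, "lookalike_of": lookalike_of, "findings": findings}


if __name__ == "__main__":
    # Constructed sample headers: one genuine sender and four spoofing attempts.
    for h in ('PayPal <service@paypal.com>',
              'PayPal Support <service@paypa1.com>',
              'Microsoft Account Team <no-reply@rnicrosoft.com>',
              'paypal@mail-host.net',
              '"security@paypal.com" <attacker@mail-host.net>'):
        print(h, "->", analyze_from(h)["findings"] or "no findings")
```

These checks are a complement to, not a replacement for, SPF, DKIM and DMARC: a passing DMARC result tells you the domain in the From header was authorized to send, but says nothing about whether that domain is a lookalike of one you trust, which is exactly the gap the skeleton comparison fills.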
SPEAR PHISHING
This is a more targeted attack: the criminal already has some or all of the following information about the victim: their name, place of employment, job title, email address and specific details of their job role.
One of the most famous data breaches of recent years, the hacking of the Democratic National Committee, was carried out with the help of spear phishing. The first campaign sent emails with malicious attachments to more than 1,000 email addresses; its success led to a second campaign that tricked members of the committee into handing over their passwords.
WHALING
Whaling attacks are more targeted still, taking aim at senior executives. The goal is the same as in any other phishing attack, but the technique tends to be far subtler. Fake links and malicious URLs are of little use here; instead the criminal imitates senior staff and relies on a plain, plausible message to draw the target into the scam.
SMISHING AND VISHING
Here the telephone replaces email as the channel. Smishing involves criminals sending text messages whose content is much the same as in email phishing; vishing involves a telephone conversation. A common vishing scam has the criminal pose as a fraud investigator from the victim’s card company or bank, telling the victim that their account has been breached. The criminal then asks the victim to provide payment card details to ‘verify their identity’, or to transfer money into a ‘secure’ account, by which they mean the criminal’s own account.
ANGLER PHISHING – most recent
This is a more modern kind of attack in that it uses social media. Social media offers criminals several ways to trick people: fake URLs; cloned websites, posts and tweets; and instant messaging, which is essentially smishing over a different channel. All of these can be used to persuade people to disclose sensitive information or download malware. Criminals can also mine the information people willingly post on social media to build highly targeted attacks.
In 2016, thousands of Facebook users received messages telling them they had been mentioned in a post. The messages had been sent by criminals and set off a two-stage attack. The first stage downloaded a Trojan containing a malicious Chrome browser extension onto the user’s computer. When the user next logged into Facebook from the compromised browser, the criminal could hijack the account, change its privacy settings, steal data and spread the infection to the victim’s Facebook friends.
Phishing attacks may sound frightening, but with care and the right habits this kind of trap is usually easy to avoid. First, read emails carefully and stay alert to any suspicious message, or even an ordinary-looking one that seems out of place. Second, look for the giveaways: phishing attacks almost always carry some tell that helps you recognize them. The video below shows the most common ones:
It is difficult to keep track of everyone inside a company, so the tips above are worth sharing with your colleagues to help prevent these scams.
Phishing scams are a real danger to both your company and your personal information, so be careful and keep an eye out for these attacks. If you have read this far and are still not convinced that phishing deserves attention, here are 5 Reasons to Start Taking Phishing Seriously:
1) The volume of spam emails increased by 400 percent in 2016 — IBM Threat Intelligence Index 2017
2) More than 400 businesses are targeted with business email compromise (BEC) scams every day — Symantec 2017 Internet Security Threat Report (ISTR)
3) Volume of W-2 phishing lures increased 870 percent during the early months of 2017 — IRS Return Integrity Compliance Services
W-2 scams are a subset of BEC in which the phisher poses as a senior company executive and asks payroll or HR staff for employees’ W-2 forms in order to commit tax fraud. Naturally, this type of scam is largely confined to the first few months of the year, when W-2s are issued and tax returns are filed.
4) Phishing volume grew by a massive 41 percent in Q2 2017 — PhishLabs Phishing Trends & Investigations Report Q2 2017
5) Almost half of all breaches are caused by phishing — Verizon 2017 Data Breach Investigations Report
Extra reason: during the worldwide crisis brought on by COVID-19, it is especially important to watch for phishing emails that use a ‘Covid’ hook. Criminals have no qualms about exploiting a sensitive subject like this one to lure you into opening an email such as “The Covid Cure” or “The COVID-19 lies the government is telling us”.
Stay alert to all suspicious emails, and remember that criminals will use your emotions, your personal information and current events to deceive you.