Phishing attacks remain one of the primary digital security risks. If in doubt about whether an email you received is legitimate, always get in contact with its sender directly through another channel.
Be particularly wary if the email includes emotive or alarmist language. Remember, legitimate organizations will never ask for personal information via email.
Introduction to Phishing
Phishing has long been one of the most infamous cyber attacks and is linked to some of the largest data breaches ever experienced – like Target in 2013. Phishing has also led to numerous infamous email leaks, like that of Hillary Clinton’s campaign chairman John Podesta.
Phishing involves coaxing victims into giving away sensitive data by impersonating legitimate companies in emails, ads or other online communications. Crooks lure you into clicking a link leading to an impostor website where you’re asked for personal details or your login username/password; all data entered there goes straight into criminals’ hands.
Though phishing has been around for nearly 20 years, its wide adoption didn’t occur until 1995. A famous attack called Love Bug in 2000 first made people aware of phishing: it spread malware across millions of computers when potential victims opened an attachment titled “ILOVEYOU,” unleashing a worm which overwrote image files and sent copies of itself to victims’ contacts.
What is phishing?
Phishing refers to any cyber attack which uses social engineering techniques to deceive unwary victims into divulging personal information or clicking a malicious link, in order to steal personal data, financial accounts and/or network credentials.
Attackers use emails, phone calls and texts from fraudulent organizations to target victims with scams that convince them to provide their account or credit card numbers voluntarily. Such scams typically ask victims to click a link or call a given number and then provide account or credit card data, which lets attackers gain entry to the victims’ accounts and cause financial loss.
Spear phishing attacks oftentimes target specific people or businesses – hence the name. Attackers collect or purchase detailed information on an individual and then craft an email that appears genuine enough to trick the victim. This tactic is known as a man-in-the-middle attack and is one of the most dangerous types of phishing.
Types of phishing attacks
Phishing attacks occur when criminals use deceptive emails, websites or ads as bait to con unsuspecting users into providing personal information such as usernames, passwords, credit card numbers and other valuable details that they would normally keep confidential. Phishing is a play on the word fishing: the criminals dangle fake lures and “fish” for victims who will take the bait and “bite.”
Phishing involves sending emails or links with malicious attachments or hyperlinks designed to lure victims onto fake websites that pose as trusted institutions like banks, workplaces and universities in order to collect private data from victims.
Cybercriminals may spoof popular brands to make their attacks seem more convincing and create short links specifically targeting mobile users. Another type of phishing attack, called watering hole phishing, occurs when an attacker exploits vulnerabilities in third-party websites to inject malware, and uses that compromised site to either phish for information or distribute further malware to visitors. Man-in-the-middle attacks provide another layer of sophistication: an attacker intercepts and modifies communications between two parties without either party’s knowledge.
1. Bulk phishing emails
Bulk phishing attacks occur when attackers pose as well-known brands and attempt to lure recipients into clicking dangerous links, often via emails designed to build trust or create urgency in recipients. Their aim is often the theft of valuable information such as login credentials or credit card details; such messages often build trust by establishing rapport, and they can also carry malware which will download onto a target’s device.
Hackers may clone legitimate emails sent to victims and replace the links with ones leading to dangerous websites, as well as falsify email addresses in order to make it look like the message comes from an authentic source – this form of attack is known as spear phishing.
Business Email Compromise (BEC) attacks involve hackers gaining access to an executive’s or employee’s account at a company and using it to run phishing campaigns against vendors, or to direct lower-level employees to transfer money or share confidential data. BEC attacks are more complex than mass phishing campaigns as they involve high-level targets and may be difficult to spot.
2. Spear phishing
Spear phishing is an attack used by attackers to gain confidential information or install malware onto a target’s device. An attacker identifies their target through social media posts, professional networking services such as LinkedIn or other sources that share user data, and creates a false urgent request for sensitive details or account credentials from that victim.
An attacker could pose as a coworker and send out an urgent request for money. Using public profile photos and the victim’s work email address, the attacker can confirm that the victim works at the company; additionally they could obtain details on family, friends or coworkers through social media posts or other sources online.
Spear phishing attacks differ from regular phishing in that they require extensive research from attackers. Spear phishing works best when targeted towards highly privileged employees with access to sensitive data or who have approval power over large wire transfers; such attacks are known as whaling attacks and are often tied to Business Email Compromise (BEC).
3. Business email compromise (BEC)
Business Email Compromise, or BEC, attacks involve cybercriminals using an organization’s digital identity to lure employees into taking certain actions for them – usually transferring funds or information into the attacker’s account. BEC attacks are extremely damaging and cost organizations billions annually.
Cybercriminals using BEC attacks must first gain access to a company’s servers. Once inside, they use tools like email address spoofing and pretexting to impersonate employees and send fake invoices or financial statements with fraudulent attachments to make their emails look legitimate – often instructing victims not to contact the purported sender through other communication channels.
BEC attacks can be difficult to identify due to their highly targeted nature and use of social engineering techniques, making employee education vital in reducing risks from BEC attacks. Implementing policies requiring independent verification before performing high-risk actions such as transferring funds or sharing sensitive information may further help mitigate them.
How do I protect against phishing attacks?
Phishing attacks work by exploiting what many consider cybersecurity’s weakest link: people. Attackers use trust and urgency to lure unwitting victims into clicking malicious links or entering fraudulent websites.
Preventative measures exist that can effectively deter phishing attacks. First and foremost, training employees on identifying suspicious emails and what steps to take if one arrives can help stave off future attacks.
Establishing an email and network firewall solution is vital in combatting phishing. These tools help block suspicious traffic from entering networks while also alerting users to potentially harmful attachments or URLs that enter.
Another key step is backing up data regularly, so that files can be recovered if an attack infiltrates a device with malware. Finally, it is also crucial that browsers are up to date and running with all available security patches, as phishers may exploit unpatched weaknesses to access devices and install malware.
Phishing Techniques and Tactics
Phishing is a type of social engineering attack which utilizes fear and urgency to overcome victims’ better judgement and get them to take an action. Cybercriminals regularly adjust their tactics in order to stay one step ahead and avoid detection.
Attackers use shortened links to obscure their destination URL and appear legitimate, as well as link manipulation techniques like using domains with an “s” in them.
1. Voice phishing or vishing
Vishing scammers impersonate banks, employers or government agencies to gain information from individuals. Vishing operators often employ psychological pressure such as fear or greed to convince targets into divulging private details.
Vishers employing more sophisticated attacks can use voice cloning software to mimic their target’s accent and gender, as well as alter their caller ID so it appears as though they’re calling from a trustworthy number.
Vishing attacks, like spear phishing, can target specific groups within an organization. A vishing attacker might pose as an executive and ask for credentials that allow them to authorize money transfers or steal tax data. To mitigate vishing attacks, employees should have adequate security awareness training both at work and home to be alert for suspicious calls.
2. SMS phishing or smishing
This type of attack reaches victims through text messages (SMS). An attacker poses as a legitimate institution such as a bank, government agency or well-known company and crafts an urgent or intimidating message that tricks victims into acting quickly, or provides links that look legitimate but actually ask the victim for personal data.
Smishing attacks can result in data collection or malware deployment if victims take the action the attacker prompts. Attackers tend to target people who use SMS messaging frequently or have poor impulse control, such as 18-25-year-olds with limited technological fluency and higher stress levels. The best defense against smishing attacks is not to respond, but to independently verify each request through known channels first.
3. Application or in-app messaging
Attackers rely on deceptive content to lure victims into downloading malware or visiting fraudulent websites. Attackers typically mix malicious and benign code to bypass email filters or fool Exchange Online Protection (EOP), and build a fake website that mimics a genuine one so as to capture sensitive data entered by victims who believe they are visiting the real site.
Attackers employ more targeted approaches when conducting spear phishing campaigns. For instance, an attacker could research specific groups or individuals and mount spear phishing campaigns against them. A perpetrator might for example target the departmental project manager of an organization’s marketing team with an attempt to gain access to their Q3 invoices by impersonating a C-level executive – this type of attack is known as business email compromise (BEC), and is one of the primary causes of data breaches costing companies millions each year.
4. Social media phishing
Social media platforms like Instagram, Twitter and Facebook have become essential parts of our everyday lives, yet attackers continue to find ways to use these networks against us. One such exploit is social media phishing – using fake websites which appear legitimate to tempt victims into entering sensitive data such as user IDs and passwords.
Attackers use link manipulation techniques such as shortened URLs that obscure their malicious destination, as well as fake email addresses and look-alike domains, with the intention of sending victims to fake websites that collect credentials or personal data.
Alternatively, attackers can utilize spear phishing to go after high-value targets. To accomplish this goal, they conduct in-depth research about their victims before sending personalized emails that appear genuine, so as to reach more senior executives with access to sensitive data.
How to avoid Phishing?
To mitigate risks, implement security software which identifies known malicious domains and scans attachments; email encryption, multifactor authentication and password policies are further effective ways of mitigating the risk posed by attackers who attempt to steal credentials that lead to malware infections or data breaches.
Make sure your email and web browser are up-to-date with the latest software and security patches, and use security training and phishing simulations to educate employees about cyber threats and how to recognize them.
Be wary of any suspicious signs such as unfamiliar language, generic greetings or spelling errors. When in doubt, call the business or organization directly and verify any requests or clickable links; any communication which asks you to change banking passwords or account information should raise red flags.
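The red flags listed here and in the earlier sections (shortened links, look-alike domains, spoofed sender addresses, urgency and generic greetings) can be turned into a simple triage check. The following is an added example, not code from the original article; the sample message, the brand list, the shortener list and the keyword lists are all constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phish); the domains are placeholders.
SAMPLE = (
    'From: "PayPal Support" <alerts@paypa1-secure.example>\n'
    "Reply-To: billing@mail-check.example\n"
    "Subject: Urgent: your account is suspended\n"
    "Content-Type: text/plain\n\n"
    "Dear Customer, verify now: https://bit.ly/3xyz "
    "or http://paypal.com.login-verify.example/acct\n"
)

TRUSTED_BRANDS = {"paypal": "paypal.com"}        # assumed brand -> genuine domain
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # assumed shortener list
URGENCY = ("urgent", "suspended", "immediately", "verify now")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def registered_domain(host):
    """Last two labels only; production code should use the public suffix list."""
    return ".".join(host.lower().split(".")[-2:])

def brand_mismatch(text, host):
    """True if a trusted brand name appears in text but host is not that brand."""
    return any(b in text.lower() and registered_domain(host) != real
               for b, real in TRUSTED_BRANDS.items())

def analyze(raw):
    """Return a list of heuristic findings for one raw RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = addr.rpartition("@")[2]
    if brand_mismatch(name, from_dom):          # display name says brand, domain does not
        findings.append("display_name_spoof")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2] != from_dom:
        findings.append("reply_to_mismatch")    # replies go somewhere else
    if any(w in msg.get("Subject", "").lower() for w in URGENCY):
        findings.append("urgency_language")
    body = msg.get_payload()
    if body.lstrip().lower().startswith(("dear customer", "dear user")):
        findings.append("generic_greeting")
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENERS:
            findings.append("shortened_link")
        elif brand_mismatch(host, host):        # brand name embedded in a foreign domain
            findings.append("lookalike_domain")
    return findings
```

A message with no findings is not proven safe; the check only surfaces the cues the article describes so a reader or mail gateway can route the message for verification through a known channel.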
Digital attackers use various tactics to target employees, often in the form of business email compromise (BEC) attacks. One BEC attack against drug company Upsher-Smith Laboratories involved an attacker posing as its CEO and instructing its accounts payable coordinator to wire payments of up to $39 million into an account controlled by the attacker.
To prevent similar attacks in the future, companies should require all employees to take part in security awareness training regularly and implement email security solutions capable of detecting malware within emails.
As part of their financial authorization processes, companies should integrate multi-factor authentication channels in order to reduce the number of BEC attacks that slip through. A comprehensive cybersecurity solution including email security software, behavioral analysis engines and detection technologies that detect sophisticated threats may provide the best defense. Integrated communications applications or collaboration platforms could also detect such attacks even when no one is accessing an organization’s network directly.