Common phishing attacks don’t show any sign of slowing down. Per its 2019 Phishing Trends and Intelligence Report, PhishLabs found that total phishing volume rose 40.9 percent over the course of 2018. These attacks targeted a range of organizations, especially financial service companies, email and online service providers, and cloud/file hosting firms. It’s therefore no surprise that Verizon’s 2019 Data Breach Investigations Report (DBIR) found phishing to be the top threat action variety in all breaches analyzed during the reporting period.
The growth of phishing attacks poses a significant threat to all organizations. It’s important that all companies know how to spot some of the most common phishing scams if they are to protect their corporate information. Towards that end, we at The State of Security will discuss six of the most common types of phishing attacks below as well as provide useful tips on how organizations can
1. Deceptive Phishing
Deceptive phishing is by far the most common type of phishing scam. In this type of ploy, fraudsters impersonate a legitimate company in an attempt to steal people’s personal data or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing what the attackers want.
As an example, PayPal scammers could send out an attack email that instructs recipients to click on a link in order to rectify a discrepancy with their account. In actuality, the link redirects to a fake PayPal login page that collects a victim’s login credentials and sends them to the
The success of a deceptive phish hinges on how closely the attack email resembles a piece of official correspondence from the abused company. As a result, users should inspect all URLs carefully to see if they redirect to an unknown and/or suspicious website. They should also look out for generic salutations, grammar mistakes and spelling errors scattered throughout the email.
2. Spear Phishing
In this type of ploy, fraudsters customize their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender. Even so, the goal is the same as in deceptive phishing: trick the victim into clicking on a malicious URL or email attachment so that they will hand over their personal data. Given the amount of information needed to craft a convincing attack attempt, it’s no surprise that spear-phishing is commonplace on social media sites like LinkedIn, where attackers can use multiple data sources to craft a targeted attack email.
To protect against this type of scam, organizations should conduct ongoing employee security awareness training that, among other things, discourages users from publishing sensitive personal or corporate information on social media. Companies should also invest in solutions that analyze inbound emails for known malicious links/email attachments. This solution should be capable of picking up on indicators for both known malware and zero-day threats.
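The two checks recommended above (inspecting where a link really goes, and screening inbound mail for malicious links and attachments) can be automated at the mail gateway. The script below is an added example, not code from the article or from Tripwire; the two messages it parses are constructed for the demo, the trusted-domain list and the risky-extension list are assumptions an organization would tune, and the "registrable domain" helper is deliberately crude (it takes the last two labels, so it mishandles suffixes like .co.uk). It flags three things a deceptive or spear-phishing email commonly exhibits: a display name that claims a trusted brand while the sending domain is something else, anchor text that shows one domain while the href points to another, and an attachment whose real extension is executable even when the name suggests a document.

```python
import email
import os
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the article): display name says "PayPal" but the
# sender domain does not, the anchor text shows a paypal.com address while the
# href points to a lookalike host, and a disguised executable is attached.
SUSPECT_EMAIL = b"""From: "PayPal Service" <service@paypa1-secure.example>
To: victim@example.org
Subject: Urgent: account discrepancy
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear customer, please visit <a href="http://login.paypa1-secure.example/verify">
https://www.paypal.com/myaccount</a> to rectify the discrepancy.</p>
<p>Questions? <a href="https://www.paypal.com/help">PayPal Help Center</a></p>
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
--b1--
"""

# Constructed benign message for comparison: brand, sender domain and link all agree.
BENIGN_EMAIL = b"""From: "PayPal" <service@paypal.com>
To: victim@example.org
Subject: Your monthly statement
Content-Type: text/html; charset="utf-8"

<p>Your statement is ready at <a href="https://www.paypal.com/statements">www.paypal.com</a>.</p>
"""

TRUSTED_DOMAINS = {"paypal.com"}  # assumed: brands this organization legitimately receives mail from
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".lnk"}  # assumed policy
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")  # a hostname-looking token in link text


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain (last two labels): fine for the demo, wrong for e.g. .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def inspect_message(raw):
    """Return (category, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    sender_domain = registrable(sender.domain)
    findings = []

    # 1. Display name claims a trusted brand while the sender domain is not that brand.
    for trusted in TRUSTED_DOMAINS:
        if trusted.split(".")[0] in sender.display_name.lower() and sender_domain != trusted:
            findings.append(("sender-impersonation", f"{sender.display_name!r} from {sender_domain}"))

    for part in msg.walk():
        # 2. Visible link text names one domain while the href goes to another.
        if part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                href_domain = registrable(urlparse(href).hostname or "")
                shown = DOMAIN_RE.search(text.lower())
                if shown and registrable(shown.group()) != href_domain:
                    findings.append(("link-mismatch", f"text shows {shown.group()}, href goes to {href_domain}"))
                elif href_domain not in TRUSTED_DOMAINS:
                    findings.append(("untrusted-link", href_domain))
        # 3. Attachment whose real extension is executable, even behind a document-like name.
        filename = part.get_filename()
        if filename and os.path.splitext(filename.lower())[1] in RISKY_EXTENSIONS:
            findings.append(("risky-attachment", filename))
    return findings
```

Calling `inspect_message(SUSPECT_EMAIL)` yields a sender-impersonation, a link-mismatch and a risky-attachment finding, while the benign message produces none. A production gateway would replace the crude domain helper with a public-suffix library and would add hash and sandbox checks for attachments, which is the "known malware and zero-day" coverage the paragraph asks for.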
3. CEO Fraud
Spear phishers can target anyone in an organization, even executives. That’s the logic behind a “whaling” attack. In these scams, fraudsters try to harpoon an exec and steal their login details.
In the event their attack proves successful, fraudsters can choose to conduct CEO fraud. As the second phase of a business email compromise (BEC) scam, CEO fraud is when attackers abuse the compromised email account of a CEO or other high-ranking executive to authorize fraudulent wire transfers to a financial institution of their choice. Alternatively, they can leverage that same email account to conduct W-2 phishing, in which they request W-2 information for all employees so that they can file fake tax returns on their behalf or post that data on the dark web.
Whaling attacks are becoming more common, and they work because executives often don’t participate in security awareness training with their employees. To counter the threats of CEO fraud and W-2 phishing, organizations should mandate that all company personnel—including executives—participate in security awareness training on an
Organizations should also consider injecting multi-factor authentication (MFA) channels into their financial authorization processes so that no one can authorize payments via email alone.
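What "no one can authorize payments via email alone" looks like in code: the sketch below is an added example, not code from the article or from Tripwire. The TOTP arithmetic follows RFC 4226/6238 (HMAC-SHA1 over a time-derived counter), so it matches the codes a standard authenticator app generates; the `PaymentAuthorizer` class, its request format and its dual-control rule are illustrative assumptions. The point it demonstrates is that an email request, even one from a genuinely compromised executive mailbox, carries no authority by itself: approval needs a second factor from a channel the mailbox attacker does not hold, entered by someone other than the requester.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


class PaymentAuthorizer:
    """Illustrative (assumed) approval flow for wire transfers.

    A transfer request may arrive by email, but it is only recorded. Approval
    requires a TOTP code that the approver reads from an authenticator app, a
    channel an attacker holding the mailbox does not control, and the approver
    must be a different person from the requester (dual control).
    """

    def __init__(self, approver_secrets, step=30, window=1):
        self.secrets = approver_secrets  # approver id -> shared secret bytes (from enrolment)
        self.step, self.window = step, window
        self.approved = []               # (amount, beneficiary, approver) for the audit log

    def authorize(self, request, approver, code, now):
        """Return (ok, reason). `request` is a dict: requester, amount, beneficiary, channel."""
        if code is None:
            return False, "no second factor: an email request alone does not authorize a payment"
        if approver == request["requester"]:
            return False, "dual control: requester may not approve their own transfer"
        secret = self.secrets.get(approver)
        if secret is None:
            return False, "unknown approver"
        counter = int(now) // self.step
        # Tolerate +/- `window` steps of clock drift and compare in constant time.
        for drift in range(-self.window, self.window + 1):
            if hmac.compare_digest(hotp(secret, counter + drift), str(code)):
                self.approved.append((request["amount"], request["beneficiary"], approver))
                return True, "approved"
        return False, "invalid second factor"


# Constructed request, as it might be transcribed from an email claiming to be the CEO.
EXAMPLE_REQUEST = {
    "requester": "ceo",
    "amount": 50000,
    "beneficiary": "IBAN-PLACEHOLDER",   # placeholder, not a real account
    "channel": "email",
}
```

The shared secret `b"12345678901234567890"` used in the checks is the RFC 6238 test key, which is why the expected codes are known in advance; a real deployment provisions a random per-approver secret and would typically move from TOTP to a phishing-resistant factor such as FIDO2 for high-value approvals.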
4. Vishing
Until now, we’ve discussed phishing attacks that rely solely on email as a means of communication. Email is undoubtedly a popular tool among phishers. Even so, fraudsters do sometimes turn to other media to perpetrate
Take vishing, for example. This type of common phishing attack dispenses with sending out an email and instead goes for placing a phone call. As noted by Comparitech, an attacker can perpetrate this type of attack by setting up a Voice over Internet Protocol (VoIP) server to mimic various entities in order to steal sensitive data and/or funds.
These vishing attacks have taken on various forms. In September 2019, for instance, Infosecurity Magazine reported that digital attackers launched a vishing campaign to try to steal the passwords of UK MPs and parliamentary staffers. Not long thereafter, The Next Web covered an attack where vishers masqueraded as the boss of a German parent company to scam a UK subsidiary firm out of $243,000.
To protect against vishing attacks, users should avoid answering calls from unknown phone numbers, never give out personal information over the phone and use a caller ID app.
5. Smishing
Vishing isn’t the only type of phishing that digital fraudsters can perpetrate on a phone. They can also conduct what’s known as smishing. This method leverages malicious text messages to trick users into clicking on a malicious link or handing over personal information.
Like vishers, smishers pose as various entities to get what they want. Back in February 2019, for instance, Nokia warned its users to be on the lookout for a smishing campaign in which digital attackers posed as the Finnish multinational telecommunications company and sent out text messages informing users that they had won a car or money. The bad actors then asked recipients to send over money as a registration payment for their new car, reported Bleeping
Later in the year, WATE covered the story of a Knoxville woman who fell for a smishing attack. The woman had cancer, and the scammers claimed that she could receive a federal grant to assist her in paying for treatment. She just needed to submit a down payment and pay taxes on the grant first, the fraudsters told her.
Users can help defend against smishing attacks by researching unknown phone numbers thoroughly and by calling the company named in the messages if they have any doubts.
6. Pharming
As users become wiser to traditional phishing scams, some fraudsters are abandoning the idea of “baiting” their victims entirely. Instead, they are resorting to pharming. This method of phishing leverages cache poisoning against the domain name system (DNS), a naming system that the Internet uses to convert alphabetical website names, such as “www.microsoft.com,” to numerical IP addresses so that it can locate and thereby direct visitors to computer services and devices.
Under a DNS cache poisoning attack, a pharmer targets a DNS server and changes the IP address associated with an alphabetical website name. That means an attacker can redirect users to a malicious website of their choice. That’s the case even if the victim enters the correct site name.
To protect against pharming attacks, organizations should encourage employees to enter login credentials only on HTTPS-protected sites. Companies should also run anti-virus software on all corporate devices and keep its virus definitions updated on a regular basis. Finally, they should make sure to stay on top of security upgrades issued by a trusted Internet Service Provider (ISP).
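The resolver-side defences against the cache poisoning described above are worth seeing alongside the end-user advice. The toy resolver cache below is an added example, not code from the article, from Tripwire or from any real resolver; it applies the checks recommended in RFC 5452 (a reply must match an outstanding query's transaction ID, randomized source port and question section, and only records inside the queried server's bailiwick are cached) to a constructed exchange that uses RFC 5737 documentation addresses. The `Query`, `Response` and `ResolverCache` types are assumptions made for the demo. The walk-through shows a reply that fails the match being dropped without touching the cache, and a genuine reply being accepted while an out-of-zone record riding along in it is discarded, which is exactly the record a poisoning attempt would want cached.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    txid: int      # 16-bit transaction ID chosen at random per query
    port: int      # randomized UDP source port the query left from
    qname: str
    qtype: str


@dataclass
class Response:
    txid: int
    port: int      # destination port the reply arrived at
    qname: str
    qtype: str
    records: list  # (name, type, value) from the answer and additional sections


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is `zone` itself or lies beneath it (e.g. www.example.com in example.com)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


class ResolverCache:
    """Assumed toy resolver: caches records only from replies that pass the RFC 5452 checks."""

    def __init__(self):
        self.cache = {}    # (name, type) -> value
        self.pending = {}  # (txid, port) -> (Query, zone the queried server is authoritative for)

    def send_query(self, query: Query, server_zone: str) -> None:
        self.pending[(query.txid, query.port)] = (query, server_zone)

    def receive(self, resp: Response) -> str:
        entry = self.pending.get((resp.txid, resp.port))
        if entry is None:
            return "dropped: no outstanding query with this transaction ID and port"
        query, zone = entry
        if (resp.qname.lower(), resp.qtype) != (query.qname.lower(), query.qtype):
            return "dropped: question section does not match the query"
        stored, ignored = 0, []
        for name, rtype, value in resp.records:
            if in_bailiwick(name, zone):
                self.cache[(name.lower(), rtype)] = value
                stored += 1
            else:
                ignored.append(name)  # out-of-bailiwick record: never cached
        del self.pending[(resp.txid, resp.port)]
        return f"accepted: cached {stored} record(s), ignored out-of-bailiwick {ignored}"


def demo() -> dict:
    """Constructed exchange (RFC 5737 addresses); returns the resulting cache."""
    rc = ResolverCache()
    rc.send_query(Query(txid=0x1A2B, port=51234, qname="www.example.com", qtype="A"),
                  server_zone="example.com")
    # Reply with the wrong transaction ID: dropped, cache untouched.
    rc.receive(Response(0x1A2C, 51234, "www.example.com", "A",
                        [("www.example.com", "A", "198.51.100.7")]))
    # Matching reply: the in-zone answer is cached, the out-of-zone extra record is not.
    rc.receive(Response(0x1A2B, 51234, "www.example.com", "A",
                        [("www.example.com", "A", "192.0.2.10"),
                         ("www.microsoft.com", "A", "198.51.100.7")]))
    return rc.cache
```

Running `demo()` leaves exactly one entry in the cache, the genuine `www.example.com` address; DNSSEC validation and DNS-over-TLS/HTTPS to the upstream resolver are the further layers a production deployment adds, and the HTTPS certificate check in the browser is what still protects a user whose resolver was poisoned anyway.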
Using the guide above, organizations will be able to more quickly spot some of the most common types of phishing attacks. Even so, that doesn’t mean they will be able to spot each and every phish. Phishing is constantly evolving to adopt new forms and techniques.
With that in mind, it’s imperative that organizations conduct security awareness training on an ongoing basis so that their employees and executives can stay on top of phishing’s evolution.
For more advice on how to prevent a common phishing attack in your business, contact us today.
Credit: David Bisson, Tripwire.com