Phishing attacks don’t show any sign of slowing down. Per its 2019 Phishing Trends and Intelligence Report, PhishLabs found that total phishing volume rose 40.9 percent over the course of 2018. These attacks targeted a range of organizations, especially financial service companies, email and online service providers and cloud/file hosting firms. It’s, therefore, no surprise that Verizon’s 2019 Data Breach Investigations Report (DBIR) found phishing to be the top threat action variety in all breaches analysed during the reporting period.
The growth of phishing attacks poses a significant threat to all organizations. It’s important that all companies know how to spot some of the most common phishing scams if they are to protect their corporate information. Towards that end, we at The State of Security will discuss six of the most common types of phishing attacks below as well as provide useful tips on how organizations can defend themselves.
1. Deceptive Phishing
Deceptive phishing is by far the most common type of phishing scam. In this type of ploy, fraudsters impersonate a legitimate company in an attempt to steal people’s personal data or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing what the attackers want.
As an example, PayPal scammers could send out an attack email that instructs recipients to click on a link in order to rectify a discrepancy with their account. In actuality, the link redirects to a fake PayPal login page that collects a victim’s login credentials and sends them to the attackers.
The success of a deceptive phish hinges on how closely the attack email resembles a piece of official correspondence from the abused company. As a result, users should inspect all URLs carefully to see if they redirect to an unknown and/or suspicious website. They should also look out for generic salutations, grammar mistakes and spelling errors scattered throughout the email.
2. Spear Phishing
In this type of ploy, fraudsters customize their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender. The goal is the same as deceptive phishing, even so: trick the victim into clicking on a malicious URL or email attachment so that they will hand over their personal data. Given the amount of information needed to craft a convincing attack attempt, it’s no surprise that spear-phishing is commonplace on social media sites like LinkedIn where attackers can use multiple data sources to craft a targeted attack email.
To protect against this type of scam, organizations should conduct ongoing employee security awareness training that, among other things, discourages users from publishing sensitive personal or corporate information on social media. Companies should also invest in solutions that analyze inbound emails for known malicious links/email attachments. This solution should be capable of picking up on indicators for both known malware and zero-day threats.
3. CEO Fraud
Spear phishers can target anyone in an organization, even executives. That’s the logic behind a “whaling” attack. In these scams, fraudsters try to harpoon an exec and steal their login details.
In the event their attack proves successful, fraudsters can choose to conduct CEO fraud. As the second phase of a business email compromise (BEC) scam, CEO fraud is when attackers abuse the compromised email account of a CEO or other high-ranking executive to authorize fraudulent wire transfers to a financial institution of their choice. Alternatively, they can leverage that same email account to conduct W-2 phishing in which they request W-2 information for all employees so that they can file fake tax returns on their behalf or post that data on the dark web.
Whaling attacks work because executives often don’t participate in security awareness training with their employees. To counter the threats of CEO fraud and W-2 phishing, organizations should mandate that all company personnel—including executives—participate in security awareness training on an ongoing basis.
Organizations should also consider injecting multi-factor authentication (MFA) channels into their financial authorization processes so that no one can authorize payments via email alone.
Until now, we’ve discussed phishing attacks that rely solely on email as a means of communication. Email is undoubtedly a popular tool among phishers. Even so, fraudsters do sometimes turn to other media to perpetrate their attacks.
Take vishing, for example. This type of phishing attack dispenses with sending out an email and instead goes for placing a phone call. As noted by Comparitech, an attacker can perpetrate this type of attack by setting up a Voice over Internet Protocol (VoIP) server to mimic various entities in order to steal sensitive data and/or funds.
These vishing attacks have taken on various forms. In September 2019, for instance, Infosecurity Magazine reported that digital attackers launched a vishing campaign to try to steal the passwords of UK MPs and parliamentary staffers. Not long thereafter, The Next Web covered an attack where vishers masqueraded as the boss of a German parent company to scam a UK subsidiary firm out of $243,000.
To protect against vishing attacks, users should avoid answering calls from unknown phone numbers, never give out personal information over the phone and use a caller ID app.
Vishing isn’t the only type of phishing that digital fraudsters can perpetrate on a phone. They can also conduct what’s known as smishing. This method leverages malicious text messages to trick users into clicking on a malicious link or handing over personal information.
Like vishers, smishers pose as various entities to get what they want. Back in February 2019, for instance, Nokia warned its users to be on the lookout for a smishing campaign in which digital attackers posed as the Finnish multinational telecommunications and sent out text messages informing users that they had won a car or money. The bad actors then asked recipients to send over money as a registration payment for their new car, reported Bleeping Computer.
Later in the year, WATE covered the story of a Knoxville woman who fell for a smishing attack. The woman had cancer, and the scammers claimed that she could receive a federal grant to assist her in paying for treatment. She just needed to submit a down payment and pay taxes on the grant first, the fraudsters told her.
Users can help defend against smishing attacks by researching unknown phone numbers thoroughly and by calling the company named in the messages if they have any doubts.
As users become wiser to traditional phishing scams, some fraudsters are abandoning the idea of “baiting” their victims entirely. Instead, they are resorting to pharming. This method of phishing leverages cache poisoning against the domain name system (DNS), a naming system that the Internet uses to convert alphabetical website names, such as “www.microsoft.com,” to numerical IP addresses so that it can locate and thereby direct visitors to computer services and devices.
Under a DNS cache poisoning attack, a pharmer targets a DNS server and changes the IP address associated with an alphabetical website name. That means an attacker can redirect users to a malicious website of their choice. That’s the case even if the victim enters the correct site name.
To protect against pharming attacks, organizations should encourage employees to enter in login credentials only on HTTPS-protected sites. Companies should also implement anti-virus software on all corporate devices and implement virus database updates on a regular basis. Finally, they should make sure to stay on top of security upgrades issued by a trusted Internet Service Provider (ISP).
Using the guide above, organizations will be able to more quickly spot some of the most common types of phishing attacks. Even so, that doesn’t mean they will be able to spot each and every phish. Phishing is constantly evolving to adopt new forms and techniques.
With that in mind, it’s imperative that organizations conduct security awareness training on an ongoing basis so that their employees and executives can stay on top of phishing’s evolution.
Credit: David Bisson, Tripwire.com