Understanding is the first step to combating Phishing: Types, Methodology & Prevention Tips
According to the 2019 Data Breach Investigations Report (DBIR) by Verizon, phishing is the leading cause of data breaches. The data also shows us that phishing is also widely utilized for cyber espionage with more than three-quarters of all known incidents involving phishing.
The statistics are also resonated by IBM’s findings in the 2019 Cost of a Data Breach report, where fifty-one per cent of incidents in all surveyed organizations involved malicious attacks with “malware infections, criminal insiders, phishing/social engineering and SQL injection.”
Clearly, phishing continues to dominate as the one of the most persistent and highly effective tools of cyber-attacks. In this article, we will take an in-depth look at what phishing is, types of phishing and how to protect your business from these types of attacks.
What is Phishing?
Put simply, phishing is merely duplicitous use of electronic communications to dupe users into revealing sensitive and often highly confidential information. The types of sensitive information deemed to be of high value by attackers will depend on the context of the attack but generally includes access credentials, financial or personally identifiable information and more.
Most phishing attacks take place through phone or email where attackers pose as legitimate individuals or organizations that the target is familiar with and uses social engineering to elicit an emotional response. This response is designed to divulge sensitive information possessed by the target. Phishing attacks are distinguished from other kinds of cyber-attacks as the modus operandi involves banking on the trust of users for other people or reputed brands and organizations. They can even exploit an individual’s beliefs by pretending to support a cause the user cares for. For instance, just after the pandemic started, there was a surge of phishing attacks from entities claiming to represent highly reputed philanthropic organizations in order to capitalize on people’s high levels of empathy in response to a global disaster.
Phishing attacks can range from wide net attacks that target hundreds of thousands of individuals across the globe or, they can be highly targeted against individuals or employees working at targeted businesses. Phishing attacks have also been historically used for cyber espionage against businesses or nations.
Types of Phishing
Phishing attacks typically prompt users to take one of the two basic actions:
- Divulge sensitive information – For instance, the email can contain a link to a spoofed website of a highly trusted source, such as a bank, or a payment getaway and ask users to enter their confidential credentials. Fake login page attacks are highly popular and often use exact replicas of highly visible and trusted websites.
- Click on malicious links and download malware – These attacks are more straightforward, usually claiming to reward the user in some way, such as an unexpected prize or, highly innocuous, such as a zip file of a document you actually need, like a biodata/ resume or other work-related documents. Downloading the malware can often result in important system files or entire system or network being hijacked unless the attacker’s demands are met.
Broadly categorized, types of phishing can include:
Highly targeted phishing attacks against individuals are termed as spear phishing. In this type of attack, criminals spy on targets using publicly available information, including social channels and use spoofed email addresses to appear as someone from a trusted source. For instance, if you are the target, the attack could take the form of an email from your boss or department/ branch head asking or ‘instructing’ you to complete a financial transaction.
Whaling is exactly like spear phishing, except that the targets are generally high-profile individuals with key offices or positions in places of power in public or private institutions. These high-value individuals are often under immense time pressure, or simply tend to use their personal emails instead of corporate channels for easier communication. This also leaves them outside the protection offered by the corporate network and leaves them vulnerable. Tricking high-value targets may take time and preparation for attackers, but the high rewards make it well worth the while for attackers.
Business email compromise (BEC)
Imagine you get a mail from the chairman or CEO of your business asking you to take some urgent action. If you aren’t in direct line of sight with the business leader, aren’t you likely to comply with the request at the earliest? This is exactly the sort of response that Business email compromise (BEC) attacks tend to exploit. They often claim to be from high-profile leaders at key businesses, or governance/ financial institutions asking victims to take action such as, log into specific accounts or initiate a financial transaction, such as a lumpsum money transfer to a specific account.
Clone phishing involves building an email communication that is a dead ringer for the original message that the target is familiar with. The only difference between the original and the cloned message is the attachment or link contained in the message that will be swapped out with a malicious one in the cloned copy. Often, cloned attacks are sent following original messages from legitimate sources, claiming to be the ‘updated’ version. Cloned attacks can also involve cloned websites with spoofed domains.
Vishing: Phishing on phone calls
Voice phishing, or vishing, involves voice messages from entities claiming to be legitimate businesses, such as governance or financial institutions, and ask the victim for confidential information such as account numbers or passwords.
Smishing: Phishing via text message
SMS phishing, or smishing, involves duping targets through text messages by appearing to be from trusted sources, such as, individuals or businesses trusted by the user. With people becoming more wary of emails and communicating primarily through texting, smishing is on the rise as a successful tool for duping users into divulging confidential information.
Snowshoeing attacks usually push communication out through multiple domains and IP addresses. Each of these send out the messages in low volumes, so spam filtration systems are slow to detect them. These attacks can also be coordinated to be sent out in high volumes, but shorter timeframes, resulting in hailstorm type attacks.
For more details on evolving types of phishing attack and learn how to protect against them, consider reaching out to providers in IT Support Houston.
What to Do If You Responded to a Phishing Email
If you think you have fallen victim to a phishing attempt, please reach out to IdentityTheft.gov and follow the instructions given therein to report the attack as soon as possible.
If you suspect that you have downloaded malware by accident, consider updating your network or computer’s security software and run a full scan.
Tips on How to Identify Phishing Attacks
As sophisticated as phishing attempts can be, there are always telltale signs in the email copy that can pretty much jump out at you after careful inspection:
- Promises highly lucrative rewards for little effort
- ‘Typos’ in spelling and grammar
- Generic addresses (such as, “hi dear”, “greetings” etc.)
- Highly emotional tone or threat of action (that rings false with usual temperament of sender)
- Unusual attachments, especially executable .exe files
- Additional letters in website or domain addresses
Tips on How to Prevent Phishing Attacks
Your business’ IT department should be proactive enough to prevent phishing attempts and can include many technical measures including:
- Deploy reliable email spam filters that use machine learning and natural language processing techniques
- “Sandbox” inbound email, so users are always protected from clicking on malicious links
- Encourage the use of DMARC protocol to protect against email spoofing
- Enable two-factor authentication an all devices with access to the company’s network
- Monitor and analyse web traffic at all times
- ‘Pen-testing’ your company’s infrastructure to detect vulnerabilities
- Raise awareness among users about potential threats
- Encourage user alertness with rewards for catching phishing emails etc.
- Practice advanced password hygiene and force users to change passwords periodically
Houston IT Services can be a good place to start knowing more about phishing prevention and tactics to safeguard your business from sophisticated attackers.
Author: Scott Young
Scott Young, is the president of PennComp LLC, an IT Outsourcing Houston company. Being a CPA, Six Sigma Master Blackbelt, Change Management Certified and Myers Briggs Qualified, Scott’s expertise is reflected in PennComp as a leading IT company for computer services and network integration. PennComp utilizes Six Sigma methodologies and practices in their service delivery and offers state-of-the-art monitoring and management tools to their clients.