Phishing attacks can affect both individuals and organizations and are among the most common methods hackers use to attack accounts and networks. Over the years, they have become more sophisticated and challenging to detect. According to Verizon, in 2020, 22% of data breaches involved phishing. While attacks already occur regularly, there tends to be an increase during times of crisis. The COVID-19 pandemic brought a unique and unprecedented opportunity for attackers to mimic official sources such as expert organizations and government officials. To prevent falling victim to an attack, users can educate themselves on the different types of phishing attacks.
What Is Phishing?
Phishing attacks are a method of social engineering that often comes in the form of a spoofed email or website. The attacker mimics a trustworthy website such (e.g., a bank) and then sends an email appearing to be from a reputable source with links that redirect the unsuspecting user to their spoofed website. Although this generally defines phishing, there are multiple different types of phishing attacks, each possessing their own unique ways to spot and counteract them.
Email Phishing
Email phishing is one of the most well-known attacks that threat actors use. Attackers will create an email impersonating someone the user trusts or knows to be a reputable source. They'll include a link or download that is malicious with the intent of gaining user credentials or infecting their system. These emails usually include some message of urgency that prompts the victim into taking action.
Email Phishing Indicators
Given the frequency of email phishing attacks, the security industry has formulated easy ways to preventing getting hooked. Any email that prompts a user to click on a link or download a file should be mentally marked as suspicious. Following this rule of thumb, the user should confirm the identity of the sender before proceeding any further. If the sender is who they claim to be and they are, indeed, reputable, the user can continue with their download or link. But if they're not, the user should cease interaction with the email because a threat actor is attempting to possibly phish their credentials.
These steps are a great way to protect an individual with a personal account. However, most phishing attacks are aimed at organizations due to the increased volume of information and access they have compared to a single user. To protect and monitor an entire business against email phishing, NuHarbor partners with Proofpoint to provide high-quality email security and protection services. Their extensible email security platform blocks malware and non-malware email threats (i.e., types of phishing). Talk to one of our experts to learn more about how to protect your organization.
Spear Phishing
There are many similarities between email phishing and spear phishing, but the main difference is the target. Spear phishing is designed to target one specific person, meaning that an attacker needs to formulate an email to exploit a particular victim’s trust. This method of phishing relies heavily on open-source intelligence gathering (OSINT) because of how much information the threat actor may need to know. Another unique detail of spear phishing is that the email will appear to be from someone internally in the target’s organization.
Spear Phishing Indicators
Although identifying an email from a spear phishing attempt can be more difficult, knowing what to look for can increase the odds that a victim’s credentials won’t be compromised. When receiving emails from internal sources at work, watch out for any abnormal requests from co-workers. If a user isn’t sure if a request is legitimate or not, they should send a separate email to a known email address of the co-worker. To protect themselves, users should also be weary of password protected documents and shared drives, both of which can steal credentials or infect a user’s system.
Whaling
An even more specific version of spear phishing is whaling. It can potentially be more dangerous because it targets executives and people with power within an organization. However, whaling can be identified by the same indicators as spear phishing making education and training similar. To avoid whaling, CEOs and executives must be just as diligent as their employees when it comes to email security practices.
Vishing
Phishing doesn’t have to occur specifically in email; it can take place over the phone as well. Voice phishing, or vishing, is another type of phishing that a threat actor can use to compromise a victim’s credentials. A common vishing attack that takes place around tax season every year is widespread fake IRS calls. While these calls may seem legitimate, there are some telltale signs they are not.
Vishing Indicators
Indicators for vishing can vary, but the threat actor will always have an end goal. If information or action is requested from an unfamiliar number, even if the caller claims to be from a reputable source, it should not be provided. Users can expect these calls around an event or time of the year where people may be panicked or need more information, such as tax season or a presidential election. Finally, when the target of a vishing attack receives a call, the threat actor may induce a false sense of urgency, which is the primary instigator for successful credential theft.
Smishing
Vishing isn’t the only type of phishing that occurs on mobile devices. SMS phishing, or smishing, is the practice of phishing through text messages. Chances are, you’ve been on the receiving end of a smishing attack, as the messages are traditionally sent out in bulk to numbers located in a data breach. Smishing attacks utilize the same techniques as other phishing attacks, however, users on the receiving end shouldn’t respond in any way, or even open the message, if possible. This might deter the attacker by making them think the number isn’t active and would be a waste of resources to attempt another attack.
Angler Phishing
Another type of phishing that utilizes mobile devices is angler phishing. Focusing specifically on social media, angler phishing preys on unsuspecting users by driving them to open direct messages and attachments from friends. While people think that social media is safe, these phishing attempts can steal credentials and attacks can then post on a user's behalf, spreading the phish to even more people. Social media users should stay diligent when receiving messages and notifications to keep their social media profile secure.
Don’t Bite!
While phishing attacks can vary in their medium, targets, and techniques, they can all be stopped with similar practices. Users can improve their cyber hygiene and protect themselves by being mindful of links they open and who they're from. However, the average consumer isn’t the only target for phishing attacks; businesses are just as susceptible. If your organization is looking for assistance in dealing with phishing attacks and tightening up cybersecurity, talk with one of our experts today.
