Phishing attacks can affect individuals and organizations and are among the most common methods attackers use to compromise accounts and networks. Over the years, they have become more sophisticated and harder to detect. According to Verizon, in 2020, 22% of data breaches involved phishing. While attacks are already common, they tend to increase during times of crisis. The COVID-19 pandemic gave attackers a unique and unprecedented opportunity to mimic official sources such as expert organizations and government officials. To avoid falling victim to an attack, users can educate themselves on the many types of phishing attacks.
What is Phishing?
Phishing attacks are a method of social engineering that often comes in the form of a spoofed email or website. The attacker mimics a trustworthy site such as a bank and then sends an email appearing to be from a reputable source, with links that redirect the unsuspecting user to the attacker's site. Although this is the general definition of phishing, there are multiple different types of phishing attacks, each with its own indicators and countermeasures.
Email phishing is one of the most well-known attacks that threat actors use. Attackers create an email impersonating someone the user trusts or knows to be a reputable source. They then include a malicious link or download with the intent of capturing user credentials or infecting the user's system. These emails usually also include some sense of urgency that prompts the victim into taking action.
Email Phishing Indicators
Because email phishing is one of the most well-known attacks, the security industry has formulated simple habits that prevent users from getting hooked. Any email that prompts a user to click a link or download a file should be mentally marked as suspicious. The user should then confirm the identity of the sender before proceeding any further. If the sender is who they claim to be and is reputable, the user can continue with the download or link. If not, the user should stop interacting with the email, because they have discovered a threat actor attempting to phish their credentials.
For personal use these steps are a great way to protect an individual. However, most phishing attacks are aimed at organizations because of the greater amount of information and access they hold compared to a single user. To protect and monitor a whole business against email phishing, NuHarbor has partnered with Proofpoint to provide high-quality email security and protection services. Their extensible email security platform blocks malware and non-malware email threats, including specific types of phishing. To learn more about how to protect your organization, talk to one of our experts.
Email phishing and spear phishing have much in common; the main difference that separates the two is the target. Spear phishing is designed to target one specific person, which means the attacker must craft an email that exploits that victim's trust. This method of phishing relies heavily on open-source intelligence gathering (OSINT) because of how much the threat actor may need to know about the target. Another distinctive detail of spear phishing is that the email will appear to come from someone inside the target's organization.
Spear Phishing Indicators
Although identifying a spear phishing email can be more difficult, knowing what to look for increases the odds that a victim's credentials won't be compromised. When receiving emails from internal sources at work, watch out for any abnormal requests from co-workers. If a user isn't sure whether a request is legitimate, they should send an email to a known address of that co-worker rather than replying. Users should also be wary of password-protected documents and shared drives, both of which can be used to steal credentials or infect a user's system.
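As an added example (not code from the post or from NuHarbor), the following Python function checks a constructed message for the indicators described above for both email and spear phishing: an external sender posing as a colleague, visible link text that disagrees with the real link target, and urgency language. The organization domain, the sample message, and the keyword list are assumptions chosen for illustration.

```python
"""Added example: flag common email and spear phishing indicators in a raw message."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed internal domain of the recipient's organization
URGENCY = ("immediately", "urgent", "within 24 hours", "will be suspended")  # assumed list
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample: display name looks like an internal executive, the real
# address is a look-alike external domain, the visible link text disagrees with
# the href, and the body demands immediate action.
SAMPLE = """From: "Jane Doe (CFO)" <jane.doe@example-c0m.net>
To: bob@example.com
Subject: Urgent: wire approval needed
Content-Type: text/html

<p>Bob, I need this approved immediately, before the board call.</p>
<p>Sign in here: <a href="http://portal.example-c0m.net/login">https://portal.example.com</a></p>
"""

def host_of(url):
    """Hostname of a URL, tolerating link text written without a scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def phishing_indicators(raw, org_domain=ORG_DOMAIN):
    """Return 'category: detail' strings for each indicator found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    findings = []
    # Spear phishing indicator: poses as a colleague but is sent from outside the organization.
    if sender_domain != org_domain:
        findings.append(f"sender: {name!r} sent from external domain {sender_domain}")
    # Email phishing indicator: the link the user sees is not the link they would open.
    for href, text in LINK_RE.findall(body):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        target = host_of(href)
        if "." in shown and " " not in shown and host_of(shown) != target:
            findings.append(f"link: text shows {host_of(shown)} but opens {target}")
        elif target != org_domain and not target.endswith("." + org_domain):
            findings.append(f"link: points outside the organization ({target})")
    # Urgency indicator: pressure language in the subject or body.
    haystack = (msg.get("Subject", "") + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [w for w in URGENCY if w in haystack]
    if hits:
        findings.append(f"urgency: pressure language {hits}")
    return findings
```

Run `phishing_indicators(SAMPLE)` to see all three categories reported; a message from the organization's own domain with links under that domain and no pressure language returns an empty list.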
An even more targeted version of spear phishing is whaling. Because its targets are executives and other people with power within an organization, it can be even more dangerous. However, whaling can be identified by the same indicators as spear phishing, so education and training for it are not much more difficult. CEOs and executives must therefore be just as diligent as employees in their email security practices to avoid whaling.
Phishing doesn't have to occur over email; it can take place over the phone as well. Voice phishing, or vishing, is another type of phishing that a threat actor can use to compromise a victim's credentials. A common vishing attack that takes place around tax season every year is the fake IRS call you might receive. While these calls may seem legitimate, there are some telltale signs that they are not.
Indicators for vishing vary from call to call, but the threat actor always has an end goal. If information or action is requested from a number the user isn't familiar with, even if the caller claims to be from a reputable source, the user should not provide it. Additionally, users can expect these calls around an event or time of year when people may be panicked or need more information, such as tax season or a presidential election. Finally, when the target of a vishing attack receives a call, the threat actor may induce a false sense of urgency for the victim to react to; this pressure is the primary reason a victim's credentials end up stolen.
Vishing isn't the only phishing type that occurs on mobile devices; another is SMS phishing. Smishing (very original) is the practice of phishing through text messages. Chances are you've been on the receiving end of a smishing attack before, because traditionally they are sent out in bulk to numbers found in a data breach. Smishing attacks use the same techniques as other phishing attacks, but users on the receiving end of a smishing attack shouldn't respond in any way, or even open the message if possible. This may deter the attacker by making them think the number isn't active and that another attempt would be a waste of resources.
Another type of phishing that uses mobile devices as a medium is angler phishing. Focusing specifically on social media, angler phishing preys on unsuspecting users who open direct messages and attachments that appear to come from friends. While many people assume social media is safe, these phishing attempts can steal credentials and then post on the victim's behalf, spreading the phish to even more people. Users should stay diligent when receiving messages and notifications on social media in order to keep their profiles secure.
While phishing attacks vary in their medium, targets and techniques, they can all be stopped with similar practices. Users can improve their cyber hygiene and protect themselves from phishing attacks by being mindful of the links they open and who they come from. However, the average consumer isn't the only target for phishing attacks; businesses are just as susceptible. If your organization is looking for assistance in dealing with phishing attacks and tightening up its cybersecurity, talk with one of our experts today.