Phishing – How Many Ways Can You Be Baited?


Every data breach and online attack seems to involve some kind of phishing attempt to steal password credentials, to launch fraudulent transactions, or to trick someone into downloading malware. According to a Verizon cybersecurity report, an attacker sending out 10 phishing emails has a 90 percent chance that one person will fall for it.

Do you know the different forms of phishing threatening your organization?

Phishing attacks get their name from the notion that fraudsters are fishing for random victims by using spoofed or fraudulent email as bait. But not all phishing scams work the same way — some are generic email blasts while others are carefully crafted to target a very specific type of person. This fact makes it hard to train users to know when a message is legitimate or if it’s malicious.

The most common form of phishing is the general, mass-mailed type, where someone sends an email pretending to be someone else and tries to trick the recipient into actions like logging into a website or downloading malware. These attacks are usually executed through email spoofing, where the email header is forged to make it appear as though the message is coming from a trusted sender. Examples of this type of email include a UPS delivery notification, a warning message from PayPal about your account being locked out, or an Office 365 email about storage quotas.
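As an added illustration (not part of the original article), the check below shows the kind of header analysis a mail gateway or analyst uses to catch the forged-sender spoofing described above: it compares the visible From domain with the envelope sender (Return-Path) and reads the receiving server's SPF/DKIM verdicts from the Authentication-Results header. The two messages are constructed samples, and the code assumes the Authentication-Results header was written by your own trusted mail server.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers (not real mail): the From header claims PayPal,
# but the envelope sender and the receiving server's Authentication-Results
# tell a different story.
SPOOFED_RAW = """\
From: "PayPal Service" <service@paypal.com>
Return-Path: <bounce@mail-updates.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=mail-updates.example; dkim=none
Subject: Your account has been locked
"""

# Constructed legitimate sample: aligned sender, SPF and DKIM both pass.
LEGIT_RAW = """\
From: "Acme Billing" <billing@acme.example>
Return-Path: <billing@acme.example>
Authentication-Results: mx.example; spf=pass smtp.mailfrom=acme.example; dkim=pass header.d=acme.example
Subject: Invoice 1234
"""

def domain_of(addr):
    """Domain part of an RFC 5322 address, lowercased ('' if absent)."""
    _, addr = parseaddr(addr or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def auth_verdicts(msg):
    """Pull spf=/dkim=/dmarc= verdicts out of Authentication-Results."""
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr)}

def spoof_indicators(raw):
    """Return the reasons a message's sender looks forged (empty if none)."""
    msg = email.message_from_string(raw)
    reasons = []
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    # Alignment: the bounce address should share a domain with the visible From.
    if rp_dom and rp_dom != from_dom:
        reasons.append(f"Return-Path domain {rp_dom} != From domain {from_dom}")
    verdicts = auth_verdicts(msg)
    # The receiving MTA's SPF/DKIM verdicts: anything but 'pass' is suspect.
    for mech in ("spf", "dkim"):
        if verdicts.get(mech) != "pass":
            reasons.append(f"{mech} result is {verdicts.get(mech, 'missing')}")
    return reasons
```

Production gateways enforce this alignment logic through DMARC; the snippet is the same idea in miniature, useful for triaging a reported message's raw headers.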

Spear phishing takes phishing one step further. By using a more targeted campaign, the attackers go after specific high-value victims and organizations. These attacks tend to be extremely successful because the attackers spend a lot of time crafting information specific to the recipient, such as referencing a conference the recipient may have just attended or sending a malicious attachment where the filename references a topic the recipient is interested in. Remember, the more personal and relevant the email topic, the more likely someone will believe it.

Whaling is a concept of “going after the big one.” These are typically phishing attacks where a company’s top executives are specifically targeted. Since the account credentials belonging to a CEO will often open more doors than those of an entry-level employee, CEOs are considered high-value targets, with the hope of being able to steal sensitive data, employee information, and money. Whaling often brings a bigger payout, which makes the additional research the attacker has to perform worthwhile. In order to know who the intended victim communicates with and the kind of discussions they have, attackers often start with social engineering to gather information about the victim and the company before crafting the phishing message that will be used in the whaling attack.

Vishing stands for “voice phishing,” and it typically entails the victim receiving a call with a voice message disguised as a communication from a financial institution. The message might ask the recipient to call a number and enter their account information or a PIN for security purposes; however, the number actually goes to the attacker and not the legitimate institution. Other vishing scams include criminals calling victims and pretending to be Apple or Windows tech support or the IRS, in an effort to take advantage of the person’s fear of being hacked or of having a judgment against them.

Phishing attempts have even gone mobile with the use of text messages, known as smishing. This attack takes vishing to the next level: scammers send a text to your phone disguised as a message from your bank or other financial institution. It might warn that your account has been suspended and that immediate action is required by clicking on a link. Or the text message may ask you to call a phone number, which will connect you to a live person who pretends to be someone from your bank and asks for your personal information to verify your account.

Regardless of the scenario, the core of any phishing scam is social engineering. These attacks work because the fraudster attempts to hack the human and not the device. Remember, being security conscious isn’t a technical skill. YOU are the best defense against scammers.


Call M.A. Polce Consulting, Inc. today to find out how our custom Security Awareness Training program can help protect you and your users from falling victim.
