Phishing attacks have been around since the first email was sent on ARPAnet in the late 1970s. Phishing is still the most popular way for threat actors to gain an initial foothold in a targeted company, and it is becoming more sophisticated in order to evade the security controls meant to prevent it. The human is still the best defense when it comes to preventing successful phishing attacks. But what is “phishing,” exactly? An MIT article defines phishing as “the fraudulent practice of sending emails pretending to be from reputable sources in order to steal passwords or sensitive personal or financial information, or to install malware on the target’s computer.”
Now that we know the basics, what are the different types of phishing attacks?
Types of Phishing
To put it briefly, I see two main types of phishing attacks that put TP employees in a vulnerable position: a general phishing attack, and a targeted phishing attack, more commonly called “spear phishing.”
A general attack has bad actors impersonate or mimic real organizations and send thousands of common requests. This is the approach most employees are exposed to on a daily basis, and it carries different levels of risk depending on their area of work.
A targeted attack has attackers sending highly personalized messages built from information they have discovered about the specific victim. This type of attack usually targets higher-level employees, who, in their fast-paced work environments, are the most likely to act on impulse.
Phishing attacks can be carried out in several ways:
- Email phishing: Email phishing is considered the least sophisticated phishing attack, but this does not mean that it is the least effective. It is designed to mimic a legitimate company that sends out generic emails to unsuspecting victims, inviting them to click on a link, download a file, or follow several instructions in the email. Oftentimes, general greetings such as “Dear account holder” or “Dear valued teammate” are used.
- Spear phishing: A more sophisticated type of phishing, spear phishing targets a specific group or individual with the goal of infiltrating an organization. Mostly carried out by high-profile hackers, this type of phishing has scammers performing extensive research on their targeted victims to make the attack sound more personal.
- Whaling: A more sophisticated form of spear phishing, whaling is steadily becoming more widespread and more advanced. This type of targeted attack centers on high-profile business executives, such as CEOs and managers. Like most targeted phishing attacks, whaling has cybercriminals researching their targets and addressing them directly in a personalized message that contains a subpoena, a legal complaint, or something that requires urgent action to avoid bankruptcy or getting fired. The target is sent links to a fabricated login page where login information is gathered by the hackers. In some cases, cybercriminals will also ask victims to download an attachment that contains malware, giving them access to the victim’s computer.
- Vishing, or voice phishing: Instead of sending an email, attackers obtain banking details or login information by calling victims over the phone. The call could be about an overdue amount or fake contest winnings, or come from a bad actor impersonating tech support who requests remote access to a computer. The goal is to have victims hand over their bank or credit card details.
- Smishing: Smishing uses text messages (SMS) to lure victims into clicking a link that leads to a fake site. The fake site then fishes out personal details and bank account details, making them available to cybercriminals. This has become very popular recently because employees’ mobile phones are not monitored by our security team.
- Angler phishing: A newer type of phishing, angler phishing uses social media to look for potential victims. Cybercriminals monitor potential victims who post rants or complaints against banks on social media, and then initiate the attack by posing as a customer service representative from that same bank. Armed with specific information gathered from the victim’s social media post, the cybercriminals trick victims into giving up their financial details or bank information.
- CEO fraud phishing: The victims of this attack are most likely to be executives in finance positions. The email’s message is often marked as urgent, instructing victims to act quickly. Oftentimes, cybercriminals will ask victims to conduct bank transfers or purchase gift cards for “clients.” Additionally, we see very high-level executives targeted with CEO fraud phishing emails themed around mergers and acquisitions.
- Search engine phishing: This type of phishing uses legitimate search engines. Attackers create fake websites that offer fake deals, free items, discounts, or even fake job positions. They then use search engine optimization techniques to have their fake websites indexed by legitimate search engines, making them available to most users who search the internet. As with most phishing, the attackers dupe victims into logging into these fake websites with sensitive information, which is then harvested.
Next time in this #preventthescam series – learn more about the stages of phishing, and what can be done to avoid a phishing attack.