The Most Common Phishing Attacks and How to Protect Against Them

23 experts discuss the most common phishing attacks that businesses face and how you can protect against them.

According to Verizon’s 2019 Data Breach Investigations Report, social engineering attacks remain a prominent threat for businesses of all sizes. In fact, 32% of breaches involved phishing, an attack method that’s been around for many years yet continues to evolve. As individuals and businesses become more aware, cyber attackers develop increasingly sophisticated attack methods to trick users into handing over sensitive information. Yet many of the traditional phishing approaches still work, exploiting the weakest link in the cybersecurity chain – humans – to gain unauthorized access to systems.

Unfortunately, the weakest link when it comes to phishing and other cybersecurity threats is one that can’t be eliminated, because your business relies on its people to survive. But that doesn’t mean you can’t minimize the weakness. The best defense against phishing attacks and other social engineering attacks is to strengthen your weakest link through comprehensive employee cybersecurity awareness training.

To effectively train your employees on cyber awareness and cyber hygiene best practices, it’s crucial for businesses to understand the threats they’re up against. To help you understand today’s phishing landscape and the various methods attackers use to exploit the weakest link, we reached out to a panel of cybersecurity experts and business leaders and asked them to answer this question:

"What are the most common phishing attacks and how can businesses protect against them?"

Meet Our Panel of Cyber Security Experts & Business Leaders:

Read on to learn more about the most common phishing attacks and how you can best protect your business against them.


Anton Kioroglo

@SecurityFirstit

Anton Kioroglo is the Chief Security Officer for Security First IT, LLC. Security First IT is a Charlotte-based IT management and security firm that specializes in solving the cybersecurity and IT needs of small and medium-sized businesses throughout the country.

"In the world of phishing, there are generally three most common types of emails…"

Cybercriminals are incredibly smart – remember, stealing information and causing damage is the way that they feed their families. Phishing has come far from princes in far-off lands notifying you that you’ve inherited millions of dollars or won a lottery.

1. Mimicking a Service or Website

These emails will spoof a widely recognized service such as Amazon, eBay, Netflix, PayPal, or online banking. They look incredibly similar, or exactly similar, to correspondence from these sites – however, the links embedded within them lead to a lookalike site set up purely to collect information from or download a virus onto the PC of unsuspecting victims.

“This is the support team at Amazon.com. We’ve shipped 50 gallons of mayonnaise to your home address. Need to cancel this order? – sent from Amaz0n.co”

How Do I Protect Myself or My Business?

  • Check the domain name. An official domain should be associated with the service, such as Amazon.com. Criminals cannot gain access to this domain, so they will often swap out or add letters and numbers, such as Amaz0n.com or Amazone.com.
  • If in doubt, log into your account and contact the originating service directly to verify that they were attempting to contact you.

What If I Accidentally Filled in My Information?

  • Change the password for the account that has been compromised and monitor its activity.
  • The scammer will likely continue using the email address to send phishing emails, because it has now been “verified.” Do not fill in any information on links sent to that email address.

2. Urgent Emails

Criminals have also been known to use publicly available information in conjunction with stolen information to launch email campaigns against businesses in the form of spoofed pleas for help from bosses and co-workers.

“I’m at a conference in New York and have lost my wallet. Can you send $500 to my PayPal account? I can’t get into any hotels without it!!!”

Of course, this is not coming from the supposed source but is a criminal looking to prey on the sense of urgency to fool the victim into sending money.

How Do I Protect Myself or My Business?

Should you receive one of these emails, admittedly, it could be true. The best policy is to use an alternate contact method to contact the distressed individual. Follow through to call, text, message them on social media, or communicate through some alternate form of contact. This should help you to verify the situation directly with them. A phone call is the suggested route, as social media accounts could have been compromised in the attack as well.

What If I Accidentally Filled in My Information?

  • Immediately take the appropriate action for a stop-payment.
  • File a report with the service used to contact you originally with the phishing email.
  • Should funds have been sent, file a police report.
  • Report the incident to the appropriate supervisor or department, should this have happened in a business environment.

3. Financial Hijacking

Emails spoofed as new vendors or in-house departments have been used to scam funds into criminals’ bank accounts from unsuspecting employees, straight out of their employer’s bank accounts.

“This is Angela, office manager at Quality Plumbing. I was instructed to get in contact with you about setting up a new wholesale account. Your CFO placed an order for a crate of 5,000 pipes. Could you please send $25,000 to account number XXX-XXX-XXX? We can’t deliver until it is paid, and he says it is urgent. Thanks for handling this promptly!”

The email isn’t truly originating from Angela at Quality Plumbing, but instead is a criminal attempting to goad the victim into transferring funds, thinking that the charge is a legitimate business invoice.

How Do I Protect Myself or My Business?

The best policy is to have a clear roadmap for financial requests set up. With established policies, even if an attack is launched, roadblocks will interrupt the flow, allowing additional chances for trained employees to catch on. These policies can include time holds on payment requests, required verbal approval from certain department heads, or allowing funds to transfer in or out of only certain accounts.

What If I Accidentally Filled in My Information?

  • Immediately take the appropriate action for a stop-payment.
  • File a report with the service used to contact you originally with the phishing email.
  • Should funds have been sent, file a police report.
  • Report the incident to the appropriate supervisor or department.

By knowing these three types of common phishing attacks, you can spot them before it is too late. It is critical that businesses take the time to train their staff to sense attacks before damage is done.


Sean Haugh

@Bionic_Business

Sean Haugh is a Campaign Executive at Bionic Group, helping small businesses save on their expenses.

"As a business, you are only as strong as your weakest link, and this is especially true in regard to cyber security…"

Spam filters and other technology can aid us in protecting our businesses against phishing attacks, but the biggest security risk is employee ability to detect and avoid these attacks. There are many types of phishing attacks and employee awareness and consistent education is key to mitigating the threat.

Email phishing is the most common type of phishing attack. The attacker’s main goal for this type of attack is to pose as a genuine organization and send out thousands of generic requests in the hope that someone falls for the trap and inputs personal details.

This can be done by creating a new domain similar to the genuine organization they are posing as, or more commonly, they use the organization’s name in the local part of the email address to give the victim the impression that they are being contacted by a reputable organization.

As this is the most common phishing attack and can be easily spotted by someone with knowledge of these attacks, continuous employee education is essential to mitigate the risk of these kinds of cyber attacks.

Spear phishing is similar to regular email phishing, but the criminal tailors their attack to a specific person. These types of attacks are more sophisticated, where the attacker researches the victim and uses their personal details, making their phishing email seem more legitimate. It is likely that this type of attack is more successful than a regular phishing email.

Whaling attacks are even more sophisticated attacks that specifically target executives. These attacks are a lot subtler, thus making them even more dangerous than the above.

Smishing and Vishing and Angler Phishing

Phishing attacks are generally associated with email, but telephone calls and text messages can also be a threat to your business. In more recent times, a new type of phishing attack using social media has become evident. Criminals tactically persuade unsuspecting people into revealing sensitive information or simply use data that people post on social media to aid them in their attack.

Continuous employee education is the key to preventing phishing attacks, but in addition, here is a list of other security measures you can implement to protect your business against Phishing attacks:

  1. Monitor suspicious activity on your network.
  2. Update software regularly.
  3. Know where your sensitive data resides.
  4. Monitor log files and wire data.
  5. Perform penetration assessment.
  6. Prepare for the worst case scenario with cyber insurance.

Godswill William

@knowaloud

Godswill William is a Java instructor and full stack web developer currently trying to demystify web development with Android.

"A phishing attack is defined as a type of social engineering attack habitually used to steal user data, including login credentials and credit card numbers…"

It occurs when an attacker, camouflaged as a trusted entity, swindles a victim into opening an email, instant message, or text message. The user is then tricked into clicking a malicious link, which can lead to the installation of spyware and malware. This spyware enables the perpetrator to obtain concealed information about the recipient’s computer activities by transmitting data covertly from their hard drive.

Most Common Phishing Attack

For businesses, I think spear phishing is most common, even though email phishing is still effective for attackers. By spear phishing, I mean the attackers are targeting a specific individual or enterprise. In this kind of phishing, the attackers carefully study and have a relative knowledge about a person or an organization, including its power structure.

For example:

  1. A perpetrator in his research gains access to the newest scheme and invoices and discovers key employees within an organization, whose credentials can open up access to lots of sensitive information.
  2. Posing as the manager, the perpetrator may email this employee, using a subject line that reads, ‘Review Updated Invoice for Q2 Campaigns.’ The text, style, and included logo duplicate the organization’s standard email template.
  3. A link in the email redirects to a password-protected internal document, which is actually a spoofed version of a stolen invoice.
  4. The employee is requested to log in to view the document. The perpetrator steals his credentials, gaining full access to sensitive areas within the organization’s network.

By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of an Advanced Persistent Threat.

As I said earlier, email is still effective for some attackers.

For example, in 2011 an attacker sent out an email titled “2011 recruitment plan” to a small group of employees within a cybersecurity company. The email was loaded with a virus-contaminated Excel file. One of the employees opened this file, which gave the attacker access to other employees’ passwords, and thus the whole system became vulnerable.

This gave the attacker access to many US government departments and US defense supplier networks.

How to Protect Against Phishing

  • Two-Factor Authentication: This is an effective way to counter phishing attacks, as it adds an extra verification layer when logging into sensitive areas. This sort of system would not only require a user’s password to allow access but also makes use of other user credentials to allow access. For instance, the system may require a thumbprint as an additional security check, so even when the attacker has the recipient’s password, he may not be of any threat to the organization.
  • Implement Effective Email Security: Implementing a Secure Email Gateway should be any organization’s first line of defense against phishing attacks. Email Gateways act as a firewall for email communications, blocking any emails containing malicious content. They can also detect domain spoofing, protecting users from emails that are impersonating their legitimate contacts.
  • Educational Campaigns: Educational campaigns can also help diminish the threat of phishing attacks by enforcing secure practices, such as not clicking on external email links.

Steven J.J. Weisman, Esq.

@Scamicide

Steven is a lawyer, college professor at Bentley University where he teaches White Collar Crime, and one of the country's leading experts in cybersecurity. Among his books is Identity Theft Alert. He also writes the blog www.scamicide.com, where each day he provides newly updated information about the latest scams, identity theft schemes, and cybersecurity developments.

"Phishing occurs when someone receives an email that lures that person into…"

Downloading an attachment with malware or clicking on a link in the email that automatically downloads keystroke logging malware that enables the hacker to steal all the information from the computer of the victim. In other instances, malware such as ransomware is downloaded through phishing emails. Most major data breaches have occurred as a result of phishing or the more specifically tailored spear phishing email, where the sender adapts the email with information about you to make it seem more legitimate and trustworthy.

At one time, phishing emails appealed to standard subjects that would interest people at work with roaming minds such as free video games or music. However, in recent years, spear phishing emails have gotten more sophisticated. Often, the emails are made to appear as if they come from upper-level management of the targeted company. LinkedIn is often a source of information that can be manipulated to aid hackers in creating spear phishing emails using the names of specific people inside the company. Hackers may look up a company online and find profiles of individual employees that may contain their email addresses. After viewing a few employee profiles, a hacker can determine the protocol used for emails within a particular company, such as the initial of the first name, last name, and company name, such as jsmith@companyname.com. Using this information, the hacker can send a legitimate-appearing email to a company employee that looks like it comes from within the company, luring the real employee to either click on a tainted link or enter a username and password. Other times, hackers may scour social media of employees to find what interests the employee and leverage that interest to create a spear phishing email.

Phishing emails can be easily made to appear as if they are coming from a legitimate source, such as banks, government agencies, or many popular companies such as Netflix. It takes little talent to create a counterfeit logo on an email to make it look official. Scam artists, the only criminals we refer to as artists, have a knowledge of psychology that would have made Freud envious, and they know how to lure us into clicking on the infected links.

Companies need to educate employees about the dangers of spear phishing and how to recognize it. Sending out test phishing emails to employees is also a good practice. Ultimately, employees should learn my motto, “Trust me, you can't trust anyone.” Employees must be trained never to provide personal information, download an attachment, or click on a link unless they have absolutely confirmed that it is legitimate. Some security software will help recognize some phishing emails, but no security system will avoid all phishing emails.


Marty Puranik

@AtlanticNet

Marty Puranik is the Founder, President, and CEO of Atlantic.Net.

"Phishing is a tactic employed by scammers…"

Common phishing attempts come by way of email. A scammer will email you from what appears to be a trusted email address, when in fact it is fake. The best rule of thumb is to avoid clicking on links from random email addresses. If you receive an email from a website you normally visit, rather than clicking the potentially dangerous link, just go directly to the site from your browser. Or, if you need to click the link, you can hover over it first to make sure that it's sending you where it claims. Another red flag is if the email doesn't contain your name at the beginning. It might say “Dear Customer” or “Hello.” If it's authentic, it will almost always contain your name. Lastly, phishing emails will often try to get you to divulge sensitive information by filling out a form. Try to avoid sending any kind of personal or financial information over the Internet. Again, if you're in doubt, simply go to the main website of the company in question. Or, pick up the phone and give them a call.


Christopher Gerg

@TetraDef

Christopher Gerg is the CISO and Vice President of Cyber Risk Management at Tetra. He is a technical lead with over 20 years of information security experience. He has experience in the challenges of information security in cloud-based hosting, DevOps, managed security services, e-commerce, healthcare, financial, and payment card industries.

"Apart from the normal ‘flavor’ of targeted phishing emails that pose a problem with an Amazon order or a new login on your Netflix account, there are a couple of new wrinkles in the phishing world…"

One type targets shared email accounts like sales@somecompanyname.com. These emails hit multiple targets, are easy to guess or obtain with web searches, and are harder to protect with multi-factor authentication and other safeguards. These shared inboxes, by their nature, often receive unsolicited email, increasing the chances of malware being accidentally unleashed.

Another type is called lateral phishing. This type of attack uses a single compromised email account to spread to others – often in the form of seemingly innocuous (and not particularly targeted) emails like “New work schedule attached. Please distribute to your teams.”

The main defenses against phishing attacks are both technical and “soft” controls. Two-factor authentication is a good preventative measure against business email account compromise. Another foundational control is to keep all computers and services up to date with patches (this is all in addition to a good anti-spam and anti-malware gateway and software). The “soft” control that is arguably huge is awareness of the kinds of threats facing the people receiving email. There should be regular reminders and awareness efforts to keep the end users very aware and cautious.


Greg Kelley

Greg Kelley, BS, ENCE, DFCP, is the Chief Technology Officer at Vestige Digital Investigations.

"The most common phishing attacks involve emails that mimic Office 365 logins or logins from other providers…"

The goal is to get a user to click on the link and provide their credentials. At that time, the perpetrator immediately uses those credentials to gain control of that mailbox and use it for fraudulent purposes such as accessing financial accounts or facilitating fraudulent payments.

There is no silver bullet to protect from this attack. Protection comes from multiple fronts.

First, educating users to spot these fraudulent emails. Part of that identification can be assisted by IT. Unique banners can be put on emails that truly come from Office 365 or another provider of yours. Teach users that if you don't see that banner, report the email or delete it.

Second, do you have multi-factor authentication set up on your accounts? If not, why not? It may be inconvenient, but how inconvenient will it be to lose $100,000? Granted, there are phishing scams out there that look to circumvent 2FA, but if you utilize 2FA, you'll stop the ones that don't.

Third, review policies regarding changes in financial transactions or authorizations of large payments. Accepting just email notification for important financial decisions is no longer good enough.


Nelson Gomes

@NECNewZealand

Nelson Gomes is the Head of Networks at NEC New Zealand and is responsible for the Communications and Security areas of the business including cybersecurity, network security, networking, microwave technologies, and optical transport. NEC is working on next generation security solutions which will deliver a predictive threat mitigation plan, allowing enterprises to self-heal.

"Despite being around for years, phishing is still one of the biggest threats to cybersecurity, and according to Avanan, one in every 99 emails sent is a phishing scam…"

Email is undoubtedly the go-to tactic for phishing scammers. There are a number of different types of email phishing scams and these can be both widespread or targeted. As well as targeting individuals through personal email accounts, attacks can also target businesses, and these can have some serious implications for cybersecurity in the workplace.

Email Phishing Scams

Email is the primary method of phishing scams and there are a number of different approaches as highlighted below:

Deceptive Phishing

This is the most common type of phishing scam and usually adopts a ‘spray and pray’ approach where a phishing email is sent to thousands of people in the hope that one or two will fall foul of the scam.

In this type of phishing scam, cyber criminals impersonate legitimate accounts in an attempt to steal your personal details or login credentials. These types of attacks target both personal and business email accounts and will often use a sense of urgency or even a threat in order to trick people into clicking on a link. Cyber criminals have become more sophisticated over time in replicating official emails and templates from legitimate brands and organizations, making it more difficult for people to spot a real email from a fake.

What to look out for:

You should look out for things like generic greetings (e.g., ‘Hello there’). Any emails that are sent to you would usually be addressed specifically to you, so watch out for these generic introductions. Also, be very wary of emails that are littered with spelling mistakes or grammatical errors. True corporate emails will never be sent out with these types of errors, so this is a clear warning signal about the validity of the email.

Spear Phishing

While deceptive phishing takes the approach of emailing thousands of inboxes, spear phishing is a much more targeted approach, and there is usually a reason why an individual has been targeted.

The proliferation of personal information now available online has made spear phishing a much more lucrative option for cyber criminals. Personal information can be pulled more easily from social media sites like Facebook; however, it tends to be in the business world where spear phishing is deployed more successfully.

LinkedIn is a huge source of personal information about employees. Job title, company, phone number, and work emails can all be sourced now and used to craft very specific and targeted emails which seem genuine.

How to protect your business:

Training is the key to reducing the threat of spear phishing scams. Staff need to be educated both in terms of what to look out for in this type of targeted email attack and on their responsibility to the business when it comes to sharing personal and corporate information on social media platforms. You can, of course, also invest in solutions that analyze inbound emails for known malicious links and flag these before the individual gets the chance to click on any potentially damaging links.

Whaling

Taking spear phishing to the next level, whaling is a type of phishing scam that is specifically targeted at high-level business people, politicians, and celebrities.

In the case of businesses, cyber criminals will often target CEOs or other high-ranking officials in order to gain high-level access to an organization’s network. By stealing the login details of these individuals at the top of a business, they will often get access-all-areas login details, including financial records, employee records, and more.

From here, cyber criminals will often use the compromised email accounts of high-ranking executives to authorize payments or wire transfers to specific accounts.

How to protect your business:

The reason whaling attacks are often so successful is that many CEOs and top execs do not go on staff training courses where staff are educated around cybersecurity risks. There is a strong argument that the people at the top of any business are the ones that this sort of training should apply to the most. They are the ones with the most power and the most to lose if their login credentials are compromised, so it would be prudent to ensure every member of staff, from top to bottom, is put through cybersecurity awareness training.

Recognizing Phishing Scams

Phishing emails, whether widespread or targeted, tend to have a lot of common elements which can really help to identify them and ensure you deal with them appropriately. Here are some of the most common things we see in phishing emails:

  • Claim that there is a problem with your account
  • Identify suspicious activity on your account or unauthorized login attempts
  • Ask you to confirm personal information
  • Ask you to click to make a payment
  • Say there was an issue with your payment so your account is on hold

These types of emails will often appear to come from a brand or organization that you do have an account with – your bank, credit card company, social media site, or an online store. They can appear very real; however, there are some tell-tale signs to look out for:

  • Do you have an account with the brand?
  • What is the email address of the sender? Does this match with the URL of their official website?
  • Does it have a generic greeting like ‘Hi there’?
  • Does it request some sort of urgent payment?
  • Are there other contact options available?

Part of any company training plan should include examples of all types of phishing scams and what to look out for. That way, people become more aware of the risks both at work and with their personal email accounts, thus reducing the threats.

How to protect yourself and your business from phishing:

Training is the best way to protect your employees from phishing scams – making sure they don’t fall foul in the first place; however, there are other steps you can take to protect your business from phishing scams:

  • Protect your network and all connected devices by using security software.
  • Ensure your network and applications are up to date.
  • Use anti-virus software that is sufficient for the size of your business.
  • Organize regular training sessions, highlighting new threats and reinforcing key messages.
  • Enforce use of more complex passwords and use of two-factor authentication.

While some of these tactics cover a broader approach to cybersecurity, ensuring you are protected in the worst-case scenario of a breach via an email phishing scam is going to be crucial. If you are concerned about your level of protection, you should speak to a cybersecurity specialist to see what solutions are available for your business.


Sean Ferrel

@ManagedSolution

Sean Ferrel is the CEO of Managed Solution.

"The most common type of phishing is deceptive phishing…"

We've likely all seen this one. This is when the hacker tries to impersonate a legitimate company or organization in an attempt to steal your personal or financial data. These emails typically have a sense of urgency stating that you've won a prize or that your account has been hacked.

The best way to protect yourselves from these types of phishing attempts is threat protection, whether on your device itself or programs that are specific to your email.

The most important thing to do is to train your employees so that they are educated enough to know what a phishing email looks like. Things to look out for include the email not matching the name of the person, hovering over links to ensure legitimacy of URLs (most will be long and bogus when it's phishing), misspellings and generic greetings. As a general best practice, all individuals should always have multi-factor authentication enabled whenever possible, so that if a hacker does get your password, you are protected by your second method of obtaining access.


Nicole Rogerson

@pktlabs

Nicole works in Business Development at Packetlabs Ltd.

"The most common phishing attacks today lead to ransomware or wire fraud…"

Both of these use phishing to gain access into an organization to execute malicious software that will encrypt data, or they will sit and watch emails across the organization to understand key employees involved in the wire transfer process.

There are typically three common phishing techniques that we see:

1. Email Phishing (en-masse)

Sometimes, adversaries or attackers may use mass email phishing across many different organizations in the hopes of getting one click to download malware and surrender their credentials.

2. Spear Phishing

Spear phishing is a little more dangerous in the sense that it is a targeted email by somebody who already has some knowledge or information about their target, unlike en-masse phishing where there are no specific targets. Messages with this type of phishing are modified to specifically address that victim, making it harder for the victim to catch on. A notable case is the hacking of the Democratic National Committee in the summer of 2015 and the spring of 2016.

3. Whaling

This attack has an interesting, but fitting name. The main difference between a spear phish and whaling attack is about how high profile the target is and therefore, this attack can be more subtle than the other two. The messages are seemingly very urgent and potentially disastrous if they do not respond quickly, so the recipient feels compelled to act quickly. One of the main ways whaling is different from mass email phishing or spear phishing is that rather than using malicious links and malware to gain a foothold on their victims, someone nefarious is going to be impersonating a high-ranking person (e.g., C-Suite executives) to make a request.

At the end of the day, security is only as good as your weakest link, and phishing campaigns are often successful even after security awareness training. That said, employee training is still very important. Companies should train their employees regularly to look out for the following:

  1. Check that the sender's email is what you expect it to be. If your co-worker is emailing you something work-specific, that email should be from your work domain (not Gmail or Outlook). Check that the domain is your work domain, and not misspelled (e.g., @yuorcompany.com instead of @yourcompany.com).
  2. Do the grammar and punctuation match that of the sender? If they don't, it may be someone else pretending to be them.
  3. Is the email expected or unordinary? Is it a request usually asked of you? Or is this an unusual request?
  4. How urgent is the request? For phishing to succeed, attackers request that the task is completed immediately. When these urgent requests occur, it is best to confirm with the sender using an alternative method (e.g., phone call).
  5. Are there attachments? These attachments can be used to install malicious software and lead to system compromise. Do not open anything you are not expecting.
  6. Hover over the hyperlink to verify that the website they want you to visit is the one you expect. For example, yourcompany.com can be hyperlinked to malicious.com and you'll only know if you hover your mouse over the link before you click it.

Additionally, the security controls currently in place may require some tuning to catch these phishing attempts. We recommend reviewing vendors for their anti-spam capabilities and choosing a vendor that will satisfy your requirements.
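Item 6 of the checklist above (hover over the link and compare it with what the text shows) can be done by a script for every link in a message. The following Python example is added here; it is not code from Security First IT or from this page. The HTML body, the yourcompany.com domain and the .example hosts in it are constructed for the illustration.

```python
"""Automated "hover check": for every anchor in an HTML email body, compare the
site named in the visible link text with the host the href really points to.
Example added to this page; the sample message below is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Something that looks like a domain or URL inside the link's visible text.
DOMAIN_IN_TEXT = re.compile(
    r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []     # finished (href, text) pairs
        self._href = None   # href of the anchor currently open
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain: the last two labels (yourcompany.com).
    Assumption: adequate for the .com/.example style names in this example."""
    return ".".join(host.lower().split(".")[-2:])


def find_deceptive_links(html):
    """Return (text, href, reason) for every link that does not go where it claims."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parsed = urlparse(href)
        # urlparse already handles the "user@host" trick: everything before '@'
        # is userinfo, so http://yourcompany.com@evil.example/ goes to evil.example.
        actual = (parsed.hostname or "").lower()
        if parsed.username is not None:
            findings.append((text, href, "credentials before '@' hide the real host"))
            continue
        claimed = DOMAIN_IN_TEXT.search(text)
        if claimed and registrable(claimed.group(1)) != registrable(actual):
            findings.append((text, href,
                             f"text names {claimed.group(1)} but href goes to {actual}"))
    return findings


# Constructed sample body: one honest link followed by three deceptive ones.
SAMPLE_HTML = """
<p>Please review the document at
<a href="https://yourcompany.com/docs/42">yourcompany.com/docs/42</a>.</p>
<p>Then sign in at
<a href="http://yourcompany.com.login-portal.example/">https://yourcompany.com/login</a>.</p>
<p>Or just <a href="http://yourcompany.com@malicious.example/">click here</a>.</p>
<p>Support: <a href="https://malicious.example/help">yourcompany.com</a></p>
"""

if __name__ == "__main__":
    for text, href, reason in find_deceptive_links(SAMPLE_HTML):
        print(f"SUSPICIOUS: '{text}' -> {href}  ({reason})")
```

Run as a script it prints the three flagged links. The third sample is the interesting one: its visible text ("click here") makes no claim, so comparing text against host says nothing, and a human hovering sees a URL that begins with the trusted name; the script catches it only because everything before the @ is parsed as credentials rather than as the host.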


Burton Kelso

@callintegralnow

Burton Kelso is a tech expert and the chief technology expert at Integral. He appears on TV educating home and business users how to get the most from the technology they use. He’s read all the manuals, he loves technology, and he’s serious about making technology easy to understand for everyone!

"The most common way that people get phishing attacks is by email…"

True, there are bots and malicious programs that scour the Internet trying to infect your devices. 99% of hacking requires user interaction. This means that users have to click on an email attachment or link in an email to allow hackers to get access to their devices and valuable information. That’s why phishing schemes have risen dramatically over the past few years. Everyone has access to email and has an email address, which makes email phishing attacks attractive to cyber criminals. With the way that email is constructed, it’s easy for a hacker to disguise an email to make it look like it comes from a legitimate source.

HTML coding in email makes it simple for criminals to personalize emails and have them carry the brands and logos of major, trusted companies. The best defense against phishing emails is to think before you click. Scour the email to verify that it has all the right identifiers, such as a valid email address and a valid web address. For people who are unfamiliar with how to defend themselves against phishing attacks, there are tests that people can take online that will allow people to brush up on their phishing and cybersecurity skills.


Shannon Wilkinson

@SWilkinsonCyber

Shannon Wilkinson is the CEO and President of Tego Cyber Inc. She has been in technology for over 20 years, starting her career with the United Nations. She became more involved in cybersecurity in 2015 when she co-founded a cybersecurity company in Las Vegas, which she exited in June 2019. In September, Shannon launched a new cybersecurity firm called Tego Cyber Inc., which offers cybersecurity consulting services in addition to a threat intelligence platform.

"One of the most common phishing scams that businesses face is that of payment redirection to a vendor…"

A scammer will send an email to someone in accounts payable or the finance department requesting payment of an invoice, either with the fraudster's bank account information on the invoice or with a request to change the banking information for the vendor. In many cases, the employee in the finance department does not think twice about paying the invoice or sending a payment to a new bank account, especially if the invoice looks legitimate. This vendor-type phishing scam has resulted in millions of dollars in losses for companies, educational institutions, and local governments across the US in recent years.

For businesses to protect themselves, they need to establish procedures for paying vendors that include verification of requests for bank account changes. A simple phone call to the accounting department of a vendor can quickly defeat a vendor phishing email scam, but finance departments should be cautious to call the known phone number of the vendor, not necessarily the one listed on the invoice, because scammers are more than happy to confirm that they did indeed request the change if they receive the phone call instead of the real vendor.


Abdul Rehman

@VPNRanks

Abdul Rehman is a cybersecurity editor at VPNRanks.com.

"Phishing is not going anywhere in 2021, that's something we can all agree on…"

Let's see some of the common phishing attacks that are launched almost every day and how we can prevent them.

Some of the most common phishing attacks:

Pharming

This phishing technique depends more on technical manipulation than psychological manipulation. In this, the guy behind the attack would change the IP behind a DNS name to redirect you to a malicious website of his choice. (DNS is a naming system for websites; it translates the IP addresses of websites to names, so a specific IP would translate to Google.com)

How to prevent it?

  1. Look for the https in the URL, and don't trust sites that don't have it.
  2. Always look for suspicious re-directions.
  3. Use a good antivirus software.

Vishing

This is the most old-school technique where the person behind the attack calls you and pretends to be someone else to extract important data from you. For example, it can be someone pretending to be from a law enforcement agency asking about your whereabouts or your financial information.

How to prevent it?

  1. Avoid calls from unknown numbers. If someone calls you from an unknown number, always verify their identity, record the call, and never overshare.
  2. Don't trust people easily.


Sanjay Patoliya

@teclogiq

Sanjay Patoliya is a full-stack software engineer with more than 10 years of experience in software, web and mobile application development, deployment, and maintenance. Sanjay is the Founder and Director of Teclogiq with more than 6 years of experience in offering splendid IT services to worldwide clients.

"There are 7 most common phishing attacks that may attack businesses…"

Let's understand them one by one and how to protect against them.

1. Email phishing

This is the most common and most widely known phishing variant. With this variant, the cybercriminal sends the unsuspecting user a seemingly innocuous email with an embedded link. Clicking on the link within the email initiates the download of a virus or malware which then infects the user's device. Following this, the cybercriminal can then steal the user's credentials and access the network freely. To increase the chances of the corrupt link being clicked, cybercriminals try to make the email as realistic as possible, often using a name that the user is familiar with as the sender.

Good observation is the best way to safeguard against this phishing variant. Pay close attention to any spelling mistakes or bad grammar in an email, as these may be signs of a phishing email. As much as possible, avoid clicking on embedded links within an email. Train your employees on how to identify attacks and how to avoid them.

2. Vishing

With vishing, cybercriminals attempt to make users give up their network credentials over the phone. They may claim to be someone in authority, salespeople, or account representatives, among others. They are often very convincing such that unsuspecting users readily offer up their network credentials.

To guard against this phishing variant, you should never provide your credentials to anyone over the phone, especially your password. As a general rule, any request to provide your password over the phone should be treated with suspicion.

3. Smishing

Smishing is similar to vishing and email phishing, the only difference being that the user is sent a text message with an embedded link. Once the link is clicked, a virus or malware is downloaded to the user's device, corrupting it and thereby allowing access to the network.

The only defense against this form of phishing is to avoid clicking links in text messages when you are not familiar with the sender.

4. Pharming

With pharming, cybercriminals install malware on a server or computer such that when users type in the correct web address, they are redirected to a bogus site instead. These users, thinking they are on the correct website, then enter their account credentials which are subsequently stolen by cybercriminals.

Pharming is one of the more difficult variants of phishing to detect. The best way to guard against this is to look for the lock symbol next to the URL or the s in https. The absence of these is a strong indicator that a website is not secure.

5. In-session phishing

With this technique, a fake pop-up is generated as users browse on legitimate websites. The pop-up typically requests account credentials or other personal information. Users, thinking that the pop-up is tied to the website they are browsing, enter their information which is then retrieved by the cybercriminals.

The best defense against this phishing technique is to always ensure that your browsers have pop-up blockers enabled.

6. Watering-hole attacks

Watering-hole attacks are a passive form of phishing attacks. In this instance, the attackers infect legitimate websites and simply wait for unsuspecting users to access these sites. Once these sites are accessed, the attackers are then able to retrieve the users' account credentials.

This type of attack is extremely difficult to detect and guard against since the website appears legitimate and there’s no way to identify the phishing attempt.

7. Search engine attack

Also known as search engine poisoning, cybercriminals attempt to manipulate search engine results so that infected websites are at the top of search results. Users, believing the websites returned through their search are genuine, enter their credentials into these websites, and by doing so, offer up their account information to the cyber attackers.

This type of attack is also difficult to detect and guard against since a user doesn’t typically think about the websites in the search engine being dangerous to their computer.
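Both descriptions of pharming on this page (Abdul Rehman's, where the IP behind a DNS name is changed, and Sanjay Patoliya's item 4, where malware on the computer redirects a correctly typed address) point at two things a script can inspect: the endpoint's hosts file, which takes precedence over DNS, and the answers the resolver actually returns. The Python example below is added here and is not the experts' code. The watched domains, the hosts-file text and the resolver answers are constructed; the documentation ranges 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 stand in for real addresses.

```python
"""Pharming checks for the two mechanisms described on this page: a hosts-file
override on the endpoint, and a resolver answering with an address the real site
does not use. Example added to this page; sample data is constructed."""
import ipaddress
import os
import platform
import socket

# Names staff type in and log in to. Assumption: your SSO portal and the vendors
# finance pays; replace with your own list.
WATCHED = {"login.yourcompany.com", "bank.example", "payroll.example"}


def parse_hosts(text):
    """Yield (address, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; not this check's concern
        for name in fields[1:]:
            yield addr, name.lower()


def hosts_overrides(text, watched=WATCHED):
    """Return (name, address) for watched names the hosts file pins.

    A legitimate hosts file has no business mapping your bank or SSO portal;
    such a line bypasses DNS entirely, which is what endpoint pharming does."""
    hits = []
    for addr, name in parse_hosts(text):
        if name in watched or any(name.endswith("." + w) for w in watched):
            hits.append((name, str(addr)))
    return hits


def unexpected_answers(observed, expected):
    """Compare resolver answers against addresses known out of band.

    observed: {name: [addresses the local resolver returned]}
    expected: {name: {addresses published by the site owner or seen from a
               trusted network}}. Names absent from expected are not judged,
               because CDN-backed sites legitimately vary.
    Returns {name: [addresses outside the expected set]}."""
    bad = {}
    for name, answers in observed.items():
        allowed = expected.get(name)
        if allowed is None:
            continue
        extra = sorted(set(answers) - set(allowed))
        if extra:
            bad[name] = extra
    return bad


def system_hosts_path():
    """Location of the hosts file on the current platform."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def resolve(name):
    """Addresses the resolver in use returns for name (network call; not used below)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})


# Constructed hosts file: the two lines after the comment are what a pharming
# dropper would add.
SAMPLE_HOSTS = """
127.0.0.1   localhost
::1         localhost ip6-localhost
# added 2021-01-15
203.0.113.7 login.yourcompany.com www.bank.example
192.0.2.10  dev.internal.yourcompany.com
"""

if __name__ == "__main__":
    for name, addr in hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts file pins {name} -> {addr}")
    print(unexpected_answers({"login.yourcompany.com": ["198.51.100.5", "203.0.113.7"]},
                             {"login.yourcompany.com": {"198.51.100.5"}}))
```

Replacing SAMPLE_HOSTS with the contents of system_hosts_path() runs the first check against the real endpoint; feeding unexpected_answers with resolve(name) for each watched name, against an expected set collected from a trusted network, runs the second. These checks complement the lock icon and https the two experts recommend: they look at where a name resolves before any connection is made.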


Luka Arezina

Armed with a degree in Philosophy and an obsession with technology, Luka has combined his prowess at making complicated topics accessible with his passion for data safety. The result is DataProt: a project that helps folks retain the basics of a fundamental human need – privacy.

"One type of phishing attack that has become more common is through…"

Social media messaging, and these types of scams are difficult to prevent since scammers use social engineering tactics.

In other words, a LinkedIn message will come from a friend or trusted connection whose account was compromised, making it seem like a genuine message. The unsuspecting victim will then be asked to open a link or download a file in order to trigger a virus to start hacking their computer, which can then compromise the entire company network.

The best way to spot this is by common sense, so if a friend you haven't messaged in several months randomly starts a conversation asking to open a link, don't open it. Only open links and attachments from friends that you interact with on a daily or weekly basis and are in context with your conversation.

Another way to tell is by the bad grammar and use of the English language since many cybercriminals don't really use finesse, and these Facebook messages are sent en masse to several recipients. So, if all of a sudden you receive a big block of text from someone random, and a link at the bottom, do not open it!


Attila Tomaschek

@weareproprivacy

Attila Tomaschek is a Digital Privacy Expert at ProPrivacy.

"By far, the most common type of phishing attack is conducted via email…"

Phishing scams can, however, also be launched via SMS and via telephone, commonly known as smishing and vishing, respectively. Businesses need to be aware of the risks associated with phishing attacks, know how to spot them, and know what they can do to protect against them. A typical phishing attack will target businesses through emails sent to company executives or employees. The email message will often appear to be coming from an official, legitimate source, such as PayPal or Apple, for example. Often the message will indicate that there is an issue with the user’s account and urgent action is needed to resolve the issue, or that the user qualifies for a special offer. The user is then directed to download an attachment to claim the offer or click on a link to log in to their account to resolve the issue. The link, however, will likely contain malware, and the link will invariably lead to a phishing site where the user’s confidential, sensitive information is harvested.

What’s even more frightening is that these types of attacks are getting increasingly sophisticated and highly personalized in their attempts to appear more convincing. Spear phishing and whaling attacks are often targeted at employees and executives at a company and can be personalized with personal information already gathered by cybercriminals from information that is often freely available on the internet like the target’s name, job title, and place of employment. These more personalized types of phishing attacks can take a more subtle tack and can be very difficult to recognize. For instance, the target could be sent a bogus tax form to fill out which may appear to be an official document but tricks the victim into divulging extremely sensitive personal information and confidential company data.

The most important thing businesses can do to protect themselves against phishing scams is to conduct comprehensive employee education on what everyone within the company should look out for in identifying a potential phishing attempt, what to do when they suspect one, and even more importantly, what not to do. Phishing emails and SMS messages will typically come unsolicited and will often contain misspellings or other grammatical errors. Also, the sender’s email address typically won’t match that of the company from which the message supposedly originates, and the actual URL of the link provided won’t match either. It is imperative never to click on any links or download any attachments sent in an unsolicited email or SMS message. Also, never provide any information to any unsolicited caller.

Any unsolicited communication that seems a bit off or any offer that seems a bit too good to be true can often be indicative of a phishing scam. In these cases, it is best to simply ignore the message and delete it.

Businesses should train their employees to recognize phishing attempts and encourage them to limit the amount of personal information they share publicly online. The less a cybercriminal can find out about an individual through a quick internet search, the less of an opportunity they have to launch a convincing, personalized phishing attack against a potential target.


Ilia Sotnikov

@Netwrix

Ilia Sotnikov is an accomplished expert in information security and Vice President of Product Management at Netwrix, a vendor of information security and governance software. Netwrix is based in Irvine, CA.

"The most common type of a phishing attack right now is a classic deceptive phishing…"

Just like other phishing attacks, it heavily relies on the human factor: a culprit impersonates a legitimate company and lures a user into clicking on a malicious link in the email. If a victim does so, the culprit gains access to the entire network and is able to compromise as much data as he can reach. While standard deceptive phishing uses a “spray and pray” approach, its more sophisticated variety, called spear phishing, targets specific users with carefully personalized messages, which increases the chance of a successful attack and puts your data at serious risk.

To reduce the likelihood of human mistakes that let hackers compromise your data, you need to conduct comprehensive employee training and regularly test how well your employees have learned these lessons (e.g., by running test attacks). However, user training is only half of the success. To block phishing attacks at early stages and minimize the damage to your systems and data, you should adopt several measures that will help you detect and investigate successful attacks and suspicious user behavior quickly.

First, you need to have visibility into what’s going on inside your network and monitor user behavior to identify any activities that might put your data at risk. Second, you need to classify your data to know exactly which information is the most sensitive and choose appropriate controls to protect it from hackers (e.g., by storing it only in secure locations). Third, you need to regularly review access permissions and withdraw them where necessary to reduce the potential attack surface.


Joe Ferdinando

Joe Ferdinando is Founder of HotHeadTech.com, a family-owned team of business professionals who offer small to mid-sized companies IT support services and solutions that satisfy your company’s needs and expectations.

"One phishing scam is making headway in the business space…"

Fake invoices have reared their ugly head, and more and more companies are falling for it. Instead of getting an email with a link to a virus, an invoice attachment is sent claiming that an invoice needs to be paid for a scope of work that was done by the scamming company. We've seen fake invoices threatening legal action or a disruption in service if not paid by a certain date. Sometimes, opening the email can unleash malware into the system as well.


Joel Debus

@FitSmallBiz

Joel Debus is the Director of Email Marketing at FitSmallBusiness.com. He oversees their email marketing efforts and is also helping spearhead some new web security efforts.

"Email is the most common method of phishing attacks…"

‘Phishers’ collect an organization’s email address and contact numerous employees with a colleague's 'From Name.' Typically, these emails request something from the employee, such as a password or financial information. They also attempt to get the email recipient to click on a secretly malicious link.

Recently, phishing attacks have evolved and now appear more realistic. They incorporate less than formal grammar and come across as a typical email from a busy colleague who’s in a rush.

An organization can protect itself by being clear with employees to not respond to any suspicious email and immediately report it as 'spam.' While it seems simple, denoting the 'From Email' can help prevent phishing issues.


Tim Uittenbroek

Tim Uittenbroek is a serial entrepreneur who, since getting out of the “rat race” in late 2015, has built multiple 7-figure online businesses. His greatest passion is experiencing the feeling of taking an idea from its infant stage and turning it into a profitable business. He is currently the owner and advisor of BlinkList, a company dedicated to online privacy education.

"The trend most common these days is to trap executives through phishing…"

Fraudsters see the executives' accounts as the main door to all operations and employees of an organization. Any email, order, or information sent through an executive's account is likely to be executed at the highest priority and not suspected of fraud. So, in this case, fraudsters try to hack the email login details of CEOs or senior executives.

Most of the time, it happens because of the negligence factor. CEOs do not participate in security awareness training often, and they remain unaware of the latest trends. Another thing businesses can do is to apply multi-factor authentication to the company’s financial authorization processes. By doing so, they would remain safe from financial frauds, including W2 phishing.


Manny Hernandez

@OmniInc

Manny Hernandez is the co-Founder and CEO of Omni, Inc. He is a consummate marketer and information technology professional with over ten years of experience in the fast-evolving arena of direct response marketing.

"The most common phishing attacks are whaling, spear phishing, malware, pharming, and vishing…"

Employees are the strongest line of defense when it comes to protecting your business. One way to protect your organization from phishing attacks is user education. Education should involve all employees. High-level executives are often a target. Teach them how to recognize a phishing email and what to do when they receive one. Simulation exercises are also key for assessing how your employees react to a staged phishing attack.


Justin Channell

@sucurisecurity

Justin Channell is a marketing specialist for Sucuri, an industry leader in website security. He has covered topics related to website security on Sucuri's blog since 2019. Before that, Channell worked as an editor for the Observer-Reporter newspaper in Southwestern Pennsylvania.

"Phishing attacks come in a few different variants…"

The most common are deceptive email campaigns. In these cases, hackers create fraudulent emails that appear to come from a known sender. Their goal is to trick the recipient into sending confidential information via email. Links to other services like Google Docs may also be used in tandem with these attacks. However, the link will lead to a fake login page where the user's credentials will be stolen.

Spear phishing is similar, but with a very specific target in mind. In these cases, the hacker will do a bit more research on their target when crafting the fake emails and login pages.

The best method for avoiding these attacks is to pay close attention to your emails and login pages. If anything seems off – including suspicious URLs, a lack of HTTPS in the URL, strange wording, typos, or unknown senders – do not share any information. Contact the other party to verify that the email is legitimate. Also, enable two-factor authentication (2FA) on any account that offers it. If a bad actor does succeed in stealing your information, 2FA can prevent them from actually gaining access.


Keri Lindenmuth

@kyledavidgroup

Keri Lindenmuth is the marketing manager at KDG. For over 17 years, KDG has been helping businesses improve their processes, their customer experience, and their growth.

"One of the most common phishing attack methods is…"

An email to employees asking them to update their password for something like their Amazon, Gmail, bank, or Office 365 account. The emails look real, but they're covers for ways data thieves can obtain financial data and password info.

The best way businesses can protect against phishing attacks is by training employees. The signs of a phishing email are easy to spot once you know what to look for. For example, ‘Hello Customer,’ instead of your first name, URLs that don't match, Amazon.net instead of Amazon.com, etc.

There are several digital programs available that help train employees through fake phishing tests and webinars. Meanwhile, there are IT teams available who not only help businesses protect their data, but will also offer regular training to employees at risk.
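Three of the sender checks on this page come down to parsing the From header: Anton Kioroglo's item 1 (the domain is your work domain and not misspelled, @yuorcompany.com), Joel Debus's point about a colleague's 'From Name' sitting over a different address, and Keri Lindenmuth's Amazon.net instead of Amazon.com. The Python example below is added here and is not any of the experts' code. The trusted domains, the colleague directory and the four messages are constructed for the illustration.

```python
"""Sender checks: is the From domain yours or a trusted vendor's, is it a near-miss
lookalike (yuorcompany.com, amazon.net), and is a colleague's display name in front
of a stranger's address? Example added to this page; all data is constructed."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: your own domain plus vendors whose mail you expect.
TRUSTED_DOMAINS = {"yourcompany.com", "amazon.com", "microsoft.com"}
# Colleague directory, display name -> mailbox (constructed).
DIRECTORY = {"jane doe": "jane.doe@yourcompany.com"}


def edit_distance(a, b):
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is itself
    trusted (or a subdomain of one) or simply unrelated.

    Catches typo-squats within two edits (yuorcompany.com) and TLD swaps that
    keep the brand label (amazon.net)."""
    domain = domain.lower()
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return None
    for t in sorted(trusted):
        if edit_distance(domain, t) <= 2 or domain.split(".")[0] == t.split(".")[0]:
            return t
    return None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_sender(raw_message, directory=DIRECTORY):
    """Return reasons to distrust the sender; an empty list means none of the
    three signals fired."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = domain_of(addr)
    reasons = []
    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"sender domain {domain} looks like {imitated}")
    known = directory.get(name.strip().lower())
    if known and known.lower() != addr.lower():
        reasons.append(f"display name '{name}' belongs to {known}, not {addr}")
    if reply_to and domain_of(reply_to) != domain:
        reasons.append(f"replies would go to {reply_to}, not the From domain")
    return reasons


# Constructed messages: the first three should trip a check, the last is clean.
SAMPLES = {
    "colleague name, webmail address":
        "From: Jane Doe <jane.doe@gmail.com>\nTo: you@yourcompany.com\n"
        "Subject: quick favour\n\nAre you at your desk? Need a gift card run.\n",
    "typo-squatted company domain":
        "From: IT Helpdesk <helpdesk@yuorcompany.com>\nTo: you@yourcompany.com\n"
        "Subject: password expiry\n\nReset your password today.\n",
    "brand with wrong TLD plus Reply-To elsewhere":
        "From: Amazon <no-reply@amazon.net>\nReply-To: billing@mail-relay.example\n"
        "To: you@yourcompany.com\nSubject: invoice\n\nSee attached.\n",
    "legitimate colleague":
        "From: Jane Doe <jane.doe@yourcompany.com>\nTo: you@yourcompany.com\n"
        "Subject: lunch\n\n12:30?\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", assess_sender(raw) or "no findings")
```

assess_sender returns a list of reasons so that a gateway rule or mail-client add-in can act on them or surface them to the user; an empty list is only the absence of these three signals, not proof that the message is genuine.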

Zeguro is a cyber safety solution and insurance provider for small to mid-sized businesses (SMBs), offering a comprehensive suite of tools for risk mitigation and compliance, as well as insurance premiums that are tailored to the size, sector and profile of a company.
Written by Ellen Zhang, Digital Marketing Manager

Enthusiastic and passionate cybersecurity marketer. Short-story writer. Lover of karaoke.