It takes one click on a link to put an organization’s data at risk for a breach.
Phishing attacks often disguise themselves as people we trust, thus lowering our defenses. No industry is safe from the threat of cyber attacks.
Businesses make prime targets due to the amount of sensitive data they store. It is vital to understand how to identify phishing. Read this article to learn more about the types of phishing attacks and protection tactics with examples.
What is a Phishing Attack? A Definition
The term phishing defines attempts by outside parties to gain access to private information about users. Hackers seek passwords, credit card numbers, bank account info – or any information capable of being used to access data.
Most successful phishing campaigns end with the user downloading malware into their system.
How Do Phishing Attacks Work?
Phishing typically involves casting a wide a net as possible hoping a few people will take the bait. Attackers turn to more targeted methods when going after individual companies. They also look to rope in specific individuals with access to valuable information.
The Facts Behind Phishing
A report from the Anti-Phishing Working Group (APWG) showed that companies responding to their survey experienced a steady stream of phishing scams during the first half of 2018. The most targeted business sectors were:
- Payment Providers
- Financial Institutions
- SAAS/Webmail
- Cloud Storage/Cloud Hosting
Popular Phishing Methods
Responses to the APWG survey showed the below methods being used the most:
Emails – The most popular tool for attackers at an average of 98,723 per month.
Websites – Attempts using this method averaged 48,516 per month.
Phishing URLs – Averaged around 18,113 attempts per month.
Hackers targeted a small number of brands at an average of 443 times per month. APWG contributor PhishLabs noted an uptick in free web hosting sites being used to build malicious websites. They do this to lend credibility to the site being built by using an established provider.
76% of companies experienced some type of phishing attack. That number rose in the first quarter of 2018 to 81% for US companies. Businesses saw a rise in malware infections of 49%, up from 27% in 2017.
Other security stats suggest that spear phishing accounted for 53% of phishing campaigns worldwide. That number went up to 57% for the United States. Phone calls and text messages, on the other hand, accounted for 45% of phishing attempts worldwide.
Things have come a long way since the days of the Nigerian prince scam emails. Hackers use more sophisticated phishing email methods.
They come with stolen or altered business logos to trick the recipient. Or they infiltrate social networking platforms, disguising themselves as a friend or someone who shares your interests.
Common Types Of Phishing Attacks & How To Identify
Email Phishing
Email remains a popular choice for most attackers. They mimic a popular brand or institution reaching out to you to help you resolve an issue. The official-looking communication asks you to confirm a password or other account information.
More sophisticated deceptive phishing emails make the sender address match those of people or businesses you communicate with regularly. They contain malicious attachments or links designed to deliver malware to your device.
Spear Phishing Attacks
Cyber attackers use this phishing technique to target particular businesses. They go beyond sending out mass emails or blanketing random sites with ads. They tailor their efforts toward people who work in an industry they find valuable.
Target became the victim of a spear phishing attack when information on nearly 40 million customers was stolen during a cyber attack. Hackers went after a third-party vendor used by the company. They captured their credentials and used them to access the customer information from a database using malware downloaded from a malicious attachment.
Whaling
John Podesta, the chairman of Hillary Clinton’s presidential campaign, found out about whaling the hard way. His account received an email purporting to be a Google alert letting him know his system had been compromised. It was urgent that his credentials be reset immediately at the link provided.
His assistant did just that after receiving erroneous information from their IT person that it was legitimate. That is all it took for malicious spyware to be released into their systems. Thousands of document and emails were stolen by Russian hackers.
Whaling attacks target high-level executives with credentials giving them access to a wide range of information. Factors like human error and lousy advice play a big part in the success of these type of attacks.
Clone Phishing
Cloning involves mimicking a trusted site a user frequents. People receive emails warning them about an issue with their account. Hackers create an entire malicious website that looks like the one the user logs into regularly.
The attackers hope to fool users into providing them with personal credentials. Many users of Reddit fell victim to clone phishing. A clone of the site popped up with the apparent intent of tricking people into thinking they were logging into the regular Reddit site.
Phone and Text Phishing
Not all attacks come over the internet. Many businesses use automated voice messages to alert people to things like an upcoming doctor appointment. Hackers use this method to leave voicemails warning you about an issue. They may reference your bank account or a company you’ve obtained services from.
Hackers employ similar methods using text messages. This allows them to send you malicious links directing you to a phishing website. Once you get there, they mask the address bar with a picture of a real URL to fool you into thinking you are on an actual site.
Social Media
Phishing attacks tend to go after a large pool of targets on platforms like Facebook or other favorite social media sites. You receive a request from a friend asking you to respond to a quiz. It asks questions like “What are your favorite vacation spots close to home?” or something equally innocuous.
The information you give out may seem like nothing. You might reference where you live and places you like to visit. Hackers need only a small bit of data to gain more information about you. That is enough to figure out your passwords and hack your accounts.
Thieves use the pictures posted to your Instagram or Snapchat account as sources of information. Korean officials at the 2018 Winter Games warned people not to post pictures of their tickets since they contained a barcode. Hackers could scan the pictures and capture all of their personal data.
Fraudulent Websites
Hackers build fake phishing sites designed to steal your information. For example, people searching for a site that lets them update a passport get fooled by a login page that appears legitimate. The credentials they enter end up being used to compromise other personal accounts.
Scammers also lure visitors to these sites by creating fake ads on sites like Google or Craigslist. Bitcoin users fooled by fake ads on Google have been frequent victims of theft in recent months. The problem got so bad that Facebook recently banned all ads related to cryptocurrencies from their site.
False or Fake Advertisements
Websites make a significant amount of revenue by designing ads that get your attention. Hackers use this to their advantage by embedding these ads with malware. Clicking on the ads allows the software to embed itself in your system and go to work.
How to Prevent Phishing
It only takes one moment of inattention to make yourself or your company the victim of identity theft. While there is no easy way to prevent phishing, a multi-pronged approach to combating the threat can minimize the risk.
1. Protect Your Inbox
The best defense is a good offense. Stop potentially damaging emails from entering company inboxes by using strong email spam filters and following email security best practices. Most security software companies offer versions compatible with both computer and mobile devices.
Your software should automatically scan any links or attachments. This prevents new or unrecognizable URLs from sneaking past company safeguards. New computer network security threats show up every day. Hackers also continuously work to evolve and hide malware. Keeping your software updated and running continuously is essential.
2. Analyze Web Traffic
Attackers love to find vulnerable points when users access personal accounts on their work computers. Check any access attempts to non-company websites or email servers. It does no good to have top-level security on a work email account, only to have someone download malware by clicking on a Facebook ad.
3. Raise Employees’ Security Awareness
Human error still accounts for the majority of data breaches. Hackers only need one person in an organization to click on the malicious link in an email to cause damage. Multiple steps should be taken to train employees on how to recognize phishing and handle them appropriately.
First of all, employees need to understand that they are all potential victims of cybercrime. They need to be educated on the most common threats. Companies should provide comprehensive training on how to recognize a phishing message, social engineering tactics, and suspicious web addresses.
The training should also cover identity management, as well as cloud security and mobile security to enable employees to protect themselves.
4. Test Employees on how to identify a phishing email
Establish a security awareness program.
Target specific people within different areas of your company with test phishing emails. Track those who correctly identify suspicious emails versus those who do not. Interview them to gain insight as to why they did or did not recognize the problems within. Use that feedback to modify or redesign your cyber security training courses.
In addition to testing employees, you should also regularly check the stability of your critical infrastructure. If you are hosting your data with a third-party data center provider, you should ensure it provides advanced protection against the most common threats such as DDoS, phishing, and ransomware attacks.
If your entire infrastructure is managed internally, you need to ensure you have all these systems in place to keep your data safe. You should also consider running a penetration test every once in a while to be confident about your platform’s security.
5. Communicate Effectively Between Departments
One of the easiest ways to manage passwords is with a corporate password management solution.
Make sure your employees understand the recommended cybersecurity best practices for companies and receive frequent reminders about their importance. Coordinate across all departments so that everyone gets the same education.
6. Use A Variety of Teaching Methods
Everyone absorbs information differently. Some prefer visual cues, while others like thing documented in a manual to refer back to. You also have those who prefer to gain knowledge audibly. Provide your employees with different options to obtain online security education.
7. Make Phishing Training Personal
Employees often cannot comprehend how their actions could hurt the entire company. Bring it down from an abstract and show how it affects them. Demonstrate how the damage done by malicious software impacts their job.
8. Create a Tutorial On What Not To Share
Cyber thieves continuously scour social media for information posted by employees of companies they are targeting.
Advise them to avoid sharing information like:
- Birthdays
- Personal Address
- Phone Numbers
- Vacation Days
- Online Banking and Credit Card Details
Attackers use this information to guess at passwords they use to access accounts at work. Letting people know when you will be away from your computer gives hackers a window of opportunity to target you while you are not there.
9. Establish a System to Report Threats
Inform employees on what to do if they encounter a fraudulent email. They should report even if they are unsure if the message is a threat. They should also beware random text messages seeming like official communications from the company.
10. Celebrate Cybersecurity Due Diligence
Show employees your appreciation for following security protocols. Prepare a luncheon or off-site event to show your company’s appreciation for the dedication shown by workers to keeping company information safe.
Types Of Malware Used In Phishing Attacks
Hackers come up with new types of malware every day. The term malware covers various types of malicious software designed to gain access to information on a user’s device.
Botnet Malware
Hackers in recent years started using computer networks designed to take control of devices in your home or business to launch malicious attacks. Remote controllers manipulate these malevolent botnets to turn your devices against you.
The laptop you use for work become a tool to steal your information. New technology like Amazon Echo speakers also presents new frontiers for hackers. The growing attacks on IoT (Internet of Things) devices make the consequences of phishing more severe.
The threat of botnets increased in 2018 with over 40% of automated login attempts to websites being malicious. The hospitality sector was the hardest hit with an 82% malicious login rate. Botnets leverage the fact that most people use the same account credentials to access multiple sites.
After obtaining credentials, the botnets attack site after site. This only stops once the user becomes aware of the theft and changes their information.
Ransomware
The rise of ransomware in the last decade brought a new type of danger to deal with. This software locks users out of the files in their system. Hackers demand payment in exchange for removing the malware and giving back access.
Sony Pictures found itself the victim of such an attack in 2014 and again in 2017. It is not just businesses being targeted. The government of the town of Yarrow Point in Washington grappled with frequent ransomware attacks throughout 2018. Find out how to protect yourself from ransomware.
Computer Viruses
Code or software engineered to disrupt the way a device functions. They attach themselves to legitimate programs for code execution, often corrupting or destroying system files along the way.
Trojan horse
A trojan horse disguises itself as a legitimate program within an email. They open the door to access the user’s information once executed.
Spyware
These programs embed themselves in your device to record your activities. They track sites you visit and capture any personal details entered by you.
Worm
These programs require nothing from your system. They are self-sustaining and duplicate themselves everywhere without needing human interaction.
Learn To Identify Phishing Attacks
The best defense against all types of phishing attacks is to learn to identify them.
Learn about the deceptive tactics used to obtain information. Do not let your company become a statistic and being used as an example to other businesses.