Avoiding Phishing Attacks – Part 1
As if Phishing wasn’t bad enough, we now also have Spear Phishing, Whaling, Smishing & Vishing, Angler Phishing, Catphishing, Catfishing, Clone Phishing and Tabnabbing. Oh, and let’s not forget Pharming!
The word phishing was first used in the mid-’90s by hackers stealing account information. The term came from an analogy with angling: they were using lures and setting out hooks to “fish” for information from the “sea” of Internet users. While most users didn’t take the bait, a few did, and Phishing was born!
Most of us have heard of Phishing, but we still get caught out so it’s worth reminding ourselves of all the different ways we could get hooked.
Typical phishing attacks come from scammers sending dodgy emails to thousands of people, asking for personal information or containing links to rogue websites. Typically, they ask you to send money, or take your details to sell on or to reuse to gain access; some have political or ideological motives, and some are after business information.
At the end of the day, the scammer wants to extort money, harvest information for fraudulent use or to gain a competitive advantage and there are many ways they lure users into doing that. It can lead to malware or ransomware being installed on users’ systems and these can be used to damage and encrypt company information on servers leading to a very serious issue.
They are getting more difficult to spot, and some will still get past even the most observant users. So, given the prevalence of attacks, it’s almost certain that you will receive phishing attacks at some point.
Common Phishing Attacks:
Here are some pointers to help you identify the most common phishing attacks but be aware that there is a limit to what you can expect your staff to be able to do. So be prepared for the worst-case scenario – a security breach!
All these descriptions are very real methods used by criminals. Some may seem irrelevant to you – however, they should all be understood by all your staff and be part of your cyber awareness training.
- Phishing is a fraudulent attempt to obtain sensitive information, or to entice a user to open a malicious file or website, by a perpetrator disguised as a trustworthy entity in an electronic communication. It’s an example of the social engineering techniques used to deceive users and is typically carried out by spoofed email, instant messaging or text messaging.
- Spear Phishing is directed at specific individuals or companies and differs from mass phishing in that attackers use personal information about their target to maximise their probability of success. Personal and company information is collected and reused in an attack that leverages friendship information from social networks. This type of attack has a very high success rate.
- Whaling is a sophisticated spear-phishing attack directed specifically at senior executives. It will often be presented as a legal document, tax form or some form of a high-profile complaint from a 3rd party organisation and they tend to be very subtle in nature.
- Smishing & Vishing (SMS and Voice Phishing): here the phone is used instead of email. Smishing involves criminals sending text messages (the content of which is much the same as with email phishing), and Vishing involves a telephone conversation. Frequently the scam involves a fake claim about a bank or credit card breach, where the victim is asked to provide card details, to transfer money or to visit a bad website.
- Angler Phishing is a newer method used by criminals that takes advantage of the information found on social media, or uses social media to present fake and cloned websites. A mix of other methods is also incorporated, including posts, tweets and instant messages, all used to entice users to pass on sensitive information. Sometimes the information in users’ posts is gathered to create a Spear Phishing or Whaling attack.
- Catphishing (with a PH), is where a criminal gets to know someone closely to gain control over that person and then access to information or resources.
- Catfishing (with an F), involves a person creating a social network presence as a fictional person to entice someone into a relationship where information is divulged or money extorted. This usually begins online, with the hope or promise of it progressing to real-life romance.
- Clone Phishing: with this type of attack an earlier email with a link or attachment is copied and resent from a spoofed email address, with the original link or attachment replaced by a malicious one. This typically requires the sender or recipient to have been previously hacked.
- Tabnabbing relies on the fact that the user no longer remembers that a certain browser tab was the result of a link unrelated to the login page, because the fake login page is loaded into one of the long-lived open tabs in their browser. It relies on the ability of browsers to navigate a page away from its origin in an inactive tab long after the page was loaded.
- Pharming: with this type of attack users are sent to a fraudulent website that appears to be legitimate. This is achieved by the criminal changing the hosts file or poisoning the DNS settings on a victim’s poorly protected computer, which is more likely to be a home computer than a corporate business server.
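Because the Pharming description above hinges on a tampered hosts file, here is an added example (not part of the original post) of a simple defender-side check: it parses hosts-file text and flags any entry that points a watched domain anywhere other than loopback. The hosts content, the IP 203.0.113.45 and the domains examplebank.com, mail.example.net and login.example.org are all constructed for this example.

```python
import ipaddress
import re

# Constructed sample hosts file. The last two lines are the kind of override a
# pharming attack leaves behind: a bank and a mail provider pointed at a rogue IP.
SAMPLE_HOSTS = """\
# Standard hosts file header (constructed)
127.0.0.1       localhost
::1             localhost
# Entries added by an attacker (constructed for this example)
203.0.113.45    www.examplebank.com examplebank.com
203.0.113.45    mail.example.net
"""

# Domains that should never be overridden on a workstation. In practice this
# would be the organisation's own banking, mail and SaaS login domains.
WATCHED_DOMAINS = {"examplebank.com", "mail.example.net", "login.example.org"}

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments/blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)             # first field must be an IP
        except ValueError:
            continue                             # malformed line: ignore, don't crash
        for name in names:
            yield ip, name.lower()


def is_watched(hostname):
    """True if hostname equals, or is a subdomain of, any watched domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_pharming_overrides(text):
    """Return sorted (hostname, ip) pairs that send a watched domain somewhere
    other than loopback; on a workstation that is a pharming indicator."""
    hits = {(name, ip) for ip, name in parse_hosts(text)
            if is_watched(name) and ip not in LOOPBACK}
    return sorted(hits)


if __name__ == "__main__":
    for name, ip in find_pharming_overrides(SAMPLE_HOSTS):
        print(f"WARNING: {name} is overridden to {ip}")
```

To run it against a real machine, read the file at /etc/hosts (or C:\Windows\System32\drivers\etc\hosts) and pass its contents to find_pharming_overrides.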
Find out here about the steps you need to take to help identify and avoid common phishing attacks, other points to consider when training your staff members, and read our Cyber Security Guide to help protect your valuable business information.