Phishing is one of the most frustrating threats we face. Most of us know what it is and how it works, but we still get caught out.
The scam, in which criminals send messages that masquerade as legitimate organisations, targets vast numbers of organisations and individuals every day. The messages either direct recipients to a bogus website that captures their personal information or carry a malicious attachment.
Although the crooks’ ultimate goal is always the same, they have found many ways to launch their attacks. Here are some of the most common ways in which they target people.
1. Email phishing
Most phishing attacks are sent by email. The crook registers a fake domain that mimics a genuine organisation’s and sends out thousands of generic requests.
The fake domain often relies on character substitution, such as placing ‘r’ and ‘n’ next to each other so that ‘rn’ reads as ‘m’ at a glance.
Alternatively, they might put the organisation’s name in the local part of the address (the part before the ‘@’, so the address reads something like paypal@ followed by an unrelated domain) or in the display name, in the hope that the sender will simply appear as ‘PayPal’ in the recipient’s inbox.
There are many ways to spot a phishing email, but as a general rule, you should always check the full sender address, not just the display name, of any message that asks you to click a link or download an attachment.
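The two tricks above (a lookalike domain built from confusable characters, and a brand name placed in the display name or local part of an unrelated address) can both be checked mechanically. The following is an added example, not code from the original post: it parses a raw From: header, folds visually confusable sequences (‘rn’ for ‘m’ as the text describes, plus a few digit-for-letter swaps that are an assumption of this example) and compares the result against a small, constructed allowlist of genuine sender domains. The brand list, domains and sample headers are all constructed for illustration.

```python
from email.utils import parseaddr

# Legitimate sender domains per brand. Constructed for this example; a real
# deployment would maintain its own list (ideally of DMARC-verified senders).
LEGIT_DOMAINS = {
    "paypal": {"paypal.com", "paypal.co.uk"},
    "microsoft": {"microsoft.com", "outlook.com"},
}

# Visually confusable sequences, folded to a canonical form before comparing.
# 'rn' -> 'm' is the substitution described in the text; the digit swaps are
# an assumption of this example, not something the post lists.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(text: str) -> str:
    """Lower-case and collapse confusable sequences so lookalikes compare equal."""
    text = text.lower()
    for seq, canon in CONFUSABLES:
        text = text.replace(seq, canon)
    return text


def classify_sender(from_header: str) -> dict:
    """Return a verdict dict for a raw From: header value.

    verdict is one of: 'legitimate', 'lookalike_domain',
    'brand_in_unrelated_domain', 'display_name_mismatch', 'unknown'.
    """
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return {"verdict": "unknown", "reason": "no parsable address"}
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()

    all_legit = {d for ds in LEGIT_DOMAINS.values() for d in ds}
    if domain in all_legit:
        return {"verdict": "legitimate", "domain": domain}

    folded = fold(domain)
    # 1. Whole-domain lookalike: paypa1.com, rnicrosoft.com and friends.
    for brand, domains in LEGIT_DOMAINS.items():
        if folded in {fold(d) for d in domains}:
            return {"verdict": "lookalike_domain", "domain": domain, "brand": brand}
    # 2. Brand name embedded in an unrelated domain, e.g. paypal.com.login-verify.example
    for brand in LEGIT_DOMAINS:
        if brand in folded:
            return {"verdict": "brand_in_unrelated_domain", "domain": domain, "brand": brand}
    # 3. Brand only in the display name or local part while the domain is
    #    unrelated: the "PayPal <paypal@somewhere-else>" trick from the text.
    shown = fold(display + " " + local)
    for brand in LEGIT_DOMAINS:
        if brand in shown:
            return {"verdict": "display_name_mismatch", "domain": domain, "brand": brand}
    return {"verdict": "unknown", "domain": domain}


if __name__ == "__main__":
    # Constructed sample headers, one per verdict.
    samples = [
        "service@paypal.com",
        "PayPal <service@paypa1.com>",
        "IT Support <helpdesk@rnicrosoft.com>",
        "security@paypal.com.login-verify.example",
        "PayPal <paypal@mail-hosting.example>",
        "alice@example.org",
    ]
    for header in samples:
        print(f"{header!r:45} -> {classify_sender(header)['verdict']}")
```

The substring checks are deliberately crude: they will flag any domain that happens to contain a brand name, and the two-label comparison does not consult the public suffix list. In practice this sort of check sits behind SPF, DKIM and DMARC verification as a last heuristic, not in front of them.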
2. Spear phishing
There are two other, more sophisticated, types of phishing involving email. The first, spear phishing, describes malicious emails sent to a specific person. Criminals who do this will already have some or all of the following information about the victim:
- Their name;
- Place of employment;
- Job title;
- Email address; and
- Specific information about their job role.
One of the most famous data breaches in recent history, the 2016 hacking of the Democratic National Committee, was carried out with the help of spear phishing.
The first attack sent emails containing malicious attachments to more than 1,000 email addresses. Its success led to a second campaign that tricked members of the committee into sharing their passwords.
3. Whaling
Whaling attacks are even more targeted, taking aim at senior executives. Although the end goal of whaling is the same as any other kind of phishing attack, the technique tends to be a lot subtler.
Tricks such as fake links and malicious URLs are less useful here, because criminals are attempting to imitate senior staff: a message purporting to come from the chief executive needs a plausible, routine-sounding request rather than a suspicious link.
Scams involving bogus tax returns are an increasingly common variety of whaling. Tax forms are highly valued by criminals because they contain a host of useful information: names, addresses, Social Security numbers and bank account details.
4. Smishing and vishing
With both smishing and vishing, the telephone replaces email as the method of communication. Smishing involves criminals sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation.
A common vishing scam involves a criminal posing as a fraud investigator (either from the card company or the bank) telling the victim that their account has been breached.
The criminal will then ask the victim to provide payment card details to verify their identity or to transfer money into a ‘secure’ account – by which they mean the criminal’s account.
5. Angler phishing
Social media is a relatively new attack vector that offers criminals a number of ways to trick people; the name comes from attackers posing as a brand’s customer-service account and replying to customers who complain publicly. Fake URLs; cloned websites, posts and tweets; and instant messaging (which is essentially the same as smishing) can all be used to persuade people to divulge sensitive information or download malware.
Alternatively, criminals can use the data that people willingly post on social media to create highly targeted attacks.
In 2016, thousands of Facebook users received messages telling them they had been mentioned in a post. The messages had been sent by criminals and unleashed a two-stage attack. The first stage downloaded a Trojan containing a malicious Chrome browser extension onto the user’s computer.
When the user next logged in to Facebook using the compromised browser, the criminal was able to hijack the user’s account. They were able to change privacy settings, steal data and spread the infection through the victim’s Facebook friends.
Your employees are your last line of defence
Organisations can reduce the risk of phishing with technological means, such as spam filters, but no filter catches everything.
Malicious emails will still get through regularly, and when that happens, the only thing standing between your organisation and a breach is your employees’ ability to recognise them as fraudulent and respond appropriately.
Our Phishing Staff Awareness Course helps employees do just that, as well as explaining what happens when people fall victim and how they can mitigate the threat of an attack.
A version of this blog was originally published on 9 July 2019.