When it comes to phishing attacks, all it takes is one dirty hook set in one employee to snatch up your vital data.
According to NTT’s recent Threat Intelligence Report, 25% of insider threats are hostile with the remaining 75% due to accidental or negligent activity. In other words, you can do everything in your power to keep the bad guys out of your environment, but if one of your people with the keys to the kingdom leaves the door open, the hackers have the run of the roost.
No matter how strong your firewall, network infrastructure, or IT/security team, there is always one employee in every organization who will click on every link and attachment sent to them. Verizon’s cybersecurity report states that an attacker distributing 10 phishing emails has a 90% chance of hooking at least one user.
When Alcoa was breached in a phishing scam a couple of years back, only 19 employees received the email sent by Chinese hackers impersonating CEO Carlos Ghosn. By impersonating an executive, the hackers only needed to convince one employee that the "meeting agenda" attached to the infected email was legitimate. Once that employee opened the attachment, the attackers had access to over 2,907 emails and 863 attachments containing critical company information and intellectual property. Considering the scope and frequency of cyberthreats in the Digital Age, all it takes is one employee to click on the wrong link; and there is one such employee in every company.

Training personnel on the different types of social engineering attacks is one of the best forms of cybersecurity. Why hack a computer when you can trick a human? Below are seven types of phishing attacks and how to identify them.
1. Mass Market Emails – Don't Be Fooled
The most common form of phishing is the general, mass-mailed type, where someone sends an email pretending to be someone else and tries to trick the recipient into doing something, usually logging into a website or downloading malware. Attacks frequently rely on email spoofing, where the email header — the from field — is forged to make the message appear as if it was sent by a trusted sender.
However, phishing attacks don’t always look like a UPS delivery notification email, a warning message from PayPal about passwords expiring, or an Office 365 email about storage quotas. Some attacks are crafted to specifically target organizations and individuals, and others rely on methods other than email.
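The forged "from field" described above is the first thing a mail gateway or SOC triage script should test. The Python below is an added example, not code from the original post: it parses a raw message and reports the usual forgery signals, a header From whose domain disagrees with the envelope sender (Return-Path, which is what SPF actually validates), a Reply-To that routes answers to a third domain, an explicit SPF or DKIM failure recorded by the receiving MTA, and a display name that drops a brand the From domain does not belong to. The three sample messages, every domain in them and the `BRAND_DOMAINS` table are constructed for illustration.

```python
"""Flag common sender-forgery signals in a raw RFC 5322 message (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed brand -> legitimate sending domain table (illustrative, not exhaustive).
BRAND_DOMAINS = {"paypal": "paypal.com", "ups": "ups.com", "microsoft": "microsoft.com"}

# Constructed sample 1: header From claims paypal.com, but the envelope sender,
# Reply-To and SPF result all point at an unrelated domain.
SAMPLE_SPOOFED = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "PayPal Security" <service@paypal.com>
Reply-To: <account-review@paypal-support.example.net>
To: <alice@example.com>
Subject: Your password expires today
Content-Type: text/plain

Please log in to keep your account active.
"""

# Constructed sample 2: headers are internally consistent, but the display name
# borrows a brand that the From domain does not belong to.
SAMPLE_DISPLAY_NAME = b"""\
Return-Path: <service@paypal-secure.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=paypal-secure.example.net
From: "PayPal Security" <service@paypal-secure.example.net>
To: <alice@example.com>
Subject: Unusual sign-in detected
Content-Type: text/plain

Review the activity on your account.
"""

# Constructed sample 3: a clean internal notice.
SAMPLE_CLEAN = b"""\
Return-Path: <noreply@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "IT Helpdesk" <noreply@example.com>
To: <alice@example.com>
Subject: Scheduled maintenance
Content-Type: text/plain

The mail server will be patched on Saturday.
"""


def domain_of(header_value: str) -> str:
    """Lower-case domain part of the first address in a header value ('' if none)."""
    _, address = parseaddr(header_value)
    return address.rpartition("@")[2].lower()


def spoofing_signals(raw: bytes) -> list[str]:
    """Return human-readable reasons the message looks forged (empty list = no signal).

    These are triage heuristics; they complement, not replace, SPF/DKIM/DMARC
    enforcement at the MTA.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    from_header = str(msg.get("From", ""))
    from_domain = domain_of(from_header)
    return_path = domain_of(str(msg.get("Return-Path", "")))
    reply_to = domain_of(str(msg.get("Reply-To", "")))

    # 1. Envelope sender (what SPF checks) disagrees with the header From.
    if return_path and return_path != from_domain:
        reasons.append(f"Return-Path domain {return_path} differs from From domain {from_domain}")
    # 2. Replies are silently routed to a third domain.
    if reply_to and reply_to != from_domain:
        reasons.append(f"Reply-To domain {reply_to} differs from From domain {from_domain}")
    # 3. The receiving MTA recorded an explicit authentication failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim"):
        if f"{mech}=fail" in auth:
            reasons.append(f"{mech.upper()} failed according to Authentication-Results")
    # 4. Display name uses a brand name the From domain is not entitled to.
    display_name, _ = parseaddr(from_header)
    for brand, legit in BRAND_DOMAINS.items():
        mentions = re.search(rf"\b{brand}\b", display_name.lower())
        owns = from_domain == legit or from_domain.endswith("." + legit)
        if mentions and not owns:
            reasons.append(f"display name mentions {brand} but From domain is {from_domain}")
    return reasons


if __name__ == "__main__":
    samples = (("spoofed", SAMPLE_SPOOFED), ("display-name", SAMPLE_DISPLAY_NAME), ("clean", SAMPLE_CLEAN))
    for label, sample in samples:
        print(label, spoofing_signals(sample) or ["no spoofing signals"])
```

Sample 1 trips three checks at once, sample 2 only the brand check, and the clean notice none; in practice a single signal is a reason to hold the message for review rather than block it outright, since forwarding services and mailing lists legitimately rewrite Return-Path.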
2. Spear Phishing – Going After a Specific Target
Phishing attacks get their name from the notion that fraudsters are fishing for random victims by using spoofed or fraudulent email as bait. Spear phishing attacks extend the fishing analogy as attackers are specifically targeting high-value victims and organizations. Instead of trying to get banking credentials for 1,000 consumers, the attacker may find it more lucrative to target a handful of businesses.
Spear phishing attacks are extremely successful because the attackers spend a lot of time crafting information specific to the recipient, such as referencing a conference the recipient may have just attended or sending a malicious attachment where the file name references a topic the recipient is interested in.
3. Whaling – Going After The Big One
A phishing attack specifically targeting the enterprise’s top executives is called whaling, as the victim is considered to be high-value and the stolen information will be more valuable than what a regular employee may offer. The account credentials belonging to a CEO will open more doors than those of an entry-level employee. The goal is to steal data, employee information, and cash.
Whaling also requires additional research because the attacker needs to know who the intended victim communicates with and the kind of discussions they have. Examples include references to customer complaints, legal subpoenas, or even a problem in the executive suite. Attackers typically start with social engineering to gather information about the victim and the company before crafting the phishing message that will be used in the whaling attack.
4. Business Email Compromise – Pretending To Be The CEO
Aside from mass-distributed general phishing campaigns, criminals target key individuals in finance and accounting departments via business-email compromise (BEC) scams and CEO email fraud. By impersonating financial officers and CEOs, these criminals attempt to trick victims into initiating money transfers into unauthorized accounts.
Typically, attackers compromise the email account of a senior executive or financial officer by exploiting an existing infection or via a spear phishing attack. The attacker lurks and monitors the executive’s email activity for a period to learn about processes and procedures in the company.
The actual attack takes the form of a false email that looks like it has come from the compromised executive’s account being sent to someone who is a regular recipient. The email appears to be important and urgent, and requests that the recipient send a wire transfer to an external or unfamiliar bank account. The money ultimately lands in the attacker’s bank account.
5. Clone Phishing – Copies Are Just As Effective
Clone phishing requires the attacker to create a nearly identical replica of a legitimate message to trick the victim into thinking it is real. The email is sent from an address resembling the legitimate sender, and the body of the message looks the same as a previous message. The only difference is that the attachment or the link in the message has been swapped out for a malicious one. The attacker may say something along the lines of having to resend the original, or an updated version, to explain why the victim is receiving the “same” message again.
This attack is based on a previously seen, legitimate message, making it more likely that users will fall for the attack. An attacker who has already infected one user may use this technique against another person who also received the message that is being cloned. In another variation, the attacker may create a cloned website with a spoofed domain to trick the victim.
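Because a clone leaves the visible text intact and changes only where the links go, the comparison worth automating is between what each link shows and where it actually points, and between the link's host and the domains you trust. The Python below is an added example, not code from the original post: it pulls the anchors out of an HTML body and reports link text that names one domain while the href goes to another, hosts that bury a trusted domain as a subdomain of something else, and hosts that closely resemble a trusted domain. The two HTML bodies and all domain names are constructed; the `registrable()` helper deliberately takes the last two labels instead of consulting a public-suffix list, which a production version should do.

```python
"""Spot swapped links in a suspected clone of a legitimate message (added example)."""
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the legitimate invoice notice, and a clone in which only the
# link targets were changed (display text left intact so it looks the same).
LEGIT_HTML = """<p>Your invoice is ready: <a href="https://portal.example.com/invoice">https://portal.example.com/invoice</a>
or <a href="https://portal.example.com/login">log in</a> to view it.</p>"""

CLONED_HTML = """<p>Your invoice is ready (resending the updated version):
<a href="https://portal.example.com.invoice-review.net/invoice">https://portal.example.com/invoice</a>
or <a href="https://examp1e.com/login">log in</a> to view it.</p>"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (a real tool uses the public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_links(html: str, trusted: set[str], lookalike_ratio: float = 0.8) -> list[str]:
    """Return one finding per mismatch between shown text, link target and trusted domains."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reg = registrable(host)
        # Signal 1: the visible text is itself a URL or domain, but the href goes elsewhere.
        if "." in text and " " not in text:
            shown_host = urlparse(text if "://" in text else "//" + text).hostname or ""
            if shown_host and registrable(shown_host) != reg:
                findings.append(f"text shows {shown_host} but link goes to {host}")
        # Signal 2: the host imitates a trusted domain.
        for t in trusted:
            if reg == t:
                continue
            if ("." + t) in host or host.startswith(t + "."):
                findings.append(f"{host} embeds trusted domain {t} under {reg}")
            elif difflib.SequenceMatcher(None, reg, t).ratio() >= lookalike_ratio:
                findings.append(f"{reg} looks like trusted domain {t}")
    return findings


if __name__ == "__main__":
    for label, body in (("legitimate", LEGIT_HTML), ("clone", CLONED_HTML)):
        print(label, suspicious_links(body, {"example.com"}) or ["no suspicious links"])
```

Running the clone through the check produces three findings (the text/target mismatch, the trusted name embedded under `invoice-review.net`, and the digit-for-letter lookalike `examp1e.com`), while the original message produces none; the similarity threshold is a tunable, and anything at or above it deserves a human look rather than an automatic verdict.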
6. Vishing – Phishing Over The Phone
Vishing stands for “voice phishing” and it entails the use of a phone. Typically, the victim receives a call with a voice message disguised as a communication from a financial institution. The message might ask the recipient to call a number and enter their account information or PIN for security or other official purposes. However, the phone number rings straight to the attacker via a voice-over-IP service.
Recently, criminals have started calling victims pretending to be Apple tech support and providing users with a number to call to resolve the “security problem.” Like the old Windows tech support scam, these scams take advantage of user fears of their devices getting hacked.
7. Snowshoeing – Spreading Poisonous Messages
Snowshoeing, or “hit-and-run” spam, requires attackers to push out messages via multiple domains and IP addresses. Each IP address sends out a low volume of messages, so reputation-based (or volume-based) spam filtering technologies can’t recognize and block the malicious messages right away. Some of the messages make it to inboxes before the filters learn to block them.
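Since no single source in a snowshoe run sends enough to trip a per-IP reputation threshold, the usable signal is correlation across sources: many addresses and domains delivering the same template in a short window. The Python below is an added example, not code from the original post: it parses constructed mail-gateway log lines, reduces each subject to a template fingerprint (digits masked, case and whitespace normalised), and flags any template that arrives from at least `min_sources` IPs with no single IP exceeding `max_per_source` messages. The log format, the IP addresses (taken from documentation ranges) and the domains are all constructed.

```python
"""Correlate thinly spread senders into one campaign by message template (added example)."""
import re
from collections import defaultdict

# Constructed gateway log (not real traffic): one campaign spread over six IPs and
# four throwaway domains at two messages per IP, plus ordinary legitimate traffic.
LOG = """\
2024-05-01T09:00:01 ip=203.0.113.10 from=alerts@parcel-notice-a.example subj="Your package 48213 is waiting at the depot"
2024-05-01T09:00:07 ip=203.0.113.10 from=alerts@parcel-notice-a.example subj="Your package 48277 is waiting at the depot"
2024-05-01T09:01:12 ip=203.0.113.11 from=alerts@parcel-notice-b.example subj="Your package 50118 is waiting at the depot"
2024-05-01T09:01:30 ip=203.0.113.11 from=alerts@parcel-notice-b.example subj="Your package 50131 is waiting at the depot"
2024-05-01T09:02:44 ip=198.51.100.20 from=info@parcel-notice-c.example subj="Your package 61002 is waiting at the depot"
2024-05-01T09:02:59 ip=198.51.100.20 from=info@parcel-notice-c.example subj="Your package 61007 is waiting at the depot"
2024-05-01T09:03:10 ip=198.51.100.21 from=info@parcel-notice-d.example subj="Your package 61990 is waiting at the depot"
2024-05-01T09:03:25 ip=198.51.100.21 from=info@parcel-notice-d.example subj="Your package 62004 is waiting at the depot"
2024-05-01T09:04:02 ip=192.0.2.30 from=alerts@parcel-notice-a.example subj="Your package 70311 is waiting at the depot"
2024-05-01T09:04:19 ip=192.0.2.30 from=alerts@parcel-notice-a.example subj="Your package 70342 is waiting at the depot"
2024-05-01T09:05:40 ip=192.0.2.31 from=info@parcel-notice-c.example subj="Your package 80001 is waiting at the depot"
2024-05-01T09:05:55 ip=192.0.2.31 from=info@parcel-notice-c.example subj="Your package 80019 is waiting at the depot"
2024-05-01T09:10:00 ip=203.0.113.50 from=news@weekly-digest.example subj="Weekly digest #18"
2024-05-01T09:10:01 ip=203.0.113.50 from=news@weekly-digest.example subj="Weekly digest #18"
2024-05-01T09:10:02 ip=203.0.113.50 from=news@weekly-digest.example subj="Weekly digest #18"
2024-05-01T09:10:03 ip=203.0.113.50 from=news@weekly-digest.example subj="Weekly digest #18"
2024-05-01T09:10:04 ip=203.0.113.50 from=news@weekly-digest.example subj="Weekly digest #18"
2024-05-01T09:12:00 ip=198.51.100.77 from=bob@partner.example subj="Re: contract draft v3"
"""

LINE = re.compile(r'^(?P<ts>\S+) ip=(?P<ip>\S+) from=(?P<sender>\S+) subj="(?P<subj>[^"]*)"$')


def fingerprint(subject: str) -> str:
    """Template fingerprint: lower-case, digit runs replaced by '#', whitespace squeezed."""
    masked = re.sub(r"\d+", "#", subject.lower())
    return re.sub(r"\s+", " ", masked).strip()


def parse_log(log: str) -> list[dict]:
    """Parse the constructed gateway format into dicts; unrecognised lines are skipped."""
    records = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def snowshoe_campaigns(records: list[dict], min_sources: int = 4, max_per_source: int = 3) -> dict:
    """Group messages by template and flag templates spread across many low-volume sources.

    A per-IP reputation filter never sees more than max_per_source messages from any
    one address and stays quiet; counting distinct sources per template does not.
    """
    per_template_ip = defaultdict(lambda: defaultdict(int))
    per_template_domains = defaultdict(set)
    for r in records:
        fp = fingerprint(r["subj"])
        per_template_ip[fp][r["ip"]] += 1
        per_template_domains[fp].add(r["sender"].rpartition("@")[2].lower())

    campaigns = {}
    for fp, by_ip in per_template_ip.items():
        if len(by_ip) >= min_sources and max(by_ip.values()) <= max_per_source:
            campaigns[fp] = {
                "ips": len(by_ip),
                "domains": len(per_template_domains[fp]),
                "messages": sum(by_ip.values()),
                "max_per_ip": max(by_ip.values()),
            }
    return campaigns


if __name__ == "__main__":
    for fp, stats in snowshoe_campaigns(parse_log(LOG)).items():
        print(f"snowshoe campaign: {fp!r} -> {stats}")
```

On the constructed log, the parcel template is reported as twelve messages from six IPs across four domains with a ceiling of two per IP, while the five-message newsletter from one IP is left alone; the thresholds are a starting point and should be tuned against the volume and sender diversity of your own gateway.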
For more information, check out Social Engineering Red Flags!