When it comes to phishing, all it takes is one hook set in one employee for an attacker to walk off with your most sensitive data.
According to NTT's recent Threat Intelligence Report, 25% of insider threats are hostile, while the remaining 75% stem from accidental or negligent activity. Even with state-of-the-art email security in place, one misstep leaves the digital door open for an attacker to walk in and reach your most crucial data.
No matter how strong your firewall, network infrastructure, or IT/security team, the most important step you can take to protect your company's data is training your team to recognize new phishing threats the moment they land in an inbox. Verizon's cybersecurity report states that an attacker sending 10 phishing emails has about a 90% chance that at least one recipient takes the bait.
Training personnel on the different types of social engineering attacks is one of the best forms of cybersecurity: why hack a computer when you can trick a human? Below are seven types of phishing attacks and how to identify them.

The most common form of phishing is the general, mass-mailed type, where someone sends an email pretending to be someone else and tries to trick the recipient into doing something, usually logging into a website or downloading malware. These attacks frequently rely on email spoofing, where the From header is forged so the message appears to come from a trusted sender. SMTP does not verify the From header on its own, which is why receiving mail servers rely on SPF, DKIM, and DMARC to detect the forgery.
However, phishing attacks don't always look like a UPS delivery notification, a PayPal warning about an expiring password, or an Office 365 email about storage quotas. Some attacks are crafted to target specific organizations and individuals, and others rely on channels other than email. Some phishing scammers are even using the vast reach of social media to find new, unsuspecting victims.
Phishing attacks get their name from the notion that fraudsters are fishing for random victims by using spoofed or fraudulent email as bait. Spear phishing attacks extend the fishing analogy as attackers are specifically targeting high-value victims and organizations. Instead of trying to get banking credentials for 1,000 consumers, the attacker may find it more lucrative to target a handful of businesses.
Spear phishing attacks are far more effective than mass mailings because the attacker spends time tailoring the message to the recipient, such as referencing a conference the recipient just attended or naming a malicious attachment after a topic the recipient is known to care about.
A phishing attack specifically targeting the enterprise’s top executives is called whaling, as the victim is considered to be high-value and the stolen information will be more valuable than what a regular employee may offer. The account credentials belonging to a CEO will open more doors than an entry-level employee. The goal is to steal data, employee information, and cash.
Whaling also requires additional research because the attacker needs to know who the intended victim communicates with and the kind of discussions they have. Pretexts include references to customer complaints, legal subpoenas, or even a problem in the executive suite. Attackers typically start with open-source research and social engineering to gather information about the victim and the company before crafting the message used in the whaling attack.
Aside from mass-distributed general phishing campaigns, criminals target key individuals in finance and accounting departments via business-email compromise (BEC) scams and CEO email fraud. By impersonating financial officers and CEOs, these criminals attempt to trick victims into initiating money transfers into unauthorized accounts.
Typically, attackers compromise the email account of a senior executive or financial officer, either through an existing malware infection or a spear phishing attack. The attacker then lurks in the mailbox and monitors the executive's email activity for a period to learn the company's processes and procedures, including who approves payments and how requests are worded.
The actual attack is an email sent from the compromised executive's account (or from a look-alike address) to someone who regularly corresponds with that executive. The email appears important and urgent and asks the recipient to send a wire transfer to an external or unfamiliar bank account. The money ultimately lands in the attacker's account.
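The spoofed-sender and BEC patterns described above (a forged From header, a Reply-To that diverts replies elsewhere, an executive's display name on an outside address, a look-alike domain, and a failed SPF/DKIM check recorded by the receiving server) can all be checked mechanically once a message has been delivered. The following is an added example written for this article, not code from the original page or from any vendor; the organisation domain `example.com`, the executive names, and the two sample messages are constructed for illustration.

```python
"""Header heuristics for spoofed-sender and BEC-style messages (Python stdlib only)."""
import email
import re
from email.utils import parseaddr

# Assumed organisation details (hypothetical, for the example only).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}   # display names attackers like to borrow


def _domain(addr: str) -> str:
    """Return the lowercase domain part of an address, '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_headers(raw: str) -> list:
    """Return a list of findings for one RFC 5322 message; empty means nothing suspicious."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    findings = []

    # 1. Envelope sender (Return-Path) and header From on different domains:
    #    classic header spoofing, and the mismatch SPF alignment is built to catch.
    rp_dom = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    if rp_dom and rp_dom != from_dom:
        findings.append(f"return-path domain {rp_dom} != from domain {from_dom}")

    # 2. Reply-To pointing elsewhere: replies (and wire instructions) go to the attacker.
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} != from domain {from_dom}")

    # 3. Display-name impersonation: an executive's name on an external address.
    if from_name.strip().lower() in EXECUTIVES and from_dom != ORG_DOMAIN:
        findings.append(f"display name '{from_name}' on external domain {from_dom}")

    # 4. Look-alike domain: within two edits of ours, or containing our label.
    #    Our own subdomains are treated as internal and skipped.
    if from_dom and from_dom != ORG_DOMAIN and not from_dom.endswith("." + ORG_DOMAIN):
        org_label = ORG_DOMAIN.split(".")[0]
        if levenshtein(from_dom, ORG_DOMAIN) <= 2 or org_label in from_dom:
            findings.append(f"look-alike domain {from_dom}")

    # 5. Failed SPF/DKIM/DMARC as recorded by the receiving MTA (all such headers).
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() not in ("pass", "none"):
            findings.append(f"{mech}={m.group(1)}")
    return findings


# Constructed sample messages (not real traffic).
SPOOFED = """\
Return-Path: <bounce@mailer-cheap.net>
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <jane.doe.ceo@gmail.com>
To: accounts@example.com
Subject: Urgent wire - confidential
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-cheap.net; dkim=none

Please process the attached wire today and keep this between us.
"""

LEGIT = """\
Return-Path: <jane.doe@example.com>
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 forecast
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass

Forecast attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, analyse_headers(raw))
```

Note that none of these checks catches a true BEC where the attacker sends from the executive's real, compromised mailbox: every header is genuine. That case needs process controls (out-of-band confirmation of new payment instructions) rather than header analysis, which is why the training this article recommends matters as much as the filter.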
Clone phishing requires the attacker to create a nearly identical replica of a legitimate message to trick the victim into thinking it is real. The email is sent from an address resembling the legitimate sender, and the body of the message looks the same as a previous message. The only difference is that the attachment or the link in the message has been swapped out with a malicious one. The attacker may say something along the lines of having to resend the original, or an updated version, to explain why the victim was receiving the “same” message again.
Because this attack is based on a previously seen, legitimate message, users are more likely to fall for it. An attacker who has already compromised one user's mailbox can harvest real messages from it and send cloned versions to other people who received the original. In another variation, the attacker clones a website on a spoofed domain to trick the victim.
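A cloned message is, by construction, almost identical to one the recipient has already seen, so the most reliable tell is a diff: same visible text, different sender address or link targets. The following is an added example written for this article, not code from the original page; the "IT Helpdesk" messages and the `example.com` / `example-it.com` addresses are constructed for illustration.

```python
"""Detect a cloned message: same text as a known-good message, different links or sender."""
import email
from difflib import SequenceMatcher
from email.utils import parseaddr
from html.parser import HTMLParser


class _LinksAndText(HTMLParser):
    """Collect href targets and visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_data(self, data):
        self.text.append(data)


def extract(raw: str):
    """Return (sender address, list of hrefs, normalised visible text) for a single-part HTML message."""
    msg = email.message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    parser = _LinksAndText()
    parser.feed(body)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return sender, parser.links, " ".join(" ".join(parser.text).split())


def clone_findings(known_good: str, incoming: str, min_similarity: float = 0.9) -> list:
    """Flag an incoming message that reuses a known message's text but not its links or sender."""
    good_sender, good_links, good_text = extract(known_good)
    new_sender, new_links, new_text = extract(incoming)
    findings = []
    if SequenceMatcher(None, good_text, new_text).ratio() < min_similarity:
        return findings  # a different message, not a clone of this one
    if new_sender != good_sender:
        findings.append(f"sender changed: {good_sender} -> {new_sender}")
    for old, new in zip(good_links, new_links):
        if old != new:
            findings.append(f"link swapped: {old} -> {new}")
    if len(new_links) != len(good_links):
        findings.append("link count differs")
    return findings


# Constructed samples: the original reminder and a clone with sender and link replaced.
ORIGINAL = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: user@example.com
Subject: Password expiry reminder
Content-Type: text/html; charset=utf-8

<html><body><p>Your password expires in 3 days.</p>
<p><a href="https://sso.example.com/reset">Reset it here</a> before then.</p></body></html>
"""

CLONE = """\
From: "IT Helpdesk" <helpdesk@example-it.com>
To: user@example.com
Subject: Password expiry reminder (resend)
Content-Type: text/html; charset=utf-8

<html><body><p>Your password expires in 3 days.</p>
<p><a href="https://sso-example.com.evil.test/reset">Reset it here</a> before then.</p></body></html>
"""

if __name__ == "__main__":
    print(clone_findings(ORIGINAL, CLONE))
```

In a mail gateway the `known_good` side would be looked up from recently delivered messages with the same subject or the same sender display name; the example keeps both messages inline so it runs offline.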
Vishing stands for "voice phishing" and uses a phone or phone system instead of email. Typically, the victim receives a call or voice message disguised as a communication from a financial institution. The message asks the recipient to call a number and enter their account information or PIN for "security" or other official purposes, but the number rings straight to the attacker via a voice-over-IP service.
Recently, criminals have started calling victims pretending to be Apple tech support and providing users with a number to call to resolve the “security problem.” Like the old Windows tech support scam, these scams take advantage of user fears of their devices getting hacked.
Snowshoeing, or "hit-and-run" spam, spreads a campaign across many domains and IP addresses. Each IP address sends only a low volume of messages, so reputation- or volume-based spam filters never see enough traffic from any one source to recognize and block it right away. Some of the messages reach inboxes before the filters learn to block the campaign.
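The weakness snowshoeing exploits is counting per source; the countermeasure is to fingerprint the message template and count how many sources send it. The following is an added example written for this article, not code from the original page: it runs both approaches over a constructed log (the hypothetical line format is `ip sender-domain "subject" landing-host`, and all addresses and domains are illustrative) and shows that the per-IP threshold misses the spread-out campaign while the template count catches it.

```python
"""Spot a snowshoe campaign in MTA logs: one template, many low-volume sources."""
import hashlib
import re
from collections import defaultdict

# Constructed log lines (hypothetical format: ip sender-domain "subject" landing-host).
LOG = """\
198.51.100.10 promo-a.test "Invoice #4821 overdue" pay-now.test
198.51.100.23 promo-b.test "Invoice #9917 overdue" pay-now.test
203.0.113.5 deal-mail.test "Invoice #0042 overdue" pay-now.test
203.0.113.77 deal-mail2.test "Invoice #7301 overdue" pay-now.test
192.0.2.9 bulkbox.test "Invoice #5555 overdue" pay-now.test
192.0.2.44 bulkbox2.test "Invoice #1212 overdue" pay-now.test
192.0.2.44 bulkbox2.test "Invoice #1213 overdue" pay-now.test
198.51.100.10 promo-a.test "Your weekly digest" news.example.com
198.51.100.10 promo-a.test "Your weekly digest" news.example.com
198.51.100.10 promo-a.test "Your weekly digest" news.example.com
198.51.100.10 promo-a.test "Your weekly digest" news.example.com
198.51.100.10 promo-a.test "Your weekly digest" news.example.com
"""

LINE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')


def fingerprint(subject: str, landing_host: str) -> str:
    """Template fingerprint: subject with digits blanked, plus the landing host."""
    template = re.sub(r"\d+", "#", subject.lower()).strip()
    return hashlib.sha256(f"{template}|{landing_host.lower()}".encode()).hexdigest()[:12]


def per_ip_alerts(log: str, threshold: int = 5) -> set:
    """What a purely volume-per-IP filter flags. It never sees the spread-out campaign."""
    counts = defaultdict(int)
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            counts[m.group(1)] += 1
    return {ip for ip, n in counts.items() if n >= threshold}


def find_snowshoe(log: str, min_sources: int = 5, max_per_source: float = 2.0) -> list:
    """Return (fingerprint, distinct IPs, distinct domains, total) for templates sent
    from many sources at a low volume per source."""
    by_fp = defaultdict(lambda: {"ips": set(), "domains": set(), "count": 0})
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, domain, subject, host = m.groups()
        rec = by_fp[fingerprint(subject, host)]
        rec["ips"].add(ip)
        rec["domains"].add(domain)
        rec["count"] += 1
    hits = []
    for fp, rec in by_fp.items():
        per_ip = rec["count"] / len(rec["ips"])
        if len(rec["ips"]) >= min_sources and per_ip <= max_per_source:
            hits.append((fp, len(rec["ips"]), len(rec["domains"]), rec["count"]))
    return hits


if __name__ == "__main__":
    print("per-IP filter flags:", per_ip_alerts(LOG))
    print("template filter flags:", find_snowshoe(LOG))
```

On this log the per-IP rule only ever flags `198.51.100.10`, which is carrying the harmless digest, while the "Invoice #... overdue" template is seen from six IPs across six domains at barely more than one message each and is caught only by the template count. Real filters use richer fingerprints (body shingles, attachment hashes, URL paths) but the principle is the same.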
If you're ready to take the next step towards comprehensive email security, our team at SeedSpark is ready to provide industry-leading security tools and training to your entire organization. Learn more by visiting our website or contacting our team today.