• ProgIST CyberSec Division

Phishing attacks & how to be safe from them



The history of phishing reveals that the first phishing email originated sometime around the year 1995. Though, then the attacks were not so exceptional but still did the trick. Phishing attacks are often initiated through email communication. The phishing mail includes generic greetings as well as target's name, phone number and other details to make it look genuine.


Technology, banking, and healthcare are the most targeted sectors for phishing attacks. This is because of two main factors: a huge number of users and higher dependency on data


In time, the mediums of phishing have also evolved. Now phishing attacks can be initiated via email, SMS, phone, etc.

32% of the data breaches in 2018 involved phishing activity

Phishing attacks account for more than 80% of reported security incidents

Phishing used in 78% of cyber-espionage cases for the installation of backdoors


Here are five most common types of phishing attacks:


1. Phishing - Email based threat


The first and the original one.! In phishing, scammers personalize the e-mail with the target's name, designation and phone number making the recipient believe that they are receiving the mail from a known sender. These attacks are well thought of. The attacker does a complete research of the target individual / group through social media profiles and company website. Phishing emails are classified in two types: hyperlink based & attachment based.


Example of hyperlink based phishing:


Example of attachment based phishing:


2. SMiShing - SMS based threat

SMS based threats are phishing attacks targeting individuals and groups via text messages with a hyperlink based approach. Tiny URLs are an effective way to hide phishing links by using link-shortening tools like TinyURL to shorten the URL and make it look authentic. These links are malicious in nature and redirect users who click the link to attackers' sites replicating the original sites - thus tricking the users to enter information. People tend to open unknown links from unknown senders under the impression of discounts and sales on their mails and text messages.


Examples of SMS based threats:


3. Vishing - Voice based threat


Vishing refers to phishing done over phone calls. Since voice is used for this type of phishing, it is called vishing. Voice + Phishing = Vishing

This is one of the earliest and the most effective method. Wherein an attacker just needs to sound confident enough to reveal the victim's personal and confidential information. They will talk to you as a friend, relative, help desk executive or any associate of a brand and will ask you to share your confidential information.


Example of Vishing:


4. Removable device based threat


Removable device or USB based threat aims at creation of a scenario by threat actors where the target individuals / groups are lured by placing malicious removable devices at common places or designated desks with an expectation that the victim shall pick up the device and connect it to their machine. The ordinary-at-glance removable device when connected to the victim's machine, infects it, creating either a backdoor or encrypting all the files and acting as a ransomware.


Example of removable device based threat:


5. Social media based threat


Many a times we see people being excessively active on social media, posting every single update, location tags, laying out information to the world related to their whereabouts. On some social media applications, people accept random friend requests and messages sharing malicious stuff, such as opening unknown links under the impression of cashback or some other tempting offers. They are even ready to share their email and contact details at any public place if approached by a complete stranger who states he is conducting survey on some topic. Many a times, one way to get phished is by clicking a hidden links on the buttons reading “CLICK HERE” or “DOWNLOAD NOW” or “SUBSCRIBE”.


These are examples of hidden links, which makes it easier for scammers to launch phishing attacks.


Other common types of phishing attacks include:


Spear Phishing


Unlike traditional phishing which involves sending emails to hundreds and millions of unknown users, spear phishing is typically targeted in nature, and the emails are designed in a way to target a particular user. In spear phishing, scammers personalize the e-mail with the target's name, designation and phone number making the recipient believe that they are receiving the mail from a known sender. Out of the different types of phishing attacks, spear phishing is the most commonly used type of phishing attack on individual users as well as organizations.


Whaling


Whaling is not very different from spear phishing, but the targeted group becomes more specific and confined in this type of phishing attack. In a whaling attack, the hackers target CEOs, VPs, COOs who are commonly referred as whales in phishing terms and send out emails consisting personal information relating to the recipient, familiar (but not identical) company logo, and email domain that tricks the receiver to believe that the message has been originated from the legitimate source.


Normally, the whaling email comes with a subject line saying it as a critical business matter and if the person clicks on the mail or the attachment, the recipient will be led to a fake website where they will be tricked to enter login details and alternatively their computers are infected with malware, which allows hackers to gain confidential data.


Here are a few steps a company can take to protect itself against phishing:


  • Educate your employees and conduct training sessions with mock phishing scenarios

  • Use encryption for data transmission

  • Educate employees to not publish sensitive corporate information on social media

  • Keep all systems updated with the latest security patches

  • Encrypt all sensitive company information

  • Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all devices

  • Deploy a web filter to block malicious websites


Conclusion

Considering the fact that hackers are evolving and finding different techniques and method to infiltrate and steal sensitive information, cyber security awareness plays a significant role in securing the confidential data. It is equally as important to make sure that their employees understand the types of attacks they may face, the risks, and how to address them. Well-educated employees and properly secured systems are the key helping to protect your company from phishing attacks. Following a good cyber hygiene never fails to prevent breaches. A simple care can save us from losing the confidential data and inviting its after effects.

  • LinkedIn
  • Twitter
  • Facebook

© 2020 by Progist.