Phishing is an attack that tries to obtain sensitive details, such as credentials, personally identifiable information (PII), company data, credit card details or money itself, by impersonating a trusted entity.
There are several techniques a malicious actor can use to perform a phishing attack:
The most common and most frequently encountered type of phishing is e-mail phishing.
A typical attack scenario involves banks, credit card providers, tax authorities or e-mail providers. These e-mails are crafted to trick you into providing credit card data or credentials for various services, usually through a link that leads to a bogus website designed to look like a popular service, such as PayPal or Facebook. Such websites may not only steal your credentials; they can also deliver malware to your device.
Spear phishing is a well-documented, targeted variant: the malicious actors know exactly who they are after. To make the e-mail as credible as possible, the attackers have already done their homework. They know the person's name, employer and job title, and perhaps even some hobbies, depending on how much the victim has shared publicly on social media. This is a more dangerous type of phishing, as it is harder to tell apart from legitimate mail.
Whaling describes phishing attacks in which the malicious actors go after high-ranking executives in a company, such as C-level officers. Here the attackers perform even more research; the fake e-mail must appear to come from trusted sources, such as employees close to the target or outside agencies. In other cases the attacker spoofs the CEO's e-mail address and asks for an emergency fund transfer to an unknown account. An employee, say someone in the finance department, may execute this order without asking any further questions. This is a serious mistake. You might fear that the CEO will be angry if you don't transfer the funds quickly; pressure is a common technique. If something doesn't look right, it probably isn't. It is better to double-check through a channel you already trust, such as calling the executive on a number you already have, than to fall for this scam.
Smishing is a type of attack where the scammers send a text message, and vishing involves a telephone conversation. Always check the number a text message comes from; bear in mind that sender numbers and names can be spoofed, so a familiar-looking sender is not proof of legitimacy. If the message contains a link that urgently prompts you to click it, don't. Don't click anything until you are sure that the SMS is one you expected to receive and that the sender is legitimate. Your phone can be compromised as easily as your computer. In vishing, the attackers try to get sensitive information from you directly over the phone, for example by pretending to be a bank employee and asking for your financial details to "verify your identity". At other times they claim to urgently need money, invoking various reasons.
Pop-up phishing, as the name implies, uses pop-up ads to trick a user into installing malware on their computer, or to convince them that their device is already infected and that they must purchase a fake antivirus product they don't actually need. The common tactic here is scare: a large pop-up appears on your screen warning that your computer has been infected, but that the advertiser has the solution, and only their antivirus will get rid of the "threats". Under that pressure you may be tempted to believe it. Sometimes they even display a phone number for a fake call centre to make the scam appear more trustworthy.
There are certain patterns that give away phishing e-mails. They often contain spelling errors, odd phrasing, poor grammar, and generic greetings such as "Dear User" or "Dear client". When the same e-mail is sent to 10,000 people in the hope that one or two take the bait, the attackers cannot address everyone by name.
Another common tactic is a fake website whose URL is spelled just slightly differently from the institution's legitimate one. You have to watch out for those. Hovering the mouse over a hyperlinked word shows the actual link target, and the crafted domain can usually be spotted in the sender's address: an extra letter, an extra word (such as "support"), or a changed top-level domain. Sometimes the sender's address is even the correct one, when circumstances favour the attacker, for example when the legitimate company's DMARC policy is missing or not enforcing (p=none), so receiving mail servers still deliver spoofed messages.
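The checks above (visible link text versus the real target, an extra letter or word in the domain, a swapped top-level domain, a trusted name buried in a subdomain, and a DMARC record that does not enforce) can be automated for triage. The script below is an added example written for this article, not a tool from the original page. It assumes a hypothetical list of protected brand domains (LEGIT_DOMAINS), a constructed sample e-mail body, and a simplification that the registrable domain is the last two labels of a host name (so multi-part public suffixes such as co.uk are not handled):

```python
"""Phishing e-mail link triage: lookalike-domain heuristics and a DMARC policy check.
Added example for illustration; brand list, sample e-mail and DMARC records are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of brands the organisation wants protected.
LEGIT_DOMAINS = {"paypal.com", "facebook.com"}


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags, like hovering over each link."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a host name (simplification: ignores suffixes such as co.uk)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance; 1 means one letter added, dropped or swapped (paypall, paypa1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, legit=LEGIT_DOMAINS):
    """Return (verdict, reason) for a host name found in a link target."""
    host = host.lower().strip(".")
    reg = registrable(host)
    if reg in legit:
        return "legit", f"registrable domain {reg} is trusted"
    sld, _, tld = reg.rpartition(".")
    for good in sorted(legit):
        gsld, _, gtld = good.rpartition(".")
        if f".{good}." in f".{host}.":          # www.paypal.com.evil.net
            return "suspicious", f"trusted name {good} used as a subdomain of {reg}"
        if sld == gsld and tld != gtld:          # paypal.net
            return "suspicious", f"top-level domain changed: {good} -> {reg}"
        if gsld in sld:                          # paypal-support.com
            return "suspicious", f"extra word added to {good}: {reg}"
        if edit_distance(sld, gsld) <= 1:        # paypall.com, paypa1.com
            return "suspicious", f"one character away from {good}: {reg}"
    return "unknown", f"{reg} does not resemble a trusted domain"


HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def shown_host(text):
    """Host name the recipient reads in the link text, if the text looks like a URL."""
    m = HOST_RE.search(text)
    return m.group(1).lower() if m else None


def scan_html(html, legit=LEGIT_DOMAINS):
    """One finding per link: (href, verdict, list of reasons)."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        verdict, reason = classify_host(host, legit)
        reasons, shown = [reason], shown_host(text)
        if shown and registrable(shown) != registrable(host):
            verdict = "suspicious"               # text says one site, target is another
            reasons.append(f"link text shows {shown} but target is {host}")
        findings.append((href, verdict, reasons))
    return findings


def dmarc_assessment(record):
    """Interpret a _dmarc TXT record: would a spoofed From: address still be delivered?"""
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in tags.items()}
    if tags.get("v", "").upper() != "DMARC1":
        return "no DMARC: receivers apply no policy to spoofed mail"
    policy, pct = tags.get("p", "none").lower(), int(tags.get("pct", "100"))
    if policy == "none":
        return "monitoring only (p=none): spoofed mail is still delivered"
    if pct < 100:
        return f"partial: p={policy} applied to only {pct}% of failing mail"
    return f"enforcing (p={policy}): spoofed mail is {'rejected' if policy == 'reject' else 'quarantined'}"


# Constructed sample of a phishing e-mail body (not a real message).
SAMPLE_HTML = """
<p>Dear User, your account has been limited.</p>
<a href="http://paypal-support.com/login">Verify now</a>
<a href="https://www.paypal.com.secure-update.net/">https://www.paypal.com/</a>
<a href="https://paypal.net/login">paypal.net</a>
<a href="https://paypa1.com/">Sign in</a>
<a href="https://www.paypal.com/help">PayPal Help</a>
"""

if __name__ == "__main__":
    for href, verdict, reasons in scan_html(SAMPLE_HTML):
        print(f"{verdict:10} {href}  [{'; '.join(reasons)}]")
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com", "v=DMARC1; p=reject"):
        print(rec, "->", dmarc_assessment(rec))
```

The DMARC check only interprets a record string; in practice you would fetch the TXT record at `_dmarc.<domain>` with a DNS lookup. A p=none record is the misconfiguration the text describes: the domain owner receives reports, but receivers still deliver messages that fail SPF/DKIM alignment, so the sender address can be exactly right and the mail still forged.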
If you don't recognize the sender of an e-mail, or it simply looks suspicious, delete it. If you do decide to read it, be careful not to click any links or download any attachments. PayPal, credit card companies and banks will never reach out by e-mail to request personal information. Instead of clicking links in e-mails, log into your account yourself, by typing the address or using a bookmark. If there is a legitimate request, you will see it once you are logged in. Alternatively, call your bank's support centre on the number printed on your card and clarify the situation directly.
Other tricks involve the well-known too-good-to-be-true offers, such as incredibly cheap deals, and calls for immediate action. Malicious actors want you to act quickly, without analysing the e-mail too closely. Never reply hastily to an e-mail containing an emergency request.
Large organizations have always been at risk of phishing attacks. Should one succeed, the entire company can be compromised. Once inside a system, attackers will try to move laterally, affecting as many devices and collecting as many credentials as possible, until they hold the keys to the kingdom.
- organizations should periodically assess how vulnerable they are to phishing through red team assessments, including simulated phishing campaigns, and security awareness training programs. We cannot emphasize enough how important it is to educate your employees, and make sure they clearly understand what CEO fraud is;
- a must-have is a spam filter that detects suspicious e-mails, scans attachments for malware and blocks blacklisted senders; enforcing SPF, DKIM and DMARC checks on inbound mail also stops much of the sender spoofing described above;
- an endpoint protection (antivirus) solution helps you monitor the status of all equipment. Should one of your computers get infected, you will see the alert and can handle it further. Such solutions also scan every downloaded file, can detect fileless malware, and offer web filtering, warning you when the website you are about to visit is suspicious or known malicious;
- ensure that all your systems have the latest security patches and updates. An unpatched vulnerability keeps your doors open to malware; most updates contain fixes for known vulnerabilities, some of them already exploited in the wild;
- have a clear password policy. Ensure your passwords are strong and unique, never reuse them across services, and change any that may have been exposed. Always enable two-factor authentication (2FA). Even if one pair of credentials leaks, you won't lose full access to your account, because the attacker does not have your mobile phone or your personal e-mail. Bear in mind that a one-time code can still be phished through a proxy site that relays it in real time, so prefer phishing-resistant methods such as FIDO2/WebAuthn security keys where they are offered. After a leak, change the password quickly, and if you may have used it on other platforms as well, change it there too.