The Six Main Types of Phishing Attacks and How to Protect Against Them


Overview


Undeniably, the internet has become the worldwide information infrastructure. Numerous security mechanisms and laws exist to protect the extensive network of computers filled with valuable data, but they are inadequate if the user is not actively engaged in protecting their own data. Phishing attacks prey on the weakest link: a user who freely gives away personal data through a lack of vigilance. In simpler terms, a phishing attack is an attempt to trick users into divulging their private information.

Phishing attacks often include some form of social engineering: the attacker masquerades as a trusted entity such as your bank, an e-commerce site, the IRS, Dropbox, your local public library or FedEx, but in reality the message is part of a phishing campaign designed to trick you into taking the bait. Once the recipient is duped into opening the phishing email, the spoofed message encourages them to follow a malicious link, leading to the installation of malware or the disclosure of sensitive information. Access to critical information can lead to a ransomware attack in which the attackers hold sensitive information for ransom, such as:
  • bank account numbers
  • credit card information
  • Social Security numbers
  • login IDs, usernames, and passwords

What does a phishing attack look like? Or how to identify a phishing attack?

According to the FBI, phishing (including phishing websites) was considered the most common type of cybercrime in 2020, more than doubling in frequency from 114,702 incidents in 2019 to 241,324 incidents in 2020.


For individuals, a spear phishing email typically carries a provocative subject line, for instance “A delivery attempt was made”, “Change of password required immediately” or “Staff Review”. Inside, the message encourages you to follow a link to access more information, and if you aren’t paying attention the link opens in your browser. The primary goal of a phishing attack is to obtain private data, so the message either asks the recipient to reply with personal information or links to a website that looks remarkably like the original site. Whether it captures a user’s login details or credit card details, the attackers can then use those credentials to log in to the real website, resulting in unauthorized purchases, the stealing of funds, or identity theft.


In business-focused phishing attacks, legitimate-sounding requests for money or requests to verify credentials via email are common. After tricking an employee into giving up their login and password, the cybercriminals have free rein over the company’s systems. Phishers could also pose as a bank or another financial institution that the company doesn’t hold accounts with; in this case, an employee who falls for the scam sends money directly to the phishers. The frequency of attacks varies from industry to industry.

An estimated 75% of organizations around the world reported email fraud in 2020. An organization that succumbs to such phishing typically sustains severe financial losses and declining market share, reputation, and consumer trust. Depending on its scope, a phishing attack might escalate into a security incident from which a business will have a difficult time recovering.


The 6 common types of phishing attacks

In 2020, 74% of organizations in the United States experienced a successful phishing attack, which is 30% higher than the global average and 14% higher than the previous year.

1) Deceptive Phishing

In this ploy, fraudsters register a fake domain that mimics a genuine organisation and send thousands of generic requests with a sense of urgency to scare users into doing what the attackers want. Common techniques for slipping past filters include:

  • Placing legitimate links in the spoofed email, which helps it evade phishing protection filters.
  • Blending malicious and benign code together to hoodwink Exchange Online Protection (EOP).
  • Using shortened URLs to mislead Secure Email Gateways (SEGs), and “time bombing” to redirect users to phishing websites.
  • Some email filters detect misuse of an organization’s logo by looking for specific HTML attributes, so malicious actors alter an HTML attribute such as the colour to fool these detection tools.
  • Keeping the email text to a minimum and including an image instead of text to evade detection.
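Several of the traits listed above (lookalike domains, shortened URLs, urgency wording, link text that does not match its target, image-only bodies) can be checked mechanically before a message reaches a user. The following is an added detection example written for this article; it is not code from the original page or from CSG Technologies. The trusted-domain list, the shortener list, the urgency terms and the sample email are all constructed for the illustration, and the registrable-domain helper is a deliberate last-two-labels approximation rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Reference data constructed for this example (not a vendor list): the brand
# domains you expect mail to link to, and well-known URL shorteners.
TRUSTED_DOMAINS = {"example-bank.com", "dropbox.com", "fedex.com"}
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENCY_TERMS = ("immediately", "urgent", "password", "suspended", "delivery attempt")

# Constructed sample message showing the traits at once: a typo-squatted domain,
# a shortener, a mismatched link text, urgency in the subject and a legitimate link.
SAMPLE_SUBJECT = "Change of password required immediately"
SAMPLE_HTML = """<html><body>
<img src="https://cdn.examp1e-bank.com/logo.png">
<p>Your account will be suspended. <a href="http://bit.ly/3xyz">Verify now</a>
or visit <a href="https://examp1e-bank.com/login">https://example-bank.com/login</a>.</p>
<a href="https://example-bank.com/privacy">Privacy policy</a>
</body></html>"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs and count images versus visible text."""

    def __init__(self):
        super().__init__()
        self.links, self.images, self.text_chars = [], 0, 0
        self._href, self._buf = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._buf = []
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text_chars += len(data.strip())
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._buf).strip()))
            self._href = None


def edit_distance(a, b):
    """Levenshtein distance; catches single-character swaps such as l -> 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude last-two-labels approximation of the registrable domain (assumption)."""
    return ".".join(host.lower().split(".")[-2:])


def lookalike_of(host):
    """Return the trusted domain `host` imitates, or None if it is that domain or unrelated."""
    host = host.lower()
    if any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None                      # genuinely the trusted domain
    for trusted in TRUSTED_DOMAINS:
        # brand name buried in another domain, or a typo-squat within two edits
        if trusted in host or edit_distance(registrable_domain(host), trusted) <= 2:
            return trusted
    return None


def _host_in_text(text):
    """Hostname shown in visible link text, if the text looks like a URL."""
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    return m.group(1) if m else None


def score_email(subject, html_body):
    """Return (score, findings): one finding per deceptive-phishing trait spotted."""
    findings = []
    terms = [t for t in URGENCY_TERMS if t in subject.lower()]
    if terms:
        findings.append("urgency language in subject: " + ", ".join(terms))
    parser = _LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) in URL_SHORTENERS:
            findings.append(f"shortened url: {href}")
        trusted = lookalike_of(host)
        if trusted:
            findings.append(f"lookalike domain {host} resembles {trusted}")
        shown = _host_in_text(text)
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append(f"link text shows {shown} but points to {host}")
    if parser.images and parser.text_chars < 40:
        findings.append("image-only body with almost no text")
    return len(findings), findings


if __name__ == "__main__":
    score, findings = score_email(SAMPLE_SUBJECT, SAMPLE_HTML)
    print(f"score {score}")
    for finding in findings:
        print(" -", finding)
```

Note that the legitimate privacy-policy link in the sample contributes nothing to the score, which is exactly why attackers mix real links in: a scorer has to weigh the suspicious links on their own rather than discount a message because some of its links are genuine.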

2) Spear Phishing

In spear phishing, fraudsters customize their emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender. It is commonplace on social media sites like LinkedIn, where attackers can combine multiple data sources to craft a spear phishing email. The most common spear phishing techniques:

  • CSO Online reported that digital attackers are increasingly housing their malicious documents on Dropbox, Box, Google Drive and other cloud services.
  • Session hijacking or cookie hijacking, in which the attacker steals session tokens to gain access to user accounts.
  • Exploring social media to discover whom to single out for targeted attacks; malicious actors learn who is working at a targeted company in order to investigate the organization’s structure.

3) CEO Fraud

Also known as executive phishing, this is where fraudsters harpoon an executive in an organization and steal their login details. If successful, the attackers conduct CEO fraud, which is the second phase of a Business Email Compromise (BEC) scam: from the compromised email account of a CEO, they authorize fraudulent wire transfers to a financial institution of their choice. They can also leverage phishing emails that impersonate Microsoft to conduct W-2 phishing attacks with the aim of acquiring employees’ sensitive information.

  • Infiltrating the target’s network using malware and rootkits.
  • Following up with a phone call to assuage the victim’s fears. The United Kingdom’s National Cyber Security Centre (NCSC) learned of several instances where attackers followed up with a phone call confirming the email request.
  • Using information about the target’s suppliers and vendors to make their emails appear more trustworthy.

4) Vishing


Vishing is a form of voice phishing delivered through Voice over Internet Protocol (VoIP) servers that mimic various entities, which allows fraudsters to convince unsuspecting users to hand over valuable information.

  • According to Social-Engineer, LLC, malicious actors hope that their mumbled responses will suffice when call center agents ask them questions.
  • Malicious actors impersonate in-house tech support, which convinces users because the technical jargon used alludes to things like speed issues and badging.
  • Twinstate reported that caller ID spoofing lulls targets into a false sense of security because the call appears to come from a legitimate source and area code.

5) Smishing

Likewise, fraudsters can also trick users into opening text messages that contain malicious links.

  • Malicious links that trigger the automatic download of a phishing app, which deploys ransomware and allows remote control of the device.
  • Deceptive text messages that convince users to click a link that redirects them to a phishing website.
  • Malicious actors masquerading as a legitimate customer service representative, deceiving the victim into handing over personal data through text messages that instruct them to contact tech support.

6) Pharming

Since phishing emails are becoming predictable and easier to recognise, most fraudsters are now abandoning the idea of baiting their victims entirely. Pharming instead leverages cache poisoning against the domain name system (DNS), the system the internet uses to locate computer services and devices and direct visitors to them. DNS converts alphabetical website names, such as “www.microsoft.com”, into numerical IP addresses. In a pharming attack, the IP address a DNS server returns for a name is modified, so users are redirected to a phishing website of the attacker’s choice.

  • According to Panda Security, emails containing malicious code can modify the hosts file on the recipient’s computer so that URLs are redirected to a website controlled by the attacker.
  • Targeting a DNS server can potentially compromise millions of web users’ URL requests.
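Both pharming variants described above leave a footprint a defender can check for: a public name that suddenly appears in the local hosts file, or a resolver answer that falls outside the address range the name is known to use. The script below is an added example written for this article, not code from the original page or from CSG Technologies. The watched names, the expected address ranges (RFC 5737 documentation ranges) and the hosts-file content are all constructed; `resolved_addresses` performs a live lookup through the system resolver and is the only part that touches the network.

```python
import ipaddress
import socket

# Names a defender wants to watch, and the address ranges they are known to
# resolve to. Both are constructed for this example using RFC 5737 test ranges.
WATCHED_DOMAINS = {"www.example-bank.com", "login.example-bank.com"}
EXPECTED_RANGES = {
    "www.example-bank.com": ["198.51.100.0/24"],
    "login.example-bank.com": ["198.51.100.0/24"],
}

# Constructed hosts-file content: the last line is the kind of entry a
# pharming dropper adds so that the bank's names point at an attacker host.
SAMPLE_HOSTS = """# hosts file (constructed sample)
127.0.0.1   localhost
::1         localhost ip6-localhost
203.0.113.45  www.example-bank.com login.example-bank.com   # injected
"""


def parse_hosts(text):
    """Map each hostname in a hosts file to the list of addresses assigned to it."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # malformed line, not an address
        for name in fields[1:]:
            entries.setdefault(name.lower(), []).append(str(address))
    return entries


def hosts_overrides(text, watched=WATCHED_DOMAINS):
    """Public names should never be pinned in a hosts file; report any watched name that is."""
    return {name: ips for name, ips in parse_hosts(text).items() if name in watched}


def unexpected_answers(answers, expected_cidrs):
    """Addresses in `answers` that fall outside every expected network."""
    networks = [ipaddress.ip_network(c) for c in expected_cidrs]
    return [a for a in answers
            if not any(ipaddress.ip_address(a) in net for net in networks)]


def resolved_addresses(name):
    """Addresses the system resolver returns for `name` (live lookup; empty if offline)."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    # Check 1: local hosts-file tampering.
    for name, ips in hosts_overrides(SAMPLE_HOSTS).items():
        print(f"hosts file overrides {name} -> {ips}")
    # Check 2: a resolver answer outside the expected range. The answer list is
    # constructed here; swap in resolved_addresses(name) to test the live resolver.
    answers = ["198.51.100.10", "203.0.113.45"]
    bad = unexpected_answers(answers, EXPECTED_RANGES["www.example-bank.com"])
    print("unexpected answers for www.example-bank.com:", bad)
```

On a real endpoint the hosts file lives at /etc/hosts or C:\Windows\System32\drivers\etc\hosts; reading it and alerting on any watched name is a cheap check that catches the malware-modified-hosts variant, while comparing live answers against known ranges catches the poisoned-resolver variant, whichever machine or cache was tampered with.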

Phishing protection and its importance


How can phishing be prevented?

  1. Know what a phishing scam looks like:
    Malicious actors constantly develop newer phishing methods, but they share commonalities, so a user who receives regular security training is key to identifying and reporting scam emails.
  2. Don’t click on that link:
    Some phishing attacks are fairly sophisticated, and the destination URL can look like a carbon copy of the genuine site, set up to record keystrokes. Therefore, use anti-phishing tools to check whether a site is a phishing site before you follow the link.
  3. Get free anti-phishing add-ons:
    Most browsers enable you to download add-ons that spot the signs of a malicious website.
  4. Don’t give your information to an unsecured site:
    Always check that the website’s URL starts with “https”, or look for a closed padlock icon next to the URL. Avoid entering any sensitive information or downloading files from unsecured sites.
  5. Rotate passwords regularly:
    Because it is possible that your account has already been compromised, get in the habit of regularly rotating passwords. That extra layer of protection locks out attackers who hold an old password.
  6. Don’t ignore those updates:
    Do not ignore updates, even though they can be a hassle. Security patches and updates are released to keep up with modern cyber-attack methods by closing holes in security.
  7. Install firewalls:
    Both desktop firewalls and network firewalls, when used together, can bolster your security and reduce the chances of a hacker infiltrating your environment.
  8. Don’t be tempted by those pop-ups:
    Most browsers allow you to install free ad-blocker software that automatically blocks most malicious pop-ups. Phishing pop-ups deceive you about where the “Close” button is, so always look for an “x” in one of the corners.
  9. Don’t give out important information unless you must:
    Make sure, if you have to provide your information, that you verify the website is genuine.

Have a Data Security Platform to spot signs of an attack:

Having a data security platform means receiving automatic alerts on anomalous user behavior and unwanted changes to files. It is evident that the biggest risk when it comes to phishing is the staff.

Get in touch with CSG Technologies to develop a solid phishing prevention strategy for protecting your organization against evolving threats. Call us today to learn about the key pieces of anti-phishing arsenals: tools, policies and training.


Matt Parks

About the Author: President & CEO, Matt has over 20 years building and leading high-functioning teams delivering exceptional results.