Phishing is among the oldest types of cyberattack, dating back to the 1990s, and it remains among the most common and damaging. It has been, and continues to be, a profitable strategy for attackers. In today's e-commerce industry, cybercrime in general is a thriving and, unfortunately, profitable business.
What Are Phishing Attacks?
In phishing attacks, cybercriminals find creative ways to trick people into divulging sensitive or personal information such as bank account details, for example by spoofing the sites they pose as. Phishing is a form of social engineering in which attackers impersonate trusted entities to manipulate individuals into revealing valuable information such as usernames and passwords. One way this is achieved is through fake web pages built specifically to defraud victims by stealing their data and identity details. Cybercriminals create websites and accounts that appear legitimate and safe to click. When the user clicks on them, they are directed to counterfeit login pages rather than the authentic login portals, because the accounts have been compromised with malware that scans the computer for banking software or password-protected programs such as Skype or Outlook.
In recent years, many people have fallen victim to scams. As technology has developed, the chances of being defrauded have increased tremendously. Today, phishing scams are increasingly common and more sophisticated. Cybercriminals use a range of techniques to deceive victims into giving away sensitive information that can jeopardize personal, corporate or government security.
Pretending to be a legitimate entity, scammers will contact the target to verify customer records or report a technical error that needs attention. A simple survey or a sudden offer of a prize for participating are just a few examples of how today’s phishing attacks typically begin.
What Are the Types of Phishing Methods?
Cybercriminals use a combination of techniques to manipulate individuals or employees into giving up sensitive information. These techniques are becoming more sophisticated, increasing the need for everyone to be educated. The common methods are described below; in practice they are often used in combination.
Spear phishing is a means to obtain sensitive information on the internet by targeting and tricking specific individuals. Spear phishers obtain personal information about their target such as where they grew up, who their employer is and what they like to do and then tend to contact them in a more discreet yet believable way online or via email. The attackers pose as trustworthy friends or contacts to obtain sensitive information, generally via email or online chat. Since this feels personal and requires more thought, spear phishing has become the most successful form of acquiring confidential information on the internet.
These scams occur when a cyberattacker impersonates a known source (a business or another entity) and sends emails intended to compromise information. The emails deceive recipients into disclosing personal information by asking them to verify account details, change a password or make a payment. For example, an attacker can impersonate a bank or email provider and ask the target to click a link to reset their password; when the user clicks the link, they are taken to a very convincing website that steals their credentials. The fake domain often relies on character substitution, such as placing the letters “r” and “n” next to each other to create “rn” in place of “m.” These counterfeit sites are becoming very sophisticated and very difficult to tell apart from the real ones.
In this type of attack, the attacker impersonates the CEO or another senior leader of the target company. Typically, the attacker tricks employees into transferring money to a bank account owned by the attacker, sending confidential HR files or revealing other sensitive information. The fake email usually describes a very urgent situation to minimize scrutiny and skepticism. Because of this sense of urgency, combined with the high-ranking status of the impersonated sender, many employees fall victim to this type of attack.
Vishing, also known as voice phishing, is a phishing attack carried out over the telephone against individuals or employees to get them to release sensitive information. These calls are usually made during stressful or busy periods, when the employee may not have time to scrutinize the request. Such attacks require the cybercriminal to have done a lot of research beforehand and usually happen after the criminal has already acquired some other sensitive information by nefarious means. The criminals use these calls to acquire additional sensitive information.
Pharming is a type of social engineering cyberattack in which criminals redirect internet users trying to reach a specific website to a different, fake site. These “spoofed” sites aim to capture a victim’s personally identifiable information (PII) and login credentials, such as passwords, social security numbers and account numbers, or else they attempt to install pharming malware on the victim's computer. Pharmers often target websites in the financial sector, including banks, online payment platforms and e-commerce sites, usually with identity theft as their ultimate objective. Pharming attacks use malicious code to trick the target's computer into visiting an attacker-controlled IP address in place of the legitimate web address.
Smishing is phishing via SMS. In this type of attack, cybercriminals try to get targets to click on a malicious link that takes them to a compromised website. These messages usually appear to come from reputable organizations and lure victims by offering a coupon code or a chance to win a free reward.
In an HTTPS phishing attempt, a scammer sends an email containing a link to a “secure” website in the email body. Even if the link appears authentic and the URL starts with “HTTPS”, it can still lead to a malicious website. HTTPS, the industry standard for secure communication over computer networks, encrypts traffic between a browser and a website so that no third party can read the data in transit; it says nothing about whether the site at the other end is legitimate.
Angler phishing is a newer type of internet scam that takes place over social media. Social media accounts are easy to create, and the sheer number of people using them for customer support makes them valuable to cybercriminals. People who fall for “angler phishing” scams believe they are contacting an official representative or partner of their preferred company or bank. An example is someone who thinks he is posting to his bank's Instagram account when it is actually an imposter account set up by an attacker. Fraudsters use “angler phishing” to run cons over email, phone calls and text messages as well as social media channels.
Typically, angler phishing is more active on weekends or days when hackers are aware that the company’s online customer service is understaffed or inactive.
Malicious pop-ups occur when perpetrators hijack users’ web browsers to deliver misleading advertisements on the pages they visit. The most common form is a browser window that appears on top of the original website while the user is browsing. These scams come in many forms but can be very convincing, designed to look like real warning messages from a bank, service provider or credit card company, for example. In these attacks, cybercriminals are usually trying to scam users into handing over private information such as usernames, passwords or credit card numbers. Sometimes the pop-up urges visitors to apply a quick fix by downloading the necessary tools (such as a supposed anti-virus program that is in reality malware), or it claims the computer has been hijacked and urges them to call a number purportedly belonging to tech support, where they are scammed further.
Clone phishing is a next-level attempt to get past the recipient’s suspicions, beyond the common types of phishing. Users believe that the websites or domains are secure and trusted, unaware that they are impersonated domains and duplicated websites. The clone is a near-identical copy of the original, except that the links have been replaced with ones that deliver malware or a virus.
Wherever there is WiFi or any other connection point linking gadgets and devices to the internet, there is a chance of finding a connection that is free or easy to access. An Evil Twin attack masquerades as an authentic WiFi hotspot and tricks users into connecting with the false promise of ‘free’ and even secure service, but instead exposes them to vulnerabilities and hacks. After a user connects to an evil twin, the attacker can eavesdrop on and intercept any unsecured communication the unknowing user sends. Even when the communication with an authentic website seems secure, the cybercriminal could be deploying Clone Phishing or Smishing attacks to steal sensitive information.
How to Recognize Phishing?
There is no single bullet-proof way to identify a phishing scam. Individuals and employees must always be vigilant when exchanging information that is personally identifiable, financial in nature or otherwise sensitive. Some patterns can be used to identify the markers of a potential phishing scam.
- Phishing emails and SMS messages may appear to be from a recognized or trusted firm. Messages may appear to be from a bank, credit card business, social networking site, payment website or app, or online retailer.
- Phishing emails and SMS messages frequently create or tell a story to deceive users into clicking links or opening attachments.
- The email is sent through a public email address. Legitimate organizations will most likely have emails looking like “firstname.lastname@example.org” rather than a common Gmail account.
- Misspelled names or addresses also signal a potential phishing attack. The issue is that a domain name can be purchased from a registrar by anyone. While each domain name must be unique, some techniques can generate addresses that are indistinguishable from the one being faked.
- Poorly written emails are also a sign of a phishing scam. Incorrect spelling and grammar are a good indication that a formal organization or company did not send the message.
- Suspicious links or attachments can be part of the phishing email, either to download malware that infects the device or to take the browser to a fake site that gathers sensitive data.
- A sense of urgency is prominent in these attacks, as the cybercriminal would want the target to accomplish the task right away instead of taking time to think it through. One may have a better chance spotting such scams if they stop and think.
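The markers above can be checked mechanically. The following is an added example, not code from the original article: it scores a message for a public webmail sender, a sender or link domain that is a lookalike of a trusted one (undoing the “rn” for “m” substitution described earlier, plus common digit swaps), and urgent wording. The trusted domains, keyword list and sample messages are all constructed for the illustration.

```python
import re
from urllib.parse import urlparse

# Constructed inputs: domains this organisation expects mail and links from.
TRUSTED_DOMAINS = {"examplebank.com"}
PUBLIC_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
URGENCY_WORDS = {"immediately", "urgent", "suspended", "verify", "within 24 hours"}

def normalize_lookalike(domain):
    """Undo the visual tricks the article describes: 'rn' read as 'm', digits read as letters."""
    return (domain.lower().replace("rn", "m")
            .replace("0", "o").replace("1", "l").replace("3", "e"))

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    norm = normalize_lookalike(domain)
    for t in trusted:
        t_norm = normalize_lookalike(t)
        # Exact match after normalisation, or a single-character typosquat of the same length.
        if norm == t_norm or (len(norm) == len(t_norm)
                              and sum(a != b for a, b in zip(norm, t_norm)) == 1):
            return t
    return None

def assess_message(sender, body):
    """Score an e-mail against the warning signs listed above; returns (score, reasons)."""
    reasons = []
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain in PUBLIC_MAIL_DOMAINS:
        reasons.append("sender uses a public webmail domain")
    target = lookalike_of(sender_domain)
    if target:
        reasons.append(f"sender domain {sender_domain} looks like {target}")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = urlparse(url).hostname or ""
        target = lookalike_of(host)
        if target:
            reasons.append(f"link host {host} looks like {target}")
    hits = sorted(w for w in URGENCY_WORDS if w in body.lower())
    if hits:
        reasons.append("urgent language: " + ", ".join(hits))
    return len(reasons), reasons

# Constructed sample messages, one suspicious and one benign.
SAMPLE_PHISH = ("security@exarnplebank.com",
                "Your account will be suspended. Verify immediately at https://exarnplebank.com/login")
SAMPLE_LEGIT = ("alerts@examplebank.com", "Your monthly statement is available in online banking.")
```

The score is only a triage aid: a message with no hits can still be phishing, and a legitimate newsletter can trip the urgency check, so the reasons list is meant to be read, not acted on blindly.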
How to Prevent Phishing Attacks?
- One of the best ways to prevent phishing attacks is to download or purchase a trusted anti-virus program. Organizations and individuals alike should also test the current security solutions and controls regularly to ensure that the program can effectively defend against application and browser-based attacks.
- Until otherwise proven, all third-party traffic must be viewed as untrusted. It should make no difference whether the material comes from a partner site or a well-known internet property, such as a Google domain.
- Perform an internet search using the names or exact wording of the email or message to see if there are any references to a fraud campaign. Many common scams may be spotted this way.
- An address starting with “https:” is much preferable to one starting with “http:”. A closed padlock symbol beside the address denotes that the connection to the website is encrypted. Legitimate websites that require users to enter sensitive information are normally encrypted to protect that information.
- Never give out personal information, credit card details or online account credentials to untrusted callers. One may question the caller to fully understand what information is needed. Request for the name and phone number to conduct an independent check with the organization in question before returning the call.
- Strong passwords are always a must. Using long passphrases to secure accounts helps protect login details. Change passwords regularly; many organizations are required to implement a 60- to 90-day password rotation policy.
- If a very urgent email comes from a senior leader asking for sensitive information immediately or transferring funds, first and foremost call that leader on their known phone number and validate the request via voice or better yet, face-to-face if possible.
- If ever in doubt, stop, think, validate, or request further proof before proceeding with any exchange of information or money.
What to Do If You Suspect a Phishing Attack?
Stop and think before clicking the link. Cybercriminals frequently attempt to compromise information through links in emails, online advertisements, tweets and other social media postings. Even if the source is known, it’s recommended to remove or ignore the contents if the links or attachments appear suspicious.
Scan before opening a file. Run an anti-virus scan to check whether the document or file has been tampered with or carries malicious code. Ensure the program is up to date, so that it has the latest information on current malware.
Report the experience to the appropriate individuals or teams, including network administrators or technical support. One may also inform customer service about the situation and experience.
Pro Tip: Knowing who and what to trust is key to security. Consumers and employees must understand when not to trust another party and to detect the legitimacy and trustworthiness of the other party.
Why Does Phishing Increase During a Crisis?
Hackers always try to take advantage of a crisis, and the coronavirus pandemic is no exception. Since January 2020, fraudsters have used the COVID-19 pandemic to launch various cyberattacks, ranging from ransomware takeovers of hospital systems to private network hacks.
However, the most recent cybercrime scheme exploits the greatest cybersecurity vulnerability of all: human emotion. A wave of recent phishing attacks has exploited customers’ trust in well-known video conferencing systems to steal personal information and endanger lives. By imitating trusted tech platforms, attackers have adapted to the reality of remote work and telecommuting. Users of Skype, Zoom and Google Meet are increasingly the targets of deceptive cybercrime.
Pro Tip: A good firewall and up-to-date knowledge of cybersecurity can improve how consumers use devices and gadgets. Making use of virtual private networks can encrypt traffic and secure it.
- Phishing is a multi-strategy attack that exploits breakdowns in an organization’s processes and in the people responsible for handling sensitive customer and financial data.
- Protection against phishing requires a combination of technology and the employees/individuals practicing vigilance and caution during their day-to-day interactions on the internet.
- Phishing attacks are constantly evolving and becoming more sophisticated; however, they follow core patterns. Understanding these patterns and educating all individuals and employees about them goes a long way toward protecting against phishing.
- All controls put in place to protect against phishing require frequent testing and validation to ensure that the protections, in both technology and people, are effective.
- Protection against phishing is just one aspect of a company’s holistic cybersecurity protection and incident management posture.