3 Common Phishing Attacks and How to Protect Your Company Against Them


Introduction

Phishing continues to dominate the digital threat landscape for many businesses today, large and small. A 2020 report released by Verizon Enterprise found that phishing is the second most common type of digital threat involved in data breaches and security incidents.

Cyber criminals show no sign of slowing down their phishing attempts in 2021 or in the years to come, which is why it is essential for businesses to know how to spot common phishing attacks. It is equally important for organizations to familiarize themselves with the common techniques malicious actors use to deploy these scams.

We have put together three of the most common types of phishing attacks, along with some useful tips on how organizations can protect and defend themselves against them.

1. Deceptive Phishing

This type of phishing is by far the most common: the fraudsters impersonate a legitimate company in the hope of stealing login credentials and personal data. One way they do this is via email, by including content that conveys a sense of urgency and so manipulates the end user into doing what the attacker wants. Here are some common techniques to be aware of:

Legitimate links. Many criminals try to evade email filters by incorporating recognizable links in their phishing emails. For example, they may include legitimate contact information for someone in the company whom the end user will recognize, so the recipient feels more inclined to open the message.

Imitating and altering the company logo. Some email filters recognize a logo's HTML attributes and block anything that looks inauthentic. To get around this, attackers alter an HTML attribute of the logo, such as a color, so the message slips past the spam filter and into the end user's mailbox.

Minimal content in the email. One way attackers attempt to reach their target is by including many images instead of text, which leaves text-based filters little to scan.

How to defend against deceptive phishing.

Deceptive phishing succeeds only when the email closely resembles legitimate correspondence from the company. Thus, users should know how to inspect an email: if any link redirects to an unknown website, that is a sign of phishing. They should also look out for spelling errors and grammar mistakes, because these are a good indication of a deceptive phishing email.
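The three deceptive-phishing signs described above (a recognizable-looking link that actually points elsewhere, a link to a domain the company does not use, and an image-heavy body with almost no text) can be checked mechanically. The following script is an added example, not part of the original article or of any vendor product; the sample email body and the allowlist of trusted domains are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body (not a real message): the visible link text names the
# company portal while the href goes elsewhere, and the body is mostly images.
SAMPLE_HTML = """<html><body>
<img src="https://cdn.example-corp.test/logo.png" alt="Example Corp">
<p>Your account requires urgent verification.</p>
<a href="http://login-verify.example-attacker.test/auth">https://portal.example-corp.test/login</a>
<img src="https://cdn.example-corp.test/banner.png">
</body></html>"""
TRUSTED_DOMAINS = {"example-corp.test", "portal.example-corp.test"}  # assumed allowlist
class _Extractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self.images, self.text = [], 0, []
        self._href, self._anchor = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self._href, self._anchor = a["href"], []
        elif tag == "img":
            self.images += 1
    def handle_data(self, data):
        if self._href is not None:
            self._anchor.append(data)
        self.text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor).strip()))
            self._href = None
def _domain(v):
    return (urlparse(v if "://" in v else "http://" + v).hostname or "").lower()
def analyse_email(html, trusted=TRUSTED_DOMAINS):
    """Return one finding per deceptive-phishing sign that fires; [] means none fired."""
    p = _Extractor()
    p.feed(html)
    findings = []
    for href, anchor in p.links:
        dest = _domain(href)
        shown = _domain(anchor) if re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+", anchor) else ""
        if shown and shown != dest:  # anchor text names one domain, href goes to another
            findings.append(f"link text shows {shown} but goes to {dest}")
        if dest and dest not in trusted:
            findings.append(f"link to untrusted domain {dest}")
    words = len(" ".join(p.text).split())
    if p.images >= 2 and words < 20:  # assumed threshold for "many images, little text"
        findings.append(f"image-heavy body: {p.images} images, {words} words")
    return findings
```

Run against the sample, all three heuristics fire; a plain-text notice linking only to an allowlisted domain produces no findings.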

2. Spear Phishing

Like deceptive phishing, spear phishing is delivered through email, but it includes details such as the target's name, company, phone number, and position to trick the end user into believing the sender is someone familiar. Although the content of the email is different, the goal is the same as in deceptive phishing: to trick the recipient into clicking a malicious URL or attachment that persuades them to give up personal information. The most common place fraudsters gather this information is social media, especially LinkedIn. A lot of effort goes into drafting a spear phishing email, because the attackers spend a significant amount of time researching the target and making the content seem believable. Companies should train their employees so they are more aware and better equipped when presented with a spear phishing email. Here are some common techniques to be aware of:

They gather information on social media. Malicious actors go to LinkedIn and company pages such as "About Us" and gather as much information about the company as they can. They then organize that information in a way that is recognizable to the recipient.

Sometimes, they host malicious documents on cloud services. It is becoming common for cyber criminals to store their malicious documents on cloud services such as Google Drive, Dropbox, and others. IT departments are unlikely to block these third-party services by default, so email filters are unable to flag the weaponized documents.

How to defend against spear phishing.

To protect themselves against this type of scam, companies should run ongoing employee security training that discourages users from publishing corporate or sensitive information online or on social media. Companies should also invest in solutions that are recognized for analyzing the links and attachments in incoming email.

3. Whaling (CEO Fraud)

This type of attack is also known as CEO fraud. Like phishing, it uses methods such as website and email spoofing to persuade its target into actions that reveal sensitive data or authorize wire transfers.

Generic phishing attacks have no specific target, whereas spear phishing targets an individual; whaling combines both in that it targets someone very senior and influential in a company and impersonates them via email. This adds an extra element of social engineering, because staff are typically less likely to refuse a task if someone they deem important is assigning it. Criminals who practice whaling use techniques similar to phishing; here are some to look out for:

Email. These emails may contain personalized information about the end user or convey a sense of urgency.

Phishing email followed up with a phone call. This technique is new, and it falls more under social engineering. The tactic is described as cyber-enabled fraud because the phone call serves as validation for the recipient.

How to defend against whaling.

The only way for an organization to defend itself against CEO fraud/whaling is for the end recipient to have a better understanding of how leadership in the company actually communicates. For example, if an employee receives a personal email from the CEO out of the blue, that should be a sign that something is abnormal. Whaling attacks typically work because executives and CEOs do not really participate in security awareness, and they should, since they are the ones being mimicked. To counter these threats, everyone should participate in security awareness on a regular basis. Every business should also add Multi-Factor Authentication (MFA) to its authorization process, so that no one can authorize a payment or login through email alone but must confirm it through another medium such as SMS, email, phone, or a security question.

Conclusion

Cybercriminals are constantly coming up with new strategies to persuade employees into giving up sensitive information. The types of phishing attacks above are typically easier to spot than others; however, that does not mean the end user will recognize each one every time. Phishing is constantly evolving, adopting new techniques and forms, and knowing this, companies should host regular security awareness days and remind their employees (including executives) of the newest trends.

Another security measure companies should consider investing in is cybersecurity systems that specifically focus on phishing attacks and cybercrime. For more information, contact our cybersecurity solution specialists for a free consultation.