From ransomware to SolarWinds, the cybersecurity space has been as hectic as ever over the past 12 months. However, for all of the emerging threats on the horizon, phishing – one of the oldest pain points in cybersecurity – continues to wreak havoc for enterprises around the world.
It’s often overlooked in terms of media hype, but phishing has been a mainstay in the cybersecurity threat landscape for decades. In fact, 43 percent of cyberattacks in 2020 featured phishing, while 74 percent of US organisations experienced a successful phishing attack last year alone. And globally, cybercriminals exploited public fears over the COVID-19 pandemic to find new phishing victims.
Phishing remains one of the most serious risks to an organisation’s cybersecurity health, but with proper anti-phishing hygiene and best practices in place, you can shore up your defences. Here are three simple tips to help you deal with phishing threats…
Phishing scammers are masters of making their content and interactions appealing. From content design to language, it can be difficult to discern whether content is genuine or a potential threat, which is why it’s crucial to look for the red flags.
Unusual formatting, overly explicit call-outs to click on a hyperlink or open an attachment, and subject lines that create a sense of urgency are all warning signs. Emails with these hallmarks should be treated with caution. And if you suspect a phishing attempt, contact your IT department immediately.
Cybercriminals may impersonate someone you already know – such as a colleague, service provider or friend – as a way to trick you into believing that their malicious content is trustworthy. Don’t fall for it.
If an email is out of place, or unusual, reach out directly to the sender to confirm whether the content is authentic and safe. If not, break off communication immediately and flag the incident through the proper channels at your workplace.
Threat actors have diversified their phishing efforts beyond traditional email. For example, voice phishing – or vishing – has become a primary alternative for scammers looking to gather sensitive information from unsuspecting individuals.
Similar to conventional phishing, vishing is typically executed by individuals posing as legitimate contacts – like healthcare providers or insurers – and asking for sensitive data. It’s imperative for individuals to be wary of any sort of communication that asks for personal information (via email, phone or chat), especially if the communication is unexpected. If anything seems suspicious, break off the interaction immediately and contact the company directly to confirm the authenticity of the communication.
Phishing may be “one of the oldest tricks in the book”, but it is still incredibly effective and increasingly widespread. By exercising caution and vigilance, and by deploying these few fundamentals, you can reduce your chances of falling victim to a phishing attack.
This article has been adapted from Cyber Security Awareness Month resources supplied by the event organisers, and is published here with permission. References include:
BUI is proud to be a 2021 Cyber Security Awareness Month Champion Organisation. Follow along on Facebook, LinkedIn and Twitter for more security tips throughout October!
Our Cyber SoC leverages state-of-the-art Microsoft Security technology – including Azure Sentinel – to continuously monitor connected environments.
With cloud-powered data processing, cyberthreats are detected, analysed, and managed in near real-time to provide comprehensive, end-to-end protection.
On the cybercrime timeline, phishing dates back to the mid-1990s when hackers exploited one of the earliest internet service providers to steal passwords and credit card data from unsuspecting users. Technology has evolved significantly since then, but phishing remains a popular attack method because it’s specifically designed to take advantage of human nature.
Phishing is the practice of using fake, fraudulent, or deceptive communication to lure or convince a targeted person (or group) to hand over sensitive information.
Cybercriminals pretend to be legitimate, trustworthy sources and contact their victims by email, phone, or SMS with the goal of acquiring anything from personal data and banking details to usernames and passwords.
The scammers then leverage the newly acquired information for their own illicit purposes, which may include identity theft, credit card fraud, or privileged account access, among other things.
Email phishing, spear phishing, whaling, smishing, and vishing are five common types of phishing attacks. Learn to recognise the warning signs so that you’re less likely to be fooled by a scam message.
Email phishing (also called deception phishing or deceptive phishing) is perhaps the most well-known type of phishing. In this kind of scam, attackers impersonate a real company, organisation, or group and send out mass emails to as many email addresses as they can find. This so-called “spray and pray” approach is a numbers game for the perpetrators, and even if they only hook a handful of victims, the attack may still prove worthwhile and lucrative.
How do they do it? The scam email message is intended to make you perform an action, like downloading an attachment or clicking on a link. Malware embedded inside the attachment is activated when you open the file, and the link destination is often a malicious website primed to steal your credentials or install nefarious code on your device.
Consider this example… You receive a legitimate-looking email from your streaming service, saying your account has been temporarily suspended because of unusual activity. You’re instructed to click on a link inside the email, to verify your account credentials. You expect to be directed to the streaming service’s login page, but the link actually takes you to a lookalike login page that harvests your username and password.
Spear phishing takes the concept of email phishing and applies it to a specific individual or group. Instead of the bulk, generic communication associated with regular email phishing, spear phishing involves customised messaging for a selected target. As the name implies, spear phishing is a pointed attack, not a wide-net manoeuvre, and scammers will often leverage publicly available corporate collateral to fine-tune the elements of their email trap.
How do they do it? Detailed, personalised messaging is key to the success of any spear-phishing campaign – because the attackers have to make you, the recipient, trust them enough to do what is asked in the email. They may spend days or even weeks on research and information-gathering (from your company’s website, social media pages, and published reports) as part of their efforts to trick you into action.
Consider this example… You’re the accounting clerk responsible for processing vendor invoices. You receive an email from an unknown vendor, with a PDF invoice attached. The message is well-written and friendly. The email sender knows your name and is knowledgeable about your company; they even send their best wishes to your colleague, John, whose motorcycle accident was addressed in your company newsletter last week. You believe that the vendor is legitimate and open the attachment, which then delivers malware to your laptop.
Whaling (also called whale phishing) is the term used to describe phishing attacks aimed at a company’s most senior, most connected, or most influential leaders – the whales. The chief executive officer, chief operating officer, chief financial officer, chief technology officer, and other senior managers are attractive targets because of their high-level access to company resources. With an executive’s login credentials in their possession, scammers may be able to transfer corporate funds, expose private data, or impersonate the target to disrupt or damage the business.
How do they do it? Like spear phishing, whaling requires a tailored approach. Cybercriminals may have to profile the chosen individual for months to gain sufficient insight into their personal and professional lives. But as soon as the phishers have enough information, they can create believable, persuasive messages to try to deceive their victims into downloading malicious files or visiting compromised websites.
Consider this example… A new email lands in your inbox – and it’s from a law firm. The subject line and the content of the message imply that your company is being sued for millions by a former employee. The preliminary paperwork is attached to the email. As the chief legal officer, it’s your responsibility to investigate – but you don’t realise that the attachment is tainted.
Smishing (also called SMS phishing) uses a text message rather than an email message to conduct a phishing attack, but the rationale is the same: scammers want to fool you into clicking on a risky link, downloading a malicious application, or surrendering your personal information.
How do they do it? Digital fraudsters take advantage of the fact that you keep your smartphone within reach and probably read your text messages soon after they arrive. And, as with other phishing methods, deception is their key tool. By masquerading as bona fide businesses (like your supermarket) or trusted sources (like your bank), they can deliver compelling texts directly to you – quickly, easily, and more than once.
Consider this example… You receive an SMS offering 20% off your next clothing purchase. The offer appears to come from your favourite fashion outlet, and uses the same language and style (right down to the abbreviations and emojis) that you’ve seen from the store in the past. To receive the discount, which is only available to the first 100 customers, you need to click the link and claim your coupon code online. You don’t know that the link, when clicked, installs malware on your phone.
Vishing (also called voice phishing or phone phishing) is when scammers call you directly – on your home landline, your work phone, or your cell – and try to make you give out personal or corporate information. Often, they will exploit annual trends and public concerns, or create a sense of panic that makes you feel compelled to comply with their requests.
How do they do it? The person making the fraudulent phone call may pretend to be a tax official who needs your company registration number for verification before refunding money to you. They may claim to be a health official calling to put you on the list for a COVID-19 vaccination. They may even claim to be a customer service agent from your bank, alerting you to suspicious withdrawals from your account. In every scenario, the phisher on the other end of the line will do their utmost to extract sensitive information from you.
Consider this example… You’re called by someone who claims to be from an insurance firm. They say that you’ve been named as a beneficiary in the estate of their deceased client, and you stand to receive a substantial sum of money if you can verify your identity in line with the facts in their possession. You may be asked for your full name, your ID number, your physical address, and your other phone numbers as the impersonator tricks you into providing confidential, high-value information over the phone.
These five types of phishing attacks are among the most prevalent, but they’re not the only ones used by cybercriminals. You need to be able to spot the tactics (and teach your teams to spot them, too) so that would-be phishers do not succeed when they target you and your staff.
Prepare your business teams for the dangers of cyberspace with comprehensive security training from BUI and Cyber Risk Aware.
Check out the on-demand webinar featuring our own Wayne Nel and Cyber Risk Aware CEO Stephen Burke to learn more.