Protect Your Business Against Phishing Attacks

ArmourHacks

What are Phishing attacks?

Phishing is a cybercrime in which one or more targets are contacted by email, website, phone call, text message or other channels by attackers who lure them into providing sensitive data, including personally identifiable information, bank account details, credit card numbers, passwords or other login credentials.

The information is then used to access important accounts and can result in identity theft and financial loss. It can also be sold in cybercriminal underground markets.

Understand Types of Phishing

Phishing takes many forms; here are five of them:

Email Phishing

Email phishing is the most common cyber security threat that everyone faces today. Attackers often register a fake domain and send numerous emails to their targets. Recipients confuse these emails with those sent by sources they trust and fall victim to the criminals. Attackers may use the credentials obtained to steal money from a victim directly, although compromised accounts are often used instead as a jumping-off point for other attacks, such as the theft of proprietary information, the installation of malware, or the spear phishing of other people within the target's organisation. Compromised streaming service accounts are usually sold directly to consumers on darknet markets.

Spear Phishing

Spear phishing involves an attacker using a targeted approach, drawing on company-specific information to make the victim think the email is legitimate. Attackers usually gather and use personal information about their target to appear as legitimate as possible. The information attackers typically use in a spear phishing attack includes:

  • Full name
  • Job title and employment location 
  • Email address
  • Email signatures
  • Other specific details 

Attackers spend time collecting this information from websites, and sometimes steal it from other email accounts that have already been compromised.

Another common technique is for the attacker to send their messages from a cousin domain (or look-alike domain). For example, if the attacker was targeting cloudflare.com, they would register “cloudfare.com” and send their emails from that domain. When combined with other targeted information, spear phishing emails can be tough to spot.
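From the defender's side, look-alike domains can be screened for automatically: compare each inbound sender's domain against the organisation's list of trusted domains and flag anything that is close to, but not exactly, one of them. The following is an added example, not ArmourZero's code; `TRUSTED_DOMAINS`, the small confusable-character table, the function names and the sample sender domains are all constructed for illustration. It goes slightly beyond the single typo case in the text by also catching digit-for-letter substitutions, the trusted name embedded in a longer label, and the trusted domain used as a subdomain of something else.

```python
"""Look-alike (cousin) domain screening for inbound sender addresses.

Added example, not ArmourZero's code. TRUSTED_DOMAINS and the sample senders
are constructed for illustration; a real deployment would load the trusted list
from the organisation's own partner/brand inventory.
"""
import unicodedata

# Constructed sample of domains the organisation trusts mail from.
TRUSTED_DOMAINS = {"cloudflare.com", "example-bank.com"}

# Single-character substitutions attackers use so a domain reads like the real one.
# Assumption: a hand-picked table; production tooling uses a far larger confusable map.
SINGLE_CHAR_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Canonical form used only for comparison: NFKC folds full-width letters,
    'rn'->'m' and 'vv'->'w' undo the classic two-letter tricks, digits map to letters."""
    d = unicodedata.normalize("NFKC", domain).lower().strip().rstrip(".")
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(SINGLE_CHAR_CONFUSABLES)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a single rolling row (O(len(b)) memory)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalike_verdict(sender_domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (trusted_domain, reason) when sender_domain resembles a trusted
    domain without being it (or a subdomain of it); None otherwise.
    Punycode (xn--) names are assumed to have been IDNA-decoded beforehand."""
    raw = sender_domain.lower().strip().rstrip(".")
    if any(raw == t or raw.endswith("." + t) for t in trusted):
        return None                                          # the genuine domain
    s = normalize(raw)
    for t in sorted(trusted):
        tn = normalize(t)
        if s == tn or s.endswith("." + tn):
            return t, "confusable characters"                # cl0udflare.com
        if tn + "." in s:
            return t, "trusted domain used as a subdomain"   # cloudflare.com.attacker.example
        dist = levenshtein(s, tn)
        if dist <= max_distance:
            return t, f"edit distance {dist}"                # cloudfare.com
        s_label, t_label = s.split(".")[0], tn.split(".")[0]
        # Only for reasonably long brand labels; short ones ("hp") would match everywhere.
        if len(t_label) >= 5 and t_label in s_label:
            return t, "trusted name embedded in label"       # cloudflare-support.com
    return None


def scan_senders(sender_domains):
    """Map each sender domain to its verdict (None = no concern)."""
    return {d: lookalike_verdict(d) for d in sender_domains}


if __name__ == "__main__":
    # Constructed sample senders: one genuine, one genuine subdomain, four look-alikes.
    samples = ["cloudflare.com", "mail.cloudflare.com", "cloudfare.com",
               "cl0udflare.com", "cloudflare-support.com",
               "cloudflare.com.attacker.example"]
    for dom, v in scan_senders(samples).items():
        print(f"{dom:35} {'OK' if v is None else f'LOOK-ALIKE of {v[0]} ({v[1]})'}")
```

The edit-distance threshold of 2 is a reasonable default for brand domains of ten or more characters; for very short trusted domains it should be lowered, or the check will flag unrelated names. A flagged sender is a signal for quarantine or banner warning, not proof of fraud on its own.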

Whaling

A whaling attack is a type of phishing that targets senior-level employees. It looks very similar to spear phishing but goes a step further by targeting senior or other important individuals at an organisation. Phishing attacks that use this strategy often target other high-level members within a company, putting at risk sensitive information that most staff members don't have access to. Whaling scams commonly ask for tax information, financial documents, or even wire transfers.

Attackers often send fake emails in the name of C-level executives such as the CEO or CFO and use that authority to pressure staff members into performing specific actions, such as sending sensitive information or transferring money to an offshore account.

Smishing and Vishing

This form of phishing replaces email with telephone calls and text messages.

Smishing is similar to email phishing, except that the attack is carried out over mobile text messaging.

Two common methods attackers use to steal data:

  Smishing attacks typically send SMS messages inviting users to click on a link. The victim is then redirected to download an application embedded with malware onto their mobile device and tricked into using the application to provide personal information or account credentials.

  A link is sent with the smishing message that redirects users to a fake website resembling a legitimate one, tricking victims into providing private data or capturing their login credentials. Furthermore, due to the nature of mobile browsers, URLs may not be fully displayed, which makes it difficult for users to identify an illegitimate logon page.

Vishing combines ‘voice’ and ‘phishing’: it uses telephony (often Voice over IP telephony) to conduct phishing attacks. The calling number may even be spoofed to appear to come from a legitimate source such as a bank or law enforcement. Scammers usually claim to be government officials, bank officers or law enforcement and tell the victim that their bank account has been compromised or that someone is trying to empty their savings account. During a vishing call, the scammer uses social engineering or induces panic to obtain sensitive personal and financial details, such as account numbers and passwords.

Angler Phishing

Angler phishing is a fairly modern form of phishing that exists on social media. Attackers masquerade as a customer service account on social media, hoping that upset customers won't realise the account isn't genuine. Attackers usually create fake social media accounts and pretend to be legitimate organisations or financial institutions, especially banks. When users contact a company on social media to complain about its support, attackers lure these disgruntled people into handing over their personal information or account credentials.

Attackers will offer the disgruntled person a link that they claim will take them directly to an agent ready to talk to them. Once the victim clicks the link, malware is installed on their computer, or they are redirected to another website that tries to obtain their personal information or account credentials.

9 ways to Protect your business against phishing by armourzero

1. Phishing awareness training

To defend your business against phishing, you have to ensure your employees know that these attacks exist. Education is the best way to teach employees to recognise suspected phishing attempts and the steps to take when targeted. This turns employees into an additional layer of defence against phishing attacks.

2. Never open email links and attachments from unknown sources

Double-check email links before clicking on them, and do not open links from untrusted sources or emails, especially spam. This prevents seemingly legitimate malicious links from redirecting you to malicious websites.

Make it a practice to type the URL manually, or to use bookmarks you made previously, when visiting financial websites.

Open email attachments with extreme care. Always check an attachment's extension before downloading or opening it. Never open an attachment with a “.pif”, “.exe”, “.bat” or “.vbs” extension.

3. Never provide your personal or financial information over email

Email is not a secure method for sending sensitive information. Remember that legitimate financial institutions seldom ask for sensitive information via email. Consult the relevant organisation if in doubt.

4. Turn on Multi-factor Authentication (MFA)

Multi-factor authentication (MFA) provides an additional layer of protection on system login. Even if a victim provides login credentials to a scammer, MFA reduces the scammer's ability to gain access to the victim's account and increases your ability to detect and respond to incidents in a timely manner.

5. Always keep your software up-to-date

Always keep your web browser, operating system, software and applications patched with the latest updates. This ensures known software bugs and security issues are fixed. Old versions of software or applications can become a hacker's entrance into your network.

6. Get anti-phishing add-ons or use spam filter

Many anti-phishing add-ons are available for your web browser. They help detect and block scam emails and can report or block suspected phishing websites.

A spam filter is a program that detects unsolicited, unwanted and virus-infected emails and prevents those messages from reaching a user's inbox. Like other types of filtering programs, a spam filter looks for specific criteria on which to base its judgments.
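To make the "specific criteria" concrete, and to show how the attachment-extension rule from tip 2 fits into such a filter, here is an added example of a small rule-based screen that scores an inbound message. It is not ArmourZero's code and not any particular spam filter's logic; the `Message` structure, the blocked-extension list beyond the four named in the text (.pif, .exe, .bat, .vbs), the pressure phrases and both sample messages are constructed assumptions. The checks it applies are: an executable final extension (including double extensions such as `Statement.pdf.exe`), a Reply-To domain that differs from the From domain, pressure wording, and HTML links whose visible text names one host while the href points at another.

```python
"""Rule-based screening of inbound mail for dangerous attachments and common
phishing indicators (the "specific criteria" a spam filter checks).

Added example, not ArmourZero's code. The Message structure, the extension
list beyond the four named in the text, the urgency phrases and both sample
messages are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Extensions from the text (pif, exe, bat, vbs) plus a few other directly executable
# Windows types; assumption: tune this list to your own environment.
BLOCKED_EXTENSIONS = {"pif", "exe", "bat", "vbs", "cmd", "scr", "js", "hta"}

# Pressure wording typical of phishing lures (constructed list).
URGENCY_PHRASES = ("urgent", "immediately", "account will be suspended",
                   "verify your account", "wire transfer")

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r'https?://([^/\s"<>]+)', re.I)


@dataclass
class Message:
    from_header: str                 # e.g. 'Payroll <payroll@example-bank.com>'
    subject: str
    body_html: str
    reply_to: Optional[str] = None
    attachments: List[str] = field(default_factory=list)


def attachment_extensions(filename: str) -> List[str]:
    """All extensions, so 'Statement.pdf.exe ' -> ['pdf', 'exe']. Trailing spaces
    and dots are stripped because mail clients may hide them from the user."""
    parts = filename.strip().rstrip(". ").lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def dangerous_attachment(filename: str) -> bool:
    """The final extension is what the OS executes, so that is the one that counts."""
    exts = attachment_extensions(filename)
    return bool(exts) and exts[-1] in BLOCKED_EXTENSIONS


def link_mismatches(body_html: str) -> List[Tuple[str, str]]:
    """(shown_host, real_host) pairs where the visible link text names one host
    but the href points at another. Text such as 'click here' carries no host
    and is left for the other rules."""
    out = []
    for href, text in LINK_RE.findall(body_html):
        shown, target = HOST_RE.search(text), HOST_RE.search(href)
        if shown and target and shown.group(1).lower() != target.group(1).lower():
            out.append((shown.group(1), target.group(1)))
    return out


def score_message(msg: Message) -> Tuple[int, List[str]]:
    """Additive score plus the human-readable reasons behind it."""
    score, reasons = 0, []
    for name in msg.attachments:
        if dangerous_attachment(name):
            score += 5
            reasons.append(f"executable attachment: {name.strip()!r}")
    from_domain = parseaddr(msg.from_header)[1].rpartition("@")[2].lower()
    if msg.reply_to:
        reply_domain = parseaddr(msg.reply_to)[1].rpartition("@")[2].lower()
        if reply_domain != from_domain:
            score += 2
            reasons.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    text = f"{msg.subject} {msg.body_html}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        score += len(hits)
        reasons.append("pressure wording: " + ", ".join(hits))
    for shown, real in link_mismatches(msg.body_html):
        score += 3
        reasons.append(f"link shows {shown} but goes to {real}")
    return score, reasons


def verdict(msg: Message, threshold: int = 4) -> str:
    return "quarantine" if score_message(msg)[0] >= threshold else "deliver"


# Constructed sample messages.
SAMPLE_PHISH = Message(
    from_header="Payroll <payroll@example-bank.com>",
    subject="URGENT: verify your account",
    body_html='<p>Please <a href="http://login-portal.example/x">'
              'https://example-bank.com/login</a> now.</p>',
    reply_to="Payroll <payroll@mail-relay.example>",
    attachments=["Statement.pdf.exe "],
)
SAMPLE_BENIGN = Message(
    from_header="HR <hr@example-bank.com>",
    subject="Team lunch Friday",
    body_html="<p>See you at noon.</p>",
    attachments=["menu.pdf"],
)

if __name__ == "__main__":
    for m in (SAMPLE_PHISH, SAMPLE_BENIGN):
        s, why = score_message(m)
        print(f"{m.subject!r}: score {s} -> {verdict(m)}")
        for r in why:
            print("   -", r)
```

The weights and the quarantine threshold are arbitrary starting points; the useful part is that every point of score comes with a reason, so a reviewer (or the user shown a warning banner) can see which criterion fired rather than just a verdict.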

7. Change passwords regularly and use a strong, complex and unique password for each account

An attacker may attempt to access your account more than once over a period of time. Changing your password regularly reduces the risk that they retain ongoing access.

Many people like to use the same password for multiple accounts. It's easy to remember, but it's actually one of the worst security practices: if one of these accounts is compromised, all of them are at risk of a data breach.

8. Ensure your devices have antivirus installed and run a full virus scan weekly

Always ensure your antivirus software's databases are up to date to reduce the chance of being affected by fraudulent emails or websites that exploit software vulnerabilities. This also helps protect you against the latest threats.

Your security software gives real-time protection against threats as they emerge, but regular system scans are vital. Most security suites are configured to perform a scan once a week.

9. Update your device’s operating system

Enable automatic updates so that the latest security patches are installed, including on your mobile operating system. These patches repair security holes that have been discovered and fix or remove vulnerabilities.

Conclusion

Cybercrime is constantly evolving, so it is important to make sure employees understand the types of attacks and the risks they face. People are always an organisation's biggest vulnerability, but organisations can do a lot through policy, procedures and training to make staff more aware of phishing and how it works.

Vilzen Low - CSP Global

Written by: 

Vilzen Low, experienced IT Security Engineer in the information technology and services industry.
