6 Common Phishing Attacks and How to Prevent Them
The existence of phishing scams has become a reality that every company needs to be aware of. There are a variety of ways that cyber criminals are scamming organizations, and some are more common than others. These processes are always evolving alongside technology, making it very important to remain informed as scams change and develop.
A new employee receives an email from the CEO to purchase 3,000 dollars worth iTunes gift cards for client gifts. The CEO tells him that he is in a meeting and not to call him, just communicate via email. Kind of strange, but the new employee hasn't been at the company long, so he believes that this is normal. Being new in the role, the employee is eager to please. He immediately goes to the Apple Store and purchases 30 $100 dollar iTunes gift cards. The employee is supposed to scratch the backs of the cards and email them to the CEO. Kind of strange, but again this employee is very new and doesn't understand what a normal interaction should look like. It isn't until this employee talks to a colleague that he recognizes he has just been taken advantage of and was the subject of a phishing attack. As much as this sounds like a story out of a training packet for what NOT to do, this is actually my personal story. I was 5 days into a new job and looking to make a good impression. Looking back at it now, there were so many red flags that I should have noticed, but didn't. It's embarrassing to admit that I fell for this, however, it allows me to understand how these attacks work and are executed better than anyone! One thing I learned through this whole debacle was the fact that training is key. You can never be too prepared for situations like this, because the potential negative financial impact is far too great! Did you know the average cost of a successful phishing attack is $1,600,000?? I don't know about you, but that's a little rich for my blood! Keep reading to learn about the most common tactics attackers use to reel in your data!
-John Lyle, Marketing Manager, Aqueity
The following are the six most common phishing attacks as of late, and some basic tips to ensure that you can stop them before they cause harm to your organization.
1. Spear Phishing
Spear phishing attacks are relatively simple, yet very dangerous and effective due to how highly targeted they are and the fact that they look like their coming from a trusted sender. They arrive in the form of an email, and typically request that you login to an account (file sharing account, bank account, etc), or follow instructions included in an attachment. The goal is to convince you to provide some of your personal information.
The best way to stop a spear phishing attack is to ensure that your team is trained in how to recognize and report these emails. Additionally, security updates as they relate to your current technology are an important layer of protection. Always remain vigilant and proactive by keeping your technology updated and team educated.
Whaling is a form of social engineering, and the attacks come in the form of an email. These types of attacks generally target a company's big fish. The emails are composed in a way that convinces users they originate from a trustworthy source, whether your bank, employer, or a government agency. The action that they hope to elicit is for users to click on an embedded link. These attacks are effective because they seem credible given the source they claim to originate from.
The best approach to avoid a whaling attack is to ensure that everyone at your organization is properly educated, and aware of the tactics commonly utilized. Make sure that everyone at your organization can differentiate between legitimate emails and malicious ones. A big factor here is remaining skeptical of unsolicited attachments and fake hyperlinks. Another important precaution is to avoid keeping work documents on your personal devices.
3. Clone Phishing
The act of clone phishing entails the creation of an email account that looks almost identical to a legitimate email. The result is an email that is almost an exact copy of an existing email. The original links within these emails are then replaced with links malicious in nature.
The most effective ways to stop a clone phishing attack are to check the sender of the email, and hover over all links before clicking. If something doesn’t look right, always follow up with the organization that the email claims to originate from.
4. Vishing (Voice Phishing)
Although less common than internet phishing, vishing can really take a toll on an organization or individual. The process involves a call being placed in an attempt to elicit information, which can then be used to steal money. Typically these scams take the form of a recorded message warning about unusual activity on a bank account.
Similar to other phishing attacks, the best defense is to remain skeptical. Always check and verify what you are being told over the phone by signing into your account or calling an official number from the alleged source. It also helps to limit your information that exists and is being shared online, and stick to security questions that aren’t easily findable through your internet presence.
Smishing attacks are a form of SMS phishing, which occurs through text messaging. These attacks utilize the same approaches found in other phishing techniques, just specifically targeting a mobile device. Once your phone number is obtained by a cyber criminal, they will contact you via text message in order to convince you to call a specific number or click on a dangerous link.
If a text message seems at all suspicious, or is requesting an action outlined above, there are a few ways you can avoid being scammed. First, don’t reply to the text message or contact the number. Try conducting some research online by searching the number and content of the message. It is always best to avoid the links in questionable text messages, and just contact the company directly through an official line.
6. Email Spoofing
Email spoofing is the forgery of an email header. The goal with this attack is to convince a recipient that the email actually came from a sender that they are familiar with, and not the true malicious source. This lends trust to an email that shouldn’t be trusted at all, posing a real security threat to the recipient.
There are few proactive measures that can be taken to avoid falling victim to a spoofed email. First, work with a sender policy framework (SPF). This validates the IP address and confirms that it is associated with its claimed domain. Second, try using DKIM, which utilizes cryptographic keys used to sign outgoing messages, and thus validates incoming emails. Finally, a DMARC can put the power in the sender’s hands by informing the recipient of whether the email is protected by SPF or DKIM. It also provides the proper actions required when an email fails the authentication process.
If you have questions about training your employees on phishing prevention, you can reach us at 630-769-8700 or utilize our online form.