Cybercrime has become a part of everyday life, and hackers are using any
opportunity to take advantage of an unknowing victim to gain access to personal
information for financial gain. As gatekeepers to the data of today’s small and
medium businesses (SMBs), managed service providers (MSPs) are also becoming
increasingly targeted by these attackers.
Some social engineering attacks are more obviously a scam than others. Education and cyber security training can mean the difference between compromised credentials and a failed attempt by a hacker.
One commonly used cyberattack is phishing. Phishing is an umbrella term for attacks that are typically delivered in the form of an email, chat, web ad, or website that has been designed to impersonate a real person, system, or organization. Phishing messages are crafted to deliver a sense of urgency or fear with the end goal of capturing an end user’s sensitive data and can result in wire transfer fraud, credential phishing, malware attachments, and URLs leading to malware spraying websites.
The Different Types of Phishing Attacks:
The most common phishing tactic, these emails are designed to look like they are from a trusted source. They ask the victim to reply to the email or fill out a web form, giving out personal details.
Spear phishing is an attempt to gain access to credentials or financial information from a targeted individual. Attackers pass themselves off as someone the target knows well or an organisation they’re familiar with to gain access to compromising information and exploit the victim. These attacks are purposefully crafted to target a specific user or small group of users. They are typically crafted after research of the target has occurred, resulting in a more personally relevant phishing attack.
Whaling is a form of spear phishing with a focus on a high-value target, meaning the fraudulent communication comes from a senior employee within an organisation, to boost credibility. This approach also targets other high-level employees within an organization as the potential victims and includes an attempt to gain access to company platforms or financial information. These attacks employ the same methods as spear-phishing attacks.
Mass phishing campaigns cast a wider net than the targeted techniques of spear phishing and whaling. True to their name, they are sent to the masses to convince a subset of the wide net to fall victim to their efforts. Typically, these are sent via email from a knock-off corporate entity insisting a password needs to be updated or credit card information is outdated. The damage caused by falling victim to a mass campaign may not be as immediately evident as more targeted attacks as there is a lag time between the successful attack and the sale of the data obtained in the attack.
Ambulance Chasing Phishing
This form of phishing is commonly a mass campaign, but can also be spear phishing. With ambulance-chasing phishing, attackers will play off of current crises to drive urgency for victims to take action that will lead to compromising data or information. For example, targets of this form of phishing may receive a fraudulent email encouraging them to donate to relief funds for recent natural disasters or the COVID-19 global pandemic.
Pretexting is a highly effective method of phishing as it reduces human defenses by creating the expectation that something is legitimate and safe to interact with. Pretexting involves an attacker doing something via a non-email channel to set an expectation that they’ll be sending something seemingly legitimate shortly. For example, attackers may call and leave a voicemail acting as a vendor saying that their contract will be sent shortly via email. Then, an email about the voicemail will be sent containing malicious links.
Account Expired/Change Password
Like other phishing scams, these look like they come from a trusted source, and inform the victim that their password for an account has expired. This is done to encourage them to enter other credentials to reset their password.
The scammer can then use these credentials to access the victim’s account.
Also called smashing, these work similar to phishing emails, but are sent as SMS, social media messages, or other messages compatible with phones.
Clicking through links in these messages can give hackers access to your data, or allow them to install malicious software on your device.
This type of attack is more sophisticated, as it involves intercepting emails between two people. The attacker can then send emails back to these two people, who think they are coming from each other, but are actually from the attacker.
They can ask for private information or request certain actions, and the person may easily fall, victim, as they think the email is from a trusted source.
In this method, hackers will create a Wi-Fi network copying the address of another. Anyone who connects to this spoofed network will be exposed to the hackers, allowing them to access passwords and other information.
This is usually done in public spaces such as coffee shops, malls, and airports.
How to get protected from Phishing:
These are just a few of the ways malicious actors will try to exploit businesses and
their unknowing employees to gain access to credentials and financial information.
To stay ahead of the curve, it’s crucial to every member of your organisation on the
risks they face as the cybersecurity landscape continues to evolve and hackers
become more sophisticated.
There are a few key ways to protect an organization from phishing and
increase your cyber resiliency.
- Regular training of staff and customers (Register here for Government Fully Funded Cyber Security Awareness Training)
- Learn the psychological triggers
- Build a positive security culture
- Implement technical measures e.g. email security or anti-phishing solutions
- Test the effectiveness of the training
To learn more about these protection methods read our blog on “How to Spot and
Protect Against Phishing Email Attacks”
IT Connexion is a proud partner of Datto Inc.