Phishing is a type of social engineering attack that hackers use to steal user data, including credit card numbers and login credentials. Typically, a phishing attack occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, text message, or instant message. According to the Federal Trade Commission, scammers use email or text to trick victims into giving them their personal information. Next, the bad actor tricks the recipient into clicking a malicious link, leading to objectionable outcomes, such as installing malware, freezing the system, and revealing sensitive information.
In its 2021 Data Breach Investigations Report (DBIR), Verizon Enterprise found that phishing remains one of the top action varieties in breaches and has been for the past two years. The report also notes that the attack has utilized the coronavirus pandemic to pump up its frequency to 36 percent of breaches, up from 25 percent last year. “This increase correlates with our expectations given the initial rush in phishing and COVID-19-related phishing lures as the worldwide stay-at-home orders went into effect,” reads the DBIR report.
Phishing Attack Techniques
What are some of the popular phishing attack techniques you should be aware of to implement the necessary measures to protect your personal information?
1. Email Phishing Scams
In email phishing, an attacker sends out thousands of fraudulent messages to net significant information and sums of money once a fraction of the recipients fall for the scam. The Federal Trade Commission notes that scammers launch thousands of phishing attacks every day, and they are often successful. Additionally, the FBI Crime Complaint Centerreported that people lost $57 million to phishing schemes in one year.
Certainly, cybercriminals will go to great lengths in designing phishing emails to mimic actual messages from a spoofed organization. For instance, they will apply the same phrasing, logos, typefaces, and signatures to make the phishing email appear legitimate. Besides that, they use minimal email contact to evade detection. They might also include an image instead of text in the email body to evade popular email clients’ spam filters.
Apart from mimicking actual emails from spoofed organizations, attackers will attempt to push users to act by creating a sense of urgency. For example, they could send a phishing email threatening the recipient about account expiration. Applying pressure tactics in phishing causes a target to be less diligent and more prone to error.
Finally, the links in phishing emails resemble legitimate sources but classically have an erroneous domain or extra subdomains. Similarities between a phishing scam and a legitimate URL offer an impression of a genuine, secure link, making the target less aware that a phishing attack is taking place. Sometimes, hackers use redirects and shortened links to avoid raising any red flags with their victims.
Recently, the United States government fended off what it called a “basic phishing” attempt security analysts blamed on the Russian intelligence operatives. According to security assessments, Microsoft first reported the attack, with hackers using malware-laden emails to target U.S. and foreign government officials, think tanks, and humanitarian groups.
Unlike email phishing scams that involve random users, spear phishing targets a specific individual or enterprise. Additionally, this technique is a more in-depth phishing method that requires special knowledge about the target. In spear phishing, often attackers will customize their attack emails with the target’s name, position, company, work phone number, and other personal information to trick a recipient into believing that they have a connection with the sender.
Given the amount of information needed to craft a successful and convincing spear-phishing attack, it’s no surprise that this attack technique is commonplace on social media sites like LinkedIn, where fraudsters can leverage a multitude of data sources to craft a targeted attack email.
3. CEO Fraud
Now and then, fraudsters can choose to launch spear-phishing attacks to harpoon an executive and steal their login credentials. The attack, commonly referred to as CEO fraud, involves compromising a CEO and high-ranking executive email accounts to authorize fraudulent wire transfers to a financial institution of their choice.
Email phishing, spear phishing, and CEO fraud characteristically rely on email as a means of communication. Even so, fraudsters sometimes turn to other media to launch phishing attacks. A good example is vishing attacks that involve placing a phone call. By and large, an attacker sets up a voice-over-internet protocol (VoIP) server to mimic various entities to steal sensitive data and funds.
The Smishing technique is conducted over mobile text messaging, also referred to as SMS phishing. As a variant of phishing attacks, hackers use smishing to deceive targets into giving sensitive information, much like they would in a traditional email phishing attack. Apart from stealing information, SMS phishing can be used to spread malware. In this case, an attacker sends a smishing URL link via mobile text messaging platforms to trick victims into downloading malware that installs itself on their mobile devices.
A new report from Fraud Watch International about phishing attack trends anticipated an increase in Smishing where text messages content is only viewable on a mobile device.
Hackers continuously devise new tactics to evade detection. For instance, they have developed pharming, a phishing technique that leverages cache poisoning against the Domain Name System (DNS), a naming system that the internet uses to convert alphabetical website names to numerical I.P. addresses to locate and direct visitors to requested sites.
Typically, a pharmer involved in DNS cache poisoning targets a DNS server and changes the I.P. address associated with an alphabetical website name. As a result, an attacker can redirect users to a malicious website of their choice, even if they enter the correct website addresses.
7. Spoofed/Phishing Websites
In spoofed or phishing websites, attackers forge a website that appears to be genuine and looks similar to a legitimate one. A study published on Frontiers in Computer Science states that an unsuspicious user is redirected to a website after clicking a link embedded within an email or through an advertisement (clickjacking). Subsequently, if a victim continues to interact with a spoofed website, they may end up disclosing sensitive information that the phisher will harvest.
Attackers will also often use “typo-squatting” to spoof a website. This is a method where they will purchase a domain with a name similar to a legitimate website (for example gogle.com instead of google.com) in hopes that a user may make a mistake when typing a URL into their browser and visit an illegitimate website, not noticing that they typed the URL incorrectly. Attackers will typically host a website on this domain as close to indistinguishable as possible from the website that the user meant to visit.
Impacts of Phishing Attacks
Without a doubt, a phishing attack can have devastating impacts on individuals and businesses. For instance, an attack allows hackers to commit unauthorized purchases, identity theft, or steal funds using stolen credit card information.
Besides its impact on individuals, phishing allows cybercriminals to gain a foothold in corporate and government agencies as part of a larger attack. In this case, hackers compromise employees to bypass security perimeters, launch malware inside a network, or gain privileged access to protected information and systems.
Unquestionably, phishing attacks result in severe financial losses and a declining market share due to destroyed brand’s reputation and customer trust. In fact, some phishing attack incidents might escalate to system destruction that might take more time and resources to recover.
Recognizing Phishing Attacks
“Scammers often update their tactics, but there are some signs that will help you recognize a phishing email or text message,” the Federal Trade Commission published under Consumer Information. FTC adds that phishing emails and text messages may look like they’re from a company you know or trust. Additionally, the messages may look like they are from a bank, a credit card company, a social network site, an online payment website or app, or an online store.
More frequently, phishing emails and text messages often tell a story to trick victims into opening an attachment or clicking a link. For example, FTC Customer Information reveals the following tactics hackers use in phishing emails:
- They send an email indicating they have noticed suspicious activity or log-in attempts
- They claim there is a problem with your account of your payment information
- They say you must confirm some personal information
- They include a fake invoice
- They request you to click a link to make a payment
- They offer a coupon for free stuff
- They say you are eligible to register for a government refund
Phishing Attack Techniques
Users and enterprises need to take the necessary steps to prevent phishing attacks.
1. Be Vigilant
Users should be vigilant so that they can detect spoofed messages containing subtle mistakes. For instance, users should look out for spelling mistakes or changes to domain names once they click a URL. Most importantly, users should stop and think about why they are receiving such an email before responding or opening a link.
Users should avoid publishing sensitive personal or corporate information on social media. The U.K.’s National Cyber Security Center (NCSC) reveals that attackers use publicly available information about your organization and users to make their phishing (particularly spear phishing) messages more convincing. Therefore, NCSC recommends considering what visitors to your social media and website need to know and the unnecessary details. Additionally, organizations should help their employees to understand how sharing personal information can affect them and their organization. Also, it would help to check what your business partners, contractors, and supplier give away about your organization online.
2. Employee and C-Suite Awareness Training
Businesses should invest in cybersecurity awareness campaigns to help employees understand secure practices, such as not responding to suspicious emails. In addition, proper training enables users to inspect all URLs carefully to see if they redirect to unknown and suspicious websites.
CEO fraud works because many executives often don’t participate in security awareness training with other employees. To counter such threats, organizations should mandate that all company personnel, including high-ranking executives, participate in security awareness training on an ongoing basis.
The National Cyber Security Center recommends organizations carefully consider their approach to phishing training. “Training your users – particularly in the form of phishing simulations – is the layer that is often overemphasized in phishing defense,” states the NCSC. A study published on Frontiers in Computer Science states that “Human education is by far an effective countermeasure to avoid and prevent phishing attacks.” The report adds that awareness and human training reduces users’ susceptibility to phishing attacks and compliments other technical solutions.
3. Strong Access Control
Enterprises should implement strong access controls to prevent the malicious intentions employed by an attacker that is utilizing phishing attacks. Notably, they can use multifactor authentication (MFA), which adds an extra verification layer when logging in to systems. MFA effectively prevents hackers from using compromised credentials to steal information since passwords alone are insufficient for authentication and authorization. According to the 2021 Data Breach Investigations Report (DBIR), phishing continues to walk hand-in-hand with the use of stolen credentials in breaches as it has in the past. Therefore, implementing strong access controls effectively prevents the attack.
Apart from MFA, organizations need to enforce strict password policies to ensure that employees create strong and unique passwords for different applications.
4. Use Security Software
It will help if you protect your devices using updated security software. Additionally, set the software to update automatically to allow it to detect and respond to emerging security threats. “Install antivirus, antispam software as a first action and keep it up to date to detect and prevent any unauthorized access,” recommends a study published on Frontiers in Computer Science.
It would also help if companies invested in software solutions that analyze inbound emails for known malicious email attachments and links. Additionally, security tools should be capable of picking up on indicators for both known malware and zero-day threats.
5. Filtering and Blocking Suspicious Emails
“Filtering or blocking a phishing email before it reaches your users not only reduces the probability of a phishing incident; it also reduces the number of time users need to spend checking and reporting emails,” writes the NCSC. Today, organizations can purchase affordable and effective cloud-based phishing email filtering and blocking services for their email servers. Such a solution checks all incoming emails for spam, phishing, and malware and automatically filters or blocks suspected phishing emails before reaching the user. It is important to note that in most cases an application or service can not replace a hyper-vigilant human. This method should be used in conjunction with employee training, as phishing attempts can still make it through to employees and users if not caught by the filtering or blocking service.
6. Data Backup
You can protect your sensitive information by backing it up. However, while backing up data, it is essential to ensure that backups are not connected to the main home or corporate networks. That is to say that you can copy important files to an external storage device or cloud storage.
7. Manual Verification
Finally, if you are unsure if an email, call, or text came from a legitimate source, or you are not expecting to be contacted about something and you feel suspicious of the subject material, take necessary actions to verify that the person or entity contacting you is who they say they are, and that their intentions are pure. Asking the person contacting you, through another channel of communication, if they did indeed send you an email, call, or text can often thwart a phishing attempt where an attacker is masquerading as someone familiar to you. If the person has no knowledge of the conversation they initiated, you can be sure that you are being phished.
Phishing Simulation and Prevention by Pulsar Security
Pulsar Security’s phishing simulations measure the likelihood of successful attacks and their potential damage. Our phishing simulations consist of conducting a phishing attack against your users to calculate the chances they will fall into a phishing trap and determining the potential negative repercussions to an organization.
Our phishing simulations feature standard and advanced phishing warnings and signs to help employees and users to spot phishing attacks. Besides, part of the simulation involves encouraging your users’ willingness to report future incidents and reassure them that it is okay to ask for further support when something looks suspicious.
What do we measure in phishing simulations?
- How likely users are to fall victim to phishing attacks and to what degree
- What attackers can access when users fall victims
- Which users may be especially susceptible to phishing attacks
After gathering insights from the simulations, Pulsar Security helps organizations set up reliable defenses against phishing. Remarkably, the defenses include both technical measures and training users to spot phishing emails. Overall, Pulsar Security ensures that your business improves resilience against phishing attacks without disrupting the productivity of users and employees. Besides, the security measures ensure that an enterprise has multiple opportunities to detect and respond to a phishing attack before it causes damage. Also, Pulsar Security professionals acknowledge that some attacks might get through. In such cases, the team helps companies plan for incidents, respond to attacks, and minimize the impact.