Phishing attacks are increasing year over year as attackers invent new ways of targeting their victims. Forward-looking organizations are now tightening their corporate cybersecurity controls to seal the loopholes and keep the bad guys at bay.
Proofpoint research published in 2020 found that 75% of organizations worldwide experienced some form of phishing attack. Strikingly, 74% of the attacks that targeted US businesses were successful. A phishing attack occurs when an attacker uses an email, text message, advert, or even a phone call to impersonate someone the victim trusts and get the victim to take a specific action.
Often, the attackers trick unsuspecting people into believing they are who they claim to be, win their trust, and then leverage that trust to push their malicious agenda. For instance, an attacker could send you an email posing as a colleague and ask for a favor that may at first seem risky or even suspicious. Still, after giving it the benefit of the doubt, you may conclude that the requested "favor" is reasonable and doable.
The attacker may ask for your login credentials to the company portal or database to "check something urgent", the excuse being that their own account, email, or login details have a technical problem at the moment. If you do not verify the request through a separate channel (for example, by phoning the colleague on a number you already have rather than one given in the email), you could easily fall victim to a phishing scam.
Now that you know what a phishing attack is, below are the five most prevalent types to watch out for:
1. Business Email Compromise
Business Email Compromise (BEC), also known as CEO fraud, is a common phishing scam in which the attacker pretends to be a top-level manager or C-suite executive and asks a junior employee for a favor, typically an urgent wire transfer, a gift-card purchase, or sensitive data. If the targeted employees fail to double-check the sender address, the Reply-To address, the email's signature or signing certificate, and even the formatting of the message itself, they could easily expose the entire organization to serious risk. A familiar display name on an unfamiliar address, a look-alike domain, and a Reply-To that differs from the sender are the usual tells.
2. Clone Phishing
Clone phishing happens when the attacker has a copy of a genuine email or text the victim already received and sends them a near-identical replica of it. Inside the new message, the genuine links and attachments are replaced with malicious ones. To trick the victim into opening the cloned message, the attacker will often claim to be resending the previous email because the earlier attachment or linked content has been corrected. To avoid clone phishing, always compare the sender address with the one on the original message, and check where each link actually points (hover over it, or view the message source) to confirm it still goes to the original domain before taking any action.
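The checks described for BEC (section 1) and clone phishing (above) can be automated at the mail gateway or in a triage script. The following is an added example, not code from the original article: it uses Python's standard `email` module to flag display-name impersonation, a Reply-To that differs from the sender, an internal sender that failed SPF/DKIM, and a look-alike domain, and it diffs the link hosts between an original message and a "corrected" resend. The corporate domain `example.com`, the executive directory, the look-alike heuristic, and the four raw messages are all constructed for illustration.

```python
"""Header and link checks for BEC and clone-phishing triage (added example).

The corporate domain, the executive directory and the messages below are
constructed for illustration; the look-alike-domain rule is a heuristic.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

CORP_DOMAIN = "example.com"                        # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed directory: name -> real address
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)


def _parse(raw: str):
    return email.message_from_string(raw, policy=policy.default)


def bec_indicators(raw: str) -> list[str]:
    """Return BEC warning strings for one raw RFC 5322 message (empty list = clean)."""
    msg = _parse(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]

    # 1. Display-name spoofing: a known executive's name on an address that is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        findings.append(f"display-name impersonation: '{name}' <{addr}>")

    # 2. Reply-To hijack: replies go somewhere other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"reply-to mismatch: {addr} -> {reply_to.lower()}")

    # 3. Spoofed internal sender: claims our domain, but the gateway recorded an SPF/DKIM failure.
    auth = msg.get("Authentication-Results", "").lower()
    if domain == CORP_DOMAIN and ("spf=fail" in auth or "dkim=fail" in auth):
        findings.append("internal sender failed SPF/DKIM")

    # 4. Look-alike domain (heuristic): the first label starts with our company name
    #    but the domain is not ours, e.g. example-com.net or example.com.evil.net.
    corp_label = CORP_DOMAIN.split(".")[0]
    if domain != CORP_DOMAIN and domain.split(".")[0].startswith(corp_label):
        findings.append(f"look-alike domain: {domain}")
    return findings


def link_hosts(raw: str) -> set[str]:
    """Hostnames of every href in the message's HTML (or plain-text) body."""
    body = _parse(raw).get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return {urlparse(u).hostname or "" for u in HREF_RE.findall(text)}


def swapped_link_hosts(original_raw: str, resend_raw: str) -> set[str]:
    """Clone-phishing check: hosts linked from the 'resent' copy that the original never linked."""
    return link_hosts(resend_raw) - link_hosts(original_raw)


# Constructed sample messages (not real mail).
BEC = """From: Jane Doe <jane.doe@gmail.example>
Reply-To: jane.doe.ceo@gmail.example
To: bob@example.com
Subject: Urgent favor
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.example

Bob, I'm stuck in a meeting and locked out of the portal. Send me your login so I can check something. Jane
"""

SPOOFED = """From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Wire transfer
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none

Please wire the attached invoice today. Jane
"""

ORIGINAL = """From: IT Helpdesk <helpdesk@example.com>
To: bob@example.com
Subject: Expense policy update
Content-Type: text/html

<p>The updated policy is at <a href="https://intranet.example.com/policy.pdf">the intranet</a>.</p>
"""

RESEND = """From: IT Helpdesk <helpdesk@example-com.net>
To: bob@example.com
Subject: Re: Expense policy update (corrected link)
Content-Type: text/html

<p>Resending with the corrected link: <a href="https://intranet.example-com.net/policy.pdf">the intranet</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("BEC", BEC), ("SPOOFED", SPOOFED), ("RESEND", RESEND)):
        print(label, bec_indicators(raw))
    print("swapped link hosts:", swapped_link_hosts(ORIGINAL, RESEND))
```

The Authentication-Results check only means something if your gateway is the one writing that header and you strip any copy that arrives from outside; an attacker can add a forged `spf=pass` header as easily as any other. The look-alike rule is deliberately simple and will miss homoglyph domains, so treat these as triage signals that route a message to a human, not as a verdict.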
3. Vishing
Vishing is the name given to phishing scams that occur over voice calls. Most vishing calls come from people pretending to be someone from your bank, a senior colleague working from a sister branch, a representative from the IRS, and so on.
Often, the attacker will use automated calls (robocalls) that route anyone who answers through to a live attacker. Some use mobile apps or VoIP services to hide or spoof their identity, for example the caller ID number or their apparent location, so a familiar-looking number on the display proves nothing.
And while most of these attackers will try hard to trick their victims into handing over personal data such as bank details or credit card information, some use more patient social engineering to get the victims to take specific actions. For instance, the attacker may first call only to build rapport, presenting a fake identity and asking for nothing yet. They will then become closer and friendlier over several calls before revealing their real intentions.
4. Spear Phishing
This type of phishing targets specific individuals. The attackers usually already have enough background information about the victim, and they use it in social engineering tactics that lure the victim into a trap. For instance, they may craft a customized email that the recipient is unlikely to ignore, built from what the attacker learned by monitoring the victim's social media accounts: when they are online, what their interests are, their major life events, and so on.
Most spear phishing emails aim to steal specific data from the target or to install malware on the victim's computer, giving the attacker a foothold on the network and access to privileged information. Anti-phishing filtering and attachment sandboxing help, but these messages are crafted to look legitimate rather than like bulk spam, so the rule of thumb is to stay vigilant and never act on instructions from unofficial contacts without verifying them through a channel you already trust.
5. Evil Twin
An evil twin is a phishing attack in which the victim joins a malicious Wi-Fi network created by the attacker. The name refers to the attacker setting up an access point that mimics the genuine one, including an identical SSID and even the same password. Once victims connect to the rogue network, the attacker sits in the path of their traffic and can eavesdrop on it, capture passwords and account names sent over unencrypted protocols, and observe which sites and attachments the users access while connected. Evil twin attacks often occur in shared Wi-Fi zones such as coffee shops, restaurants, malls, and conference halls. One mitigation is to run a reliable VPN on all company devices so that traffic stays encrypted even on a malicious network. Note that TLS (HTTPS) already protects most web traffic on its own, so the VPN mainly closes the gap for plaintext protocols, DNS lookups, and the metadata of which hosts are contacted; users should also be trained never to enter corporate credentials into a captive portal.
With the rapid adoption of digital transformation initiatives and the sudden shift to remote working, cyber risk is now a major concern for small businesses and major corporations alike. Investing in cybersecurity tools is essential, but it is not a silver bullet. Instead, you want your organization to stay aware of current threat trends, spread awareness among employees, and conduct regular security workshops to help keep the company safe from attackers and ensure compliance. To learn about phishing and pharming, and all the differences and similarities between them, follow this article.