Today, pretty much everybody has heard of phishing and most people have a basic understanding that it is the use of fake messages to con people into carrying out certain actions or giving up important information. While that is essentially true, in reality, phishing is really an umbrella term for a wide range of different techniques that cybercriminals use to attack businesses and individuals. In this post, we take a detailed look at the most common phishing techniques and explain how to avoid becoming a victim.
Social engineering attacks
Before looking at specific types of phishing, it is important to note that all phishing attacks are what are known as social engineering. While many forms of cyberattack use technology to steal data or infect systems, social engineering uses psychology to get people to give away their login credentials, bank details and personal data or click on malicious links.
In order to get people to do their bidding, cybercriminals exploit our fear, sense of urgency, desires, curiosity and trust. Seeing these as areas of psychological weakness, they send messages that look like they come from organisations or people we know, use language that makes us trust them, offer us what we want (e.g. money or love), pique our interest or make us scared (e.g. your account will expire in 24 hours). Human nature makes people susceptible to these ploys and that is why phishing is a highly successful method of cyberattack.
Email phishing, spear phishing and whaling
While phishing can be done via channels like text messaging, social media and even over the telephone, the most common form, and the one most people are familiar with, is email phishing. Also known as bulk phishing, cybercriminals send hundreds of thousands of emails to random addresses in the hope that a small number of people will fall for them. These can include emails pretending to come from businesses, some of which recipients will be familiar with, as well as from unknown people or companies. The number of ploys they use is vast and includes everything from ‘There’s a problem with your account, please log in to verify’ and ‘Click here to track your delivery’ to ‘I saw your profile on social media and thought you were attractive’ and ‘You may be the beneficiary of a $1,000,000 will.’
If bulk phishing is a little like fishing with a giant net, spear phishing, as the name implies, is far more targeted. Here, cybercriminals have a specific goal in mind, such as stealing data or login credentials, and will target individuals within a company who they see as being best placed to deliver their goals. Before conducting the attacks, they will research the company to find who the key individuals are. This information is easily found on company websites or through sites like LinkedIn where people list their roles, responsibilities and even their boss and colleagues’ names. Email addresses, meanwhile, even if not published, can easily be guessed once the person’s name and the company’s email address format are known. With all this research, cybercriminals can send highly convincing emails purporting to come from their superiors, for example:
Hi Sarah,
ABC Ltd have just sent me their new bank account details, can you update these before making the next payment? Also, I promised them we would make the payment today, so please make sure this goes ahead promptly.
Whaling is a form of spear phishing and as the name suggests, is aimed at the big fish within a company, such as directors, senior executives and board members. It is also referred to as CEO fraud or Business Email Compromise (BEC).
Smishing, vishing and angler phishing
As mentioned above, email is not the only channel through which phishing is carried out. Smishing, where cybercriminals use text messages, is increasingly common. Typical ploys include ‘We were unable to deliver your parcel, click here to rearrange,’ ‘Your account has been compromised, please click to change password’ and ‘We were unable to pay your direct debit, please log in to see details.’
Voice phishing or vishing is potentially far more pernicious as it often involves targeting individuals and the use of experienced telephone fraudsters. For example, if a cybercriminal knows which internet company you are with, they can pose as employees of that company and offer you enticing new deals. Of course, that will involve you giving your payment information to set up the new service. Scammers often take people through fake security checks, asking security questions so they can use the answers themselves. These attacks frequently see people being passed to another ‘advisor’ who will go through security again, asking more questions, to extract even more details. If you are asked to give 2 digits from a PIN by one advisor and another 2 by a second advisor, the scammers may have your entire PIN. The easy way to avoid these scams is to take the caller’s name and then ring the company yourself using the number listed on the official website.
Angler phishing uses social media to carry out phishing attacks. Here, cybercriminals might send direct messages or respond to social media comments, pretending to be a company representative.
Clone phishing
This is a common form of targeted phishing and is sometimes the result of a data breach where a company’s customers’ names and contact details are sold on the dark web. If cybercriminals have access to previous emails from that company they can clone them and send them to the people on the data breach list. As the emails look exactly like the usual emails from that company and even have spoofed addresses, customers can be easily fooled into believing they are genuine. What makes these emails dangerous is that the links in them are often malicious – some may download malware while others link to cloned websites that steal login information.
Website phishing
There are two main types of website phishing, pharming and search engine phishing. To carry out pharming, hackers first need to compromise a company website by redirecting users to a different site – something which requires them to have access to the website’s DNS settings. Using this method, anyone who sets out to visit the genuine website is automatically redirected to a cloned site, often with a similar domain name. Those who log in will give their login credentials away, while those who make a purchase will find that they are paying the cybercriminals and that no goods ever arrive. The business, meanwhile, loses sales and has its reputation significantly damaged. To prevent this from happening, businesses should limit access to their admin account, have two-factor authentication in place and register domain names that are similar to that of their website.
Search engine phishing, on the other hand, is when cybercriminals build professional-looking websites simply designed to defraud visitors, such as fake online stores. These will use SEO techniques to boost search engine ranking while promising visitors deals that are too tempting to ignore. The outcome is exactly the same as pharming.
Watering hole attacks
A clever and unexpected form of phishing, watering hole attacks are designed to trick people belonging to a particular group or with a particular interest. This is done by compromising the websites these people visit. For example, a cybercriminal who joins an online forum discussing IT issues is likely to have plenty of opportunity to read about problems people are having with their systems. Posing as a friendly forum expert, the cybercriminal could post links to supposedly helpful information which actually download malware onto other users’ devices. Watering hole attacks are also carried out on websites offering links to free software, movie, gaming, image and music downloads.
Preventing phishing
There are a wide range of things businesses and individuals can do to prevent becoming a victim of phishing. The first, and most important, is to familiarise yourself and your employees with the different forms of phishing that take place and what to look out for. Sometimes, this is just common sense – if a deal seems too good to be true, it probably isn’t genuine; if your email account has been suspended, how come you received an email telling you that?
Other solutions include:
- Check that the email address in the ‘From’ field is from the actual company domain.
- Hover the cursor over email links to see if they point to a company’s genuine website.
- Be suspicious about personalised emails that use your email address as your name, have odd-looking logos or contain badly written English.
- Avoid clicking email links, always visit websites via a web search.
- Never log in via an email link, always visit the website via a browser.
- Don’t post too much information about your role and colleagues on LinkedIn or other social media platforms.
- If you receive an unsolicited call from a company, ring them back using the number on the website. Do not give away any login/security credentials or personal information.
- Always check the URL of a website to ensure you haven’t been redirected.
- Use two-factor authentication for your accounts.
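Three of the checks above (the ‘From’ domain, where a link really points, and whether the visible link text matches the real destination) can be automated. The following is an added example, not code from the original post or from any product it mentions; it runs over a constructed sample message and flags links whose host is not under the sender’s domain, including the deceptive-subdomain and lookalike-domain tricks described under website phishing. The domain comparison uses only the last two labels of a hostname (no public-suffix list), which is an assumption that is good enough for this illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not from the original post): a deceptive subdomain link,
# a lookalike-domain link whose visible text is the genuine site, and one genuine link.
SAMPLE_EMAIL = """\
From: "Acme Support" <support@acme-example.com>
Subject: There's a problem with your account
Content-Type: text/html

<p>Please <a href="http://acme-example.com.login-verify.example/">log in to verify</a>.</p>
<p>Or visit <a href="https://acme-examp1e.com/account">https://www.acme-example.com/account</a></p>
<p>Help centre: <a href="https://help.acme-example.com/">help.acme-example.com</a></p>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    return ".".join(host.lower().split(".")[-2:])  # last two labels only; no public-suffix list

def check_links(raw):
    """Return (href, reason) for each link failing the From-domain or visible-text check."""
    msg = message_from_string(raw)
    sender = re.search(r"@([\w.-]+)", msg["From"]).group(1)
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registrable(host) != registrable(sender):
            findings.append((href, f"host {host} is not under sender domain {sender}"))
        shown = re.match(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", text)  # text that looks like a URL
        if shown and registrable(shown.group(1)) != registrable(host):
            findings.append((href, f"text shows {shown.group(1)} but link goes to {host}"))
    return findings
```

On the sample, the first two links are reported (the lookalike one twice, once for the domain and once for the mismatched visible text) and the genuine help-centre link passes.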
Finally, as the majority of phishing attacks are done by email, making use of a sophisticated spam filter, like SpamExperts, can prevent up to 99.98% of phishing emails from reaching your inbox.
Conclusion
Phishing is a highly sophisticated form of cybercrime that uses a variety of social engineering techniques to attack people and businesses. Moreover, it is also highly prevalent, with over 83% of companies facing phishing attacks in 2021. Hopefully, from reading this article, you’ll have a more detailed understanding of the different types of phishing attacks and how to avoid them.
Looking for an effective way to cut spam, malware and phishing emails from your inbox? Learn more about SpamExperts.