Four Kinds of Phishing Attacks (and what to do about it)
A phishing attack is one of the most common types of cyber security threats. Phishing is the use of bait information to trick the recipient into opening, clicking on, or responding to a fraudulent email, phone call or message that is crafted to look legitimate. Commonly, phishing messages incorporate the branding and look-and-feel of household names, such as large banks, online services, or e-commerce sites. Phishing attacks use deception and manipulation to get the victim to give up confidential or private information, such as passwords or account details.
Unfortunately, phishing is such a large plague on businesses and users that there are now several distinct varieties of phishing attack. Here are the four most common types and what to do about them.
1. Spear phishing
Spear phishing, as the name implies, is a highly targeted attack on a single individual. This could be directed at someone with access to sensitive information or company financial systems. For instance, a phishing attack may target the payroll administrator at a company, since that person likely controls systems that can disburse large amounts of cash to a potential fraudster.
In a spear phishing attack, the perpetrator will often pose as a company executive with an urgent request to send funds to a third-party payee. The attacker will often research the social media background of both the person they are impersonating and the victim to increase the effectiveness of the scheme. The victims are often rank-and-file employees who have access to sensitive systems, such as online banking, payroll and accounting systems, and detailed employee records.
Spear phishing attacks are often very hard to detect and prevent. Because they are directed at a specific individual, they look legitimate to many of the technologies deployed to detect phishing. The surest defense against spear phishing is a highly trained workforce that embraces a security-minded culture, together with a checks-and-balances protocol for any financial transaction.
2. Extortion
Extortion attacks are nearly always after money from the victim. The attacker claims to have compromising information about the victim, such as search history, photos or videos, that they will release unless the victim pays an extortion fee. To lend credibility to the threat, the attacker will reference past passwords the victim has used, which are easy to harvest from fraud sites on the dark web.
3. Credential Harvesting
Credential harvesting attacks lure the victim into inadvertently revealing personal financial information or passwords. Commonly, the attacker will cloak their email in a trusted brand like Amazon and then rely on the habitual behavior of consumers and employees with online services. Nearly everyone has fallen prey, or nearly so, to one of these schemes. Often, we are hurried and careless when accessing online services and e-commerce sites. We are trying to save time online, and being hasty can lead to big problems.
When a victim gives up a username and password on a spoofed site, the attackers then commonly take over the person’s account, dig for further personal or financial information, and/or leverage their account for fraudulent e-commerce transactions. In other cases, the harvested information from the attack will be sold on the dark web to facilitate further attacks or identity theft schemes.
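The brand-cloaking described above leaves traces a mail filter can check for: a display name that invokes a brand the sender's domain does not belong to, a Reply-To that diverges from the From address, and links whose visible text names one domain while the href goes to another. The script below is an added example, not code from the original article or from Protek Support; the message it parses is constructed for the demo (all domains use the reserved .example suffix), and the BRAND_DOMAINS allow-list and the last-two-labels domain approximation are simplifying assumptions a real deployment would replace with a proper public suffix list.

```python
"""Flag brand-impersonation indicators in an email (added example, not the article's code)."""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small allow-list of brands and the domains they legitimately use.
BRAND_DOMAINS = {
    "amazon": {"amazon.com"},
    "paypal": {"paypal.com"},
}

# Matches a bare domain name inside link text, e.g. "www.amazon.com/verify".
DOMAIN_IN_TEXT = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def registrable_domain(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rpartition("@")[2])

    # 1. Display name mentions a brand but the sending domain is not that brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and sender_domain not in domains:
            findings.append(f"display name mentions {brand!r} but sender domain is {sender_domain}")

    # 2. Replies are steered to a different domain than the apparent sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and registrable_domain(reply_to.rpartition("@")[2]) != sender_domain:
        findings.append(f"Reply-To domain differs from From domain ({reply_to})")

    # 3. Link text claims one domain (or a brand) while the href goes elsewhere.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            href_domain = registrable_domain(urlparse(href).hostname or "")
            shown = DOMAIN_IN_TEXT.search(text.lower())
            if shown and registrable_domain(shown.group(0)) != href_domain:
                findings.append(f"link text shows {shown.group(0)} but href goes to {href_domain}")
            elif any(b in text.lower() and href_domain not in d for b, d in BRAND_DOMAINS.items()):
                findings.append(f"link text names a brand but href goes to {href_domain}")
    return findings


# Constructed sample message; every domain is a placeholder under .example.
RAW_MESSAGE = """\
From: "Amazon Customer Service" <alerts@mail-notify.example>
Reply-To: billing@other-mailer.example
To: victim@corp.example
Subject: Action required: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account is on hold.</p>
<p><a href="http://amazon.account-check.example/login">www.amazon.com/verify</a></p>
<p><a href="http://amazon.account-check.example/login">Sign in to Amazon</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_message(RAW_MESSAGE):
        print("-", finding)
```

Run against the sample, the checks produce four findings (impersonating display name, diverging Reply-To, and one for each link); a message from amazon.com whose links also go to amazon.com produces none. None of these checks is conclusive on its own, which is why they are reported as findings for a filter or analyst to weigh rather than as a verdict.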
4. Malware Phishing
Malware phishing attacks use email as a way of installing malware on the victim's machine. This is probably the oldest form of phishing, and many antivirus programs now filter malicious attachments out of email; occasionally, however, some still get through. Once the malware is installed, any number of problems can unfold: ransomware infection, keylogging or spying on the victim, or enrollment of the victim's machine in a botnet or a bitcoin mining farm.
With malware phishing, common file types like MS Word documents or PDF files are used as attachments, since those are more likely to make it through a filter. Sometimes the file type is spoofed to look like a common and harmless type while the file actually contains malware.
In other cases, common file types may contain dangerous macros that execute other malicious tasks on the user's machine, infecting it further or giving the attacker remote access. Users should refrain from ever opening an attachment they were not expecting, or one from a sender they don't know well or recognize.
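The two tricks in the last two paragraphs, a spoofed file type and a macro project hidden in an Office document, can both be caught by looking at the attachment's bytes rather than its name. The script below is an added example, not code from the original article or from Protek Support: it checks each attachment's leading bytes against its claimed extension, flags double extensions that end in an executable type, and opens OOXML packages to look for a VBA project. The signature table and extension list are deliberately small demo tables (an assumption), and the message and attachments are constructed inline.

```python
"""Inspect email attachments for spoofed types and embedded macros (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: a small table of file signatures -> extensions that legitimately carry them.
SIGNATURES = {
    b"%PDF": {"pdf"},
    b"PK\x03\x04": {"docx", "docm", "xlsx", "xlsm", "pptx", "pptm", "zip"},
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": {"doc", "xls", "ppt", "msg"},
    b"MZ": {"exe", "dll", "scr"},
}
EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "jar", "msi", "ps1"}


def inspect_attachment(filename, data):
    """Return a list of findings for one attachment's name and raw bytes."""
    findings = []
    exts = filename.lower().split(".")[1:]
    ext = exts[-1] if exts else ""

    # A harmless-looking name such as report.pdf.exe still ends in an executable type.
    if ext in EXECUTABLE_EXTS:
        if len(exts) >= 2:
            findings.append(f"double extension: .{exts[-2]}.{ext} hides an executable type")
        else:
            findings.append(f"executable attachment type .{ext}")

    # The leading bytes tell us what the file really is, whatever the name claims.
    detected = next((kinds for sig, kinds in SIGNATURES.items() if data.startswith(sig)), None)
    if detected is not None and ext not in detected:
        findings.append(f"content signature does not match .{ext}")

    # OOXML documents are zip packages; a VBA project inside means macros are present.
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            names = []
            findings.append("zip signature but archive is unreadable")
        if any(n.endswith("vbaproject.bin") for n in names):
            findings.append("Office package contains a VBA macro project")
    return findings


def inspect_message(raw_bytes):
    """Map each attachment filename in a raw message to its findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        report[name] = inspect_attachment(name, part.get_payload(decode=True) or b"")
    return report


def macro_enabled_doc():
    """Constructed minimal OOXML package that carries a (dummy) VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_sample_message():
    """Constructed message with four attachments: three suspicious, one clean."""
    msg = EmailMessage()
    msg["From"] = "accounts@mail.example"
    msg["To"] = "victim@corp.example"
    msg["Subject"] = "Outstanding invoice"
    msg.set_content("Please see the attached files.")
    samples = [
        ("invoice.docm", macro_enabled_doc()),          # macro-enabled document
        ("report.pdf.exe", b"MZ\x90\x00" + b"\x00" * 32),  # double extension
        ("statement.pdf", b"MZ\x90\x00" + b"\x00" * 32),   # executable named as a PDF
        ("agenda.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),  # genuine-looking PDF header
    ]
    for name, data in samples:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in inspect_message(build_sample_message()).items():
        print(name, "->", findings or "no findings")
```

A signature match only tells you the file is what it claims to be, not that it is safe; the macro check is the one that matters for Office documents, and a legacy OLE file (the .doc/.xls signature) needs an OLE parser for the same purpose, which this demo does not attempt.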
What can business leaders do about phishing attacks?
High priority should be given to cyber security awareness training for employees. Simulated phishing attacks are a great way to train employees on spotting and detecting common attack types. Moreover, regular and consistent cyber security awareness training should raise the general level of knowledge and awareness about the various risks and tactics cyber criminals are using every day.
Check out our blog on cyber security awareness training best practices or reach out to Michelle Lawson for a consultation on our IT Services in Utah to increase the level of phishing defense for your organization.
Eric is the owner and CEO of Protek Support and is a CISSP (Certified Information Systems Security Professional). He graduated from Utah State University with a Bachelor of Science degree in Business with an emphasis in Information Technology (IT). He is an IT Services expert in a variety of technology-related fields, including document management software and hardware, enterprise-level networking and VoIP phone systems, large-scale software implementation projects, and the setup of small business networks.