Phishing attacks are one of the biggest and most common cybersecurity challenges companies and individuals face. Phishing is an online con run by identity thieves and fraudsters who use email, malicious websites, spam and instant messages to trick people into sharing valuable data. Credit card numbers, banking details, usernames and passwords are just some of the information phishers seek to exploit.
Businesses are often the primary targets of email phishing scams. Whether you run a small bakery in Wisconsin or an SEO consultancy in Hong Kong, phishing poses a significant threat to your organization's security. Familiarize yourself with the common phishing techniques so you can recognize and resist them.
What are the Types of Phishing?
Phishing is not limited to tricking you into buying an overpriced coffee or investing in a fraudulent company. It uses several distinct techniques to get valuable information from you.
Deceptive Phishing
This is the most common type of phishing scam. Phishers impersonate legitimate businesses in an attempt to steal an individual's or a business's login credentials or personal data. These emails typically combine threats with a sense of urgency to pressure users into giving out valuable information.
Some techniques used in deceptive phishing include:
- Shortened links and redirects. To avoid alarming the recipient, and to hide the destination from filters that inspect the message at delivery time, phishers use shortened URLs that redirect to a fraudulent landing page. Once victims have entered their credentials, they are often redirected to the legitimate website so nothing looks amiss.
- Legitimate links. Attackers dodge email filters by mixing links to the impersonated brand's real website into the message, so that most of the domains in the email have a good reputation.
- Blending benign and malicious code. Mixing legitimate and malicious content in the email's HTML is a technique reported to get past Exchange Online Protection (EOP).
- Minimal email content. Attackers keep the text of the email to a minimum so that content-based filters have little to inspect.
Deceptive Phishing Defense 101
The success of a deceptive phishing attack depends on how closely the email resembles genuine correspondence from the business it impersonates. Users should therefore inspect URLs carefully before clicking: hover over the link (or check the underlying href) to see whether it leads to a suspicious or unknown website rather than the site the link text shows. Also look out for grammar mistakes, spelling errors and generic salutations such as "Dear Customer" throughout the email.
Spear Phishing
Spear phishing is a ruse that relies on a personal touch. Attackers customize their emails with the victim's name, company, position, phone number and other personal details so that the recipient believes the sender is trustworthy. The goal is the same as in deceptive phishing: get the victim to open a malicious attachment or link and hand over their information.
Some common techniques involved in spear phishing are:
- Token compromise. Rather than going after passwords, many attackers try to steal session tokens or API tokens. A stolen token grants access to the mailbox without the password and, in many configurations, without triggering a multi-factor prompt.
- Malicious documents on cloud services. A report from CSO Online noted that more phishers are hosting their malicious files on Google Drive, Box, Dropbox and other cloud services. IT is unlikely to block these services outright, so a link to a file hosted there often passes the reputation checks that would catch an attacker-owned domain.
- Social media reconnaissance. Phishers use social media profiles to map a company's structure, reporting lines and staff roles before writing the email.
Spear Phishing Defense 101
Protect yourself against this type of scam by conducting regular employee security awareness training, and continuously discourage users from publishing sensitive corporate or personal information on social media. Businesses should also invest in solutions that scan incoming email for malicious attachments and links.
Whaling
Also known as "CEO fraud," whaling is phishing aimed at the executives of an organization. Fraudsters target CEOs and other senior staff to steal their login credentials.
CEO fraud usually begins with a successful spear phishing attempt against the executive. The second phase is a business email compromise (BEC) scam: the attackers use the CEO's compromised email account to instruct staff to authorize wire transfers to accounts the attackers control.
Some common techniques used in whaling include:
- Network infiltration. A genuinely compromised executive account is more effective than a spoofed sender address, because its messages come from the company's own mail system and sit in existing conversation threads. Phishers use the account to push malware, including rootkits, into the organization's network.
- Supply chain attack. Attackers also use the information and access gained to target the business's vendors and suppliers.
Whaling Phishing Defense 101
Whaling attacks work when senior executives do not take cybersecurity seriously. To counter CEO fraud, require security awareness training for all employees, executives included. Businesses should also build a second, out-of-band factor into their financial authorization process (for example, a callback to a phone number already on file, or approval in a separate system protected by multi-factor authentication) so that no one can validate a payment via email alone.
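The payment-authorization rule above can be written down as a policy check that finance tooling enforces. The following Python script is an added example, not code from the original article: the channel names, the dual-control threshold, the vendor-list flag and the two wire requests are all assumptions constructed for illustration. The first scenario is the CEO-fraud pattern described above (a request from the CEO's mailbox, "approved" by the CFO in an email reply); the second is the same request with approvals that arrive over channels an attacker holding only the mailbox cannot control.

```python
from dataclasses import dataclass, field

# Assumptions for the demo: which channels count as out-of-band, and the dual-control threshold.
OUT_OF_BAND_CHANNELS = {"phone_callback", "hardware_token", "approval_portal_mfa"}
DUAL_CONTROL_THRESHOLD = 10_000


@dataclass
class Approval:
    approver: str
    channel: str  # "email", "phone_callback", "hardware_token", "approval_portal_mfa", ...


@dataclass
class WireRequest:
    requester: str           # whoever asked for the payment, e.g. the (possibly compromised) CEO account
    amount: float
    beneficiary_account: str
    known_beneficiary: bool  # True if the account is already on the verified vendor list
    approvals: list = field(default_factory=list)


def evaluate(req):
    """Return (approved, reasons). Any failed rule blocks release and is listed in reasons."""
    reasons = []
    channels = {a.channel for a in req.approvals}
    approvers = {a.approver for a in req.approvals}
    if not req.approvals:
        reasons.append("no approvals recorded")
    elif not channels & OUT_OF_BAND_CHANNELS:
        reasons.append("no approval arrived over an out-of-band channel; email alone is not sufficient")
    if req.requester in approvers:
        reasons.append("requester cannot approve their own transfer")
    if req.amount > DUAL_CONTROL_THRESHOLD and len(approvers - {req.requester}) < 2:
        reasons.append("amount exceeds dual-control threshold; two distinct approvers required")
    if not req.known_beneficiary and "phone_callback" not in channels:
        reasons.append("new beneficiary account needs callback verification on a number already on file")
    return (not reasons, reasons)


# Constructed scenario 1: classic CEO fraud. The "CEO" mailbox asks for an urgent wire to a new
# account and the CFO replies "approved" by email. Nothing here proves a human executive is behind it.
ceo_fraud = WireRequest(
    requester="ceo@example.com", amount=48_000, beneficiary_account="DE89370400440532013000",
    known_beneficiary=False, approvals=[Approval("cfo@example.com", "email")])

# Constructed scenario 2: the same request once the process has done its job. The CFO approves in
# the MFA-protected portal and the controller confirms the new account by calling the vendor back.
verified = WireRequest(
    requester="ceo@example.com", amount=48_000, beneficiary_account="DE89370400440532013000",
    known_beneficiary=False,
    approvals=[Approval("cfo@example.com", "approval_portal_mfa"),
               Approval("controller@example.com", "phone_callback")])

if __name__ == "__main__":
    for name, req in (("ceo_fraud", ceo_fraud), ("verified", verified)):
        ok, why = evaluate(req)
        print(name, "->", "RELEASE" if ok else "HOLD", why)
```

The point of the design is that every rule fails closed and the reasons are returned together, so the person handling the transfer sees at once that an emailed "approved" from the CFO is worth nothing by itself, that a new beneficiary needs a callback, and that the amount needs a second approver. Real systems would also log who attempted the release and alert on repeated holds for the same beneficiary.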
Information is power, and it can protect you from common phishing attacks. Stay informed about the techniques phishers use so you can protect your business from them.