Phishing attacks are almost as old as the internet itself and are becoming more prevalent each day. Social engineering is at the heart of every phishing attack. The most common approach is to send out fraudulent emails designed to look like they come from a known person or a legitimate organization. They usually carry an air of urgency meant to push the recipient into clicking a link to a seemingly reputable website. Once there, the user can be tricked into handing over personal information such as account usernames, passwords or credit card numbers. Even if the target never enters anything, the page itself may profile the visitor's browser or serve malicious code.
With almost 4.5 billion internet users, the pool of potential phishing targets is enormous. What's more, phishing is no longer reserved for skilled coders and elite hackers. Phishing kits are inexpensive, readily available software bundles that offer out-of-the-box phishing campaigns to any would-be attacker with a little cash. These kits are deployed on short-lived servers and clone popular, well-trusted websites. The best defense against phishing is knowing how to spot an attack. Here are the six most popular types.
1. Deceptive Phishing
Deceptive phishing is a spray-and-pray technique: scammers impersonate a legitimate business and send out thousands of official-looking emails designed to steal personal and sensitive data. Scare tactics are often used to instill a sense of urgency, so that panicked users divulge sensitive data more readily. This makes less tech-savvy internet users particularly vulnerable to deceptive attacks.
A typical example is an email that appears to come from your bank, warning of suspicious activity on your account. The email instructs you to click a link and log in to fix the problem. The link leads to a fake website that mimics your bank's login page, and once you log in, your credentials are forwarded to the scammers, leaving you open to account takeover and identity theft. To protect yourself, be wary of generic salutations, spelling errors, and links whose visible text does not match their real destination (hover over a link, or inspect the address bar, before entering anything).
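To make the "spot the signs" advice concrete, here is an added Python example that is not part of the original article. It scans a raw email for the traits described above: link text that displays one domain while the href points to another, links whose domain does not match the sender's, a generic salutation, and urgency phrases. The two sample messages, the sender and link domains, and the keyword lists are all constructed assumptions for the demonstration.

```python
# Added example: heuristic scan of a raw email for deceptive-phishing traits.
# The sample messages, domains and keyword lists below are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

URGENCY = ("suspicious activity", "verify", "immediately", "suspended", "within 24 hours")
GENERIC = ("dear customer", "dear user", "dear member", "valued customer")
LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

PHISH = """From: "Example Bank" <alerts@examplebank.com>
To: you@example.net
Subject: Suspicious activity on your account
Content-Type: text/html; charset=utf-8

<p>Dear Customer,</p>
<p>We detected suspicious activity on your account. Verify your details
immediately at <a href="http://examplebank.com.account-verify.example/login">https://www.examplebank.com/login</a>
or your account will be suspended.</p>
"""

LEGIT = """From: "Example Bank" <statements@examplebank.com>
To: you@example.net
Subject: Your monthly statement
Content-Type: text/html; charset=utf-8

<p>Dear Jane,</p>
<p>Your statement is ready. Sign in as usual to
<a href="https://www.examplebank.com/statements">view your statement</a>.</p>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Last two labels of a hostname (no public-suffix list; enough for the demo)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def analyze(raw_message):
    """Return human-readable findings; an empty list means no red flags were seen."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registered_domain(sender.rpartition("@")[2])
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    findings = []

    parser = _LinkParser()
    parser.feed(body)
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        # Only compare when the visible text itself looks like a URL or domain.
        if LOOKS_LIKE_URL.match(text):
            shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registered_domain(shown_host) != registered_domain(href_host):
                findings.append(f"link text shows {shown_host} but points to {href_host}")
        if href_host and registered_domain(href_host) != sender_domain:
            findings.append(f"link to {href_host} does not match sender domain {sender_domain}")

    lower = body.lower()
    if any(phrase in lower for phrase in GENERIC):
        findings.append("generic salutation")
    hits = [phrase for phrase in URGENCY if phrase in lower]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings
```

Run `analyze(PHISH)` and the sample produces four findings, led by the mismatch between the displayed `www.examplebank.com` and the real `account-verify.example` destination; `analyze(LEGIT)` returns nothing. The sender-domain comparison is deliberately weak on its own, since the From header is trivially forged, which is why the link-destination check carries most of the weight.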
2. Spear Phishing
Deceptive attacks are mostly generic and relatively easy to detect. A more cunning variant relies on a personalized approach: this narrowly targeted attack is known as spear phishing. Spear phishing emails are customized with the victim's name, company, position, phone number, and any other personal information the attackers have managed to gather.
The ubiquity of social media has greatly increased the amount of personal information we make freely available online. Most people have a LinkedIn or Facebook profile full of details that are ideal for scammers to collect. By combining multiple online data sources, attackers can compose a highly customized email that carries an air of legitimacy.
3. CEO Fraud
Spear phishing is not limited to rank-and-file employees. The most audacious attacks target the very top of the organization. Phishing aimed at CEOs and other C-level executives is also known as 'whaling', since it goes after big prey. The most damaging form is CEO fraud: scammers either take over the executive's mailbox, typically by stealing the login credentials through spear phishing, or simply spoof it with a lookalike sender address. Either way, messages that appear to come from the CEO (or another high-ranking official) are then used to order wire transfers of large sums of money.
Another tactic is the W-2 phishing attack, in which the scammers, masquerading as the CEO, demand W-2 information for all employees. They can then use this data to file fraudulent tax returns, sell it on the dark web, or put it to some other malicious use. W-2 attacks are extremely effective because employees are usually eager to please their boss and respond to requests quickly and without much scrutiny. It is therefore crucial to require an out-of-band channel, such as a call back to a number already on file, to authorize every financial transaction, so that a payment can never be approved on the strength of an email alone.
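As an added example that is not part of the original article, the following Python checks an inbound message for the hallmarks of CEO fraud described above: a display name that matches an executive while the address does not, a sender domain that is a lookalike of the company's own (for instance 'rn' standing in for 'm', or a digit for a letter), and a Reply-To that silently reroutes the conversation. The executive directory, the company domain, the homoglyph table, the two-edit threshold and the sample messages are all assumptions made for the demonstration.

```python
# Added example: flag signs of executive impersonation in an inbound message.
# The directory, company domain, homoglyph table, threshold and samples are assumptions.
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}       # constructed directory
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

BEC = """From: "Jane Doe" <jane.doe@exarnple.com>
Reply-To: jane.doe@exarnple-ceo.example
To: payroll@example.com
Subject: Urgent wire transfer

Can you process a wire today? I am in meetings all day, so email only.
"""

LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: payroll@example.com
Subject: Quarterly numbers

Please send me the Q3 summary when you have it.
"""


def normalize(domain):
    """Fold common substitutions so 'exarnp1e.com' reads as 'example.com'."""
    folded = domain.lower().translate(HOMOGLYPHS)
    return folded.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True when an external domain is close enough to ours to fool a reader."""
    if domain == OUR_DOMAIN:
        return False
    folded = normalize(domain)
    return folded == OUR_DOMAIN or edit_distance(folded, OUR_DOMAIN) <= 2


def check_sender(raw_message):
    """Return findings about the From/Reply-To headers; empty list means nothing odd."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' matches an executive but address is {addr}")
    if is_lookalike(domain):
        findings.append(f"sender domain {domain} is a lookalike of {OUR_DOMAIN}")
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"Reply-To {reply_to} routes replies away from {domain}")
    return findings
```

`check_sender(BEC)` raises all three flags; `check_sender(LEGIT)` raises none. In practice a mail gateway would act on these by tagging the message as external and stripping the display name, and the finance process would still require the out-of-band confirmation described above, because a genuinely compromised mailbox passes every one of these header checks.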
4. Vishing
Email is undoubtedly the weapon of choice for many scammers, but it is far from the only one. A study carried out by the Open University noted that the number of VoIP (voice over Internet Protocol) attacks is on the rise. These attacks, known as vishing, use VoIP services that make it cheap to place calls in bulk and to display the caller ID of legitimate businesses or even government agencies, all in order to steal funds or sensitive data. One phone call is all it takes to trick an unsuspecting target.
Phone scams have become so prevalent that they have made the IRS "dirty dozen" list of the most common tax scams in America. Caller ID is not proof of anything: a call can display your bank's number and still come from a scammer. US law enforcement took down the largest phone scam in the country in July of 2018, with 21 people receiving prison sentences ranging from four to twenty years. A common misconception is that caller ID apps can prevent vishing; attackers find ways around them. Best practice is never to give out personal information on an inbound call or in reply to an SMS. Hang up and call the organization back on a number you already have, such as the one printed on your card.
5. Pharming
The average internet user is becoming warier of traditional phishing, so some fraudsters turn to techniques that do not rely on bait at all. Pharming is an attack that poisons the domain name system (DNS) resolution a user or company relies on, either by corrupting a resolver's cache or by altering the victim machine's local hosts file. DNS normally translates a domain name such as amazon.com into the numeric IP address of the real server; a poisoned answer maps that same name to an address the attacker controls. Visitors who type the correct address are then silently rerouted to a malicious clone of the site.
These sites can harvest the victim's sensitive and confidential information or install malware without the visitor noticing. The main targets for pharming are companies in the financial sector such as banks and online payment services. Pharming is particularly dangerous because it dupes both the target and their computer: nothing suspicious was ever clicked. The best defense is to train employees to enter login information only on HTTPS-protected sites and never to click through a certificate warning, because the attacker's server cannot present a valid certificate for the real domain and the browser's warning is often the only sign that the site is fake. Using a resolver that validates DNSSEC adds a further layer of protection against poisoned answers.
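The following added Python example, which is not part of the original article, shows the local form of pharming at the level of the lookup itself: a hosts-file entry is consulted before DNS, so a single poisoned line sends the correctly typed name to the attacker's address, and an audit that compares pinned entries against what the resolver would have answered catches it. The watched-domain list, the sample hosts file, the stand-in DNS table and all addresses are constructed for illustration.

```python
# Added example: hosts-file audit plus a mock of the lookup order that lets a
# pharmed entry win over DNS. The watched list, sample hosts file and the
# stand-in DNS table are all constructed for illustration.
import ipaddress

WATCHED = ("examplebank.com", "amazon.com", "paypal.com")   # assumed sensitive domains

SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.example.com
203.0.113.10    www.examplebank.com examplebank.com   # pharming override
"""

# Stand-in for what the real resolver would answer (constructed).
DNS_ANSWERS = {"www.examplebank.com": "198.51.100.20"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield ip, host.lower().rstrip(".")


def resolve(host, hosts_text, dns_answers):
    """Mimic the usual order: the local hosts file is consulted before DNS."""
    host = host.lower().rstrip(".")
    for ip, name in parse_hosts(hosts_text):
        if name == host:
            return str(ip), "hosts"
    return dns_answers.get(host), "dns"


def matches_watched(host):
    return any(host == d or host.endswith("." + d) for d in WATCHED)


def audit_hosts(text, dns_answers):
    """Report every watched domain pinned in the hosts file, alongside what DNS
    would have answered. Any such pin bypasses DNS entirely; one that disagrees
    with the resolver is the classic local-pharming signature."""
    report = []
    for ip, name in parse_hosts(text):
        if matches_watched(name):
            report.append((name, str(ip), dns_answers.get(name)))
    return report


if __name__ == "__main__":
    print(resolve("www.examplebank.com", SAMPLE_HOSTS, DNS_ANSWERS))
    for entry in audit_hosts(SAMPLE_HOSTS, DNS_ANSWERS):
        print("suspicious:", entry)
```

With the sample file, `resolve("www.examplebank.com", ...)` returns the attacker's 203.0.113.10 from the hosts file while DNS would have said 198.51.100.20, and the audit lists both pinned bank names. The same comparison works against a poisoned resolver cache if the second opinion comes from an independent, DNSSEC-validating resolver rather than a hosts file; in either case the attacker at 203.0.113.10 still cannot present a valid certificate for the bank's name, which is what makes the HTTPS advice above effective.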