![Phishing attacks are a form of attack carried out via email, text messages, phone calls, or websites.](https://info.scramble.cloud/wp-content/uploads/2024/03/1900x1080-1024x576.png)
What is Phishing?
Phishing attacks are a form of fraudulent attacks conducted via emails, text messages, phone calls, or websites. Their goal is to deceive individuals into downloading malware, disclosing confidential information, or taking other actions that expose themselves or their company to cybercrime.
Successful phishing attacks can lead to identity theft, credit card fraud, ransomware attacks, data breaches, and significant financial losses for individuals and businesses.
Social Engineering
Phishing is a common method of social engineering. Its primary aim is to deceive people into disclosing information or assets to the attackers. Attackers exploit human fallibility and pressure tactics to be successful. They often impersonate trusted individuals or organizations, such as colleagues, superiors, or companies with whom the victim does business. They create a sense of urgency that prompts victims to take hasty actions. Hackers prefer this method because it is easier and more cost-effective to deceive people than to breach computer systems.
According to the FBI, phishing emails are the preferred attack vector for hackers to spread ransomware to individuals and businesses. According to an IBM report on the costs of data breaches, phishing is the fourth most common and second most expensive cause of data breaches, resulting in average losses of $4.65 million per company.
The most common types of phishing attacks
Mass phishing emails:
Mass phishing emails are the most common form of phishing attacks. In this type of attack, a scammer creates an email message that appears to come from a large, well-known, and reputable company or organization – whether it's a national or global bank, a major online retailer, the manufacturer of a popular software application or app – and sends this message to millions of recipients. Mass phishing via email is a numbers game: the larger or more well-known the alleged sender, the more likely recipients are to be customers, subscribers, or members.
The phishing email addresses a topic that could appear credible and targets strong emotions such as fear, greed, curiosity, a sense of urgency, or time pressure to grab the recipient's attention. Typical subject lines could include: "Please update your user profile", "Issue with your order", "Your completion documents are ready for signature", "Your invoice is attached".
In the main body of the email, the recipient is prompted to take an action that may seem reasonable and relevant to the topic, but ultimately leads the recipient to disclose sensitive data such as social security numbers, bank account numbers, credit card numbers, login credentials, or download a file that infects the recipient's device or network. For example, the recipient may be asked to "click on this link to update your profile", but the link leads to a fake website where they enter their actual login credentials while believing they are updating their profile. Or they may be asked to open an attachment that appears legitimate, but actually transfers malware or malicious code to the recipient's device or network.
Spear-phishing emails:
Spear phishing is a phishing attack that targets a specific individual – typically someone with privileged access to sensitive data or network resources, or with special permissions that the attacker can exploit for fraudulent or malicious purposes.
A spear phisher conducts research on the target individual to gather information necessary to impersonate a person or organization that the target actually trusts – whether it's a friend, a superior, a colleague, an employee, or a trusted provider or financial institution – or to impersonate the target individual themselves. Social media platforms and social networks are a rich source of spear phishing research, as they often reveal public information about employees, recommendations for colleagues and suppliers, as well as details about meetings, events, or travel plans.
With this information, the spear phisher can craft a message containing specific personal or financial data and a credible request to the target individual.
SMS phishing
SMS phishing, or smishing, refers to phishing conducted through text messages sent from mobile phones or smartphones. The most effective smishing methods are context-dependent, meaning they relate to smartphone account management or apps. For example, recipients may receive a text message offering a gift as a "thank you" for paying a mobile phone bill, or they may be prompted to update their credit card information to continue using a streaming service.
Voice phishing
Voice phishing, or vishing, is phishing conducted via telephone calls. Thanks to Voice-over-IP (VoIP) technology, scammers can make millions of automated vishing calls daily. They often use caller ID spoofing to make their calls appear to come from reputable companies or local phone numbers. Vishing calls typically alarm recipients with warnings about issues with credit card processing, overdue payments, or problems with the tax authorities. Callers who respond may end up divulging sensitive information to individuals working for the scammers. Some even grant the scammers control over their computers by the end of the call.
Social media phishing
Social media phishing leverages various features of social media platforms to gain access to confidential information from members. Scammers utilize the messaging functions inherent in these platforms, such as Facebook Messenger, LinkedIn Messaging or InMail, and Twitter DMs, much like regular emails and text messages. They also send users phishing emails that appear to originate from the social networking site itself, prompting recipients to update their login credentials or payment information. These attacks can be particularly costly for victims who use the same login credentials across multiple social media sites.
In-app messaging
Popular smartphone apps and web-based applications (Software-as-a-Service, or SaaS) regularly send emails to their users. These users are therefore particularly vulnerable to phishing campaigns that spoof emails from app or software providers. Here too, scammers play a numbers game and typically forge emails from the most widely used applications and web applications, such as PayPal, Microsoft Office 365, or Teams, to maximize the return on their phishing campaigns.
Protection against phishing
Training:
User training and best practices are crucial in protecting businesses against phishing scams. It's important to teach users how to recognize phishing attacks and develop best practices for handling suspicious emails and text messages. This includes training users to identify characteristic features of phishing emails:
- Requests for sensitive or personal information or to update profile or payment information
- Requests to send or transfer money
- Attachments that the recipient has not requested or expected
- A sense of urgency, whether overt ("Your account will be closed today...") or subtle (e.g., a colleague urging immediate payment of an invoice), as well as threats of penalties or other unrealistic consequences
- Poor spelling or grammar
- Inconsistent or fake sender addresses
- Links shortened with Bitly or another link shortening service
- Images of text used instead of actual text (in messages or on websites referenced in messages)
This is just an incomplete list; hackers are always developing new phishing techniques to avoid detection. Publications like the quarterly Phishing Trends Activity Report from the Anti-Phishing Working Group can help companies stay up to date.
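As an added illustration (not code from the original article), the checker below turns several of the indicators in the list above into simple rules and runs them over a constructed sample message. The brand list, the URL-shortener list and the sample email are assumptions made for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the original page) showing urgency, a request
# for payment data, a shortened link, and a display name that does not match the domain.
SAMPLE_EMAIL = """\
From: "PayPal Support" <billing@paypa1-secure.example>
To: user@example.com
Subject: Issue with your order
Content-Type: text/plain

Please update your payment information immediately at https://bit.ly/3xyzabc
or your account will be closed today.
"""

# One regular expression per indicator, matched against subject plus body.
PATTERNS = {
    "urgency": r"\b(immediately|today|within \d+ hours|urgent|will be closed)\b",
    "request for sensitive or payment data":
        r"\b(password|login credentials|credit card|bank account|payment information|social security)\b",
    "request to send money": r"\b(wire transfer|transfer (the )?money|send money|pay (this|the) invoice)\b",
    "shortened link": r"https?://(bit\.ly|tinyurl\.com|t\.co|goo\.gl)/\S+",
}

# Assumption: brands the organization sees impersonated, keyed to their real domain.
KNOWN_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}


def find_indicators(raw: str) -> list[str]:
    """Return the phishing indicators found in one RFC 5322 message string."""
    msg = message_from_string(raw)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    texts, attachments = [], []
    for part in msg.walk():  # a single-part message yields just itself
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "unnamed")
        elif part.get_content_type() == "text/plain":
            texts.append(part.get_payload(decode=True).decode(errors="replace"))
    text = msg.get("Subject", "") + "\n" + "\n".join(texts)
    hits = [name for name, pat in PATTERNS.items() if re.search(pat, text, re.I)]
    if attachments:
        hits.append("unexpected attachment: " + ", ".join(attachments))
    # Display name claims a known brand, but the address is not on that brand's domain.
    for brand, real_domain in KNOWN_BRANDS.items():
        if brand in display_name.lower() and domain != real_domain and not domain.endswith("." + real_domain):
            hits.append(f"sender mismatch: '{display_name}' sent from {domain}")
    return hits
```

Rules like these produce false positives on legitimate mail, so in practice they feed a score or a review queue rather than an outright block.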
Companies can also promote or enforce best practices to reduce the pressure on employees to act as phishing detectives. This includes clear guidelines, such as that a supervisor or colleague will never send an email requesting a wire transfer. Employees can also be instructed to verify any requests for personal or sensitive information by contacting the sender or visiting the sender's legitimate website directly, using means other than those provided in the message. Additionally, employees can be encouraged to report phishing attempts and suspicious emails to the IT or security department.
Technology:
Despite the best user training and strict adherence to best practices, users still make mistakes. Fortunately, various established and new security technologies can help security teams continue the fight against phishing where training and policies end.
- Spam filters identify suspicious phishing emails (along with other spam emails) and move them to a separate folder while disabling all links contained within.
- Antivirus and anti-malware software detect and neutralize malicious files or code in phishing emails.
- Multi-factor authentication requires at least one additional login factor besides a username and password, such as a one-time code sent to the user's mobile phone. This provides an additional line of defense against phishing attacks or other attacks that successfully compromise passwords.
- Web filters prevent access to known malicious websites and display warnings when users attempt to visit potentially malicious or fake websites.
© Copyright 2024 Scramble Cloud – End-to-End encrypted cloud storage. All rights reserved.