As more businesses operate online, their exposure to computers and the Internet has grown, and with it the number of cybercriminals. Attackers are also more sophisticated than before. Even so, phishing remains the top threat among all breaches analyzed over the past year, so it has become essential for business organizations to understand phishing and the protection methods that prevent it.
This article looks at four common types of phishing and how organizations can defend themselves against each.
Deceptive Phishing
Characteristics of deceptive phishing:
Emails appear to originate from a recognized sender.
Steals data by impersonating a genuine provider.
In this type of phishing, cybercriminals impersonate a legitimate provider to steal personal information such as credit card details or the login credentials for financial institutions. A familiar example of deceptive phishing is the PayPal scam.
Attackers send emails asking recipients to click a link to 'rectify a specific discrepancy' in their account. The link leads to a fake PayPal login page that the attacker uses to harvest credentials. Users should check every URL carefully, looking at the domain the link actually points to rather than the text it displays, and treat spelling mistakes, grammatical errors, and generic salutations as warning signs of such phishing attempts.
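The URL checks the paragraph asks users to make by eye can be automated. The following is an added example (not code from the original article or from DuoCircle): it pulls the anchors out of a constructed HTML body in the style of the PayPal lure and flags a visible URL that differs from the real target, a brand name buried in a subdomain, a look-alike spelling, and plain-http links. The brand list, the two-label approximation of a registrable domain, and the sample HTML are assumptions made for this example.

```python
"""Flag suspicious links in phishing-style e-mail HTML (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: brands likely to be impersonated and the domain that legitimately serves them.
LEGIT_DOMAINS = {"paypal": "paypal.com"}

# Digit/letter substitutions commonly used in look-alike domains (paypa1 -> paypal).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})


def registrable_domain(host):
    """Crude eTLD+1: the last two labels (assumption; fine for .com-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_link(href, text):
    """Return the reasons a link looks like phishing (empty list if clean)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""
    target = registrable_domain(host)

    # 1. Visible text shows a domain that differs from where the href really goes.
    shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if shown and registrable_domain(shown.group(1)) != target:
        reasons.append(f"text says {shown.group(1)} but link goes to {host}")

    for brand, legit in LEGIT_DOMAINS.items():
        if target == legit:
            continue
        if brand in host:
            # 2. Brand in a subdomain of some other registrable domain.
            reasons.append(f"'{brand}' appears in host {host} which is not {legit}")
        elif brand in target.translate(CONFUSABLES):
            # 3. Look-alike spelling once digits are normalised to letters.
            reasons.append(f"{target} is a look-alike of {legit}")
        elif brand in text.lower():
            # 4. Link text promises the brand, href goes elsewhere.
            reasons.append(f"text mentions {brand} but link goes to {host}")

    if parsed.scheme == "http":
        reasons.append("plain http, no TLS")
    return reasons


def scan_html(html):
    """Map each href in the body to its list of findings."""
    collector = AnchorCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.anchors}


# Constructed sample body (not a real message) in the style of the PayPal lure.
SAMPLE_HTML = """
<p>We noticed a discrepancy in your account. Please
<a href="http://paypal.com.account-verify.example/login">rectify it here</a> or visit
<a href="https://paypa1.com/signin">https://www.paypal.com/signin</a>.
Legitimate link: <a href="https://www.paypal.com/help">PayPal Help</a>.</p>
"""

if __name__ == "__main__":
    for link, findings in scan_html(SAMPLE_HTML).items():
        print(link, "->", findings or "ok")
```

The third anchor passes because its registrable domain is the brand's own; the first two are caught by the host and look-alike checks even though one of them shows the real PayPal URL as its visible text, which is exactly the mismatch a reader is told to watch for.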
Spear Phishing
Characteristics of spear phishing:
Commonly observed on social media sites.
The email looks like it originates from a known sender.
Uses personalized info about the target.
As the name suggests, spear phishing is targeted phishing. The attacker collects the target's name, email address, organization details, work phone number, and other useful information, with the aim of convincing the target that they have a genuine connection with the sender. The attacker then tries to get the target to click a spurious link or download a malicious attachment through which personal information or credentials are stolen. Such spear phishing is common on social media sites like LinkedIn, where it is easy to collect the information needed to craft a convincing targeted email.
Phishing protection methods against spear phishing:
Be careful when sharing sensitive personal information with others, including on social networks.
An automated email-analysis solution that identifies such messages before they reach the inbox is a worthwhile investment.
CEO Fraud
Characteristics of CEO Frauds:
It usually targets top-level executives.
The objective is to authorize fraudulent financial transactions.
Obtains tax information (such as W-2 forms) on all employees.
The modus operandi in this type of attack is simple. The criminals get hold of the login details of a top executive (or, just as often, simply spoof that executive's display name and address) and, posing as the CEO or another high-ranking official, instruct staff to authorize financial transactions on the organization's behalf. The same email account is also used to request the tax or W-2 information of all employees, which is in high demand on the dark web.
High-ranking officials and CEOs rarely take part in employee phishing awareness programs, which makes this exclusive group easy to target. Here are some phishing protection methods to counter such threats.
Ensure that top executives take part in phishing awareness training so that they do not become easy targets.
Adopt multi-step authorization for financial transactions: require more than one approver, and confirm any payment or payroll-data request over a channel other than the email that made it, such as a phone call to a known number.
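Much of the automated email-analysis solution recommended for spear phishing, and the executive-impersonation checks that matter for CEO fraud, come down to a few header and content rules. Here is an added example (not code from the original article or from DuoCircle) that applies them to constructed messages: an executive's display name on an outside address, a Reply-To that diverts the thread to another domain, a sender domain that merely contains the company's domain, and wording that asks for payments or W-2 data under time pressure. The company domain, the executive list and the sample messages are assumptions made for this example.

```python
"""Flag executive impersonation (CEO fraud) from e-mail headers and body (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                         # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}      # assumed: display name -> real mailbox
REQUEST_WORDS = re.compile(r"\b(wire|transfer|payment|w-?2|tax forms?|gift cards?)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|asap|confidential|right away)\b", re.I)


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    """Score one raw RFC 5322 message; returns (score, list of findings)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []   # (weight, description)

    # Display name of a known executive, but the address is not their mailbox.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        findings.append((3, f"display name '{name}' is an executive but address is {addr}"))

    # Replies silently diverted to another domain. This is also the tell when the
    # executive's real account has been taken over and the attacker wants the
    # conversation to continue somewhere the victim will not notice.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append((3, f"Reply-To {reply_to} diverts replies away from {addr}"))

    # Sender domain that merely contains the company domain (example.com.relay.net).
    sender_domain = domain_of(addr)
    if sender_domain != COMPANY_DOMAIN and COMPANY_DOMAIN in sender_domain:
        findings.append((3, f"{sender_domain} contains '{COMPANY_DOMAIN}' but is not it"))

    # What the mail asks for, and how hard it pushes.
    if REQUEST_WORDS.search(body):
        findings.append((1, "asks for money or employee tax data"))
    if URGENCY_WORDS.search(body):
        findings.append((1, "pressures the recipient to act quickly"))

    return sum(w for w, _ in findings), [text for _, text in findings]


# Constructed samples (not real messages).
SAMPLES = {
    "ceo_spoof": (
        'From: "Jane Doe" <jane.doe@example.com.mail-relay.net>\n'
        "To: finance@example.com\nSubject: Vendor payment\n\n"
        "I need you to process a wire transfer for a vendor today. Keep this confidential.\n"
    ),
    "reply_to_divert": (
        'From: "Jane Doe" <jane.doe@example.com>\n'
        "Reply-To: <jane.doe.ceo@webmail.example>\n"
        "To: hr@example.com\nSubject: Employee records\n\n"
        "Please send me the W-2 forms for all employees asap.\n"
    ),
    "benign": (
        'From: "Jane Doe" <jane.doe@example.com>\n'
        "To: staff@example.com\nSubject: Board deck\n\n"
        "Board deck attached. See you Monday.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        score, findings = analyse(raw)
        print(f"{label}: score {score}", *findings, sep="\n  ")
```

Note the limit the article itself points at: when the executive's real account has been taken over, the From address and domain checks pass, and only the Reply-To diversion, the content of the request, and an out-of-band confirmation will catch it.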
Pharming
As organizations adopt phishing awareness programs, employees are less likely to fall for traditional phishing emails, which makes those scams harder for cybercriminals to pull off. Some therefore resort to pharming, which does not depend on the victim clicking anything.
Characteristics of pharming:
Redirects the victim to a malicious website.
Changes the IP address associated with a specific website name.
Leverages cache poisoning against DNS servers.
The Internet uses the Domain Name System (DNS) to resolve human-readable domain names to the numeric IP addresses used to locate servers. In a DNS cache-poisoning attack the attacker feeds a DNS server forged records so that the IP address it caches for a legitimate domain name points to a server of the attacker's choice, and every user of that server is redirected to the malicious site. The problem with pharming is that the victim lands on the fake site even after typing the correct site name rather than clicking a link. The same effect can be produced on a single machine by malware that edits the local hosts file, so pharming is not only a server-side problem.
Phishing protection methods against pharming:
Use only HTTPS-protected websites as far as possible. A server reached through a poisoned lookup cannot present a valid certificate for the real domain, so a browser certificate warning is the signal that the lookup was tampered with; do not click through it.
Keep updated anti-virus software installed on your computers and networks.
Apply security patches regularly, including to DNS resolvers.
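What a resolver does to resist the cache poisoning described above is worth seeing in code. The following is an added example (not code from the original article or from DuoCircle) with a minimal DNS wire-format builder and parser: it constructs a forged response in which the answer for the name that was asked about is correct but the additional section tries to plant an attacker-controlled address for www.paypal.com, then applies the two cheapest resolver defences, a transaction-ID match and the bailiwick rule that keeps only records inside the zone being queried. The zone, names and addresses are assumptions made for this example.

```python
"""Resolver-side defence against DNS cache poisoning: ID check plus bailiwick rule (added example)."""
import socket
import struct


def encode_name(name):
    """Uncompressed wire encoding of a domain name."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Return (name, offset after the name), following compression pointers."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:               # 2-byte compression pointer
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(data[offset:offset + length].decode())
        offset += length


def build_rr(name, ttl, ip):
    """Class IN, type A resource record."""
    rdata = socket.inet_aton(ip)
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


def build_response(txid, qname, answers, additional):
    """Standard response (QR=1, RD=1, RA=1) to an A query for qname."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, len(additional))
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rrs = b"".join(build_rr(*rr) for rr in answers + additional)
    return header + question + rrs


def parse_response(data):
    """Parse header, question names and the three RR sections of a DNS message."""
    txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions = 12, []
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        questions.append(qname)
        offset += 4                              # QTYPE + QCLASS
    sections = {}
    for key, count in (("answer", an), ("authority", ns), ("additional", ar)):
        rrs = []
        for _ in range(count):
            name, offset = decode_name(data, offset)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            rdata, offset = data[offset:offset + rdlen], offset + rdlen
            rrs.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
        sections[key] = rrs
    return {"id": txid, "questions": questions, **sections}


def in_bailiwick(name, zone):
    """True if name is the zone itself or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def accept_records(expected_id, zone, data):
    """Drop replies whose ID does not match; then keep only in-bailiwick records."""
    resp = parse_response(data)
    if resp["id"] != expected_id:
        return {"status": "dropped: transaction ID mismatch", "accepted": [], "rejected": []}
    accepted, rejected = [], []
    for section in ("answer", "authority", "additional"):
        for rr in resp[section]:
            entry = (section, rr["name"], socket.inet_ntoa(rr["rdata"]))
            (accepted if in_bailiwick(rr["name"], zone) else rejected).append(entry)
    return {"status": "ok", "accepted": accepted, "rejected": rejected}


# Constructed forged response: the resolver asked attacker.example's server for
# www.attacker.example; the reply smuggles in an A record for www.paypal.com.
QUERY_ID, ZONE = 0x1234, "attacker.example"
POISONED = build_response(
    QUERY_ID, "www.attacker.example",
    answers=[("www.attacker.example", 300, "198.51.100.10")],
    additional=[("www.paypal.com", 86400, "198.51.100.66")],
)

if __name__ == "__main__":
    print(accept_records(QUERY_ID, ZONE, POISONED))
```

Real resolvers add source-port randomization (the transaction ID alone is only 16 bits) and, where the zone is signed, DNSSEC validation; the bailiwick rule is what stops a reply about one domain from rewriting cached records for another.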
We have discussed four common methods of phishing used by cybercriminals around the world and the phishing protection methods one should use against them. Ultimately, it boils down to two things:
Keep the security systems on your computers up to date.
Increase your awareness levels and be vigilant at all times.
These are the most straightforward phishing protection methods you can employ at all times.
If given a choice between violating Amazon’s policies and getting phished, I’d much rather tick off Amazon. But hackers think that you think differently, which is the motivation for their latest phishing scam.
From Hoax Slayer, “According to an email, which purports to be from Amazon, your account will be locked because of violated policies. Supposedly, you are required to click a link to login and verify your account. The email features the Amazon logo and seemingly legitimate footer information in an effort to make it seem genuine. However, the email is fraudulent and the claim that your account has been locked is false.”
The wars of the future won't be fought with bombs and planes; they'll be fought with 1s and 0s. And while the U.S. is worried about North Korea getting nuclear weapons, it should be more worried about their cyberattacks.
The latest salvo from North Korea is a spear-phishing attack targeting U.S. firms “with an interest in nuclear deterrence, North Korea’s nuclear submarine program and North Korean economic sanctions.” Apparently this is an ongoing malware campaign aimed at U.S. companies.
If you haven't been paying attention, cities are getting killed by ransomware. The list of cities that have fallen victim to ransomware in 2019 alone is too long to include. And once a city does get hit by ransomware, the question that always comes up is, should the city pay the ransom? It's not an easy question to answer.
On the one hand, paying the ransom is no guarantee that the city will get its systems back. On the other hand, not paying the ransom leaves the city with the unknown financial burden of restoring its systems.
The number of cyberattacks and security breaches increases every year. According to Gemalto, there was a 164 percent increase in cyberattack frequency between 2016 and 2017, and projections for 2017 to 2018 already point to even greater growth.
Mobile phishing is not a new phenomenon. Almost anyone old enough to remember using pre-smartphone mobile devices also remembers getting suspicious texts and calls from early scammers. Often, these scam artists used some variant of the now-campy Nigerian Prince scheme to trick victims.
But times have changed. Today’s mobile phishing attacks are sophisticated, high-tech, and largely automated. Mobile phones have taken on a more important role in users’ lives than ever before, and the world’s hackers have access to more data than the previous generations could dream of. Without mobile phishing protection, users are vulnerable.
Phishing scams are more common than you might think. In fact, a person receives an average of six malicious emails per day, threatening the security of their computer and their systems.
Between 2013 and 2016, American businesses faced a staggering $500 billion in losses due to phishing scams. This led to an extensive FBI investigation of over 22,000 reported phishing scams.
What is a lateral phishing attack? A lateral phishing attack occurs when “one or more compromised employee accounts in an organization are used to target other employees in the same organization. Lateral phishing is similar to business email compromise (BEC), but while the latter is usually about getting victims to carry out fraudulent wire transfers, the main goal of the former is usually credential theft.” I suppose it means the attack occurs laterally across the org chart.
If you follow the news at all, you know that phishing attacks, cyber breaches and ransomware are everywhere. It’s practically an epidemic. But, not all victims are created equal.
It’s one thing if a bank or a big corporation or even a government entity gets hit with a cyber-attack. They either have, or can find the resources to recover from such an event. Many even have some form of insurance to bail them out. But lately, hackers have pulled out all the stops and have started targeting some of the most vulnerable in society.
Phishing is so widespread today that you can feel the effects of a phishing attack even if you're not the one who got phished. The latest example of this is detailed in a report on Bleeping Computer: "Phishing Attacks Target US Utilities with Remote Access Trojan."
About a year ago, information security company Shred-it released a report saying “Employee negligence is the main cause of data breaches.” I have no doubt that’s true. The part I disagree with is the solution.
The solution that’s being promoted for the “employee” problem is phishing awareness training. And not just training, but MORE training. There’s only one problem with this way of thinking: it won’t eliminate data breaches.
Phishing attacks can cause a lot of damage, so we try not to make light of them. But every now and then you have to look on the bright side.
There was news last week that “Several thousand school children in Alabama had their summer vacation extended by two weeks as the Houston County School District was forced for the second time to delay opening day due to a cyberattack.”
At DuoCircle we like to stay up to date on the latest phishing tactics so we can share them with you to keep you prepared. And we never cease to be amazed at the cleverness of hackers.
One of the fastest-growing email threats is account takeover, where a hacker takes over someone’s email account. Once they do, they have a lot of options, and one of the options they’re starting to choose is something called lateral phishing.
What if there existed a technology that could dramatically lower the chances of your domains being spoofed and used for phishing attacks on recipients? Would you take advantage of it? Probably not, because the technology does exist and almost nobody is using it. And the reasons why are confounding.
If you haven't already heard, the Internet of Things (IoT) is going to be big. IoT simply means that every electrical device in your life will be connected to the Internet, from your doorbell to your thermostat to your refrigerator to every possible medical device. If you can plug it into an electrical socket, it will probably plug into the Internet.
Phishing attacks give little warning and they don't linger. The lifetime of many phishing websites is just a few hours. According to the 2018 Webroot Threat Report, "most phishing sites were only online for 4-8 hours." Sometimes less. According to an article on the Dark Reading website, "Many phishing campaigns last year combined attacks that were active for just a few minutes."
Phishing attacks will always be successful because they’re not attacks on technology, they’re attacks on human nature.
As Danny Bradbury points out in SC Magazine, “Successful data breaches need not require expensive technology, massive deceptions, or even expertly faked credentials. Sometimes all it takes is a phone call to the help desk and a request for assistance logging in. You do not even have to be a legitimate user if you are convincing enough.”
It’s been shown repeatedly that all the phishing awareness training in the world won’t get the click rate on malicious emails down to zero. And now we know why.
Thanks to research conducted by Symphony Communication Services, "An alarming percentage of workers are consciously avoiding IT's guidelines for security."
You can lose a lot of things if you get successfully phished: money, credentials, personal information, productivity, reputation, to name a few. Do you know what else you can lose? Your life!
It's been all over the news lately that successful phishing attacks have led to patients' medical records being exposed. There was a breach at Baystate Medical Center that impacted 12,000 patients. There were three physicians at UC Davis who got hit in a phishing scam affecting 1,800 patients. And there were the 30,000 Medicaid recipients who had their data exposed in Florida due to a phishing attack. The list goes on.
It’s why awareness training will never be good enough. And it’s why the best phishing protection technology may always fall a little short. The truth is, some of the best and brightest minds around are using their smarts to come up with more clever and more undetectable phishing exploits. It’s a technological arms race, and maybe the best you can ever hope for is a tie.