Different forms of phishing attacks remain the number one point of compromise in 91 percent of cyberattacks, whether they’re financially or politically motivated.
It might seem strange to be discussing different forms of phishing in 2020, but phishing attacks are still the most common malware infection vector. Yes, you read that correctly. According to the APWG’s Phishing Activity Trends Report for Q3 2019, phishing attacks remain at the top of the list. Moreover, there are several forms of phishing to choose from.
Since some people (and companies) never learn, phishing is not only the most effective attack method to date, but it also requires little effort on the part of the hackers. There are various forms of phishing, some more advanced than others and with various motives, but they all rely on psychological manipulation.
Phishing has long been a favourite tactic of many criminals because it’s simple to use and efficient at obtaining unauthorised access to sensitive information. Although some might believe that their firewall would keep them secure, phishing bypasses conventional security measures since social engineering allows cybercriminals to trick their victims into disclosing confidential details about themselves or their organisations, including their credentials.
A phishing attack does not need a genius to carry out. Phishing kits are inexpensive and can be used to spoof websites or capture computer data (in addition to the typical personal information). Kits that spoof email providers or file storage services are the most popular. Some con artists will simply use social media to impersonate customer service in order to steal financial details.
How Do Different Types of Phishing Work?
The response to this question is dependent on the type of phishing you’re discussing. Since scammers are constantly refining their skills and strategies, it’s a good idea to keep an eye on what’s in your inbox. Phishing has progressed from the conventional campaigns that most people are familiar with, and it’s becoming more difficult to identify except among the most tech-savvy individuals. Recently, fraudsters impersonating Verizon Wireless sent out a smishing scam asking users to check account security.
A phishing attack will often try to trick you into doing something or disclosing sensitive details. Cybercriminals want to elicit an emotional or inquisitive response from their victims. They can, for example, use urgent or emotionally charged language to entice you to respond to their email.
The following are some examples of traditional phishing emails:
- Emails about student loans;
- Messages from your bank or credit card provider;
- A prospective employer requesting a revised resume with your Social Security Number;
- The Internal Revenue Service (IRS) inquiring about tax returns; or
- A shipping company, if you work in a department that handles a lot of the organisation's logistics.
What Are Some of the Main Types of Phishing Attacks?
Phishing is a social engineering scheme that employs various forms of email attack, malicious websites or applications, text messages, and even phone calls to persuade a user to disclose personal information or sensitive data about the business. If the accounting department is successfully phished, a ridiculously large money transfer could easily end up in a bank account on a tropical island!
Spear phishing, vishing, smishing, whaling, HTTPS phishing, and business email compromise (BEC) are some of the most common forms of phishing attack. Ransomware is malicious software that encrypts your data and holds it hostage until you pay a ransom in cryptocurrency. Several forms of phishing attack are used to spread ransomware.
Let’s take a look at five of the most popular phishing scams:
HTTPS Phishing Attacks
Hackers have also found a way to fool users into thinking a website is legitimate using HTTPS (Hypertext Transfer Protocol Secure) phishing. They rely on users' misconception that a page is encrypted and safe simply because HTTPS and the green padlock symbol are shown. However, even phishing websites can now use the HTTPS protocol in the browser address bar to gain user confidence (by obtaining website certificates). The user may then quickly fill out a form, for example, and hand over their credentials or other confidential data.
The FBI warned users last year that just because a website begins with HTTPS does not guarantee privacy or protection. Unknown senders should be avoided, particularly if their email address ends in .com when it should be .gov, and misspelt words are a warning sign, according to the FBI. According to Trend Micro, the forms of phishing that use digital certificates to encrypt connections increased by 58 percent in the first quarter of 2019 and are on the rise. According to a study released in Q3 2019 by the Anti-Phishing Working Group (APWG), the number is actually higher, at 68 percent!
Business Email Compromise Attacks
Business Email Compromise (BEC), also known as email account compromise (EAC), is a type of phishing attack in which a cybercriminal impersonates corporate executive management to dupe employees (usually in Human Resources or Accounting) into allowing wire transfers or sharing personally identifiable information (PII) or tax information.
According to the FBI, BEC scams accounted for half of the 467,361 cybercrime losses recorded in 2019, totaling $1.77 billion. Other FBI figures show a high number of reports about spoofed emails impersonating an employee requesting direct deposit account changes, with a large portion of the funds going to banks in China, Hong Kong, the United Kingdom, Mexico, and Turkey.
These forms of phishing attack include payroll diversion schemes that use a spoofed login page for an email host in order to appear legitimate and steal employee credentials. Domestic and foreign exposed dollar loss surpassed $26 billion, according to FBI victim complaints received between June 2016 and July 2019. A complex scheme defrauded Facebook and Google of over $100 million in 2019.
Spear Phishing Attacks
Spear phishing scams aren’t your typical con. These are phishing scams that are specifically tailored and researched to appear genuine. Victim research has been greatly aided by technology and social media, which has allowed for the development of customised and persuasive email attacks.
A spear phishing email is used in as many as 91 percent of cyberattacks, and it is always effective in convincing key employees in an organization's HR, finance, legal, or IT departments to share their credentials or click on a link that downloads malware into the system. It may be a LinkedIn update, an urgent request from a team member or boss, or even an urgent email from a company. Companies like JP Morgan, Home Depot, and Target have all been hacked as a result of spear phishing attacks.
Whaling Attacks
Whaling attacks are similar to spear phishing attacks in that they target C-level executives or other high-ranking individuals with authority who have access to sensitive information or even wealth. Since whaling emails require careful research in order to convince the victim that the message is legitimate, perpetrators who engage in these forms of phishing attack can be very patient in their pursuit of financial gain. Whaling emails are detailed and contain very sensitive information in order to persuade the victim to respond to the call to action.
Vishing Attacks
Vishing is just a fancy name for phone fraud, or voice phishing. You're dealing with a well-crafted phishing attempt if you get a pre-recorded message from the IRS or your bank telling you to call a number and give away your credit card details or Social Security Number. Scammers have recently begun mixing voice and text messages (smishing) to seem more authentic.
Voice phishing scams are becoming more sophisticated, according to security expert Brian Krebs. According to a friend of his, phoney credit union or tax department phone calls have become so sophisticated that the details given by the criminal often make sense. While the calls seemed to come from legitimate numbers, we all know how easy it is for criminals to fake caller ID numbers.
There are several other forms of phishing attacks, including clone phishing, domain spoofing, evil twin, and watering hole phishing, to name a few.
Types of Phishing Motivations
Targeted users open approximately 30% of all phishing emails. The majority of data breaches have resulted from the use of a poor password or a phishing attack that took advantage of an employee’s actions. According to statistics, phishing emails were involved in 78 percent of cyber espionage incidents, and more than 95 percent of all attacks begin with a phishing email.
A phishing attack may attempt to obtain data such as:
- usernames and passwords;
- addresses and contact information;
- personal information that can be used to create fake accounts and for identity theft;
- confidential corporate information or technical data;
- sensitive information that can be used for tax evasion; and
- medical records or health insurance information.
Although some phishing attacks are motivated by money, this is not always the case. Some phishing is done for the purpose of cyber espionage, while others are done for political reasons.
Financially Motivated Phishing Attacks
71 percent of attacks, including phishing attacks, were financially motivated, according to Verizon's 2019 Data Breach Investigations Report (DBIR). According to the study, financial gain remains a top motive in attacks targeting C-level executives, who are more likely to click on urgent emails and have the authority to make money transfers.
Cyber Espionage-Motivated Phishing Attacks
The top targets for various forms of phishing attacks are intellectual property and sensitive data. Russia, China, Iran, and North Korea are also supporters of nation-state-backed cybercriminal groups. According to ZDNet, they use spear phishing emails to execute malicious payloads and steal sensitive, confidential information from Western companies and governments.
Iran-backed hackers recently used spear phishing attacks to steal intellectual property from government agencies in Turkey, Jordan, and Iraq.
Politically Motivated Phishing Attacks
Many people have been scammed by emails posing as government officials. However, the most well-known politically motivated spear phishing attack was conducted against the Democratic Party of the United States by Russian-backed hackers during the 2016 election to steal information about the Clinton campaign.
Regardless of the type of phishing attack used by cybercriminals, it’s important that you and your employees understand how to spot them.
How to Identify Most Types of Phishing Attacks
The most popular forms of phishing attack use an email to trick the victim into clicking on a malicious link or installing disguised malware in order to steal sensitive information. If the malware gains access to the system, it will search for vulnerabilities and compromise the system, the network, and possibly any devices connected to it.
It also comes down to knowing what to look for when detecting phishing. The following are some immediate red flags that you might be dealing with a phishing scam:
- The email address of the sender. Check the sender’s email address, as well as the domain and URL to which the email’s links point.
- Unexpected requests for confidential or sensitive details. Out of the blue, you receive a call or message from a well-known, reputable organisation asking you to provide personal or confidential information.
- Language that elicits an emotional response or a feeling of impending doom. The message plays on a range of emotions, from fear and excitement to a sense of impending doom. It might try to persuade you to pay a bill or take some other action right away.
- An urgent appeal from upper management. Your boss or CEO has sent you an email urgently requesting that you pay an invoice or open a sensitive document.
- Factual mistakes and poor grammar. Something isn't quite right. The sender makes grammatical and spelling errors; the logo appears to be off; the email address or the person's name contains typos; or, worst of all, you have no idea who is sending you an invoice for immediate payment.
- A website is requesting personal information. Even if it appears to be legitimate, a website that requests sensitive personal details such as passwords, credit card numbers, social security numbers, and bank account numbers should be considered suspicious.
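To show how the first few red flags above (sender domain, where links really point, urgency wording, requests for sensitive data) can be checked mechanically, here is an added example that is not part of the original article. The message and every domain in it are constructed for illustration, and the checks are deliberately simple heuristics, not a complete mail filter.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for illustration; every domain in it is invented.
SAMPLE_EMAIL = """\
From: "PayPal Support" <security@paypa1-accounts.example>
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html

<p>Dear customer, verify your password immediately at
<a href="http://login.paypa1-accounts.example/verify">https://www.paypal.com/signin</a>
or your account will be closed.</p>
"""

# Anchor tags in a simple HTML body: (href, visible text). Good enough for the
# sample; a production filter should use a real HTML parser instead.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|closed)\b", re.I)
SENSITIVE = re.compile(r"\b(password|social security|credit card|bank account)\b", re.I)

def sender_domain(msg):
    """Domain part of the From address, lower-cased ('' if absent)."""
    return parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()

def red_flags(raw_message):
    """Return the red flags found in a raw RFC 822 message (empty list if none)."""
    msg = message_from_string(raw_message)
    body = msg.get_payload()
    sender = sender_domain(msg)
    flags = []
    for href, text in ANCHOR.findall(body):
        host = (urlparse(href).hostname or "").lower()
        # A link that leaves the sender's own domain deserves a second look
        if host and host != sender and not host.endswith("." + sender):
            flags.append(f"link host {host} does not match sender domain {sender}")
        # Anchor text that looks like a URL but points somewhere else is a classic lure
        shown = urlparse(text.strip()).hostname
        if shown and shown.lower() != host:
            flags.append(f"link text shows {shown} but points to {host}")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        flags.append("urgency or threatening language")
    if SENSITIVE.search(body):
        flags.append("asks for credentials or sensitive data")
    return flags
```

Running `red_flags(SAMPLE_EMAIL)` reports the mismatched link text, the urgency wording and the password request; a plain internal message with links on the sender's own domain produces no flags.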
How Can You Avoid Phishing?
A couple of years ago, phishing messages were much easier to detect. If anybody had paid attention, they may have found a typo in the email or the sender’s name, some spelling errors here and there, or a large fake logo at the top — but scammers are becoming better at their art. Manipulative emails and spoofed websites are becoming increasingly difficult to distinguish from their legitimate counterparts.
Here are some helpful hints for avoiding various forms of phishing attacks:
- Give employees security awareness training. Employees will benefit from awareness seminars that teach them to identify inbox threats and follow email best practices.
- Check all of your important emails twice. When you receive a money transfer request from the CEO, but something about it seems off, double-check that it is genuine by directly contacting the person who supposedly sent it.
- Sign emails with S/MIME certificates. Email encryption protects messages in transit and on email servers, and digital signatures validate the sender's identity and the message's integrity.
- Email authentication methods. DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) are email authentication protocols that protect against various forms of targeted email attack. If these protocols are not deployed, criminals can spoof your domain and send malicious emails in its name.
- Enable two-factor authentication (2FA) or multi-factor authentication (MFA). Using one of these methods will not only shield your accounts from password compromise, but it will also secure wire transfers.
- Create, adopt, and enforce policies for computer use and BYOD protection. It's important to gain more visibility into which devices are connecting to the work network now that BYOD (bring your own device) has become a way of life.
- Ensure that all patches and upgrades are current. A large company will have a large number of computers running various software versions. Run operating system security updates and fixes on a regular basis to limit what an attacker can exploit in the event of a successful phishing attack.
Since this type of attack is very realistic and has a high success rate, it will most likely retain its top-ranking spot among the various types of phishing attack. Cybercriminals will continue to use targeted attacks and psychological manipulation to trick users into disclosing personal information that they can use for their own purposes. Some emails may be difficult to detect depending on the form of phishing, which is why security workshops combined with effective security measures can help minimise the likelihood of phishing scams succeeding.
Do not allow yourself or your workers to become complacent. Teach them how to identify the different forms of phishing attack that exist today so that they can be prepared for new attacks that might appear tomorrow or in the near future.