Cyber Security: Phishing Attacks

What Is Phishing?

Phishing is a fraud technique in which a malicious actor sends messages that impersonate a legitimate individual or organization, usually by email or another messaging system. Attackers commonly distribute malicious attachments and links through phishing emails to trick unsuspecting users into downloading malware.

In most phishing attacks the goal is to extract sensitive information from the victim, such as user credentials and account details. Exploiting human weaknesses to bypass security controls is often easier than breaking through technical defenses, and many people readily mistake a phishing email for a legitimate message.

10 Types of Phishing Attacks

While phishing usually refers to email-based fraud, there are several types of phishing.

1. Email Phishing

Email is the most common phishing medium. Scammers register fake domains that impersonate real organizations and send thousands of messages to their targets.

Fake domain names often rely on character substitutions, such as placing "r" and "n" side by side so that "rn" reads as "m", or swapping a digit for the letter it resembles. Attackers can also put a genuine organization's name in the local part (the part before the "@") of an address on an unrelated domain, so that only the familiar name stands out in the inbox: a placeholder such as organization@unrelated-mail.example looks like it came from the organization even though the domain has nothing to do with it.

There are multiple ways to detect phishing emails, but users should always check the full sender address, not just the display name, whenever a message prompts them to download an attachment or click a link.
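The sender checks described above can be automated on a message's headers. The following Python is an added example written for this article, not code from the original page: it parses a constructed raw message with the standard library, folds common lookalike sequences ("rn" for "m", "0" for "o") before comparing the sender's domain against a trusted list, and flags a protected brand name used in the local part or display name of an external address. The trusted domain organization.com, the brand list and the three sample messages are assumptions made for illustration.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List, Optional

# Constructed for this example: domains the organization really sends from,
# and brand names an attacker would borrow for a local part or display name.
TRUSTED_DOMAINS = {"organization.com"}
PROTECTED_BRANDS = {"organization"}

# Sequences that read like another character in many fonts. Both the suspect
# domain and the trusted domain are folded, so a trusted name that itself
# contains "rn" still matches itself.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def fold_confusables(domain: str) -> str:
    """Normalize a domain so 'organizati0n.corn' compares equal to 'organization.com'."""
    d = domain.lower().strip()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    folded = fold_confusables(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == fold_confusables(trusted):
            return trusted
    return None


def inspect_sender(raw_message: str) -> List[str]:
    """Return readable findings about the From header; an empty list means nothing fired."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(msg.get("From", ""))
    local_part, _, domain = address.rpartition("@")
    domain = domain.lower()
    findings: List[str] = []
    if domain in TRUSTED_DOMAINS:
        return findings  # genuine sending domain; the remaining checks are moot
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain!r} is a lookalike of {imitated!r}")
    if local_part.lower() in PROTECTED_BRANDS:
        findings.append(f"brand name {local_part!r} used as the local part of an external address")
    if any(brand in display_name.lower() for brand in PROTECTED_BRANDS):
        findings.append(f"display name {display_name!r} claims the brand but the address is {address!r}")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_LOOKALIKE = """\
From: Organization Support <support@organizati0n.corn>
To: user@organization.com
Subject: Action required: verify your account

Please download the attached form and sign in at the link below.
"""

SAMPLE_BRAND_IN_LOCAL_PART = """\
From: organization@freemail.example
To: user@organization.com
Subject: Password expiry notice

Click here to keep your current password.
"""

SAMPLE_GENUINE = """\
From: IT Service Desk <helpdesk@organization.com>
To: user@organization.com
Subject: Scheduled maintenance

No action is needed.
"""

if __name__ == "__main__":
    for label, sample in [("lookalike", SAMPLE_LOOKALIKE),
                          ("brand in local part", SAMPLE_BRAND_IN_LOCAL_PART),
                          ("genuine", SAMPLE_GENUINE)]:
        print(label, "->", inspect_sender(sample) or ["no indicators"])
```

The folding step is deliberately applied to both sides of the comparison; a rule that only rewrote the suspect domain would miss a trusted name that happens to contain one of the confusable sequences. Real deployments extend CONFUSABLES with Unicode homoglyphs and run the same logic over Reply-To and Return-Path as well as From.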

2. Business Email Compromise (BEC) or CEO Fraud

In this type of phishing attack, attackers target key employees in key departments, for instance managers in finance and accounting. The attacker impersonates the CEO or a finance officer and emails a subordinate asking them to initiate a transfer of funds into an account the attacker controls.

How it works – Typically the attacker first gains control of an authoritative figure's mailbox, such as a senior executive's, using a foothold planted earlier (for example malware or credentials obtained through a spear phishing attack). The attacker then studies the account's email activity to learn the organization's procedures and communication habits: who approves payments, who executes them, and how such requests are normally worded. Once familiar with these patterns, the attacker sends a message from the compromised account (or from a lookalike address carrying the executive's name) to a regular correspondent, urging an unauthorized transfer of funds to an external account under the attacker's control.
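A mail gateway or SOC can score the indicators this section describes. The following Python is an added example written for this article, not code from the original page: it checks whether a display name belonging to an executive arrives from the wrong address, whether a Reply-To header diverts replies away from the sender, and whether the subject and body combine a money request with urgency or secrecy. The executive directory, the keyword lists and the three sample messages are constructed for illustration. The first sample deliberately uses the executive's real address, as happens when the real account is compromised: the identity checks pass, which is why the content indicators must be able to trigger review on their own and why a payment change should always be confirmed out of band.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict

INTERNAL_DOMAIN = "organization.com"
# Constructed directory: display names worth impersonating and the only address each may use.
EXECUTIVES = {
    "jane doe": "jane.doe@organization.com",
    "sam lee": "sam.lee@organization.com",
}
FINANCE_TERMS = re.compile(r"\b(wire|transfer|invoice|payment|bank details|gift cards?)\b", re.I)
PRESSURE_TERMS = re.compile(r"\b(urgent|asap|immediately|today|confidential|in a meeting)\b", re.I)


def bec_indicators(raw_message: str) -> Dict[str, str]:
    """Map indicator name -> explanation for one message. An empty dict means nothing fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")

    found: Dict[str, str] = {}
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and sender.lower() != expected:
        found["exec_name_external_address"] = f"{display_name!r} should send from {expected}, not {sender}"
    if reply_to and reply_to.lower() != sender.lower():
        found["reply_to_mismatch"] = f"replies are diverted to {reply_to}"
    if FINANCE_TERMS.search(text):
        found["financial_request"] = "message asks for a payment, transfer or banking change"
    if PRESSURE_TERMS.search(text):
        found["pressure"] = "message uses urgency or secrecy to discourage verification"
    return found


def needs_review(indicators: Dict[str, str]) -> bool:
    """Hold the message for a human when the sender identity is doubtful, or when a money
    request is combined with pressure (the only signals left once a real account is compromised)."""
    keys = set(indicators)
    identity_doubt = {"exec_name_external_address", "reply_to_mismatch"} & keys
    return bool(identity_doubt) or {"financial_request", "pressure"} <= keys


# Constructed samples (not real mail).
SAMPLE_COMPROMISED_ACCOUNT = """\
From: Jane Doe <jane.doe@organization.com>
Reply-To: jane.doe.ceo@freemail.example
To: pat@organization.com
Subject: Urgent wire transfer

Pat, I'm in a meeting and can't talk. Please transfer 48,000 to the
supplier account below today and keep this confidential until I'm back.
"""

SAMPLE_LOOKALIKE_SENDER = """\
From: Jane Doe <jane.doe@organization-ceo.example>
To: pat@organization.com
Subject: Quick favour

Are you at your desk? I need you to handle a payment for me.
"""

SAMPLE_BENIGN = """\
From: Sam Lee <sam.lee@organization.com>
To: pat@organization.com
Subject: Lunch next week

Are you free on Tuesday?
"""

if __name__ == "__main__":
    for label, sample in [("compromised account", SAMPLE_COMPROMISED_ACCOUNT),
                          ("lookalike sender", SAMPLE_LOOKALIKE_SENDER),
                          ("benign", SAMPLE_BENIGN)]:
        found = bec_indicators(sample)
        print(label, "->", sorted(found), "review" if needs_review(found) else "deliver")
```

Keyword lists like these produce false positives in a finance department, where "invoice" and "payment" are everyday words; the value of the scheme is in the combination of signals, and in routing flagged messages to a reviewer rather than blocking them outright.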

3. Spear Phishing

Spear phishing works like ordinary phishing, using a message from a seemingly trusted source to trick the victim, but it targets a specific individual or small group rather than sending a generic message to many users in the hope that someone bites. The message is tailored with details about the target gathered beforehand, such as their role, colleagues and current projects. Popular targets include HR staff and IT administrators because of the access they hold across the wider organization.

When the target is especially high-value, the attack is called whaling. Standard spear phishing goes after IT or management staff, while whaling goes after senior executives (the CEO, CFO or other members of the leadership team). Attackers often impersonate other senior executives or representatives of partner companies to persuade the target to disclose sensitive, high-value information.

Successful whaling takes more preparation than usual to land the whale. Once an executive's account or trust has been obtained, the attacker can use that authority to spear phish employees and other high-value targets without arousing suspicion.

4. Whaling 

Whaling is a social engineering tactic used by cyber criminals to ensnare senior or otherwise important individuals in an organization by posing as another senior figure, in the hope of gaining access to their computer systems or stealing money or sensitive data. Whaling adds a social engineering lever that ordinary phishing lacks: staff are far more likely to carry out an action or divulge information without a second thought when the request appears to come from a 'big fish' or 'whale' in the organization, such as the CEO or Finance Manager.

How it works – the tactic is very similar to phishing in that it also relies on email and website spoofing to trick individuals. The key difference is targeting: phishing goes after non-specific individuals, while whaling targets key individuals, the 'whales' of the company such as the CEO or Finance Manager, with the attacker masquerading as another influential or senior person in the organization.

5. Vishing and Smishing

Mobile phones replace email in smishing (SMS phishing) and vishing (voice phishing). With smishing, the attackers send text messages with similar deceptive content to a phishing email. Vishing involves phone conversations, with the scammer directly speaking to the target.

In one popular vishing scam, the fraudster pretends to be a fraud investigator representing a bank or credit card company. The fraudster informs the victims of an account breach, prompting them to verify their identity by providing credit card details. Alternatively, the attacker might ask the victim to transfer funds to a special account.

6. Clone Phishing

Clone phishing is less sophisticated than spear phishing or whaling but still very effective. It shares all the main features of phishing; the difference is that instead of composing a fresh fraudulent request in the name of an individual or organization, the attacker copies a legitimate email that a trusted entity has already sent, so the wording, branding and layout are genuine.

The attacker then swaps the links, replacing the real link in the original with one that leads to a fraudulent website imitating the legitimate site. Users who enter their credentials there hand them to the attacker. Because everything except the link is authentic, comparing the links against those in the original message is the most reliable check.
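The link comparison just described can be done mechanically on the HTML body. The following Python is an added example written for this article, not code from the original page: it extracts every anchor with the standard-library HTML parser, records the destination hosts of the message believed to be the genuine original, and flags links in a suspect copy whose destination is not one of those hosts, or whose visible text names a different host than the href really points to. The two HTML fragments (the genuine bank notification and its clone) are constructed samples.

```python
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML mail body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text: str) -> str:
    """Lower-cased host of a URL; bare 'bank.example/path' text is treated as a URL too."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "https://" + s
    host = (urlparse(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def links_in(html: str) -> List[Tuple[str, str]]:
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def hosts_in(html: str) -> Set[str]:
    """Destination hosts of the message believed to be the genuine original."""
    return {host_of(href) for href, _ in links_in(html)}


def suspicious_links(html: str, original_hosts: Set[str]) -> List[Dict]:
    """Flag links whose destination is not one of the original's hosts, and links whose
    visible text names a different host than the href actually points to."""
    findings = []
    for href, text in links_in(html):
        target = host_of(href)
        reasons = []
        if target not in original_hosts:
            reasons.append(f"destination {target!r} is not a host used by the original message")
        text_is_urlish = "." in text and " " not in text
        if text_is_urlish and host_of(text) != target:
            reasons.append(f"visible text {text!r} does not match destination {target!r}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed samples: the genuine notification and a clone with the links swapped.
ORIGINAL_HTML = (
    '<p>Your statement is ready. '
    '<a href="https://www.bank.example/statements">View statement</a></p>'
)
CLONED_HTML = (
    '<p>Your statement is ready. '
    '<a href="https://bank.example.secure-login.example/statements">View statement</a> '
    'or visit <a href="https://bank-examp1e.example/">https://www.bank.example/statements</a></p>'
)

if __name__ == "__main__":
    known = hosts_in(ORIGINAL_HTML)
    for finding in suspicious_links(CLONED_HTML, known):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

The second flagged link shows the trick that makes clones so effective: the text the reader sees is the genuine URL, and only the href, which mail clients hide until the pointer hovers over it, goes to the attacker's site.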

7. Pharming

Pharming is a more technical form of phishing and correspondingly harder for a user to detect. Instead of luring the victim to a bad link, the attacker tampers with DNS (the Domain Name System, which resolves domain names to IP addresses), for example by poisoning a resolver's cache or changing the DNS settings or hosts file on the victim's device. When the user types the genuine address, the name resolves to an attacker-controlled IP address hosting a copy of the legitimate site. Because the address bar shows the correct name, the browser's certificate check for that name is one of the few signals left: a certificate warning on a familiar site should be treated as a red flag rather than clicked through.

8. HTTPS Phishing

Hypertext Transfer Protocol Secure (HTTPS) encrypts the connection between the browser and the server, and most users, and many organizations, treat the padlock as a sign that a link is safe. It is not. The padlock means only that the connection to the host shown in the address bar is encrypted and that the host holds a certificate for that name; certificates are issued to attackers' domains just as readily as to legitimate ones. Attackers therefore serve their phishing pages over HTTPS as a matter of course, and the scheme of a link says nothing about the legitimacy of the host it points to.

9. Pop-up Phishing

Most users run pop-up blockers, but pop-up phishing is still dangerous. Attackers place deceptive content, or code that triggers a download, in the small notification windows people see when they visit a website.

A relatively new variant abuses the browser's notification permission. When the user opens a site, the browser asks whether the site may show notifications. If the user clicks "Allow", the site can push notifications to the desktop or phone long after the tab is closed, and those notifications carry the scam: links to malware downloads or credential-harvesting pages dressed up as system alerts.

10. Evil Twin Phishing

An evil twin is a rogue Wi-Fi access point that broadcasts the same network name as a legitimate hotspot, so that devices connect to it without the user noticing. Once a victim is connected, the attacker sits in the path of all traffic and can eavesdrop or run man-in-the-middle (MitM) attacks, capturing data sent over the connection, particularly anything not protected by TLS, including confidential information and login credentials.

How to Prevent Phishing 

The best way for you to avoid falling for phishing attacks is educating yourself on what to look out for. There are so many examples of phishing attacks and methods online that you can familiarize yourself with so you can improve the chances of identifying an attempt when you are the target. 

Other than educating and training yourself, there are a number of tips that can help you avoid falling victim to a phishing attack:
  1. Cross-check URLs and email addresses for spelling mistakes and lookalike characters; hover over a link (or long-press it on a phone) to see the real destination before clicking.
  2. Watch out for spoofed web pages designed to imitate sites you visit regularly; check the address bar, not just the page's appearance.
  3. Email hijacking is a real threat: even if the sender's address checks out, a suspicious message or request should be verified by contacting the sender in a new email or through another channel, never by replying.
  4. Control how much you share online; attackers use details such as your date of birth, address and mobile phone number against you.
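Tip 1 above, and the point of the HTTPS Phishing section earlier (a padlock says nothing about who the host is), can be made mechanical. The following Python is an added example written for this article, not code from the original page: it takes a URL apart the way a browser does and reports the host that will actually be contacted, its registrable domain, and the structural tricks that disguise it, such as a trusted name placed before an "@", a trusted name used as a subdomain of an attacker's domain, a bare IP address, or a punycode label. The trusted-domain list, the two-entry public-suffix list and the sample links are constructed for illustration.

```python
import ipaddress
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed for this example: registrable domains the reader actually trusts.
TRUSTED_DOMAINS = {"bank.example", "organization.com"}
# Two-label public suffixes handled here; a real tool consults the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """The part of a hostname a registrant controls, e.g. 'bank.co.uk' for 'www.bank.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_url(url: str) -> Dict:
    """Report the host the browser will really connect to and every trick disguising it."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    findings: List[str] = []

    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    if parts.username is not None:
        # Everything before '@' is user info the browser ignores; it is not the host.
        findings.append(f"'@' trick: {parts.username!r} is not the host, {host!r} is")
    try:
        ipaddress.ip_address(host)
        findings.append("host is a bare IP address, not a domain name")
        registrable = host
    except ValueError:
        registrable = registrable_domain(host)
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalized (punycode) label in host; may use lookalike characters")
    if registrable not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted in host:
                findings.append(f"trusted name {trusted!r} is buried inside untrusted host {host!r}")
                break
        findings.append(f"registrable domain {registrable!r} is not trusted")

    return {"host": host, "registrable": registrable,
            "https": parts.scheme == "https", "findings": findings}


if __name__ == "__main__":
    # Constructed sample links; the punycode label is invented, not a real site.
    for link in ["https://bank.example/login",
                 "https://bank.example@evil.example/login",
                 "https://bank.example.secure-login.example/",
                 "https://xn--bnk-example.example/",
                 "http://192.0.2.10/login"]:
        report = inspect_url(link)
        print(link, "-> https:", report["https"], report["findings"] or ["no findings"])
```

Note that the second and third sample links are served over HTTPS and still fail every meaningful check: the "https" field in the report is deliberately kept separate from the findings to make the point that encryption and legitimacy are unrelated properties.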

If you receive a phishing attempt

  1. Never click any links or attachments in suspicious emails. If you receive a suspicious message from an organization and worry if the message is legitimate, go to your web browser and open a new tab. Then go to the organization’s website from your own saved favorite, or via a web search. Or call the organization using a phone number listed on the back of a membership card, printed on a bill or statement, or that you find on the organization’s official website.
  2. If the suspicious message appears to come from a person you know, contact that person via some other means such as text message or phone call to confirm it. Do not reply to the email and do not trust any phone number listed in the suspicious email.
  3. Report the message (see below).
  4. Delete the message.

What to do if you are a victim of a Phishing attack

If you suspect that you may have inadvertently fallen for a phishing attack, there are a few things you should do.

  1. While it’s fresh in your mind write down as many details of the attack as you can recall. Try to note any information such as usernames, account numbers, or passwords you may have shared.
  2. Immediately change the passwords on those affected accounts, and anywhere else that you might use the same password. While changing passwords you should create unique and strong passwords for each account.
  3. Confirm that you have Multi-Factor Authentication (AKA MFA or Two-Step Verification) enabled for every account you can.
  4. You should notify IT of the attack.
  5. If you have shared information about your credit cards or bank accounts, contact those organizations to alert them.
  6. If you’ve lost money, or been the victim of identity theft, report it to local law enforcement.