Phishing attacks are one of the most common cybercrimes. According to the Tessian, in average in 2021 users at workplaces received 14 malicious emails. In certain industries, for example, in retail, this number is much higher – 49 dangerous emails.
The research by ESET and IBM shows an increase in the number of phishing attacks from year to year. At the same time, experts note their high level of success – according to CISCO, employees from 86% of companies responded to phishing links at least once.
The point of phishing is to gain access to confidential user data or to force the victim to perform certain actions beneficial to the organizer of the attack.
The data that the phisher wants to capture can be the login and password for access to a certain account, debit/credit card data, and other personal information. It happens that the victim is being convinced that he/she has been contacted by a representative of a certain company (or an employee of the same structure) to request authorization data (login/password) or a bank transfer.
Phishing attacks can be conventionally divided by the target audience, i.e. the victim targeted by the attack, or by the platform used for its organization (mail, voice and text messages). Let's dive deeper.
The traditional method that first comes to your mind when you think about phishing. The essence of this type of attacks is in sending dangerous emails by attackers, which usually contain a link to a fake site where the victim enters data to be intercepted by the attacker. A person clicks on a link that is shortened or visually similar to the original link, goes through it and sees a site that practically does not differ from the web resource he/she knows. Next, the user enters data that ends up in the hands of an attacker. The second widespread method of manipulation is when the email contains an attachment with a password and the attacker actually provides the password in the body of the email and asks to open the archive. In 99% of cases the archive will contain a virus that was not recognized by security systems precisely because it was encrypted with a password.
There are many examples of such phishing, and email has become one of the most popular attack vectors of this type. A high level of employee cyber hygiene will help to reduce the scale of a fraud. The company should teach employees to correctly respond to links from unknown senders – to actually notify the cybersecurity service about a potential threat.
Read more about the importance of cyber hygiene for business via the link.
However, it is almost impossible to completely protect against phishing attacks through email. Especially when it comes to communications between financial, marketing or sales professionals, who often receive messages with links and attachments from new senders. Attackers can hide dangerous links under shortened links (bit.ly), which makes their identification much more difficult.
Classic email phishing involves sending identical emails to a huge number of recipients with the hope that someone will respond. Another type of phishing is personalized letters. In them, senders try to identify the recipient, at least address him by name. According to them, this approach will increase the probability of a reverse reaction – people react faster and better when they see that the letter was sent personally to them.
Read more about the use of social engineering tools by cybercriminals via the link.
Whaling or CEO fraud
This is an even more sophisticated attack and involves the phishers impersonating a business manager. Attackers use social media or a corporate website to find information about a CEO or other executive. They then impersonate this person using a similar email address, sending an email asking for a fund transfer or to view an important document. For example, in 2015 Ubiquiti Networks Inc. sent more than $40 million to attackers as a result of a whaling phishing attack. Emails pretending to be sent from senior management instructed employees to transfer funds from a subsidiary in Hong Kong to accounts belonging to third parties. In reality, the money was received by criminals.
Of course, this type of attack involves much more difficult preparation, because it’s targeted, but nevertheless you will be surprised by the amount of information that can be found about almost any person in open sources.
The purpose of vishing is the same as other types of phishing attacks. The only difference is that voice messages are being used in its conducting. These attacks are well known, as most of us received a call from an alleged bank warning that their cards were allegedly blocked.
Calls abroad can be, for example, from representatives of a large technology company, for example, from Microsoft. And their initiator reports about a detected virus, to eliminate which you need to install an antivirus. Calls from head office help desk asking to install an update on a computer (which is actually a remote control virus) can be emulated as well. Criminals can pretend to be employees of the tax service or a credit union.
This is the same phishing, only criminals try to reach the victim via text messages. Sometimes a link sent in a text message leads to a virus. Sometimes, the text message contains a phone number that is suggested to be called, after which criminals use vishing – voice phishing.
Other tools of phishing scams
It seems that there are literally no limits to the imagination of phishing attackers and they use almost all communication channels that allow them to reach the end user.
For example, search engine phishing (or SEO-phishing) is a situation when criminals bring dangerous sites to the first positions of search engines, or, alternatively, buy advertising for such resources. For example, attackers were able to swindle large amounts of cryptocurrency through the advertising of fake websites of the blockchain.info.
Pop-up phishing involves placing dangerous links in pop-up windows.
Criminals also actively use social networks, such campaigns are also called fishing or angler phishing. In this case, criminals try to deceive the victim through personal messages on social media. For example, thanks to angler phishing Instagram accounts can be hacked on purpose and a substantial ransom can be demanded for access return.
How to prevent phishing?
Although phishing is a well-known practice, criminals are constantly inventing new methods of fraud and exploiting vulnerable topics, which makes it particularly dangerous.
Therefore, the fight against phishing must be comprehensive and take into account both technical solutions and organizational measures.
The first line of defense of any organization is people. That is why regular cyber hygiene education and trainings are so important. As attackers improve their methodologies, users must learn about them. And not only listen to theoretical lectures, but also practice on examples and recognize phishing emails.
2. Email filtering
The use of properly configured powerful anti-spam systems, email and network security gateways in the company will help to block the receipt of some particularly dangerous emails. Which will reduce the risk of their receipt by the company's employees.
3. Internet access restriction tools
Using access control lists (ALCs) is another way to reduce the risks associated with malicious websites. These tools can be used to restrict employee access to certain websites and web applications.
4. Multi-Factor Authentication Policy
In order to strengthen the protection of devices and accounts, the company should introduce mandatory multi-factor authentication and, possibly, switch to the use of hardware tokens to protect particularly important accounts. Two-factor authentication has actually been a must-have for the past few years.
5. Constant monitoring of the network environment and regular assessments of the state of the company's cybersecurity with the help of its own SOC (Security Operations Center) or with the involvement of an external contractor.
What does a SOC do? Helps companies and organizations improve their IT infrastructure monitoring capabilities to detect hidden behavior anomalies, early threat detection and incident response. That is, if the victim of phishing has already been caught, the abnormal behavior of his computer or account should be detected by the SOC. You can learn more about the functionality of our Center via the link.
6. Security Update Policies
Many phishing attacks exploit vulnerabilities that can be easily fixed by simply installing an update to your applications. Accordingly, the existence of software update policies will reduce the risk that phishing attacks will be successful.
7. Regular data backup
The existence and regular updating of backup copies will significantly reduce the consequences of a successful phishing (and not only) attack. A backup policy will also come in handy in case of problems with devices that may store particularly valuable information.
And to what extent is your company ready to counter phishing attacks? Would you like to pass the Phishing Security Test? You can learn more and register via the link.