Introduction
Phishing attacks are an increasingly frequent problem and a grave threat that can cripple businesses and ruin lives. These attacks come in a variety of forms but always have the same malevolent intent: to steal your personal details or your money. As you can imagine, victims of a phishing attack typically suffer financial loss and identity theft and, in the case of company employees, may even lose their jobs. As technology is always developing and most people are online, the risk of phishing attacks happening and succeeding is higher than ever. Therefore, to combat this growing threat, we must come prepared to safeguard ourselves and our information from any would-be attacker. In this blog, we will explore the more common types of phishing and the many ways in which we can protect ourselves from a phishing attack.
What is meant by a “phishing attack”?
When it comes to cyber attacks, one of the first types you may think of is phishing. But what exactly is meant by a phishing attack? A phishing attack typically takes the form of an email or text message containing a link to a website that hosts malware. Malware is malicious software used to steal data or damage your computer system, and for a company this can cause a great deal of harm. A common type of malware used in phishing attacks is ransomware, which is designed to stop you from accessing your computer system by encrypting your data; the attacker then threatens that the data will remain inaccessible until the targeted company pays a ransom. For businesses, this may cause even more issues than the original financial loss. Their reputation may also take a hit, breaking the trust between them and their customers. Worse yet, they may lose even more money through lost business and possibly legal fees.
Obtaining money is one of the main aims of a phishing attack, but it isn’t the only one. The attack may instead be intended to obtain personal information from the victim, such as passwords, bank details and usernames, which attackers then use or sell for their own gain. Some phishing attacks become quite personal, with the attackers using social engineering techniques to strike fear into their targets and create a sense of urgency so that they obtain the information or money they were after.
Types of phishing attacks
Every company is susceptible to phishing attacks, so we must remain vigilant to keep ourselves and our data protected. To help keep you aware of the ways phishing can target you, here is an in-depth list of the common forms phishing may take.
Email phishing
Typically, phishing attacks occur via email, often containing a link to a fake website or an attachment that contains malware. The email will usually be disguised to appear as if it is from a legitimate organisation such as Amazon or Netflix; however, on closer inspection the sender’s domain will not match the domain of the company being mimicked. Clicking on the link or downloading the file may result in either loss of money or your personal information being stolen, so watch out! The link or attachment will also be accompanied by a generic request urging you to download the file or click the link, either by warning you to act before it’s too late or by enticing you with an offer before it expires. Usually, the text within the email is vague, as it will most likely have been sent to as many people as possible so that the attacker can gather as much information or money as they can. A prevalent example is emails claiming to be from social media sites: they send a link to a malicious website asking you to enter your account details before your account is deactivated.
Spear phishing
Spear phishing is a more sophisticated version of email phishing: the goal is the same, but the email is far more personal to you. Whilst these attacks may be less common than your average phishing attack, they are considerably more successful and harder to detect, as the attacker disguises themselves as someone you know and trust. You can tell the attacker has done their research, as they will most likely know your name, place of work and other information about your job role. This is done to reduce suspicion and increase the chance of you clicking the malicious link, allowing the hacker to access the desired information and install a backdoor for further entry into more of the company’s systems. If a spear phishing attack succeeds, more of the company may be at risk, as spear phishing may be the first stage of an APT (advanced persistent threat), giving hackers access to even more information.
Whaling
Whaling and spear phishing are extremely similar, as they use the same tactic of impersonating someone you trust and tailoring the email specifically to you. There is a key difference, however. A whaling attack (also known as CEO fraud) targets higher-ranking members of an organisation, such as executives, by pretending to be a senior member; in some cases the attacker may even masquerade as the CEO. This adds another layer to the social engineering, as staff will feel pressured to give in to the hacker’s request because they won’t want to go against the wishes of their superiors.
Smishing (SMS phishing)
Phishing doesn’t always come in the form of an email. Smishing, or SMS phishing, targets people through text messages. The method is the same: hackers send you malicious links and, once clicked, your information is taken. Hackers have switched up the form of their attacks because, with email phishing, success is harder to achieve against new and improved spam filters. In an age where most people use a phone daily, SMS phishing will only become more commonplace. One example of this type of attack you may have seen is a message telling you there has been a problem with a delivery and that you must pay a fee.
Vishing (voice phishing)
Another type of phishing attack that uses the phone is vishing, or voice phishing. During a vishing attack, the attacker pretends to be an employee of a particular organisation, e.g. your bank. The strategy is much like the other forms of phishing, with the attacker using social engineering to make the target feel they are doing the right thing by complying. The attacker will keep persuading and threatening you until you hand over your information.
How to spot phishing attacks
After reading all of that, you may be wondering “How do I protect myself from phishing attacks?” Don’t worry, we’re here to help. Here’s a list of some red flags to look out for:
- Inconsistent domain names and email addresses: If you find a suspicious email, remember to keep calm. If there is a link, the first thing you should do is hover your mouse over it to reveal where it really points. Make sure not to click on it! Hackers are crafty and try to look as much like the business they’re masquerading as as they can, but they can’t do this flawlessly, so look out for spelling errors in the domain. A prime example is replacing an “m” with an “r” followed by an “n” so that it looks like this: rn. A panicking target may miss key clues such as that. Remember to check the email address as well: if the sender claims to be from a company but is using a public email domain like Gmail, you can tell that something is not right.
- Poor spelling and grammar: This tip mainly applies to regular phishing attacks that are generic and ordinary. Since these emails are not designed to be specific, the quality of the text is likely to be poor, and spelling and grammatical errors may be prominent, so do keep an eye out for them.
- Sense of urgency: The tone of the email or text is also important. Attackers usually create a sense of urgency and danger, threatening you into sending them the information before something bad happens. While it is distressing, remember that the danger they speak of is not real, but the threat from the hacker is. Ignore the request, report the email and delete it.
- Too good to be true offers: While many phishing attacks pretend there is a problem, some claim that you have won a grand prize or have a time-limited chance to win something. Don’t be blinded by this. Report and delete the phishing attempt.
- Requesting private information: An important thing to remember is that your bank, government, etc. will not ask for your personal information. Never disclose your bank details to strangers.
- Unusual sender: In the case of a spear phishing attack, where a hacker may be posing as a friend or colleague, trust your instinct. Ask yourself, “Would they really say this?” To ease any doubts, it is always wise to double-check with the person they claim to be, to confirm whether it is truly them or not.
It is also worth noting that the National Cyber Security Centre encourages people to report phishing attacks when they see them, even if you do not fall foul of the attack itself.
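To make the red flags above concrete, here is an added example (not code from the original post) that checks a single raw email for four of them: a brand name paired with a public webmail domain, the “rn” for “m” lookalike trick, link text that names a different domain from the one the link actually points to, and urgency wording. The brand list, webmail list and sample message are constructed for the example; the registrable-domain helper is a deliberate simplification that does not consult a public suffix list.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse
# Illustrative lists (assumptions): brands the reader expects mail from, and public webmail domains.
KNOWN_BRANDS = {"amazon.co.uk", "netflix.com"}
PUBLIC_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}
URGENCY = ("act now", "immediately", "deactivated", "before it's too late")

def registrable(host):
    """Crude registrable domain: last two labels, or three for co.uk-style hosts (no suffix list offline)."""
    parts = host.lower().strip(".").split(".")
    n = 3 if len(parts) >= 3 and parts[-2] in ("co", "org", "gov", "ac") else 2
    return ".".join(parts[-n:])

def lookalike_of(domain):
    """Return the known brand that `domain` imitates via the 'rn' for 'm' substitution, else None."""
    folded = domain.replace("rn", "m")
    return next((b for b in KNOWN_BRANDS if domain != b and folded == b), None)

def analyse(raw):
    """Return the red flags found in one raw RFC 822 message; an empty list means none were found."""
    msg = message_from_string(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    sender_domain = registrable(sender.domain)
    flags = []
    # A brand name in the display name, but a public webmail domain behind it.
    if sender_domain in PUBLIC_MAIL and any(b.split(".")[0] in sender.display_name.lower() for b in KNOWN_BRANDS):
        flags.append(f"public mail domain {sender_domain} used with brand display name")
    if brand := lookalike_of(sender_domain):
        flags.append(f"sender domain {sender_domain} imitates {brand}")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    # Visible link text names one domain while the href actually points somewhere else.
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = registrable(urlparse(href).hostname or "")
        shown = re.sub(r"^https?://", "", text.strip()).split("/")[0]
        if "." in shown and registrable(shown) != host:
            flags.append(f"link text shows {registrable(shown)} but points to {host}")
        if brand := lookalike_of(host):
            flags.append(f"link domain {host} imitates {brand}")
    if any(phrase in body.lower() for phrase in URGENCY):
        flags.append("urgency language in body")
    return flags

# Constructed sample message (not real mail) combining several of the red flags above.
PHISH_SAMPLE = """\
From: Amazon Customer Service <amazonhelp@gmail.com>
Content-Type: text/html

<p>Act now or your account will be deactivated.</p>
<a href="http://arnazon.co.uk/verify">https://www.amazon.co.uk/account</a>"""
```

Calling `analyse(PHISH_SAMPLE)` returns one flag per red flag found, in the order the checks run; a clean message yields an empty list.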
How to prevent phishing attacks
Ideally, we want to avoid phishing attacks as much as possible. This is hard, however, as attacks are constantly changing and evolving and, chances are, you will inevitably receive one. But there is no harm in taking some precautions and reducing how exposed you are to them. So, here are some ways you can prevent phishing attacks:
- Implementing spam filters: As a first line of defence, implementing spam filters is a good idea. Spam filters can filter out the vast majority of email phishing attempts based on various criteria. Naturally, hackers will try to bypass them, so while spam filters are beneficial and can catch regular phishing attacks, it’s crucial to take extra precautions.
- Adjusting browser settings: Browsers like Firefox and Google Chrome now come with malware protection that blocks the download of malware and stops you from accessing websites that may be dangerous. Google Chrome, for example, displays a security warning page before you access a website with a suspicious URL.
- Regular password changes: This tip is one of the most important ones in my opinion. When a hacker compromises one of your accounts, any other account that is linked or shares the same password will also be compromised. It’s a very nasty domino effect. To prevent this from happening, we strongly advise you to change your password regularly. Also, make sure each of your accounts has a different password, ideally at least 12 characters long. Remembering passwords can be difficult, especially if you have a lot of them. If you find yourself struggling, a password manager may come in handy!
- Reporting phishing attempts: If a phishing attack has managed to find its way into your inbox, the best thing you can do is report it. By reporting it, fake websites can be taken down, greatly reducing the chance of other people being tricked by the same scheme. To report a phishing attempt, contact the relevant authorities such as the government or Action Fraud.
- Educating employees: For companies, employees are the first line of defence against a phishing attack. By educating them on what to look out for, you are protecting them and the business from hackers. At Sencode Cyber Security, we offer comprehensive training programmes that include real-world examples and case studies. These programmes are designed to equip your employees with the skills they need to identify and avoid phishing scams.
Conclusion
From emails to phone calls, cyber criminals are employing increasingly sophisticated and manipulative tactics to deceive people and organisations alike. Protecting our data is a continuous and hard battle but we must remain vigilant against these practices if we want to remain safe.
Always remember that by educating yourself on what to look out for and implementing the above precautions, you will be helping yourself and your organisation to avoid the theft of your personal data. Stay alert and stay safe!