Phishing. Yeah, we get it. We’re supposed to educate our users on phishing attacks and how to prevent them. Today I’m going to share with you an article that outlines the most common phishing attacks and what to do about them. I’m drawing from this nice article. It provides information on how to recognize each of these common phishing attacks and how best to respond to them. So, let’s have at it.
This first variety of common phishing attack involves emails that use several techniques to avoid detection.
- These attacks may include links to legitimate brands or websites.
- They tend to keep the email text short, in part to avoid analysis by phishing defense tools.
- These attacks use deceptive links or shortened links to make it harder to judge whether the links are legitimate or not.
- They may try to spoof the email address of an executive at the organization. Why? A message that appears to come from the boss carries social proof that increases the odds of it being clicked.
You know these kinds of phishing emails: the messages purportedly from Microsoft or PayPal informing you of irregular account activity and asking you to log in and verify your credentials. If you are being asked to go to a site and provide your credentials, you should definitely be concerned.
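As an added example (not from the original article), here is a small Python checker that flags the traits listed above in a constructed sample message: an executive's display name on a sender address from a different domain, a very short body, a shortened link, and link text that names a brand the link does not go to. The executive directory, shortener list, word-count threshold and the sample message are all assumed test data.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): short body, shortened link, link text that
# names PayPal but points elsewhere, and a CEO's display name on an outside domain.
SAMPLE_EMAIL = """From: "Jane Doe" <jane.doe@example-mail.test>
To: staff@example.org
Subject: Irregular account activity
Content-Type: text/html

<p>Please <a href="https://bit.ly/xyz123">verify your PayPal account</a> now.</p>
"""

# Assumed directory of executive display names and the domain they really send from.
EXECUTIVES = {"jane doe": "example.org"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # illustrative, not exhaustive
BRANDS = ("paypal", "microsoft")
ANCHOR_RE = re.compile(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHORT_BODY_WORDS = 30  # assumed threshold for "suspiciously short"


def analyze(raw: str) -> list[str]:
    """Return human-readable findings for one single-part (non-multipart) email."""
    msg = message_from_string(raw)
    findings = []
    # 1. Executive display-name spoofing: the name matches an exec, the domain does not.
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for exec_name, real_domain in EXECUTIVES.items():
        if exec_name in name.lower() and sender_domain != real_domain:
            findings.append(f"executive name '{name}' on outside domain {sender_domain}")
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    # 2. Very short body text (tags stripped) gives filters little to analyze.
    words = re.sub(r"<[^>]+>", " ", body).split()
    if len(words) < SHORT_BODY_WORDS:
        findings.append(f"short body ({len(words)} words)")
    for href, label in ANCHOR_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()
        # 3. Shortened links hide the real destination.
        if host in SHORTENERS:
            findings.append(f"shortened link {href}")
        # 4. Deceptive link: the text names a brand the destination host does not contain.
        label_text = re.sub(r"<[^>]+>", "", label).lower()
        for brand in BRANDS:
            if brand in label_text and brand not in host:
                findings.append(f"link text mentions {brand} but goes to {host}")
    return findings
```

Running `analyze(SAMPLE_EMAIL)` returns four findings, one per trait; a routine internal message from the real executive domain with a longer body and no links returns none.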
Just as with marketing campaigns, there are phishing attacks that target a large class of users hoping to get at least one click. And then there are the targeted phishing attacks. These latter common phishing attacks are referred to as spear phishing.
For instance, I received a phishing email that mentioned the name of one of my children. The message suggested that I should respond to find out more. Customers have told me that they are seeing an increase in these spear phishing attacks. The emails go further, trying to establish common ground with the recipient. They might refer to a school you attended, where you grew up, or a favorite hobby. This kind of information is easy enough to find, and increasingly there are tools that collect it in an automated way.
The best defense here is to contact the sender “out of band” to verify the request. Maybe your CEO didn’t really ask you to buy Target gift cards and keep it a secret.
Clearly, we are stretching the sport fishing analogy to its limits here. Whaling represents an attempt to capture the account credentials of a CEO or other top organizational executive. Once in possession of those credentials, hackers can use them to try to initiate wire fraud. Or they might gather W-2 information on employees for the purpose of filing fake tax returns. Most organizations have a story to share about bogus emails requesting a wire transfer or purchase of gift cards, and so on. The best way to deal with this type of common phishing attack is to make sure your organization has a solid process for managing and approving wire transfers, gift card purchases and the like.
It’s also worth mentioning that CEOs and other top executives must take part in phishing awareness training programs. Too often, lack of executive awareness about phishing, together with executive access to organizational assets, leads to a bad outcome.
This common phishing attack uses the telephone to gather sensitive information. I get so much telephone spam that I tend not to answer any call unless I recognize the number. However, these kinds of phishing attacks do occur. For instance, I have received more than one voice message telling me that there is a problem with my Social Security account. The solution, of course, is that I should press 9 to speak with someone and confirm my Social Security information. And did I mention that I am being sued?
Smishing uses SMS or text messages to conduct phishing. I receive regular text messages inviting me to apply for a COVID-19 loan, etc. The tip-off for these messages is that they think my name is Jim. Don’t ask me why. The links in these smishing messages are always shortened. This makes it more difficult to determine if the link is valid or not. As with unwanted phone calls, the best defense is to delete the message instead of responding.
This common phishing attack is not one that I have encountered before. Attackers tamper with DNS servers so that a legitimate website’s address is redirected to a malicious site of their own. Hackers then send out emails that encourage users to log in to the website, and the users end up handing their login credentials to the hackers.
IT can defend against these attacks by hardening their DNS servers and making sure that all organizational devices are protected with antivirus software. Users can do their part by making sure that they are logging in to a secure (HTTPS) website before providing sensitive information.
Learn to Live with Common Phishing Attacks
It would be great if phishing would go away. But, as our CTO says, we’ve had decades to work on getting rid of spam and we haven’t eliminated it yet. There’s no reason to think that we could be any better at eliminating phishing. If someone can make a profit with phishing it will exist in our world.
We can learn to live with these common phishing attacks by understanding how they work and educating our users on how to recognize and avoid these traps.
Can you help CGNET refine its cybersecurity product portfolio? Follow this link to a simple form that will ask you a question about types of security training we might offer. Thanks in advance for your help! (PS your answers will remain anonymous.)