Like so many other cyberattacks, phishing attacks can target just about anyone. Bad actors usually pose as a trusted source to trick victims into clicking a link or visiting a dangerous web site, either to steal sensitive information or to install malware. To make matters worse, malicious software can be installed automatically without the victim’s knowledge, meaning that sensitive information doesn’t always need to be typed into a suspicious online form to be stolen. Phishing also contributes to many of the ransomware attacks that occur each year, as well as to Business Email Compromise (BEC) and extortion attacks that cripple company systems, breach company and client data, and cause loss of intellectual property, reputational damage, and catastrophic financial loss.
Compounding the issue, there are many different types of phishing attacks. Phishing now extends to the Wi-Fi hotspots we connect to and the seemingly innocuous pop-ups we encounter. Even the once venerable HTTPS padlock is no longer a reliable sign of legitimacy. How can you counter all these attacks? Sadly, there is no single, go-to form of protection against them, but you can improve your odds of spotting and avoiding them. The best way to inoculate your employees, customers, partners, and company is to increase knowledge of the various ways to block a phishing attack in the first place. To do that, you should understand the most common types of phishing scams.
Email Phishing
These phishing attacks target e-mail accounts. The attacker may increase their odds of success by registering a domain or a series of web sites to make themselves appear more legitimate. There are common-sense techniques to fight this type of phishing. For starters, recipients should always be wary of ANY e-mail that asks them to click on a link. Read the policies of the group that is supposedly sending you the e-mail; in most cases, they will tell you that they will never ask you to click on a link or enter your sensitive details. And if you’re really unsure, log in to the actual party’s web site directly or reach out over the phone. You’ll be glad you did.
Spear Phishing
Spear phishing attacks are more researched and nuanced, customized specifically to target higher-tier individuals or teams with greater access to critical networks. This makes them far more dangerous than the traditional mass-message approach of standard phishing: they appear even more legitimate, and the cost of falling for them is higher. There are also different variants of spear phishing. One of these, commonly known as “whaling,” targets senior executives in the hope of gaining a significantly higher tier of credential. If the attacker accomplishes this goal, they can use the executive’s identity to conduct spear phishing attacks against that executive’s own staff.
Pharming
Pharming is a form of phishing that can be far more troublesome to detect. Here, the attacker infiltrates a legitimate Domain Name System (DNS) server, the service that normally converts spelled-out domain names into IP addresses. By gaining control of DNS answers, the attacker can reroute requests for certain web sites to other, malicious ones that appear legitimate, even though the user typed the correct address.
The best defense in this case is to employ software designed to detect and flag this type of rerouting. Again, however, the solid policy of never trusting a link – and always visiting the site directly – is a good idea.
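The “software that flags rerouting” the paragraph refers to can be as simple as a baseline comparison: record the address ranges each trusted hostname is expected to resolve into, then compare fresh resolver answers against that record. The script below is an added example and is not code from the original article or from Quest Technology Management; the hostnames, baseline networks (documentation ranges) and resolver answers are constructed placeholders so it runs offline, and the `live_addresses` helper shows how a real answer would be fetched from the system resolver.

```python
"""Baseline check for rerouted DNS answers (added example, not the page's code).

A defender records the address ranges each trusted hostname normally resolves
to and compares fresh answers against that baseline. Anything outside the
baseline is flagged for a human to look at. The baseline networks and the
resolver answers below are constructed sample data (documentation ranges),
so the check runs offline; live_addresses() shows how a real answer would be
obtained.
"""
import ipaddress
import socket

# Constructed baseline: hostname -> networks it is expected to resolve into.
BASELINE = {
    "bank.example": [ipaddress.ip_network("198.51.100.0/24")],
    "login.example": [ipaddress.ip_network("203.0.113.0/25")],
}

# Constructed resolver answers (A records) as a lookup might return them.
SAMPLE_ANSWERS = {
    "bank.example": ["198.51.100.17"],    # inside the baseline
    "login.example": ["203.0.113.200"],   # outside 203.0.113.0/25
    "unknown.example": ["192.0.2.9"],     # never baselined
}


def check_answer(hostname, addresses, baseline=BASELINE):
    """Return (verdict, offending_addresses).

    verdict is 'ok', 'unexpected' (some address lies outside every baseline
    network, the pharming signal) or 'no-baseline' (nothing to compare with).
    """
    expected = baseline.get(hostname)
    if expected is None:
        return ("no-baseline", [])
    outside = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in expected):
            outside.append(addr)
    return ("unexpected", outside) if outside else ("ok", [])


def audit(answers, baseline=BASELINE):
    """Run check_answer over a mapping of hostname -> answered addresses."""
    return {host: check_answer(host, addrs, baseline) for host, addrs in answers.items()}


def live_addresses(hostname):
    """Current IPv4/IPv6 answers from the system resolver (not called offline)."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for host, (verdict, detail) in audit(SAMPLE_ANSWERS).items():
        print(f"{host:16} {verdict:12} {detail}")
```

In practice the same comparison is run against answers from more than one resolver (the corporate resolver and a public one) and any divergence is alerted on. A baseline also has to be refreshed deliberately: legitimate address changes at a content delivery network will trip the check as well, so an “unexpected” verdict is a prompt to verify, not proof of pharming.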
Vishing
This phishing tactic, also known as “voice phishing,” uses a phone call in which the scammer interacts directly with the target. In most cases, they try to scare the recipient into surrendering credentials or sensitive financial information, for example by claiming that you owe money or that you must update the details on one of your accounts. As always, be careful who you trust.
Smishing
Smishing, or SMS phishing, uses a deceptive text message carrying a dangerous link. The concept is the same as in the other phishing techniques, and so is the defense: you can increase your chances of avoiding these attacks by being cautious around links you receive through texts.
Clone Phishing
This attack method can be a bit more personal. With clone phishing, the bad actor mimics prior e-mails that were actually sent by a legitimate source, trading on that sender’s name and reputation to produce a fraudulent request and link. Essentially, the only change from the genuine e-mail is that the link now redirects to a different web site, a scam designed to steal information.
That’s where phishing-prevention software can be useful. It also helps to double-check the originator’s e-mail address and where the link actually goes, looking for repeated letters or misspellings that most people would glance over. Think “Citiizen’s Bank” instead of “Citizen’s Bank,” for example.
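The “repeated letter or misspelling” check above is easy to automate on the mail gateway: compare the domain part of every sender address and link host against the list of domains the organisation actually trusts and flag near-misses. The code below is an added example, not code from the original article or from Quest Technology Management; it generalises the single “Citiizen’s” case to any one- or two-character edit and to common visual substitutions (“rn” for “m”, “1” for “l”), and the trusted list and sample inputs are constructed placeholders.

```python
"""Lookalike-domain check for sender addresses and link hosts (added example,
not the page's code). It flags domains that are a near-miss of a trusted
domain: one or two edited characters ("citiizensbank" for "citizensbank") or
a visual substitution such as "rn" for "m" or "1" for "l". The trusted list
and sample inputs are constructed placeholders.
"""
from urllib.parse import urlparse

# Constructed list of domains the organisation actually trusts.
TRUSTED = ["citizensbank.example", "quest.example"]

# Character sequences that look like another character in many fonts.
SUBSTITUTIONS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Collapse visual substitutions so 'rn' and 'm' compare equal."""
    d = domain.lower()
    for fake, real in SUBSTITUTIONS.items():
        d = d.replace(fake, real)
    return d


def registrable(host):
    """Last two labels of a host; a real deployment would use the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def domain_of(value):
    """Host part of an e-mail address or URL, '' if none can be found."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    host = urlparse(value).hostname
    return host.lower() if host else ""


def classify(value, trusted=TRUSTED):
    """'trusted', 'lookalike-typo:<t>', 'lookalike-substitution:<t>', 'external' or 'invalid'."""
    host = domain_of(value)
    if not host:
        return "invalid"
    reg = registrable(host)
    if reg in trusted:
        return "trusted"
    for t in trusted:
        if normalize(reg) == normalize(t):
            return f"lookalike-substitution:{t}"
        if levenshtein(reg, t) <= 2:
            return f"lookalike-typo:{t}"
    return "external"


if __name__ == "__main__":
    samples = [
        "alerts@citizensbank.example",
        "alerts@citiizensbank.example",
        "https://citizensbank.examp1e/login",
        "https://citizensbank.example.evil.example/login",
    ]
    for s in samples:
        print(f"{classify(s):45} {s}")
```

Note that the comparison is made on the registrable domain, so a trusted name buried in a longer hostname (the fourth sample) is reported as external rather than trusted. A “lookalike” verdict is a good trigger for the kind of visual warning tag that grey-area mail should carry, while an exact match in the trusted list is what a clone-phishing e-mail will never have.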
HTTPS Phishing
This phishing variant hosts the scam on a site that uses HTTPS encryption, which bypasses some anti-phishing software while also making the correspondence appear even more legitimate to the naked eye. The padlock only tells you that the connection to that site is encrypted; it says nothing about who operates the site, and attackers can obtain certificates for domains they control. The key, once again, is to be more cautious and to understand that HTTPS is neither flawless nor a guarantee of information security.
Pop-up Phishing
Pop-up phishing infiltrates the traditional pop-up ads that we encounter when visiting web sites. With pop-up phishing, attackers embed malicious code within the ads themselves, which are then loaded as a notification when visiting the site. This tactic preys far more on random visitors than other types of phishing, but it is still effective: people who click on the ads and visit the site may unknowingly install malware and spyware on their systems.
Evil Twin Phishing
This less-common attack uses a fraudulent Wi-Fi hotspot, set up to look like a legitimate one, to capture sensitive information as it is transferred. This supports malicious tracking of individuals and can even allow the attacker to perform a man-in-the-middle attack to steal data and other sensitive information.
How do you prevent it? For starters, try to avoid public Wi-Fi in favor of personal hotspots and secure networks. It can also be helpful to disable auto-connect on your devices and make use of multi-factor authentication, VPNs, and other security options.
Of course, these are just some of the types of phishing attacks that are out there. Knowing how to identify and avoid these risks is what separates the more secure companies and individuals from those at considerably greater risk.
What Can Be Done?
If you’ve made it this far, you’ve probably picked up on some common-sense habits that should provide a base layer of protection against the various phishing scams. While these tactics, in and of themselves, are not enough to guarantee your company is completely safe, they certainly can’t hurt.
It’s crucial for today’s businesses – and especially those with remote workers whose daily activities are harder to oversee – to reinforce common-sense knowledge of how phishing attacks occur. By bolstering this understanding and instilling a set of best practices, organizations can automatically reduce instances of different phishing strikes.
Here are some other things your company can do to stay protected against different types of phishing campaigns:
- Promote security awareness by enrolling employees and contractors in computer-based phishing training and conducting regular phishing simulations.
- Raise user awareness of suspicious e-mail by adding visual warning tags to messages that fall into a grey area between clean and malicious.
- Deploy and configure strong attachment defense, impostor protection, and predictive URL analysis on e-mail, and provide real-time sandboxing every time a URL inside an e-mail is clicked.
- Institute a process or technology to quickly remove reported suspected phishing or unwanted e-mails from all users’ mailboxes after delivery.
- Implement two-factor authentication (2FA) for all e-mail accounts, making it difficult for a bad actor to gain access even if they have acquired the legitimate password.
- Deploy timely and complete patch management to protect against emerging and known OS and third-party software vulnerabilities.
- Encourage regular password changes and discourage or prohibit password sharing.
- Maintain strong endpoint protection and monitor/alert on suspicious endpoint behavior.
- Implement proactive web protection for systems both on the corporate network and when they are roaming at home or traveling.
- Be mindful of any window or pop-up message you receive on your device; exercise caution and ask IT to confirm before you click to install or join anything, or provide any requested information.
Phishing attacks of any type can be difficult to identify. That’s why phishing instances have gone up so drastically in number in recent years. The key is to raise awareness of the forms that they can take and the risks that they may pose.
Curious what else you can do? Quest Technology Management can be a great resource with further tips and installations to keep your business running smoothly – and keep your company from being caught by a “phish” hook. You’ll be glad you did.
As always, feel free to contact us anytime – we’re always happy to help.